Data Retention Periods for Fintech Companies in India Under DPDP
Fintech retention obligations in India come from three sources at once: RBI directions, the Income Tax Act, and the DPDP Act. Here is how to reconcile them into one schedule.
Fintech data retention in India is governed by three regulators at once: RBI and PMLA require KYC and transaction records for 5 years, the Income Tax Act requires financial records for 7 to 8 years, and the DPDP Act adds a retention ceiling with mandatory erasure for any data outside those regulatory floors.
Retention is unusually complicated for Indian fintech, because it is not governed by the DPDP Act alone. RBI directions, the Prevention of Money Laundering Act (PMLA), and the Income Tax Act each impose their own retention floors, and the DPDP Act layers a ceiling and a deletion obligation on top once those floors are satisfied. Getting this wrong in either direction (deleting too early or retaining "just in case") is a compliance failure.
The retention floors that come before DPDP
| Data category | Governing rule | Minimum retention |
|---|---|---|
| KYC records and identity documents | PMLA Rules, RBI Master Direction on KYC | 5 years from the end of the business relationship, or 5 years from the transaction date for occasional customers |
| Transaction records | PMLA Rules | 5 years from the date of the transaction |
| Books of account, vouchers, and financial records | Income Tax Act, Companies Act | Generally 7 to 8 years, depending on the record type |
| Payment system data (cards, UPI transaction data) | RBI directions on storage of payment system data | Full transaction data retained per RBI's current data-localisation and retention directions, typically not less than the period needed for dispute resolution and regulatory reporting |
These are floors, not defaults. They exist independent of the DPDP Act and do not go away because a user asks you to delete their data; §17 and Rule 8 both preserve retention where "compliance with any law for the time being in force requires otherwise."
What the DPDP Act adds on top
- •A retention ceiling for everything else. Data collected for a purpose not covered by RBI, PMLA, or tax law (marketing preferences, app usage analytics, support tickets) must be erased once that specific purpose is served, per Rule 8.
- •A minimum one-year log retention, separately. Rule 6(1)(e) requires security and access logs to be retained for at least one year for breach detection and investigation purposes, regardless of your other retention schedules.
- •A 48-hour pre-erasure notice, for large platforms. If you meet the user thresholds in the Third Schedule (this applies specifically to large e-commerce, gaming, and social media platforms, not most fintech products), you must warn users 48 hours before erasing dormant account data.
- •Itemised consent for any secondary use. If transaction data collected for regulatory retention is also used for credit scoring, personalisation, or shared with lending partners, that is a separate purpose requiring its own consent under §6, independent of how long RBI says you must keep the underlying record.
A worked retention schedule for a lending fintech
| Data category | Retention period | Basis |
|---|---|---|
| KYC documents | 5 years post relationship end | PMLA Rules |
| Loan transaction records | 5 years from transaction | PMLA Rules |
| Financial statements and books | 8 years | Income Tax Act |
| Security and access logs | 1 year minimum | DPDP Rule 6(1)(e) |
| Marketing preference data | Until consent withdrawn, or 2 years of inactivity | DPDP Rule 8 (no external floor applies) |
| Credit-scoring model inputs (secondary use of transaction data) | Matches underlying transaction retention, but consent tracked separately | DPDP §6 itemised consent |
Why this is worth automating, specifically for fintech
Fintech is the sector where manually reconciling three retention regimes is most likely to produce silent errors: deleting KYC data too early because a generic DPDP policy did not carve out the PMLA floor, or retaining marketing data indefinitely because it got bundled with regulatorily-mandated transaction records. Privacy Labs' retention engine is built to hold sector-specific floors and DPDP ceilings as separate rules per data category, so the deletion job never has to guess which law wins. See our DPDP compliance checklist for the full picture beyond retention, or run a free Compliance Score below to check your current setup.
Frequently asked questions
Can a user force a fintech company to delete their KYC data under DPDP?
No. Both the DPDP Act (§17) and Rule 8 preserve data retention required by any other law in force. RBI and PMLA-mandated retention periods for KYC and transaction data override a Data Principal's general erasure request until that regulatory floor is satisfied.
What is the minimum retention period for financial records in India?
It depends on the record type: KYC and transaction records generally need 5 years under PMLA Rules, while books of account and financial statements typically need 7 to 8 years under the Income Tax Act and Companies Act. These are independent of, and generally longer than, DPDP's general erasure expectations.
Does DPDP retention apply to data fintech companies are legally required to keep?
The DPDP Act's general erasure expectations under Rule 8 explicitly do not override retention required by other laws. DPDP's main additional requirements for this data are security safeguards (Rule 6) and itemised consent for any secondary use beyond the original regulatory purpose (§6).