Last updated: March 2026
This policy governs how InstaKYC handles Aadhaar-related data in strict compliance with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and UIDAI Circular guidelines.
1. Legal Framework
InstaKYC performs Aadhaar-based verification services in compliance with:
- The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016
- UIDAI Circular on use of Aadhaar for KYC purposes
- The Prevention of Money Laundering (Maintenance of Records) Rules
- RBI Master Direction on KYC (as applicable)
- Digital Personal Data Protection Act 2023
2. Aadhaar Verification Method
InstaKYC uses OTP-based Aadhaar verification only — the individual receives a one-time password on their Aadhaar-registered mobile number and submits it voluntarily. We do not use biometric authentication. This method is compliant with UIDAI's permitted use cases for authentication.
3. Mandatory Consent Requirements
Aadhaar verification must NEVER be performed without the explicit, informed consent of the individual whose Aadhaar is being verified.
Before performing any Aadhaar verification, the requesting business/agent must:
- Obtain explicit written or digital consent from the individual
- Inform the individual of the purpose for which Aadhaar is being used
- Ensure the individual is voluntarily sharing their Aadhaar number
- Maintain a record of consent for audit purposes
- Not coerce or mandate Aadhaar for services where it is not legally required
4. Aadhaar Data Storage Rules
| Data Type | Storage Rule | Reason |
|---|---|---|
| Full Aadhaar Number (12 digits) | ❌ NEVER stored | Prohibited under Aadhaar Act |
| Masked Aadhaar (last 4 digits: XXXX-XXXX-1234) | ✅ Stored in masked form only | UIDAI compliant |
| Name from Aadhaar | ✅ Stored for verification record | KYC audit trail |
| Date of Birth from Aadhaar | ✅ Stored for verification record | KYC audit trail |
| Address from Aadhaar | ⚠️ Not stored by default | Minimization principle |
| Aadhaar OTP | ❌ Never stored or logged | Security requirement |
| Biometric data | ❌ Not collected at all | Not applicable to our service |
5. Permitted Use Cases
Aadhaar verification through InstaKYC may only be used for:
- Customer KYC for regulated financial services (banks, NBFCs, insurance)
- Employee onboarding and background verification
- Telecom customer verification (as per DoT guidelines)
- Any other purpose explicitly permitted under the Aadhaar Act and UIDAI guidelines
6. Prohibited Use Cases
- Mandatory Aadhaar for services where it is not legally required
- Storing or sharing full Aadhaar numbers with any third party
- Using Aadhaar data for profiling, marketing, or surveillance
- Sharing Aadhaar-linked data with foreign entities without legal basis
- Any use in violation of the Supreme Court judgment in K.S. Puttaswamy vs Union of India (2018)
7. Data Retention
Aadhaar verification records (masked Aadhaar + name + verification status) are retained for a minimum of 5 years from the date of verification, as required under AML/KYC regulations. After the retention period, records are permanently deleted.
8. Security Measures
- All Aadhaar-related API calls are made over encrypted HTTPS connections
- Aadhaar data is processed in-memory and never written to logs in full
- Access to Aadhaar verification records is restricted to authorized personnel only
- Regular security audits are conducted on systems handling Aadhaar data
9. Reporting Violations
If you believe Aadhaar data has been misused on our platform, contact us immediately at support@instakyc.in. You may also report violations directly to UIDAI at uidai.gov.in or call 1947 (UIDAI helpline).
10. Contact
Grievance Officer: Chandra Mani Prasad | support@instakyc.in | +91 9090686975