AltScore — Privacy & DPDP Compliance

01 —

Privacy Design Principles

AltScore processes personal data about retailers — small business owners who have never engaged with a formal data processor before. The platform's legitimacy depends on being worthy of their trust. Privacy is not a legal checkbox; it is a product value.

Every retailer whose data AltScore processes is a person, not a data point. They have a right to know what we hold, why we hold it, and to stop us holding it. The platform is designed so that exercising any of these rights is a simple, dignified experience — not an obstacle course.

PRIVACY DESIGN PRINCIPLE — ALTSCORE

Principle 01

Privacy by Design

Privacy controls are built into the data architecture, not bolted on afterward. Pseudonymization, data minimization, and consent gating are enforced at the infrastructure layer — a developer cannot bypass them even if they try.

Principle 02

Purpose Limitation

Data collected for credit scoring cannot be used for any other purpose — marketing, profiling, product recommendations — without a new, explicit consent. Purpose is fixed at collection time and verified on every processing event.

Principle 03

Data Minimization

We collect only what we need to compute the credit score. The ERP extraction scope is contractually fixed. Fields outside the defined scope are technically blocked from extraction, not just policy-excluded.

Principle 04

Consent is Real

Consent is informed, specific, and freely given. Retailers are not forced to consent as a condition of using a service they depend on. Refusal of consent has no commercial consequence managed by AltScore.

Principle 05

Accessible Rights

The right to access, correct, port, and erase personal data is available via the same WhatsApp channel used for consent — no app download, no portal login, no paper form required.

Principle 06

Accountability

A named Data Protection Officer (DPO) is accountable for DPDP Act compliance. Every data processing activity is documented. The Records of Processing Activities (ROPA) is reviewed quarterly and filed with the DPO.

02 —

Personal Data Inventory & Classification

All personal data processed by AltScore is classified into four tiers. Classification determines storage controls, access restrictions, retention periods, and subject rights applicability.

Class 1 — Highly Sensitive Personal Data

Maximum protection required · Pseudonymized before any processing

Retailer GST number (business identity, links to tax records)
Retailer mobile phone number
Shop address (geolocation-precise)
Distributor bank account details (excluded from extraction but present in ERP)

Class 2 — Sensitive Business Data

Encrypted at rest · Role-gated access · Aggregated in outputs

Invoice values and payment amounts
Payment delay history (individual transaction level)
SKU-level purchase data (reveals business strategy)
Credit terms agreed with distributor
AltScore value and risk band (directly affects creditworthiness)
Probability of Default estimate

Class 3 — Business Operational Data

Standard encryption · Limited access · Retained per policy

Retailer shop name and trade category
Distributor name and region
Order frequency patterns (aggregated monthly)
Behavioral feature values (40+ computed signals)
SHAP reason codes (categorical, not raw values)

Class 4 — System & Audit Data

Standard controls · Audit-grade retention · Read-only to most roles

Consent records (grant, revocation, scope)
API access logs (lender_id, timestamp, response band)
ERP ingestion metadata (batch_id, record_count)
Model version stamps on score outputs
Grievance records

Data Flow Map

Data Flow	From	To	Personal Data Involved	Legal Basis	Consent Required
ERP → AltScore Bronze Lake	Distributor ERP (Tally / SAP B1)	AltScore S3/ADLS Bronze	Retailer GST, phone, invoice history, payment data	Legitimate interest (distributor) + retailer consent	Yes — retailer consent gating
Bronze → Silver Feature Pipeline	Bronze Lake (raw data)	Silver Feature Store (pseudonymized)	UUID-referenced behavioral aggregates only; no PII	Same consent as collection	No new consent — covered by original
Silver → Gold Score Store	Feature Store	Score Store (PostgreSQL)	UUID, score, PD estimate, reason codes, credit limit	Same consent as collection	No new consent — covered by original
Score API → NBFC Lender	Score Store via API	NBFC credit system	Score, risk band, reason codes, recommended limit	Retailer consent (lender named in consent scope)	Yes — lender must be named in consent
WhatsApp → Consent Store	Retailer (via WhatsApp)	Consent records database	Phone number, consent decision, timestamp	N/A — this IS the consent collection event	N/A — this is the consent
AltScore → Distributor Dashboard	Feature Store + Score Store	Distributor web portal	Retailer risk banding (aggregated view of own network only)	Data partnership agreement	Covered by data partnership agreement terms

03 —

Data Controller & Processor Roles

The DPDP Act 2023 creates distinct obligations for Data Fiduciaries (controllers) and Data Processors. AltScore operates in different roles depending on the data flow — this must be clearly defined for both regulatory compliance and contractual clarity.

ALTSCORE AS DATA FIDUCIARY

For Retailer Personal Data

AltScore determines the purpose and means of processing retailer personal data. AltScore is the Data Fiduciary for all retailer data processed through the platform — regardless of the fact that data originates from the distributor's ERP.

Obligations: consent, purpose limitation, accuracy, storage limitation, data subject rights, breach notification.

ALTSCORE AS DATA PROCESSOR

For Distributor Business Data

The distributor's ERP data (their own business records, retailer relationships, commercial terms) is the distributor's data. AltScore processes it on the distributor's behalf under the data partnership agreement.

Obligations: process only as instructed, implement appropriate security, assist with data subject requests, deletion on termination.

Third-Party Data Sharing — Role Summary

Party	Role vis-à-vis AltScore	Data Shared	Legal Instrument	Sub-processor Agreement
Distributor	Data Provider + AltScore is processor of their business data; distributor facilitates retailer data collection	ERP transaction data, retailer master	Data Partnership Agreement (DPA)	N/A — distributor is data provider, not processor
NBFC Lender	Authorized data recipient — receives scores within consent scope	Score, risk band, reason codes, credit limit	Lender API Agreement + Data Sharing Schedule	NBFC signs as independent fiduciary for their credit decisions
Cloud Provider (AWS/Azure)	Sub-processor — provides infrastructure	All data at rest and in transit on their infrastructure	Cloud Provider DPA (AWS DPA / Microsoft DPA)	Yes — standard cloud provider DPA executed
WhatsApp (Meta)	Communication channel only — no data storage by Meta permitted beyond message delivery	Consent message content, phone number routing	WhatsApp Business API terms + DPA	WhatsApp Business API DPA reviewed by legal

04 —

Consent Lifecycle

Under the DPDP Act 2023, consent must be: free, specific, informed, unconditional, and unambiguous. AltScore's consent design is built around these five requirements — not just the letter of the law, but the spirit.

Consent Journey — WhatsApp First

Step 1 — Invite

Distributor introduces AltScore to retailer. Distributor sends a first message via their own channel: "I'm sharing data about our relationship with AltScore to help you get a working capital loan. They'll contact you to ask your permission." This framing ensures the consent request arrives with a trusted reference.

Step 2 — Notice

AltScore sends consent notice via WhatsApp in retailer's preferred language. The notice includes: (a) what data will be processed — specifically, their purchase and payment history with their distributor; (b) why — to compute a credit score for loan applications; (c) who will see the score — named NBFC partner(s); (d) for how long — 12 months, renewable; (e) their rights — access, correction, erasure, portability, and how to exercise them (reply "RIGHTS" to this message); (f) what happens if they say no — nothing, they continue as normal, no loss of distributor relationship.

Step 3 — Decision

Retailer replies with a clear, unambiguous affirmative. Accepted responses: "Yes", "Haan", "OK", or pressing a pre-built WhatsApp Quick Reply button. Any ambiguous response is treated as non-consent. Silence is treated as non-consent. Retailers can take as long as they need — no expiring consent request windows.

Step 4 — Record

Consent record created and cryptographically signed. Fields: retailer_id (phone hash + GST), distributor_id, consent_scope (list of named lenders), language, channel, timestamp (ISO 8601 UTC), consent_text_version, digital_signature (ECDSA P-256). Record is immutable — no updates, only new records (revocations create a new record of type "revocation"). Stored with 7-year retention.

Step 5 — Confirmation

Retailer receives confirmation and a summary of their rights. WhatsApp message: "You've given your permission. We'll use your purchase history with [Distributor Name] to create a credit score. To see your data, change your mind, or ask questions, reply 'RIGHTS' or call [number]." This message is retained as part of the consent evidence chain.

Consent Revocation

How to Revoke

Multiple Revocation Channels

Reply "STOP" or "Nahi" to any AltScore WhatsApp message
Call the AltScore consent helpline (IVR option 1)
Via distributor (distributor can revoke on retailer's behalf with authorization)
Via AltScore's web consent portal (if retailer has portal access)

What Happens on Revocation

Immediate Effect — Prospective Only

Data processing halted within 1 hour of revocation
Score queries return "CONSENT_REVOKED" for that retailer
Existing scores invalidated in score store
Lender notified of revocation within 24 hours
Historical data retained per retention schedule (required for audit); not used for new scores
Revocation does not affect the retailer's relationship with the distributor

Consent Scope Management

Scenario	Consent Requirement	Process
New lender added to AltScore platform	New consent required from each retailer before their score is shared with the new lender	New consent notice sent via WhatsApp; separate consent record per lender
Existing lender changes name (merger/acquisition)	Legal review: if same regulatory entity, existing consent survives; if new entity, new consent required	Legal sign-off required; DPO decision documented
New data field added to extraction scope	Material scope expansion requires new consent — existing consent is invalidated for the new field	New consent notice with updated data scope; prior consent records amended to reflect scope version
Processing purpose expanded (e.g., insurance underwriting)	New purpose requires new consent — existing consent is purpose-limited to credit scoring	New consent flow launched for new purpose; strictly separated from credit scoring consent

05 —

Data Minimization & Purpose Limitation

The test for every field in the AltScore data pipeline is: "Can we compute the credit score without this field?" If the answer is yes, we do not collect it. If the answer changes over time, we revisit the collection scope — not the data minimization principle.

DATA MINIMIZATION TEST — ALTSCORE

Minimization by Layer

Layer	Data Held	Minimization Applied	Justification for Retention
Bronze (Raw)	Raw ERP extract: retailer GST, phone, invoice records, payment records	Fields outside defined extraction scope blocked at connector level; bank account numbers never extracted	Audit lineage requires traceable source records; immutable for 2 years active, then cold archive for 5 additional years
Silver (Features)	40+ computed behavioral signals, indexed by UUID (no PII)	PII replaced with UUID before feature computation; invoice-level records aggregated to monthly/quarterly summaries; individual invoice amounts not retained in Silver	Feature computation requires aggregated signals; raw invoice amounts not needed at this layer
Gold (Scores)	UUID, score value, risk band, PD estimate, reason codes, credit limit, model_version, generated_at	No PII in score store; reason codes are categorical labels, not raw feature values; exact numeric feature values not stored	Score history needed for: lender portfolio monitoring, model validation, grievance resolution
API Response	Score, risk band, PD, credit limit, reason codes, data_freshness_days	Exact feature values never returned; only categorical reason codes; lender receives only what they need for underwriting decision	Lender requires score and limit for credit decision; no additional fields served without documented use case

Purpose Limitation Controls

Permitted Purpose

Credit Scoring Only

Retailer behavioral data may only be used to compute and serve the AltScore credit intelligence product. No other use permitted without new consent.

Prohibited Uses

Explicitly Forbidden

Marketing or advertising targeting
Retailer behavioral profiling for brands/OEMs
Resale or licensing of raw distributor data
Insurance underwriting (without separate consent)
Employee background checks
Any processing not stated in the consent notice

Technical Enforcement

Not Just Policy

Purpose tag on every data access event logged
Data warehouse access requires purpose justification in ticket
API scope prevents purpose drift at API layer
Quarterly purpose compliance audit by DPO

06 —

Data Retention & Deletion Policy

Data Type	Active Retention	Archive Retention	Deletion Trigger	Deletion Method
Raw ERP Data (Bronze)	2 years from ingestion	5 additional years (cold storage, encrypted)	7 years from ingestion OR consent revocation + end of legal hold period	Cryptographic erasure (CMK deletion renders data unreadable)
Behavioral Features (Silver)	Duration of active consent + 6 months	3 years (anonymized aggregate only)	Consent revocation (pseudonymized features retained for model validation in anonymized form)	UUID mapping deleted → features become orphaned and non-re-identifiable
Score Records (Gold)	Duration of active consent + 12 months	5 years (for lender audit purposes)	Retailer erasure request + end of lender regulatory hold	Record soft-deleted from active tables; archived with access controls; hard deletion at end of archive period
Consent Records	7 years from last action (grant/revocation)	Indefinite (regulatory obligation)	No deletion — consent records are audit evidence	N/A — consent records are never deleted
API Access Logs	2 years active	5 additional years	7 years from generation	Automated log lifecycle policy (S3 Lifecycle / ADLS Lifecycle)
Grievance Records	7 years from closure	N/A	7 years from closure	Soft deletion with DPO sign-off
WhatsApp Consent Messages	Metadata retained 7 years; message content not stored on AltScore systems beyond confirmation receipt	N/A	7 years for metadata	WhatsApp message content deleted on delivery; AltScore retains only consent_decision and timestamp

Deletion Workflow

Standard Deletion (Consent Revocation)

Automated + Verified

Processing lock applied within 1 hour (automated)
Deletion ticket created in data ops queue
Bronze CMK scheduled for deletion at end of retention period
UUID mapping removed → Silver features orphaned
Score records moved to archive partition
Deletion confirmed to retailer in writing within 30 days

Erasure Request (Right to Erasure)

DPO-Supervised

Request received via WhatsApp / helpline / portal
Identity verification (GST + OTP)
DPO reviews for legal hold obligations (active loan → lender notified; hold until loan closure)
Deletion executed on confirmed scope
Written confirmation to retailer within 30 days
Deletion record retained for 7 years (paradoxically — deletion proof is an audit obligation)

07 —

Data Subject Rights

Under the DPDP Act 2023, Data Principals (retailers) have the following rights. AltScore's obligation is to make these rights practical for a small retailer in Tier-3 India — not just legally available.

Right	What It Means for AltScore	How Retailer Exercises It	AltScore SLA	Exceptions
Right to Information	Retailer can ask what data AltScore holds about them, why, and who has seen it	Reply "RIGHTS" to any AltScore WhatsApp message; automated response with data summary	Automated response within 24 hours; detailed report within 15 days	None
Right to Correction	Retailer can request correction of inaccurate personal data (e.g., wrong phone number in system)	Reply "CORRECT" with details; data ops team reviews and corrects within 15 days	15 days from verified request	Immutable audit records cannot be "corrected" — a new correction record is added
Right to Erasure	Retailer can request deletion of all personal data. Subject to active loan holds and audit obligations.	Reply "DELETE" to AltScore; DPO-supervised deletion process	Confirmation within 30 days; deletion within 30 days of confirmation	Active loan: data held until loan closure + 5 years. Legal hold. Consent records never deleted.
Right to Portability	Retailer can request a machine-readable export of all their data	Reply "EXPORT" to AltScore; JSON export delivered securely within 15 days	15 days from verified request	Model weights and internal decision logic not included (trade secret)
Right to Nominate	Retailer can nominate a person to exercise rights on their behalf (e.g., spouse, business partner)	Submit nomination via helpline; verified by OTP to retailer's registered phone	Nomination processed within 7 days	Nominator must verify identity; retailer's own OTP required to authorize nomination
Right to Withdraw Consent	Retailer can revoke consent at any time, without consequence	Reply "STOP" to any AltScore message; call helpline; web portal	Processing locked within 1 hour; full revocation within 24 hours	Revocation is prospective — does not undo processing already completed
Right to Grievance Redressal	Retailer can file a complaint about their score or data handling; right of escalation to DPO and then Data Protection Board	Via WhatsApp grievance flow; or directly to DPO at dpo@altscore.in	Acknowledgement within 24 hours; resolution within 7 days; escalation to DPO at Day 7	If unsatisfied with DPO decision, retailer can escalate to Data Protection Board

08 —

DPDP Act 2023 — Compliance Map

Mapping of every material DPDP Act 2023 provision to AltScore's implementation approach. This mapping is reviewed quarterly by the DPO and updated as the Act's rules are notified by the Central Government.

DPDP Act Section	Provision	AltScore Implementation	Status
Section 4	Grounds for processing personal data — consent required for non-exempt purposes	WhatsApp consent flow with full notice; cryptographically signed consent record; purpose-limited to credit scoring	Implemented
Section 5	Notice — must be provided in English or any language in the Eighth Schedule	Consent notice available in English, Hindi, and 8 regional languages; language selected by retailer	Hindi + English live; regional languages Month 3
Section 6	Consent must be free, specific, informed, unconditional, and unambiguous	Separate consent per lender; purpose specific; no pre-ticked boxes; no bundling with distributor relationship	Implemented by design
Section 8(1)	Data Fiduciary must ensure accuracy and completeness of personal data	Data quality dashboard flags inaccuracies; correction right via WhatsApp; ERP anomaly detection	Implemented
Section 8(7)	Retain personal data only for as long as necessary	Automated retention schedule with CMK deletion; per-layer retention policy documented above	Policy defined; automated enforcement Month 2
Section 9	Processing of personal data of children — additional restrictions	Retailers are businesses (B2B); individual consumer data not processed; age verification not applicable to GST-registered entities	Out of scope by product design
Section 11	Right to information about processing	"RIGHTS" WhatsApp command; automated data summary; detailed report within 15 days	Automated summary live; detailed report Month 2
Section 12	Right to correction and erasure	WhatsApp "CORRECT" and "DELETE" commands; DPO-supervised deletion workflow; 30-day SLA	Workflow designed; implementation Month 2
Section 13	Right to grievance redressal	WhatsApp grievance flow; DPO escalation; Data Protection Board escalation path	Implemented
Section 17	Significant Data Fiduciary — additional obligations if designated	Monitor regulatory notification; DPO and DPIA obligations pre-implemented as a matter of best practice regardless of designation	Monitoring — designation criteria TBD by Government
Section 40	Penalties — up to ₹250 crore per breach of consent / purpose limitation obligations	Legal risk mapped; compliance program proportionate to penalty exposure; DPO accountable	High-priority compliance — DPO appointed Month 1

09 —

Data Breach Response

The DPDP Act 2023 requires notification to the Data Protection Board and affected Data Principals "as soon as possible" and "in such form and manner as may be prescribed." Until rules are notified, AltScore adopts the 72-hour standard used in GDPR as a conservative baseline.

What Constitutes a Breach

Personal Data Breach Definition

Unauthorized access to retailer PII (GST, phone, address)
Unauthorized disclosure of AltScore values or PD estimates to a party outside consent scope
Loss of encrypted data where key compromise is confirmed or suspected
Accidental exposure of retailer data to a different lender's environment
Ransomware affecting systems that hold personal data (even if encrypted data not confirmed accessed)

What Does NOT Constitute a Breach

Exclusions

Loss of anonymized aggregate data (no re-identification risk)
Service outage that does not expose data (availability incident, not breach)
Internal access by authorized personnel acting within RBAC scope
ERP schema drift causing data quarantine (no exposure event)

Breach Notification Content (Pre-approved Template)

Recipient	Channel	SLA	Required Content
Data Protection Board	Official Board portal / registered email	Within 72 hours of breach confirmation	Nature of breach, categories of data, approx. number of data principals affected, likely consequences, measures taken
Affected Retailers	WhatsApp (primary); SMS fallback	Within 72 hours of Board notification	What happened (simple language), what data was involved, what we are doing, what they should do, DPO contact
Affected NBFC Lenders	Email to NBFC CISO + Legal	Within 24 hours of breach confirmation	Scope of breach relevant to their data, actions taken, next update timeline
Affected Distributors	Email to distributor contact	Within 24 hours of breach confirmation	Whether their data is in scope, what AltScore is doing, contact for questions

10 —

Vendor & Third-Party Data Management

Every vendor that touches AltScore personal data must be assessed, contracted, and monitored. The DPO maintains a Vendor Risk Register reviewed quarterly.

Vendor Assessment Criteria

Before Onboarding

Due Diligence

Security questionnaire (based on CSA CAIQ)
Privacy policy review by legal
DPA negotiated and signed before data access
Sub-processor list reviewed
Breach notification obligation confirmed in DPA

Contractual Requirements

DPA Minimum Terms

Process only on AltScore documented instructions
Implement appropriate technical and organizational security measures
Notify AltScore of a breach within 24 hours
Assist with data subject rights requests
Delete or return all data on contract termination
No sub-processing without prior written consent

Ongoing Monitoring

Annual Review

Annual vendor security review
Review latest security certifications (SOC 2, ISO 27001)
Check for regulatory enforcement actions against vendor
Verify sub-processor list has not changed without approval
Confirm DPA is still current with any updated processing scope

Current Sub-Processor Registry

Sub-Processor	Role	Data Accessed	Location	DPA Status	Certification
AWS / Azure (primary cloud)	Infrastructure provider — compute, storage, networking	All data at rest and in transit on their infrastructure	India region (ap-south-1 / Central India)	Standard cloud provider DPA — executed	SOC 2, ISO 27001, PCI DSS
WhatsApp Business API (Meta)	Consent and communication channel	Phone number routing; message delivery metadata	Meta global infrastructure	WhatsApp Business API DPA — under legal review	Meta security certifications reviewed annually
MLflow (hosted / self-managed)	ML experiment tracking and model artifact storage	Model artifacts (no personal data in model files)	Same cloud as primary (India region)	N/A — self-managed deployment	N/A — internal deployment
Airflow (self-managed)	Pipeline orchestration	Pipeline metadata — no personal data in Airflow itself	Same cloud (India region)	N/A — self-managed	N/A
SIEM Provider (TBD)	Security monitoring and audit log analysis	Audit log data — contains pseudonymized retailer UUIDs and API access metadata	India region preferred; alternative: EU with adequacy	DPA required before onboarding	SOC 2 Type II required