Subhlakshmi Finance, an RBI-registered NBFC, did the same thing - separately, and to roughly 190 people. A recovery email went out with all the borrowers' addresses exposed in the CC field, a second mass disclosure of the same kind.
Two breaches, one pattern
Putting every recipient in CC rather than Bcc means each borrower learns the identity of the others. Under the Digital Personal Data Protection Act, 2023, that is a breach. That two separate RBI-registered NBFCs sent emails of this kind points to a pattern in how some of these lenders treat borrower data - and to a right borrowers can enforce.
Know your rights as a borrower
The lenders in these reports are RBI-registered NBFCs, which means the Reserve Bank of India's Fair Practices Code binds them. Under it, recovery agents may not call before 8 am or after 7 pm; they may not contact your employer, family or references to pressure you; abuse and threats are prohibited; the all-in interest rate (APR) must be disclosed up front in the Key Facts Statement; and recovery may happen only by lawful means. The Government of India has blocked more than 600 predatory digital-lending apps and the RBI has issued repeated advisories - but the entities named here are registered, regulated companies, which makes their own paperwork the story.
How to report a loan app: the official channels
You do not need to pay anyone to be heard. Report a lender to RBI Sachet (sachet.rbi.org.in), and if a regulated entity does not resolve your complaint within 30 days, escalate to the RBI Ombudsman through the Complaint Management System. For threats, harassment or data misuse, file at the National Cyber Crime portal (cybercrime.gov.in) or call the helpline 1930. You may also file a consumer complaint. Keep every screenshot, email and call log - that record is your evidence.
Frequently asked questions
Is Subhlakshmi Finance a registered lender?
Yes, Subhlakshmi Finance is an RBI-registered NBFC. Registration makes the lending legal, but it does not license exposing roughly 190 borrowers' addresses in one email - that is a breach under the Digital Personal Data Protection Act, 2023, which you can report.
Can a loan app call my office or family?
No. Under the RBI Fair Practices Code, recovery agents may not contact your employer, family or references to pressure you, may not call before 8 am or after 7 pm, and may not use abuse or threats. Approaching your workplace or contacts to shame you over a loan falls outside lawful recovery, whatever an app's agreement says.
How do I report a loan app to the RBI?
Start at RBI Sachet (sachet.rbi.org.in). If the NBFC does not resolve your complaint within 30 days, escalate to the RBI Ombudsman through the Complaint Management System. For threats or data misuse, use the National Cyber Crime portal (cybercrime.gov.in) or call 1930, and keep all screenshots and statements.
Source
Lenders' own Key Facts Statements, agreements and recovery emails; RBI Register of NBFCs; documented borrower complaints