When Toofan Loan - an app operated by Satisfaction Commercial Pvt Ltd - set out to recover money, it sent a single demand email to roughly 269 borrowers at once. Every recipient's address sat in the To and Cc fields instead of Bcc, so each of those hundreds of borrowers could see all the others.
A data breach, not just an email
Exposing the personal data of hundreds of people this way is a breach under the Digital Personal Data Protection Act, 2023. A borrower's identity, and the fact that they hold a loan, is exactly the kind of personal information the law requires a company to protect - not to broadcast to every other defaulter on its list. This is drawn from the email itself, not an allegation.
Know your rights as a borrower
The lenders in these reports are RBI-registered NBFCs, which means the Reserve Bank of India's Fair Practices Code binds them. Under it, recovery agents may not call before 8 am or after 7 pm; they may not contact your employer, family or references to pressure you; abuse and threats are prohibited; the all-in interest rate (APR) must be disclosed up front in the Key Facts Statement; and recovery may happen only by lawful means. The Government of India has blocked more than 600 predatory digital-lending apps and the RBI has issued repeated advisories - but the entities named here are registered, regulated companies, which makes their own paperwork the story.
How to report a loan app: the official channels
You do not need to pay anyone to be heard. Report a lender to RBI Sachet (sachet.rbi.org.in), and if a regulated entity does not resolve your complaint within 30 days, escalate to the RBI Ombudsman through the Complaint Management System. For threats, harassment or data misuse, file at the National Cyber Crime portal (cybercrime.gov.in) or call the helpline 1930. You may also file a consumer complaint. Keep every screenshot, email and call log - that record is your evidence.
Frequently asked questions
Is what Toofan Loan did legal?
Toofan Loan is operated by Satisfaction Commercial Pvt Ltd. The lending is one thing; exposing roughly 269 borrowers' addresses in a single email is a data-protection failure under the Digital Personal Data Protection Act, 2023. If your address was exposed this way, you can report it as data misuse to the cyber-crime portal and raise it with the RBI.
Can a loan app call my office or family?
No. Under the RBI Fair Practices Code, recovery agents may not contact your employer, family or references to pressure you, may not call before 8 am or after 7 pm, and may not use abuse or threats. Approaching your workplace or contacts to shame you over a loan falls outside lawful recovery, whatever an app's agreement says.
How do I report a loan app to the RBI?
Start at RBI Sachet (sachet.rbi.org.in). If the NBFC does not resolve your complaint within 30 days, escalate to the RBI Ombudsman through the Complaint Management System. For threats or data misuse, use the National Cyber Crime portal (cybercrime.gov.in) or call 1930, and keep all screenshots and statements.
Source
Lenders' own Key Facts Statements, agreements and recovery emails; RBI Register of NBFCs; documented borrower complaints