Privacy Policy

Last updated: 27 May 2026

This Privacy Policy explains how Lend’L (“we”, “our”, “us”) collects, uses, stores, shares and protects your personal data when you visit golendl.com, use our camera rental services or interact with our team. It is published in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 together with the rules made thereunder.

Reading time: about 8 minutes. If you only have 30 seconds: we collect what is necessary to rent you cameras, verify your identity, deliver and maintain the equipment, bill you, and meet our legal obligations. We do not sell your data. You can contact our Grievance Officer at any time using the details in section 14.

1. Who we are

For the purposes of the DPDP Act, Lend’L is the Data Fiduciary responsible for the personal data described in this policy. Where this policy refers to “you”, you are the Data Principal.

Business contact:

2. Personal data we collect

We collect the following categories of personal data. Where data is required by law, we say so; everything else is optional and we explain the consequence of not providing it.

  • Identification & contact data — full name, email address, mobile number, billing and delivery address, business name (where applicable). Collected at registration, checkout and KYC.
  • KYC documents (sensitive) — government-issued identifiers such as Aadhaar (masked / VID where possible), PAN, passport or driving licence. Collected before activation of a rental agreement, in line with the Lending Agreement and applicable anti-fraud requirements.
  • Payment data — processed by PCI-DSS compliant third-party gateways (Razorpay, UPI). We retain only the payment reference, last 4 digits / VPA, and amount. We do not store full card numbers or bank credentials.
  • Rental & subscription data — equipment rented, plan, lock-in period, retention period, deposit, return condition, billing history, in-app actions.
  • Camera footage — video recorded by cameras you rent from us, stored in the Lend’L cloud platform under the retention period configured by you. You are responsible for any further processing of this footage. See section 6 for details.
  • Device & usage data — IP address, browser and device identifiers, pages visited, referral source, server logs, support-chat transcripts.
  • Cookies & similar technologies — see section 11.

Some data categories above are treated as sensitive personal data (notably KYC documents and camera footage). They receive the additional protections described in section 6.

3. Lawful basis for processing

Under DPDP Act § 7, we process personal data either on the basis of your consent or for “certain legitimate uses” permitted by the Act. The table below sets out what we rely on for each purpose:

  • Account registration & service delivery (rental orders, deliveries, support, app login) — Consent (DPDP § 6) and performance of the rental contract.
  • KYC & identity verificationCompliance with law and risk management (DPDP § 7(b) & 7(c)) and as a necessary safeguard for entering into a rental agreement.
  • Payments and invoicing — performance of contract; statutory record-keeping (GST, Income Tax Act).
  • Customer support, disputes & legal claims — legitimate use under DPDP § 7(g) (compliance with judgment or court order, exercising legal claims).
  • Marketing communicationsConsent only, opt-out at any time via the unsubscribe link or by emailing the Grievance Officer.
  • Analytics and product improvementConsent for non-essential cookies; aggregated and pseudonymised wherever possible.
  • Fraud prevention, network & information security — legitimate use under DPDP § 7(g).

You can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, and some services (e.g. an active rental agreement) cannot continue without certain categories of data.

4. How we use your personal data

  • Register your account and authenticate logins.
  • Verify identity and execute the rental agreement.
  • Schedule, deliver, install, maintain, repair and recover the rented equipment.
  • Provide the Lend’L cloud platform for accessing camera footage.
  • Send transactional communications (order confirmations, invoices, service updates, support).
  • Send marketing communications, only with your consent and only until you opt out.
  • Detect, prevent and investigate fraud, abuse and security incidents.
  • Comply with applicable laws and respond to lawful requests from authorities.
  • Improve our website, app and services using anonymised or aggregated analytics.

5. Sharing & disclosure

We do not sell your personal data. We share it only with the following categories of recipients, and only to the extent necessary:

  • Service providers (Data Processors) — payment gateways, cloud hosting, identity verification, logistics, customer support and analytics tools. Each is bound by a written agreement requiring confidentiality, security and processing only on our instructions.
  • Authorities & law enforcement — where required by an order of a court, tribunal or competent authority, or to comply with applicable law.
  • Professional advisers — lawyers, auditors and accountants under duties of confidentiality.
  • Successors in interest — in connection with a merger, acquisition, financing or sale of business, subject to equivalent protections.

6. Special categories: KYC documents & camera footage

These categories receive additional safeguards:

  • Encryption — in transit (TLS 1.2+) and at rest (AES-256).
  • Access controls — role-based access, least-privilege principles, and audit logs for every read/write operation on KYC documents and footage.
  • Aadhaar handling — we accept masked Aadhaar / Virtual ID where possible and avoid storing the full 12-digit Aadhaar number unless strictly necessary, in line with UIDAI guidelines.
  • Camera footage — you own and control footage from cameras you rent. Lend’L acts as a Data Processor for that footage on your behalf. We do not view or share footage except to provide the service, troubleshoot a reported issue with your consent, or as required by law.
  • Children — under DPDP § 9, we do not knowingly process personal data of children under 18 without verifiable parental consent, and we do not undertake tracking, behavioural monitoring or targeted advertising directed at children.

7. Data hosting and cross-border transfers

Our cloud infrastructure currently runs in a data centre in Tokyo, Japan. We are in the process of migrating primary hosting to a data centre in Chennai, India during 2026; once complete, all production personal data will be primarily stored within India. Encrypted backups may be retained in a secondary region outside India for disaster-recovery purposes.

The Central Government has, as of the “Last updated” date of this policy, not notified any country to which transfer of personal data is restricted under DPDP § 16. We will update this section if the position changes.

Where we transfer personal data outside India, we put in place safeguards that include encryption, contractual obligations on the recipient, and (where applicable) standard contractual clauses or equivalent commitments.

8. Data retention

  • Account data — while your account is active and for up to 18 months after closure, unless a longer period is required by law.
  • KYC documents — minimum 5 years from end of the rental relationship, as required by Indian anti-money-laundering and consumer credit norms; longer if a dispute or investigation is open.
  • Financial records (invoices, GST) — minimum 8 years, as required under the GST Act and Income Tax Act.
  • Camera footage — according to the retention period you configure (default 7 days). Older footage is permanently deleted on a rolling basis.
  • Server logs & security events — up to 12 months.
  • Marketing data — until you opt out, plus a short suppression record so we do not re-contact you.

After the applicable retention period, data is securely deleted or anonymised.

9. Your rights as a Data Principal

Under the DPDP Act, you have the following rights:

  • Right to information (DPDP § 11) — to know what personal data we hold about you and how it is being processed.
  • Right to correction and erasure (DPDP § 12) — to ask us to correct, complete, update or erase your personal data, subject to legal retention requirements.
  • Right to grievance redressal (DPDP § 13) — to raise a grievance with our Grievance Officer (see section 14). If you are not satisfied with our response, you may approach the Data Protection Board of India.
  • Right to nominate (DPDP § 14) — to nominate another individual who can exercise your rights in the event of your death or incapacity.
  • Right to withdraw consent — with the same ease with which it was given. Some services may stop working as a result.

To exercise any of these rights, email privacy@golendl.com. We will verify your identity before acting on the request and respond within 30 days, or sooner where required by law.

10. Security

We implement reasonable security practices and procedures including, at a minimum:

  • TLS 1.2+ encryption in transit and AES-256 encryption at rest.
  • Role-based access control, multi-factor authentication for administrators, and audit logging.
  • Network segmentation, intrusion detection, vulnerability scanning and periodic penetration testing.
  • Documented incident response and breach notification procedures consistent with DPDP § 8(6) and the CERT-In Directions, 2022.
  • SOC 2 Type II audit currently in progress.

No online transmission or storage system is completely secure. We will notify you and the Data Protection Board promptly in the event of a personal data breach affecting your data, as required by law.

11. Cookies and similar technologies

We use cookies and similar technologies to:

  • Strictly necessary cookies — login, security, shopping cart. These cannot be switched off.
  • Performance & analytics cookies — aggregated usage statistics to improve the site. Loaded only with your consent.
  • Functional cookies — remember your preferences (language, region).
  • Marketing cookies — only with your consent, only to measure campaign effectiveness; we do not run third-party behavioural advertising on our site.

You can manage cookie preferences via your browser settings or our cookie banner. Disabling some cookies may affect site functionality.

12. International users — EU / UK

Lend’L is an India-based service. We do not currently target or actively market the service in the European Union or the United Kingdom. If you are visiting our website from the EU/UK, we will rely on the lawful bases described in section 3 and treat any rights request you make in good faith.

If and when we expand our service to the EU/UK, we will update this policy to address the additional requirements of the EU General Data Protection Regulation (GDPR) and the UK GDPR — including identifying lawful bases under GDPR Art. 6, appointing an EU/UK representative where required, and using approved transfer mechanisms (Standard Contractual Clauses or equivalent) for any cross-border transfer.

13. Children

Our service is intended for businesses and adults. We do not knowingly collect personal data from children under 18 without verifiable parental consent. If you believe a child has provided personal data to us, contact the Grievance Officer and we will delete it.

14. Grievance Officer

In accordance with DPDP Act § 10 and IT Rules 2011, our Grievance Officer is:

  • Grievance Officer, Lend’L
  • Email: privacy@golendl.com
  • Response time: we acknowledge complaints within 48 hours and provide a substantive response within 30 days.

If your concern remains unresolved, you may escalate to the Data Protection Board of India once it is operational, or pursue remedies available under applicable law.

15. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email and/or a prominent notice on our website at least 7 days before they take effect. The “Last updated” date at the top of this policy will always reflect the latest version.

16. Contact us