Consent & Compliance
Understand consent requirements, valid reason codes, and regulatory compliance when using Deepvue's identity verification APIs.
Overview
Deepvue APIs that access personal data require explicit user consent before processing. This is mandated by Indian data protection regulations and the terms of upstream government data sources. Every API call that retrieves or verifies personal information must include consent parameters.
Consent parameters
Most Deepvue verification endpoints require two parameters:
- consent: Must be set to Y to indicate that the end user has provided explicit consent for this verification. Requests where consent is missing or set to any other value will be rejected.
- reason: A short string indicating the purpose of the verification. This value is logged for audit purposes.
Accepted reason values
| Reason | Use case |
|---|---|
| KYC | Know Your Customer — identity verification during onboarding |
| KYB | Know Your Business — business entity verification |
| Credit Check | Evaluating creditworthiness for lending decisions |
| Employment Verification | Verifying employment history for hiring or lending |
| Background Check | Pre-employment or pre-lending background screening |
Always pass the actual reason for the verification. Using incorrect or generic reason codes may result in account suspension.
What you must do
Collect consent before calling the API
Obtain explicit, informed consent from the individual whose data is being verified before making the API call. This means:
- Clearly inform the user what data will be accessed
- Explain the purpose of the verification
- Obtain an affirmative action (checkbox, button click, signed form)
- Record the timestamp and method of consent collection
Pass consent parameters in every request
Include consent=Y and the appropriate reason value in every API request that accesses personal data.
```bash
curl -X GET "https://production.deepvue.tech/v1/verification/panbasic?pan_number=AXXPX1234X&consent=Y&reason=KYC" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "x-api-key: YOUR_CLIENT_SECRET"
```
Maintain consent records
Store proof of consent for each verification request, including:
- Who gave consent (user identifier)
- When consent was given (timestamp)
- What they consented to (data type and purpose)
- The Deepvue transaction_id from the API response
Retain consent records for the duration required by your applicable regulations, for example, typically a minimum of 5 years for financial services.
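The three steps above can be enforced in client code so that no request is built without recorded consent. This is an added example, not Deepvue's own code: `ConsentRecord`, `build_pan_basic_url` and `audit_entry` are hypothetical names, the sample values are constructed, and `transaction_id` is assumed to be a top-level key of the response.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import quote, urlencode

# Endpoint and reason values as shown on this page.
PAN_BASIC_URL = "https://production.deepvue.tech/v1/verification/panbasic"
ACCEPTED_REASONS = {"KYC", "KYB", "Credit Check",
                    "Employment Verification", "Background Check"}

class ConsentError(Exception):
    """Raised when a request would go out without valid recorded consent."""

@dataclass(frozen=True)
class ConsentRecord:          # hypothetical local record, not a Deepvue type
    user_id: str              # who gave consent
    given_at: datetime        # when consent was given (timezone-aware)
    method: str               # how: "checkbox", "button", "signed form"
    data_type: str            # what they consented to
    reason: str               # purpose, one of ACCEPTED_REASONS

def build_pan_basic_url(pan_number: str, consent: Optional[ConsentRecord]) -> str:
    """Build the request URL only if consent is on record for this purpose."""
    if consent is None:
        raise ConsentError("no consent on record; do not call the API")
    if consent.reason not in ACCEPTED_REASONS:
        raise ConsentError(f"reason {consent.reason!r} is not an accepted value")
    if consent.given_at.tzinfo is None:
        raise ConsentError("consent timestamp must be timezone-aware")
    params = {"pan_number": pan_number, "consent": "Y", "reason": consent.reason}
    return PAN_BASIC_URL + "?" + urlencode(params, quote_via=quote)

def audit_entry(consent: ConsentRecord, response: dict) -> dict:
    """Link the stored proof of consent to the verification it authorised."""
    txn = response.get("transaction_id")  # assumed to be a top-level key
    if not txn:
        raise ConsentError("response carries no transaction_id to record")
    return {"user_id": consent.user_id,
            "consented_at": consent.given_at.isoformat(),
            "method": consent.method,
            "data_type": consent.data_type,
            "reason": consent.reason,
            "transaction_id": txn}

# Constructed sample values.
SAMPLE = ConsentRecord("user-123", datetime(2024, 1, 5, 10, 30, tzinfo=timezone.utc),
                       "checkbox", "PAN", "KYC")
```

The audit entry stores the data type and purpose rather than the PAN itself, so the consent log does not become a second copy of the personal data.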
Regulatory context
Deepvue's consent requirements align with the following Indian regulations:
| Regulation | Relevance |
|---|---|
| Digital Personal Data Protection Act, 2023 (DPDPA) | Requires explicit consent before processing personal data, with clear purpose limitation |
| RBI KYC Master Direction | Mandates customer consent for identity verification in regulated financial services |
| UIDAI Aadhaar Regulations | Requires informed consent before Aadhaar-based authentication or eKYC |
| IT Act, 2000 (Section 43A) | Requires reasonable security practices when handling sensitive personal data |
Data handling guidelines
- Purpose limitation — Only use verification data for the stated purpose. Do not repurpose KYC data for marketing or unrelated activities.
- Data minimization — Only request the data fields you actually need. If you only need to verify a PAN number's validity, use PAN Basic instead of PAN Plus.
- Storage security — Encrypt personal data at rest and in transit. Restrict access to verification results on a need-to-know basis.
- Retention limits — Do not retain personal data longer than necessary for the stated purpose, unless required by regulation.
- Aadhaar data restrictions — Aadhaar numbers and eKYC data have specific storage restrictions under UIDAI guidelines. Mask or redact Aadhaar numbers after verification using the Aadhaar Masking API.
Compliance checklist
Use this checklist to ensure your integration meets compliance requirements before going live:
- Consent collection UI implemented with clear language
- consent and reason parameters included in all API calls
- Consent records stored with timestamps and user identifiers
- Personal data encrypted at rest and in transit
- Data retention policy defined and enforced
- Aadhaar numbers masked in storage and logs
- Access controls in place for verification data
- Audit trail maintained for all verification requests
Need help with compliance for your specific use case? Contact support@deepvue.tech for guidance on regulatory requirements.