
Is It Safe to Share Your Aadhaar for App Verification? What You Need to Know

When an app asks you to verify with your Aadhaar, the question isn't whether you should verify at all. It's whether that specific app handles your Aadhaar data safely. The answer depends entirely on how the verification is done. Apps that verify through DigiLocker never see your full Aadhaar number, your address, or your photograph. Apps that ask you to upload a photo of your Aadhaar card are a different story entirely.

Why Apps Ask for Aadhaar Verification

Apps request Aadhaar-based verification for one reason: to confirm that you are a real person with a verifiable government identity. This is used for:

  • Financial services (KYC). Banks, mutual fund platforms, insurance companies, and UPI apps are required by RBI and SEBI regulations to verify customer identity before offering services.
  • Telecom. Mobile operators must verify your identity before issuing a SIM card, as mandated by the Department of Telecommunications.
  • Government services. Portals for tax filing, pension, subsidy disbursement, and scholarship applications use Aadhaar to confirm eligibility and prevent duplicate claims.
  • Communication platforms. Some apps use identity verification to ensure that every user on the platform is a real, accountable individual.

The demand for Aadhaar verification is legitimate and growing. The concern most people have is not about verification itself. It's about what happens to their data once they share it.

The Two Ways Apps Verify Your Aadhaar

This is the most important distinction you need to understand. There are two fundamentally different methods an app can use to verify your Aadhaar, and they have very different safety implications.

Method 1: DigiLocker-Based Verification (Safe)

In this model, the app redirects you to DigiLocker's secure government portal. You log in to DigiLocker with your own credentials. DigiLocker asks you to consent to sharing specific data points with the app. If you consent, DigiLocker sends only the approved data to the app.

What the app receives:

  • Your verified first name (or full name, depending on what was requested)
  • A masked document number (typically last 4 digits only)
  • A verification status (confirmed or not confirmed)

What the app does NOT receive:

  • Your full 12-digit Aadhaar number
  • Your address
  • Your date of birth (unless specifically requested and consented to)
  • Your photograph from the Aadhaar database
  • Your biometric data (fingerprints, iris scans)
  • Your Aadhaar-linked mobile number

The app never sees your DigiLocker login credentials. You authenticate directly with the government's system. The app only receives the data you explicitly authorised, nothing more.

Method 2: Direct Aadhaar Upload (Risky)

Some apps ask you to upload a photograph or scan of your physical Aadhaar card. This is the method you should be cautious about.

When you upload a photo of your Aadhaar card, the app receives everything visible on the card:

  • Your full name
  • Your full 12-digit Aadhaar number
  • Your address
  • Your date of birth
  • Your photograph
  • Your gender

This data is now in the app's database. How it's stored, who has access to it, whether it's encrypted, and how long it's retained are entirely at the discretion of the app developer. If the app is breached, all of this data is exposed.

The rule is simple: if an app asks you to take a photo of your Aadhaar card or upload a scan, it is using the less secure method. If it redirects you to DigiLocker's official portal, it is using the safer method.

What the Law Says About Your Aadhaar Data

India has strong legal protections around Aadhaar data, but many people aren't aware of them.

The Aadhaar Act, 2016

The Aadhaar Act makes it illegal for any private entity to collect, store, or use your Aadhaar number for purposes other than what you consented to. Section 29 specifically prohibits:

  • Publishing, displaying, or posting your Aadhaar number publicly
  • Sharing your Aadhaar number with unauthorised parties
  • Using your Aadhaar number for any purpose not originally consented to

Violations carry penalties of up to 1 crore rupees and imprisonment of up to 3 years.

The Supreme Court Verdict (2018)

The landmark Puttaswamy judgment in 2018 established that Aadhaar cannot be made mandatory by private companies. Private entities can request Aadhaar-based verification, but you always have the right to refuse. However, the judgment also recognised that voluntary, consent-based Aadhaar verification through secure channels is permissible.

The Digital Personal Data Protection Act (DPDPA), 2023

India's comprehensive data protection law adds another layer of protection. Under the DPDPA:

  • Purpose limitation. Apps can only collect data for the specific purpose stated at the time of collection. If an app collects your Aadhaar data for identity verification, it cannot use that data for marketing, profiling, or selling to third parties.
  • Data minimisation. Apps must collect only the minimum data necessary. If an app only needs your name for verification, it should not be collecting your address.
  • Right to erasure. You have the right to request deletion of your personal data at any time. The app must comply within a reasonable timeframe.
  • Breach notification. If your data is breached, the app must notify the Data Protection Board of India and, in many cases, the affected users.

How to Tell if an App's Verification is Safe

Before you verify your Aadhaar with any app, check these five things:

1. Does it Redirect to DigiLocker?

The safest verification method redirects you to the official DigiLocker portal (digilocker.gov.in). You should see DigiLocker's interface, not the app's interface, when entering your credentials. If the app asks you to type your Aadhaar number directly into its own form, that's a red flag.

2. Does it Show You a Consent Screen?

Legitimate DigiLocker integrations display a clear consent screen showing exactly what data the app is requesting. You should be able to see each data point listed and choose to accept or reject. If there's no consent screen, the app may not be using the official API.

3. Does it Ask for More Data Than Necessary?

A chat app that needs to verify you're a real person doesn't need your address or date of birth. A ride-sharing app verifying your driving licence doesn't need your Aadhaar number. If an app is requesting data that seems unrelated to its purpose, question why.

4. Does it Have a Privacy Policy That Addresses Aadhaar?

Check the app's privacy policy for specific mention of how Aadhaar data is handled. Look for:

  • What data is collected during verification
  • How long the data is retained
  • Whether the data is shared with third parties
  • How you can request deletion of your data

If the privacy policy doesn't mention Aadhaar data handling at all, that's a concern.

5. Is the App DPDPA-Compliant?

As DPDPA enforcement approaches (deadline: May 2027), responsible apps are already implementing compliance measures. Look for a clear data protection statement, a named Data Protection Officer or contact, and a mechanism for you to exercise your rights under the DPDPA.

What Happens to Your Data After Verification?

This varies by app, and it's where the real risk lies. After verification, a responsible app should:

  • Store only what it needs. If the app verified your name, it should store your verified name and a confirmation that verification was completed. It should not store your Aadhaar number, address, or other data it doesn't need.
  • Encrypt stored data. Any personal data retained after verification should be encrypted at rest and in transit.
  • Allow deletion. You should be able to delete your account and have all associated verification data purged within a defined timeframe.
  • Not share it. Your verification data should not be shared with third parties, advertisers, or data brokers.

Ask these questions before you verify. If the app's privacy policy doesn't provide clear answers, consider whether the service is worth the data exchange.
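For developers, the "store only what it needs" rule above can be enforced at the point where a verification response is saved. The following is an added example, not AirlockChat's or DigiLocker's code: the field names and the XXXXXXXX1234 mask format are assumptions, and the Verhoeff check (the checksum scheme Aadhaar numbers use) keeps the scanner from flagging arbitrary 12-digit IDs.

```python
import re

# Verhoeff tables: D is the dihedral group D5 multiplication table,
# P holds the position-dependent permutations (period 8).
D = [[(j + k) % 5 if j < 5 and k < 5 else
      5 + (j + k) % 5 if j < 5 else
      5 + (j - k) % 5 if k < 5 else
      (j - k) % 5 for k in range(10)] for j in range(10)]
P = [list(range(10))]
for _ in range(7):
    P.append([P[-1][x] for x in (1, 5, 7, 6, 2, 8, 3, 0, 9, 4)])

def verhoeff_valid(digits: str) -> bool:
    """True if the digit string (check digit last) passes the Verhoeff checksum."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0

# 12 digits, optionally grouped 4-4-4, not embedded in a longer digit run.
AADHAAR_LIKE = re.compile(r"(?<!\d)\d{4}[ -]?\d{4}[ -]?\d{4}(?!\d)")

def contains_full_aadhaar(text: str) -> bool:
    return any(verhoeff_valid(re.sub(r"\D", "", m.group()))
               for m in AADHAAR_LIKE.finditer(text))

# Hypothetical field names for the data the page says may be kept.
ALLOWED = {"first_name", "masked_doc_number", "verified"}

def minimise(response: dict) -> dict:
    """Keep allowlisted fields only; refuse unmasked or full Aadhaar numbers."""
    record = {k: v for k, v in response.items() if k in ALLOWED}
    masked = str(record.get("masked_doc_number", ""))
    if not re.fullmatch(r"[Xx*]*\d{4}", masked):  # also rejects a missing value
        raise ValueError("document number must be masked to its last 4 digits")
    for key, value in record.items():
        if contains_full_aadhaar(str(value)):
            raise ValueError(f"full Aadhaar number found in field {key!r}")
    return record

if __name__ == "__main__":
    # Constructed sample: a response carrying more than the app needs.
    sample = {"first_name": "Asha", "masked_doc_number": "XXXXXXXX1234",
              "verified": True, "address": "constructed address",
              "dob": "1990-01-01"}
    print(minimise(sample))  # address and dob are dropped before storage
```

The same contains_full_aadhaar check can be run over existing database exports or logs to find records that should never have been stored.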

Common Fears (and the Facts)

"If I share my Aadhaar, someone can take a loan in my name."

This fear is understandable but largely outdated. Since 2019, financial institutions cannot use Aadhaar alone for loan approvals. Loan applications require additional verification including credit history (CIBIL), income proof, and in many cases, in-person verification. Knowing someone's Aadhaar number alone is not sufficient to take a loan.

That said, your Aadhaar number combined with other personal details can be used for social engineering attacks. This is why DigiLocker-based verification, which only shares masked numbers, is significantly safer than sharing your full Aadhaar.

"The app will sell my data."

Under the DPDPA, selling personal data without explicit consent is illegal and carries severe penalties. While enforcement is still ramping up, the legal framework is in place. The best protection is to verify only with apps that use DigiLocker-based verification, since they never receive your full data in the first place.

"Once I share it, I can't take it back."

With DigiLocker-based verification, you can revoke consent at any time from your DigiLocker dashboard (under "Activity" > "Consent History"). Additionally, under the DPDPA, you have the right to request deletion of any personal data an app holds about you. The app is legally required to comply.

"The government is tracking me through DigiLocker."

DigiLocker is a document storage and sharing platform. It does not track your location, monitor your communications, or surveil your activity. The consent logs it maintains are for your benefit, so you can see who accessed your data and when. You have full visibility and control.

How AirlockChat Handles Aadhaar Verification

AirlockChat uses DigiLocker-based verification exclusively. Here's exactly what happens during the process and what data we handle:

During verification:

  1. You tap "Verify with DigiLocker" inside the AirlockChat app.
  2. You are redirected to DigiLocker's official government portal. You never enter credentials inside AirlockChat.
  3. DigiLocker shows you a consent screen listing exactly what data AirlockChat is requesting.
  4. If you consent, DigiLocker sends your verified first name and a masked document number (last 4 digits) to AirlockChat.

After verification, AirlockChat stores:

  • Your verified first name (used as your permanent display name)
  • A masked document number (last 4 digits only)
  • A facial verification score (from the government ID photo comparison)
  • A hashed session identifier (for anti-fraud purposes)

AirlockChat never receives or stores:

  • Your full 12-digit Aadhaar number
  • Your address
  • Your date of birth
  • Your photograph from the Aadhaar database
  • Your biometric data
  • Your DigiLocker login credentials

If you delete your AirlockChat account, all verification-related data is purged within 30 days. You can also revoke AirlockChat's DigiLocker consent at any time from your DigiLocker dashboard.

AirlockChat is fully committed to DPDPA compliance. Our privacy policy details exactly how we handle all user data, including verification data.

Key Takeaways

Sharing your Aadhaar for app verification is safe when the app uses DigiLocker-based verification, which shares only the minimum data you consent to and never exposes your full Aadhaar number. Avoid apps that ask you to photograph or upload your physical Aadhaar card. Before verifying, check that the app redirects to DigiLocker's official portal, shows a consent screen, has a clear privacy policy, and doesn't request more data than it needs. Indian law, through the Aadhaar Act, the Supreme Court verdict, and the DPDPA, provides strong protections for your data. Use them.

AirlockChat is available for free on iOS and Android.
