Businesses in India that use Aadhaar for KYC or authentication must follow strict rules under the Aadhaar Act 2016 and UIDAI regulations. The core requirement: you cannot store the full 12-digit Aadhaar number — use a Virtual ID (VID) or tokenized UID instead. Biometric data must never be stored by any private entity. Consent is mandatory before every Aadhaar transaction. Violations carry serious penalties under both the Aadhaar Act and the Digital Personal Data Protection (DPDP) Act 2023. This guide covers exactly what you must do, what is forbidden, and how to build a compliant Aadhaar data-handling architecture.
Who Can Use Aadhaar for Authentication
Not every business can call the UIDAI authentication API. The ecosystem is built on a licensed-entity model:
- AUA (Authentication User Agency): UIDAI-licensed; submits Yes/No authentication requests against CIDR (Central Identities Data Repository).
- KUA (KYC User Agency): UIDAI-licensed; retrieves eKYC data (name, address, DOB, photo) from CIDR with the holder's consent.
- Sub-AUA / Sub-KUA: Businesses that integrate through a licensed AUA or KUA.
RBI, SEBI, and IRDAI have issued separate circulars permitting their regulated entities to use Aadhaar-based eKYC. Check the latest circular at uidai.gov.in and your regulator's site before designing your KYC flow.
The Golden Rules: What UIDAI Prohibits
UIDAI regulations and the Aadhaar Act set absolute prohibitions — legal mandates with prosecution risk, not guidelines.
| Prohibited | Compliant Alternative |
|---|---|
| Storing full 12-digit Aadhaar number | Store VID or tokenized UID only |
| Storing biometric data | Never capture or store; transmit directly to CIDR |
| Collecting Aadhaar without consent | Explicit, informed, time-stamped consent before every transaction |
| Sharing data with unauthorised third parties | Share only within the original consent scope |
| Using eKYC data beyond stated KYC purpose | Limit use to the declared purpose |
| Displaying full Aadhaar number in UI or documents | Display only Masked Aadhaar (last 4 digits) |
Virtual ID and Tokenization: The Only Safe Storage Path
UIDAI's Virtual ID (VID) system eliminates the need to store or handle raw Aadhaar numbers. The Aadhaar holder generates a 16-digit VID from the UIDAI portal or mAadhaar app and uses it in place of their Aadhaar number. UIDAI resolves the VID to the real number internally at CIDR — the AUA never sees it. AUAs instead receive a tokenized UID: a one-way, AUA-specific hash that cannot re-derive the Aadhaar number.
Store only the tokenized UID. Even if your database is breached, no Aadhaar number is exposed.
Biometric Data: An Absolute No-Store Zone
No entity other than UIDAI may capture, store, process, or transmit biometric data (fingerprints, iris scans, or any biometric modality UIDAI designates).
When a registered biometric device (RD service) captures a fingerprint or iris, the capture is encrypted at hardware level and transmitted directly to CIDR. The AUA only receives the authentication response — never the raw biometric. No intermediate log, buffer, or temporary file should ever touch the biometric payload. Your application must never sit in this data path.
Consent: Mandatory, Informed, and Auditable
The Aadhaar Act requires consent before every authentication or eKYC transaction. The DPDP Act 2023 reinforces this with its own consent framework. Combined requirements:
- Explicit and informed: The individual must know what data is accessed, why, and by whom.
- Free and voluntary: Consent cannot be a precondition for services where Aadhaar is not legally mandated.
- Specific and time-stamped: Each transaction needs its own consent record — blanket one-time consent is insufficient.
- Auditable: Your system must produce a consent trail on demand: timestamp, purpose, and UIDAI authentication reference number.
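The storage rules above (tokenized UID only, one consent record per transaction, a deletion workflow once retention lapses) as an added Python example; this is not code from the original article or from UIDAI. The token format is treated as opaque, `AUTHREF-PLACEHOLDER` stands in for a real UIDAI reference number, and the class and field names are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RAW_AADHAAR = re.compile(r"\d{12}")  # bare 12-digit Aadhaar number: never persisted
VIRTUAL_ID = re.compile(r"\d{16}")   # 16-digit VID: goes to UIDAI, never persisted
DAY = timedelta(days=1)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample clock


@dataclass(frozen=True)
class ConsentRecord:  # one record per transaction; blanket consent does not qualify
    txn_id: str
    purpose: str
    recorded_at: datetime  # UTC timestamp
    auth_ref: str          # UIDAI authentication reference number (value assumed)


class KycStore:
    """Persists only the tokenized UID UIDAI returned, plus the consent trail."""

    def __init__(self, retention_days: int):
        self.retention = retention_days * DAY
        self.consents: dict[str, ConsentRecord] = {}
        self.records: dict[str, dict] = {}

    def record_consent(self, txn_id: str, purpose: str, auth_ref: str, now: datetime):
        self.consents[txn_id] = ConsentRecord(txn_id, purpose, now, auth_ref)
        return self.consents[txn_id]

    def store(self, txn_id: str, identifier: str, now: datetime) -> bool:
        """Accept only an opaque token; refuse anything that is or resolves to the UID."""
        if txn_id not in self.consents:
            raise PermissionError(f"no consent recorded for transaction {txn_id}")
        if RAW_AADHAAR.fullmatch(identifier):
            raise ValueError("refusing to persist a raw 12-digit Aadhaar number")
        if VIRTUAL_ID.fullmatch(identifier):
            raise ValueError("a VID is for transit only; persist the returned token")
        self.records[txn_id] = {"token": identifier, "expires": now + self.retention}
        return True

    def purge_expired(self, now: datetime) -> int:
        """Deletion workflow: drop records whose retention period has lapsed."""
        expired = [t for t, r in self.records.items() if r["expires"] <= now]
        for t in expired:
            del self.records[t]
        return len(expired)

    def consent_trail(self, txn_id: str) -> ConsentRecord:
        """Consent on demand for an audit: timestamp, purpose, UIDAI reference."""
        return self.consents[txn_id]
```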
Compliant Aadhaar KYC Data Flow
The diagram below shows the architecturally compliant path for Aadhaar-based KYC.
```mermaid
graph TD
A[User Initiates KYC] --> B[Display Consent Screen<br/>State purpose scope and data]
B --> C{User Gives Consent?}
C -- No --> D[Abort KYC Flow<br/>Log refusal]
C -- Yes --> E[Record Consent<br/>Timestamp purpose AUA ref]
E --> F[User Provides VID or Offline XML]
F --> G[AUA Submits Auth Request<br/>VID or signed XML to UIDAI API]
G --> H[UIDAI CIDR Validates<br/>Returns Yes-No or eKYC token]
H --> I[AUA Receives Tokenized UID<br/>Never receives raw Aadhaar number]
I --> J[Store Tokenized UID Only<br/>Never store full Aadhaar or biometrics]
J --> K[KYC Record Complete<br/>Data minimised masked display only]
D --> L[User Notified<br/>Alternate KYC path offered]
style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style C fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style E fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style H fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style I fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
style J fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
style K fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
style L fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
```

eKYC Data Retention: What Licensed KUAs May Store
A licensed KUA that receives eKYC data (name, address, date of birth, gender, photo) from UIDAI may store it subject to: the purpose stated at consent; UIDAI licence retention limits; data minimisation principles; AES-256 encryption at rest and in transit; role-based access controls; and a defined deletion workflow once the retention period lapses.
Encryption and Technical Security Requirements
UIDAI publishes detailed technical specifications at uidai.gov.in. Key mandatory controls for AUAs and KUAs:
| Control Area | Requirement |
|---|---|
| Data in transit | TLS 1.2+ for all UIDAI API calls; end-to-end encryption for biometric packets |
| Data at rest | AES-256 or equivalent for stored Aadhaar-linked data |
| Key management | Keys managed separately from encrypted data; HSM recommended in production |
| Audit logging | All auth transactions logged with UIDAI reference numbers and timestamps |
| Access control | Role-based; minimum necessary access to Aadhaar data |
| Registered devices | Biometric devices must be UIDAI-registered; use the RD service layer |
| Vulnerability management | Periodic security assessments of all systems touching Aadhaar data |
Aadhaar Compliance vs DPDP Act: How They Interact
The DPDP Act 2023 (notified by MeitY) and the Aadhaar Act 2016 (governed by UIDAI) are not duplicates — they layer on top of each other. Businesses must satisfy both.
```mermaid
pie title Aadhaar Data Obligations by Category
    "Consent and Notice" : 25
    "Data Minimisation and Storage Limits" : 20
    "No Biometric Storage" : 20
    "Encryption and Access Control" : 20
    "Audit Trail and Grievance" : 15
```

Key intersections:
- Personal data scope: Any Aadhaar-linked datum (tokenized UID, eKYC fields) is personal data under DPDP. Biometrics, if mistakenly captured, would be sensitive personal data with heightened obligations.
- Data Principal rights: Individuals have the right to access, correct, and erase their personal data — your architecture must support eKYC deletion workflows.
- Breach notification: DPDP mandates notification to the Data Protection Board. A breach of Aadhaar-linked data is automatically high-severity.
- Penalties: Both laws carry serious financial and criminal consequences. DPDP penalties can reach significant crore-level amounts for failures to safeguard personal data; the Aadhaar Act additionally provides for imprisonment for willful misuse.
Offline Aadhaar: The Privacy-Friendly Alternative
UIDAI's Offline Aadhaar mechanism — a digitally signed XML download or the QR code on the Aadhaar card — allows identity verification without a server call to UIDAI and without requiring an AUA licence. The XML contains masked Aadhaar (last 4 digits only), name, address, photo, and DOB, signed by UIDAI. Your application verifies the signature locally. This path suits use cases where a business needs identity assurance without the operational overhead of full AUA licensing.
Aadhaar Data Handling Compliance Checklist
Use before your next compliance review or regulator audit:
| # | Control | Status |
|---|---|---|
| 1 | Verified AUA/KUA licence status (own or via licensed intermediary) | |
| 2 | Consent screen implemented — explicit, purpose-specific, time-stamped | |
| 3 | No storage of full 12-digit Aadhaar number in any database or log | |
| 4 | No biometric data captured, buffered, or stored anywhere | |
| 5 | VID or tokenized UID used as the sole Aadhaar-linked identifier | |
| 6 | Masked Aadhaar used wherever Aadhaar number must be displayed | |
| 7 | eKYC data encrypted at rest (AES-256 or stronger) | |
| 8 | eKYC data access restricted by role-based controls | |
| 9 | Authentication transaction audit log maintained with UIDAI reference numbers | |
| 10 | Retention policy defined and enforced; deletion workflow implemented | |
| 11 | Breach notification procedure covers Aadhaar-linked data | |
| 12 | Vulnerability assessment of KYC pipeline conducted in last 12 months | |