Handling PII Data
Overview
In compliance with the Digital Personal Data Protection (DPDP) Act, Nimbbl has implemented robust personal information masking and encryption across its API responses and system logs. These enhancements are designed to strengthen customer data privacy and ensure secure handling of sensitive information in your integrations.
PII Data Masking
Sensitive fields (e.g., name, email, phone, UPI, card, address) are now masked by default in:
- API responses
- Webhook payloads
- Command Center views/downloads
- System logs
PII Data Encryption
All personal data is encrypted:
- In transit
- At rest
- Across internal services
PII Data
| Field | Example (Before Masking) | Example (After Masking) |
|---|---|---|
| First Name / Last Name / UPI Holder / Card Holder | Diana Prince | D**** P***** |
| Mobile Number | +91 9876543210 | +91 ******3210 |
| Email | [email protected] | wo*********[email protected] |
| Address (e.g. Street) | 123 Main Street | 1** M*** S***** |
| Address Landmark | Opposite Magic Mountain | O******* M**** M******* |
| Address Area | Elyria | El**** |
| Address City | Atlantis | At***** |
| Address State | Maharashtra | Maharashtra |
| Address Country | India | India |
| Pincode | 100389 | 10**** |
| UPI ID | 91111111111@superyes | 91*******11@superyes |
| Card Number | 4111 1111 1111 1111 | XXXX XXXX XXXX 1111 |
| Account Number | 123456789012 | ********9012 |
| Expiry | 12/2025 | XX/XXXX |
| CVV | 123 | XXX |
| IFSC Code | UTIB00047 | UTIB***47 |
| PAN | BXXPD8601C | BXX******C |
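The same formats can be applied to your own application logs before any unmasked PII you hold is written to them. The following is an added example, not Nimbbl's code: the keep-first/keep-last rules are inferred from the examples in the table above, and the dictionary keys are hypothetical names, not Nimbbl API fields. Email is left out because its format is not recoverable from the table.

```python
import re

def keep(value: str, head: int, tail: int = 0, fill: str = "*") -> str:
    """Keep `head` leading and `tail` trailing characters and mask the rest."""
    if len(value) <= head + tail:  # too short to reveal anything: mask it all
        return fill * len(value)
    end = value[-tail:] if tail else ""
    return value[:head] + fill * (len(value) - head - tail) + end

def mask_words(value: str) -> str:
    """Mask each word separately, keeping its first character (names, street)."""
    return " ".join(keep(word, 1) for word in value.split())

def mask_phone(value: str) -> str:
    """Keep the country code and the last four digits of the number."""
    prefix, sep, number = value.rpartition(" ")
    return prefix + sep + keep(number, 0, 4)

def mask_upi(value: str) -> str:
    """Mask only the part before '@'; the handle stays readable."""
    local, sep, handle = value.partition("@")
    return keep(local, 2, 2) + sep + handle

def mask_card(value: str) -> str:
    """Replace every digit except the last four with 'X', preserving spacing."""
    total = sum(c.isdigit() for c in value)
    hidden = total - 4 if total > 4 else total  # short input: hide every digit
    seen, out = 0, []
    for c in value:
        seen += c.isdigit()
        out.append("X" if c.isdigit() and seen <= hidden else c)
    return "".join(out)

# Hypothetical key names for your own records; they are not Nimbbl API fields.
MASKERS = {
    "name": mask_words, "street": mask_words, "landmark": mask_words,
    "area": lambda v: keep(v, 2), "pincode": lambda v: keep(v, 2),
    "phone": mask_phone, "upi_id": mask_upi, "card_number": mask_card,
    "account_number": lambda v: keep(v, 0, 4),
    "ifsc": lambda v: keep(v, 4, 2), "pan": lambda v: keep(v, 3, 1),
    "expiry": lambda v: re.sub(r"\d", "X", v), "cvv": lambda v: "X" * len(v),
}

def mask_record(record: dict) -> dict:
    """Return a copy that is safe to log; keys without a masker pass through."""
    return {k: MASKERS[k](str(v)) if k in MASKERS and v is not None else v
            for k, v in record.items()}

if __name__ == "__main__":
    # Constructed sample record using the example values from the table
    print(mask_record({"name": "Diana Prince", "phone": "+91 9876543210"}))
```

Keys without a masker are passed through unchanged, so extend `MASKERS` to cover every PII field your own records carry before relying on it.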
API Endpoints
The following APIs will now return masked PII:
| Method | Endpoint |
|---|---|
| GET | /api/v3/order |
| PATCH | /api/v3/order |
| GET | /api/v3/transaction-enquiry |
| POST | /api/v3/validate-vpa |
| GET | /api/v3/payment-modes |
| GET | /api/v3/addresses |
| PATCH | /api/v3/addresses |
| POST | /api/v3/addresses |
Want Unmasked PII?
If your integration flow depends on full PII (for example, for user KYC, compliance, or reconciliation), you have two secure options:
| Scenario | Action Required |
|---|---|
| You need unmasked PII via webhook/callback | Use encrypted webhooks/callbacks to receive unmasked PII securely |
| You need unmasked PII via API | Use Transaction Enquiry API from your server to fetch unmasked PII securely |
If you require access to unmasked PII for a specific customer, particularly in relation to suspected fraudulent activity, please reach out to us via email.
You are legally responsible for securing and storing unmasked PII in compliance with the DPDP Act.
Need Help?
If you need support adapting your integration or securing PII storage, email us at [email protected] or contact your dedicated account manager.