Compliance

Aadhaar Verification Rules for PG Owners: What's Legal in 2025

PG owners often collect Aadhaar copies without understanding the legal boundaries. Here's what you can and cannot do with tenant Aadhaar data.

April 20257 min readAbode Team

Almost every PG owner in India asks tenants for a photocopy of their Aadhaar card at move-in. Most do not know that photocopying a full Aadhaar card is a UIDAI violation. The penalty for non-compliant Aadhaar data handling is up to ₹10 lakh under Section 29 of the Aadhaar Act 2016.

Here is exactly what you are legally permitted to do — and what crosses the line.

What You CAN Do

  • Record the last-4 digits of a tenant's Aadhaar number for identity verification purposes. This is the legally compliant approach for non-licensed entities.
  • Accept a masked Aadhaar printout (where the first 8 digits are hidden) as identity proof. UIDAI provides a tool to generate masked Aadhaar at uidai.gov.in.
  • Store a photograph of the tenant alongside their self-declared details.
  • Ask tenants to self-declare their identity details on your C-Form — the responsibility for accuracy is theirs.

What You CANNOT Do

  • Photocopy or scan the full Aadhaar card. Full photocopies of Aadhaar are prohibited for entities that are not UIDAI-licensed Authentication User Agencies (AUAs). PG operators are not AUAs.
  • Store digital scans of full Aadhaar numbers on your computer, Google Drive, WhatsApp, or any unencrypted storage.
  • Share tenant Aadhaar data with any third party (including your CA, property manager, or broker) without the tenant's written consent.
  • Perform biometric authentication. Only AUAs with explicit UIDAI approval may collect biometrics.

The DPDP Act 2023 Layer

The Digital Personal Data Protection Act 2023, now progressively being notified, adds another compliance layer on top of Aadhaar rules:

  • You must obtain explicit, informed consent before collecting any personal data (name, phone, email, document details).
  • Consent must be granular — tenants can consent to identity verification but decline marketing communications.
  • Data must be stored only as long as necessary, and tenants have the right to request erasure.
  • You must be able to demonstrate what data you hold, why, and that it is secured.

For PG operators, the practical implication is a consent form at move-in that explicitly lists what data you collect and why, signed by the tenant.

How Abode Handles This

Abode's tenant onboarding flow is designed for UIDAI and DPDP compliance by default:

  • The application form only captures the last-4 digits of Aadhaar — the full number field does not exist.
  • Consent is recorded digitally at the time of onboarding, timestamped, and immutable.
  • Document uploads are stored in encrypted Supabase Storage with Row Level Security — accessible only by your organisation.
  • Tenants can request data erasure, which pseudonymises their record while preserving financial history for audit purposes.

Practical Checklist for Compliance

  • Replace full Aadhaar photocopies with masked Aadhaar or last-4 digit records
  • Add a data collection consent clause to your tenant agreement
  • Delete any existing full Aadhaar scans from WhatsApp, Google Drive, and email
  • Encrypt digital document storage (don't use a plain folder on your desktop)
  • Document your data retention policy — how long you keep data and when you delete it

Ready to simplify your PG operations?

Abode handles rent collection, police verification, and tenant management — all in one platform built for India.

Start free 14-day trial

No credit card required.