Why Zerodha collects PAN and Aadhaar through DigiLocker
DigiLocker is a Government of India platform run by the Ministry of Electronics and Information Technology (MeitY) under the Digital India Programme that issues and verifies official documents digitally and shares them with a requester only after the document holder gives consent. When you open an account at Zerodha , the broker uses DigiLocker as the route to pull a digitally signed Aadhaar straight from UIDAI , and it separately fetches permanent account number (PAN) details straight from the Income Tax Department. This article explains what DigiLocker is, why a stock broker relies on it for paperless eKYC , what data actually changes hands, the consent and privacy model behind it, and how the DigiLocker pull differs from a plain Aadhaar OTP eKYC.
The short answer to the question most applicants ask is this: documents pulled through DigiLocker come straight from the issuing government system, so they are authentic and the applicant cannot edit them. That single property is why brokers prefer it to a self-uploaded photocopy. Letting a customer upload a photo of a PAN card is, in Zerodha’s own words on its customer verification note, a flawed process that can be easily manipulated. A document signed by the issuer and delivered by a Government of India platform removes that weakness.
This is a resident individual account-opening concern, and it sits alongside two related questions covered elsewhere on WebNotes: the full list of data Zerodha collects and the choice between eKYC and offline KYC . Here the focus is narrow: the DigiLocker mechanism, the legal footing it stands on, and the precise fields it surfaces.
What DigiLocker is and who runs it
DigiLocker is a flagship initiative of the Digital India Programme aimed at paperless governance. It is operated by MeitY , and its purpose is the issuance and verification of documents in digital form. The platform lets an Indian resident hold government-issued documents in a digital wallet and, separately, lets a registered requester fetch a specific document after the holder consents.
Three properties matter for KYC. First, authenticity: documents are issued directly by the government departments or institutions that hold the original record, so the documents are genuine and a user cannot make changes to them. Second, consent: a verifier generates an electronic consent request, and the user approves it through Aadhaar OTP, another OTP-based authentication, or an eSign before the verification system releases the data. Third, accountability: the verification system maintains a log of every successful and unsuccessful access attempt and can notify the user.
The platform’s legal footing rests on the Information Technology Act 2000 . Documents issued through DigiLocker carry parity with physical originals, and unauthorised attempts to access, upload or alter information on the service are punishable under sections 43 and 66 of that Act. A broker reaching into DigiLocker is therefore operating inside a statutory framework, not a private data exchange.
Why a broker uses DigiLocker for KYC
Every Indian market intermediary must complete Know Your Client verification before it opens a trading or demat account . The verification has to establish that the person opening the account is who they claim to be, that the identity documents are real, and that the same person controls the contact details on file. DigiLocker lets a broker satisfy all three online, without paper and without a self-uploaded image that a fraudster could edit.
Zerodha is a registered Requester on the DigiLocker platform. When an applicant consents, the broker obtains a digitally signed copy, in machine-readable form, of the customer’s Aadhaar directly from UIDAI through DigiLocker. The DigiLocker login itself relies on Aadhaar verification and an SMS OTP sent to the Aadhaar-linked mobile number, which establishes a second fact: whoever is opening the account has access to the mobile device seeded with that Aadhaar. That is a meaningful control. It is the property that, by Zerodha’s own account, significantly reduces the probability of the easy identity theft seen on some lending platforms.
PAN follows a parallel but separate path. After the applicant enters the PAN number and date of birth, Zerodha fetches the PAN details live from the Income Tax Department and obtains the legal name on record. Zerodha does not ascertain the validity of a PAN from an uploaded photocopy; it queries the source. The in-person verification step, a short video KYC clip, then runs an automated face match between the recorded video, the Aadhaar photo obtained from DigiLocker, and the PAN or ePAN.
What information is actually shared
This is the part applicants most often get wrong. Pulling Aadhaar through DigiLocker does not hand the full Aadhaar number to the broker. As prescribed by law, Zerodha does not obtain the actual Aadhaar number. When you consent through DigiLocker, Zerodha, as a registered Requester, receives information limited to six fields:
| Field | What it is | Why Zerodha needs it |
|---|---|---|
| Last four digits of Aadhaar or VID | A reference, not the full number | Identifies the Aadhaar record without exposing it |
| Full name | Name as held by UIDAI | Cross-matched against the PAN name |
| Date of birth | DOB as held by UIDAI | Cross-matched against the PAN DOB |
| Gender | As held by UIDAI | Recorded in the KYC profile |
| Address | Current Aadhaar address | Updated into the KYC records as proof of address |
| Photo | Aadhaar photograph | Matched against the IPV video face |
PAN contributes the legal name and confirms the PAN is genuine through the live Income Tax Department lookup. Beyond these, the account-opening flow separately captures bank account details, supporting documents, a secondary PAN or ePAN copy, and the IPV video. The Aadhaar-specific data set is deliberately minimal, and the full Aadhaar number is not part of it.
The address point deserves a note. The Aadhaar address pulled through DigiLocker can serve as the proof of address in the KYC record. An applicant who prefers not to use the Aadhaar address may, as an alternative choice, use a driving licence or passport copy as address proof instead. That choice is voluntary and sits with the applicant.
The consent and privacy model
DigiLocker is built on explicit, logged consent. In the online method, the verifier generates an electronic consent request; the user approves it through Aadhaar or another OTP-based authentication, or through eSign; and only then does the verification system release the data. The system maintains a log of all successful and unsuccessful data-access attempts and will notify the user using available contact details. Nothing moves without an approval step the applicant performs in real time.
Zerodha documents its own consent footing on its Aadhaar consent page and its privacy policy . The broker’s framing is that providing Aadhaar is voluntary in nature. It is required only for completing the account opening procedure online and digitally signing the Zerodha account-opening form. An applicant who does not want to share Aadhaar at all can go through the offline route, physically signing every account-opening document, which does not require sharing any Aadhaar information. The DigiLocker pull is therefore the price of doing the whole thing online, not a non-negotiable condition of having an account.
The statutory backstop sits above the platform itself. Because DigiLocker is regulated by the government and unauthorised access or alteration is punishable under sections 43 and 66 of the Information Technology Act 2000, the applicant’s exposure is bounded by law, not only by Zerodha’s own data practices. That is a different posture from uploading a document image to a private server.
The SEBI eKYC framework behind it
DigiLocker is the delivery mechanism, but the authority for a broker to perform Aadhaar-based eKYC at all comes from SEBI . SEBI consolidates KYC requirements in its Master Circular on Know Your Client norms for the securities market dated October 2023. Within that framework, SEBI has separately notified the route by which intermediaries may use the eKYC Aadhaar authentication services of UIDAI in the securities market as a sub-KUA, in circulars issued in May 2020 and updated through March and May 2024. A registered intermediary that is not itself a KUA performs Aadhaar authentication as a sub-KUA under a notified KUA.
The end of every path is a KYC Registration Agency (KRA). The KRA independently validates the Aadhaar, PAN, mobile number and email ID uploaded by the intermediary. Once validated, the KRA generates a KRA identifier, and only then can the intermediary allow trading or investment activity in the account. The DigiLocker pull feeds clean, source-verified data into this pipeline, which is why a DigiLocker-based onboarding tends to clear KRA validation without the mismatches that dog manually keyed records.
On the mobile number, SEBI’s digital KYC process requires that a mobile number be submitted, and it should preferably be the one seeded with Aadhaar, precisely because OTP-based Aadhaar authentication depends on it. That requirement is the reason an applicant whose mobile is not linked to Aadhaar cannot complete the fully online OTP flow.
DigiLocker pull versus plain Aadhaar OTP eKYC
The two are easy to conflate because both start with an OTP to the Aadhaar-linked mobile. The difference is what comes back. A plain Aadhaar OTP eKYC under the sub-KUA route returns a demographic eKYC response from UIDAI: name, address, date of birth, gender and photo, packaged as an authentication result. A DigiLocker pull, by contrast, delivers a digitally signed Aadhaar document from UIDAI to the requester, a machine-readable file the broker can store as the source artefact.
For Zerodha’s resident-individual online flow, the DigiLocker document pull is the mechanism. It gives the broker a signed Aadhaar artefact plus the DigiLocker login as proof of mobile control, and it sits alongside the live PAN lookup and the IPV face match. The practical upshot for an applicant is the same in both cases: the mobile must be seeded with Aadhaar, and the name and date of birth must agree across PAN and Aadhaar.
The name and date-of-birth cross-check
The single most important step in the whole process is the cross-check between two independently sourced documents. Zerodha verifies the name and date of birth on the PAN, obtained from the Income Tax Department, against the name and date of birth on the Aadhaar, obtained from DigiLocker. The check is done by both an automated system and human verifiers. It is this two-source agreement, not any single document, that establishes identity with confidence.
That is also why a name or date-of-birth mismatch is the most common reason DigiLocker linking fails. To link PAN and Aadhaar through DigiLocker, the name and date of birth must match on both records. If they do not match, the applicant must first update the record with the respective authority, the Income Tax Department for PAN through Protean or UIDAI for Aadhaar, and then retry. The detailed failure modes and the offline fallback are covered in the eKYC versus offline KYC article.
What this means for an applicant
For a resident Indian whose mobile is seeded with Aadhaar and whose PAN and Aadhaar records agree, the DigiLocker pull is the fastest path to an open account: source-verified documents, no paper, an OTP-confirmed consent, and a face match against the Aadhaar photo. The data exposure is limited to six Aadhaar fields plus the PAN name, the full Aadhaar number never reaches the broker, and the whole exchange sits under the Information Technology Act 2000 with logged consent. A resident applicant ready to start can open a Zerodha account and complete this DigiLocker step in the same session.
An applicant who would rather not share Aadhaar can decline it and take the offline route at the cost of paper, courier time and a slower turnaround. The choice is real, and it is the applicant’s to make. What an applicant cannot do is complete the fully online flow without either an Aadhaar-seeded mobile or matching PAN and Aadhaar records, because both are load-bearing for the DigiLocker step.
See also
- Zerodha
- How to open a Zerodha account
- Documents required for a Zerodha account
- What data Zerodha collects when you open an account
- eKYC vs offline KYC at Zerodha
- DigiLocker
- Aadhaar
- UIDAI
- Ministry of Electronics and Information Technology
- Permanent Account Number (PAN)
- Know Your Client (KYC)
- KYC Registration Agency (KRA)
- In-person verification (IPV)
- Video KYC
- Demat account
- Trading account
- Depository participant
- CDSL
- NSDL
- SEBI
- Stock broker
- Information Technology Act 2000
- Prevention of Money Laundering Act
- Zerodha Console
- Kite by Zerodha
- Zerodha charges
- Opening multiple accounts at Zerodha
- How to open a Zerodha commodity account
- How to open a Zerodha minor account
- Contract note
External references
- DigiLocker: About the platform
- Digital Locker, Ministry of Electronics and Information Technology
- Zerodha: Customer verification at Zerodha
- Zerodha support: Why does Zerodha collect PAN and Aadhaar via DigiLocker KYC?
- Zerodha: Aadhaar consent
- SEBI: Entities allowed to use e-KYC Aadhaar authentication services of UIDAI as sub-KUA (May 2024)
- UIDAI
References
- Ministry of Electronics and Information Technology, DigiLocker policy and about page (as of 19 June 2026).
- Zerodha, Customer verification at Zerodha, Z-Connect (as of 19 June 2026).
- Zerodha support, Why does Zerodha collect PAN and Aadhaar via DigiLocker KYC? (as of 19 June 2026).
- SEBI, Master Circular on Know Your Client (KYC) norms for the securities market, October 2023.
- SEBI circular, Entities allowed to use e-KYC Aadhaar Authentication services of UIDAI in the securities market as sub-KUA, May 2024.
- Information Technology Act 2000, sections 43 and 66.