Sharing your Aadhaar: what to mask, and how to share it safely
At a glance
Your Aadhaar is the single strongest link to your identity, so the goal is to share the least exposing version of it. Where you only need to prove who you are, a masked Aadhaar (first eight digits hidden) or a Virtual ID does the job without revealing your full number. Under India’s DPDP Act a business can collect it only where the purpose genuinely needs it, must secure it, and must delete it once that purpose ends — so a full Aadhaar copy sitting in someone’s files is both avoidable and something you can question.
Educational resource only. This explains how your Aadhaar is treated as personal data under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.
On this page
- What is Aadhaar, and what makes it so sensitive?
- What your Aadhaar reveals — and the myth about masking
- Who asks for it, and can they?
- The real risks if it’s misused
- What to share: masked Aadhaar, VID, or the new app
- How to share it safely
- How to store it, and when to let go
- FAQ
What is Aadhaar, and what makes it so sensitive?
Aadhaar is your 12-digit unique identity number issued by the Unique Identification Authority of India (UIDAI) — accepted almost everywhere as proof of who you are, which is exactly what makes a stray copy dangerous. It’s used for bank KYC, SIM cards, income-tax filing (it’s linked to your PAN), government schemes, and countless private verifications. That near-universal acceptance is a convenience, but it also means one leaked copy can be presented in your name in a lot of places. Unlike a driving licence or Voter ID, Aadhaar is also tied to your biometrics and can be linked across services through your number — so it deserves the most careful handling of all your IDs.
What your Aadhaar reveals — and the myth about masking
A full Aadhaar copy shows your name, photo, date of birth, gender, address and the full 12-digit number — but you rarely need to expose all of it. The number itself is the linking key; the rest is a complete identity-and-address profile on one document.
Two common myths are worth clearing:
- “Aadhaar is ‘sensitive data’ with special legal protection.” The DPDP Act has no separate sensitive-data category — Aadhaar is treated as ordinary personal data. That’s not a downgrade: ordinary personal data still carries the full duties of notice, purpose limitation, security and erasure.
- “Sharing my Aadhaar number means someone can drain my account.” Your number alone can’t unlock your biometrics or your bank. The real risk is a full, unmasked copy being reused to back fraudulent paperwork — which is precisely why masking exists.
Who asks for it, and can they?
Banks, telecom operators, and government services often have a genuine or legally mandated reason to verify Aadhaar — but a rental broker, a hotel at a domestic check-in, or a coaching-class registration asking for a copy “for records” usually does not. Whoever collects your Aadhaar becomes a Data Fiduciary with duties to you: a clear notice of why it’s being collected (Section 5), and collection limited to what the stated purpose actually needs (Section 6).
So the test is always the same: does this transaction genuinely need my Aadhaar, or a full copy of it? A regulated bank KYC does. A hotel logging a domestic guest, or an event desk taking an “ID for entry” copy, usually doesn’t — that’s over-collection you can decline or satisfy with a masked version. One firm line worth holding on to, separate from the DPDP Act: no private business can force you into Aadhaar-based biometric authentication — that’s not something an office, a housing society, or a gym gate can mandate.
The real risks if it’s misused
A loose Aadhaar copy is a strong identity anchor in the wrong hands. Because Aadhaar ties your name, photo, date of birth and address to a number accepted almost everywhere, a stray full copy can be put to work in several ways:
- Impersonation and fake onboarding — a genuine-looking copy can be used to clear identity checks or open SIMs, wallets and accounts in your name.
- Backing other fraudulent paperwork — it lends false credibility to forged documents and applications built on your real details.
- Cross-service linking — because the same number sits behind your bank, telecom, tax and more, a leaked Aadhaar lets someone correlate records that were meant to stay separate and build a fuller profile of you.
The sharpest part is what you can’t undo. A compromised card can be blocked and reissued; your Aadhaar number can’t be changed — so once a full copy is out, that exposure is effectively permanent. That’s the whole reason to share a masked version or a Virtual ID rather than the full number in the first place.
What to share: masked Aadhaar, VID, or the new app
Where Aadhaar is needed only as identity proof, never hand over the full number — use a masked Aadhaar, a Virtual ID, or the new app’s QR share instead. These are the three tools that let you satisfy a legitimate request without creating a reusable full copy:
- Masked Aadhaar — an official version, signed by UIDAI, that hides the first eight digits and shows only the last four (your photo, QR code and demographic details stay on it). Download it from the myAadhaar portal (
myaadhaar.uidai.gov.in): choose Download Aadhaar, tick “I want a masked Aadhaar,” and verify with the OTP sent to your registered mobile. It’s accepted wherever Aadhaar is used purely as identity proof. - Virtual ID (VID) — a temporary, revocable 16-digit number mapped to your Aadhaar. An agency can verify you against it, but your actual Aadhaar number can’t be worked back out of it. Generate or regenerate it anytime via the UIDAI portal, the app, or SMS. This is the safer choice for authenticated KYC, where a masked image isn’t enough.
- The new Aadhaar app (QR + Face ID) — UIDAI’s newer app (in beta since April 2025, the successor to mAadhaar) lets you share only the fields a verifier needs through a scannable QR code and face authentication — no photocopy changes hands at all. Where a counter accepts it, this is the least-exposing option going.
When you do need the full number: claiming a government benefit under Direct Benefit Transfer (DBT), or any Aadhaar-authenticated service, needs the full Aadhaar or a VID — a masked copy won’t work there. Match the tool to the purpose: masked for identity proof, VID or the app for authentication.
How to share it safely
Prefer a verifiable digital share over a flat photo of the card, and use a channel you control. A gallery screenshot of your Aadhaar is just an image anyone can copy and alter. Safer routes:
- Share from DigiLocker or the Aadhaar app, not your photo gallery — a fetched copy is verifiable against the source and doesn’t scatter a reusable scan.
- Add a purpose watermark to any copy you must send — write the purpose across it, e.g. “For [name] KYC only” — and self-attest it. A purpose-marked masked copy is far harder to reuse elsewhere.
- Avoid WhatsApp and plain email for Aadhaar copies — they leave permanent copies across chats, inboxes and backups you can’t round up later. Prefer a secure, expiring link or the organisation’s official upload portal.
- Show, don’t hand over, where a look will do — for a simple identity check, letting someone see your Aadhaar beats surrendering a copy of it.
Masking, watermarking and safe channels work the same way for every document you handle — the four steps above are the Aadhaar-specific version of that shared routine.
How to store it, and when to let go
Keep your own copy in a secure app, not a photo gallery — and hold businesses to deleting theirs once the purpose ends. For your own use, DigiLocker or the Aadhaar app is safer than an Aadhaar image sitting in your gallery or a chat thread, where it can end up in cloud backups and shared albums.
On the other side, a business that collects your Aadhaar must keep it secure and erase it once the purpose it was collected for is over (Section 8). A copy retained long after a one-time verification, or an Aadhaar scan sitting in an unsecured shared folder or a staff WhatsApp group, is a security failure the business is answerable for — not just untidy record-keeping. You can ask what it holds, ask it to delete an Aadhaar it no longer needs, and ask for written confirmation.
FAQ
Is a masked Aadhaar valid as ID? Yes. A masked Aadhaar is an official, UIDAI-signed document accepted wherever Aadhaar is used as identity proof; it simply hides the first eight digits. The main exception is Aadhaar-authenticated services and government DBT benefits, which need the full number or a Virtual ID.
Can a business demand a copy of my Aadhaar? Only where the purpose genuinely needs it, and only the minimum. A regulated bank KYC has a reason; a rental broker, a hotel desk, or a coaching class asking “for records” is usually over-collection you can decline or meet with a masked version. No private business can force Aadhaar-based biometric authentication.
What’s the safest way to share Aadhaar for KYC? Use a Virtual ID (VID) — a revocable 16-digit number that verifies you without revealing your real Aadhaar number — or, where accepted, the new Aadhaar app’s QR-and-face share, which hands over no photocopy at all.
Is it dangerous if someone has my Aadhaar number? The number alone can’t unlock your biometrics or your bank. The real risk is a full, unmasked copy being reused to back fraudulent paperwork — which is why sharing a masked version or a VID matters.
How do I get a company to delete my Aadhaar copy? Once its purpose is over, you can ask the business to erase your Aadhaar copy and confirm it’s done — the DPDP Act’s erasure duty (Section 8) backs this.
Related Articles
Reviewed by Confidential Dispatch Editorial Team
Last updated 15 July 2026
Not legal advice.