CREZU.LK: Loan Matchmaker or Data Broker?

My friend Nimendra James once remarked that we’re living in an information economy—one where time and data have become the most valuable commodities. Most Sri Lankans may not realize it, but when used strategically, data can be worth more than a mine of gold—especially when it’s data about you. Data can be collected for both legitimate (ex: targeted advertising, training AI) and illegitimate purposes (ex: Social Engineering). Even when it’s gathered for legitimate goals, like creating a profile to deliver more targeted ads, it can still pose risks. For example, a company might store that data in an insecure format, such as an Excel spreadsheet, rather than a secure, encrypted database (ex: Facebook). This opens the door for cybercriminals to access the data, potentially using it for phishing campaigns or other malicious activities. The value of personal data can be a double-edged sword, and its security should never be underestimated.

So, what does this issue have to do with CREZU.LK, you may ask. I first encountered CREZU.LK through an ad on this blog. Initially, I thought it was another online loan shark, a topic I discussed in my 2023 post, “Beware of Online Loan Sharks” – However, I later discovered that CREZU.LK operates as a “Loan Matchmaking” service, connecting users with loan providers. But as I dug deeper, I realized that CREZU.LK exhibits the characteristics of a Data Broker. A data broker collects, aggregates, and sells personal data from sources like public records, online transactions, and social media, often without individuals’ consent. They then sell or license this information to marketers, businesses, or even government agencies. So, today, let’s explore whether CREZU.LK truly fits the profile of a data broker—and whether caution is warranted.

Disclaimer: This post is intended for informational purposes only and reflects the author’s personal observations and analysis. It is not meant to cause any inconvenience or harm to any business entity, including CREZU.LK or its affiliates. No claims are made regarding the legality or accuracy of the operations of any mentioned parties. Readers are encouraged to conduct their own research and seek appropriate professional advice before making any decisions or taking action based on the content of this post.

CREZU.LK Collects Meta Data Beyond Loan Brokering

CREZU.LK asks users to submit personal details like full name, National Identity Card number, phone number, income, employment status, and banking preferences—standard information for a loan application. However, the platform goes beyond typical loan-related data by collecting sensitive device and browser metadata, IP addresses, operating system details, and even geolocation information. I personally used a VPN to conceal my IP and geolocation, but the platform still tracks such data. As stated in the Privacy Policy: “Crezu collects and processes data including the IP address, browser type, device type, screen resolution, language, time zone, visited pages, and more.” (Crezu.lk Privacy Policy, Section 2). This level of detail raises alarms, as it mirrors the kind of data typically gathered by data brokers to build extensive user profiles.

For a platform claiming to “match” users with lenders, collecting this broad and intrusive range of personal information seems unnecessary. CREZU.LK does not directly issue loans, yet its data harvesting practices extend far beyond the minimum required for loan matchmaking. By collecting such detailed metadata, the platform raises significant privacy concerns. Users may unknowingly surrender far more data than expected simply by applying for a loan. Such practices highlight the potential risks of providing personal information to platforms that operate in this gray area, where data is likely monetized or shared with third parties. Given the increasing value of personal data, it’s essential for users to be aware of how much information they’re giving away, especially when the platform’s intentions are not fully transparent.

Your Personal Data is Shared Widely With 3rd Parties

CREZU.LK explicitly states that user data is shared with third parties, including not only loan providers but also marketing agencies and analytics companies. According to their Privacy Policy: “We may disclose your Personal Data to our partners (loan companies), service providers, analytics providers, and marketing agencies.” (CREZU.LK Privacy Policy, Section 3: Who Do We Share Your Personal Data With?). This disclosure of data to external entities raises serious concerns about user privacy. The policy further notes that some of these third parties may be based outside of Sri Lanka (Estonia?), meaning personal data could fall under foreign jurisdictions that have different or even weaker privacy protections. The cross-border nature of data sharing also makes it difficult for users to understand exactly how their data is being handled and protected. With unclear boundaries on who gets access to this data, users are left vulnerable to unforeseen uses and risks associated with their personal information.

Moreover, the Privacy Policy reveals that personal data may be used for direct marketing purposes unless users explicitly opt out: “If you do not wish to receive such information, you can opt out at any time by contacting us.” This is a classic tactic used by data brokers, who often share, sell, or monetize user data for profit, with little transparency or control over its use. The fact that users must take proactive steps to opt out from marketing communications further emphasizes the passive data collection that occurs by default. Once personal information is shared with a broad range of third parties, users lose control over how it is used, which is a key characteristic of data broker networks. In these environments, personal data is often commodified, with limited insight into where it goes or how it might be leveraged, leading to greater risks for individuals.

100% Free Service Means Your Data is the Product

CREZU.LK website proudly states the service does not charge users for access, application submission, or loan matching services, which raises an important question: If the service is free, what’s actually being sold? The most plausible answer is user data. CREZU.LK likely relies on affiliate commissions from lenders when users accept loan offers, which incentivizes the platform to process and route as many applications as possible. This business model prioritizes volume over the long-term benefit to the borrower, raising concerns about whether users are being exploited for the platform’s profit. Since the service is free to users, it seems the real product being sold is their data, which can be a valuable asset for the platform and its affiliates. This reliance on data monetization is increasingly common among platforms that claim to offer free services but generate revenue through user data, often without full transparency.

Although this model is not illegal, it blurs the line between offering a helpful service and exploiting personal data for financial gain. The Privacy Policy of CREZU.LK reveals a commercial interest in profiling users, stating: “We process your data to improve our service, send you personalized offers, and conduct analytical and marketing research.” This goes beyond merely connecting users with lenders—it involves creating detailed behavioral profiles for targeted marketing, which could be shared with third parties. This is a hallmark of data brokers, who collect, analyze, and sell personal data to a variety of industries without directly benefiting the individual. Such practices highlight how data brokers aggregate, monetize, and distribute personal data for profit, raising significant concerns about user privacy and control over their personal information.

CREZU.LK IS Linked to Locally Known Predatory Lenders

Perhaps the most alarming indicator that CREZU.LK fits the profile of a data broker is its connection to local online loan sharks. While the platform brands itself as a neutral “loan matchmaker,” the offers users receive after submitting their personal information often come from lenders with a reputation for predatory practices. In my own experience, shortly after testing the service, I received a call from one such lender—and Simple Dialer flagged the caller ID as “CashX හොරු” (CashX Thieves). This wasn’t just a random name; it reflects a community-driven warning based on user reports, a red flag about the lender’s legitimacy. The presence of such entities within CREZU.LK’s lending network suggests the platform is less concerned with ethical partnerships and more focused on maximizing lead distribution—behavior common to data brokers who prioritize volume over consumer safety.

This raises critical questions: Is CREZU.LK vetting its lending partners at all, or is it simply forwarding sensitive data to any entity willing to pay for leads? The latter scenario is disturbingly plausible, especially in a loosely regulated digital lending landscape. When platforms like this distribute personal data to unregulated or shady lenders, the risk to users increases significantly—not just in terms of exploitative loan terms, but also potential harassment and data abuse. What begins as a simple online inquiry for a loan could lead to a barrage of unsolicited calls, phishing attempts, and aggressive debt collection tactics. These consequences demonstrate why data transparency and platform accountability matter. CREZU.LK’s association with known loan sharks strengthens the case that it operates with data brokerage-like behavior, prioritizing monetization of user data over genuine financial assistance.

Update: March 18th 2025

I never completed my registration on CREZU.LK. Yet, within hours, I began receiving a barrage of automated phone calls—more than 50 in total—from at least nine different numbers, all beginning with the prefix +94114500. The frequency was overwhelming, and the persistence bordered on harassment. I initially thought it was a mistake, so I answered a few calls and informed the callers that I was not interested. Unfortunately, this did not deter them. The calls continued, one after another, often within minutes of each other. My phone’s dialer app, Simple Dialer, identified the caller ID strings (CLIs) as suspicious, with some labeled “Cash X scam” and even “Cash X පොන්නයො”—the latter being a crude Sinhala slang term implying hostility or mockery. This made me question the legitimacy and ethics of the companies behind these calls. Eventually, I had no choice but to block each number manually to regain control of my phone.

What struck me most was the aggressive persistence of these calls—clearly automated, clearly indifferent to my request to opt out, and coming from a rotating list of similar phone numbers. This suggests a larger network or coordinated effort behind the outreach. If these lenders were truly professional, one would expect a single courteous follow-up—not dozens of invasive, spam-like calls. The use of multiple caller IDs, some of which are flagged by third-party apps as scams or shady entities, points to a troubling lack of transparency. It also implies that CREZU.LK may be partnering—or at the very least, sharing data—with predatory lenders operating in violation of ethical or legal standards. While the platform presents itself as a legitimate “loan matchmaking” service, this behavior undermines its credibility and suggests ulterior motives. If a user receives such relentless follow-ups without even completing registration, it raises the question—what else is being done with their personal information?

Wrap Up

So, does this mean that CREZU.LK is a data broker? It’s difficult to say definitively, but the service certainly aligns with the characteristics of a data broker. According to their website, CREZU.LK is based in Estonia and is a subsidiary of Fininity. However, the WhoIs record for the parent domain CREZU.COM doesn’t show any connection to a business by that name, and the WhoIs record for CREZU.LK offers little significant information, other than indicating the website is likely hosted in India. Since CREZU.LK claims to be a subsidiary of Fininity, an offshore entity, it’s worth noting that foreign entities are required to have a local presence in Sri Lanka to register a .LK domain. This typically means having a business registration or appointing a local agent, but I could not find any such information regarding CREZU.LK’s compliance with these requirements.

While the issues surrounding CREZU.LK are not enough to definitively classify it as a data broker, it’s essential to exercise caution when sharing personally identifiable information (PII) with such online services. Once you surrender your data to an online entity, you lose control over it, even if you later opt out, as your data often becomes redundant or difficult to retract. Additionally, there’s no guarantee that your data is stored securely or in compliance with industry standards and data protection laws. Many online platforms do not adhere to robust security practices, which leaves personal information vulnerable to breaches. Therefore, before engaging with services like CREZU.LK, ensure you fully understand their data handling practices, and the potential risks involved in sharing sensitive information. Safeguarding your personal data should always be a priority, especially in today’s data-driven environment.

---

If you found this content helpful, I kindly ask you to leave your feedback in the comments section below. Sharing it on social media would also be greatly appreciated. In order to promote meaningful and respectful dialogue, I request that you use your full name when commenting. Please note that any comments containing profanity, name-calling, or a disrespectful tone will be deleted. Thank you for your understanding and participation.