Compliance Database

Freshworks' privacy policy, with a future effective date of July 2025, is primarily tailored for international laws like GDPR and CCPA. Despite having an Indian entity, the policy completely omits the DPDP Act 2023, broadly claims 'legitimate interests' for many processing activities, and lacks critical details on data retention and security measures (in the provided text), exposing its Indian operations to significant DPDP non-compliance risks.

CRED's privacy policy strongly emphasizes user consent and robust security, including RBI data localization for payment data. However, it requires clearer DPDP alignment regarding truly 'freely given' consent, specific data retention timelines, comprehensive Data Principal rights, and the Data Protection Board as a grievance escalation channel.

BYJU'S, a major EdTech platform, handles sensitive educational data, including that of children. Its privacy policy is extensive but hasn't fully updated for the DPDP Act 2023, particularly struggling with granular consent, verifiable parental consent for minors, and specific data retention timelines. These gaps create substantial regulatory risk, especially concerning Section 23 (Children's Data).

Apollo 24/7's privacy policy is detailed about data collection but remains largely anchored to the IT Act 2000 and SPDI Rules. Given it handles highly sensitive medical data, the lack of explicit DPDP Act 2023 alignment, especially concerning granular consent, specific data retention, and DPB redressal, poses significant compliance risks.

Upstox, handling investment data for 1Cr+ users, scores 50/100 on DPDP readiness. Like Zerodha and Groww, SEBI compliance provides a baseline, but DPDP adds consent granularity and data rights requirements beyond what securities regulation demands. API trading users create additional data governance challenges.

Tata Neu is India's most ambitious data aggregation play — combining flights (Air India), hotels (IHCL), groceries (BigBasket), medicines (1mg), luxury (Tanishq), insurance (Tata AIG), and more into one profile via NeuPass. At 44/100, aggregating consumer behavior across 20+ Tata companies under a single privacy policy creates the country's most comprehensive consumer profile.

ShareChat and Moj serve India's vernacular social media users — processing content that reveals regional identity, religious affinity, political leanings, and cultural practices. At 39/100, the combination of cultural profiling, facial data from short videos, and large minor user base creates one of the most complex DPDP compliance challenges.

PolicyBazaar collects detailed health questionnaires, income declarations, and family histories — then shares this with 50+ insurance partners simultaneously. At 46/100, the broadcast-style data sharing model where your health conditions are sent to dozens of insurers creates a DPDP consent nightmare.

OYO processes some of the most personally revealing hospitality data: ID documents, stay patterns, co-guest information, and room preferences — all shared with individual hotel owners. At 40/100, the platform's franchise model creates a data governance vacuum where guest PII flows to thousands of independent hotel operators with minimal oversight.

Matrimony.com collects India's most sensitive personal data categories: caste, religion, income, family background, physical appearance, horoscope details, and disability status. At 41/100, the platform processes data that reveals every protected characteristic under DPDP — creating the highest concentration of sensitive data of any platform analyzed.

MakeMyTrip handles passport numbers, travel destinations, hotel stays, and co-traveler details — creating an intimate travel diary. At 48/100, the platform's lack of ID document protection policies and retention timelines for travel history that reveals lifestyle patterns creates significant DPDP exposure.

Lenskart captures the most biometrically sensitive data among e-commerce platforms — 3D facial geometry for virtual try-on, eye prescriptions revealing vision conditions, and pupillary distance measurements. At 44/100, treating this biometric-adjacent and health data with standard e-commerce privacy practices is a significant DPDP gap.

Jio's 47/100 reflects the privacy challenge of India's largest telecom-retail conglomerate. Combining mobile network data (call logs, location, internet browsing) with JioMart shopping, JioCinema viewing, and JioSaavn listening creates the most comprehensive consumer profile in India — all under one privacy policy with bundled consent.

Housing.com's property search data reveals income brackets, family stage, geographic preferences, and investment capacity — shared with dozens of broker partners. At 42/100, the platform's broadcast model to real estate agents creates DPDP consent issues similar to PolicyBazaar's insurance model.

Dunzo's hyper-local delivery model creates an intensely personal data profile — every delivery reveals what you order, where you live, and when you're home. At 40/100, alcohol deliveries, medicine pickups, and photo proofs of delivery create particularly sensitive data categories that the current policy ignores under DPDP.

cult.fit collects intimate health data — heart rate, body measurements, workout capacity, injury history, and mental health content engagement — processing what is effectively continuous health monitoring. At 42/100, treating this health data with consumer app privacy standards instead of health data protections creates significant DPDP exposure.

Flipkart's privacy policy is comprehensive in scope but relies on pre-DPDP frameworks. Key concerns include bundled consent, broad third-party sharing provisions, and no specific DPDP Act alignment.

Aadhaar is unique — it's governed by its own Act and DPDP's Section 17 government exemptions. At 55/100, the system processes 1.3B Indians' biometric data with dedicated legal protections, but the exemptions from DPDP create legitimate questions about citizen data rights, purpose limitation, and the permanence of biometric data.

Airtel scores 52/100, marginally better than Jio in transparency. However, the Airtel Ads business — which uses telecom subscriber data for targeted advertising — creates a fundamental DPDP tension. Telecom data collected for service delivery being used for advertising requires consent rearchitecture.

Tata 1mg handles prescription medicines, lab tests, and health content consumption — each revealing health conditions. At 48/100, the platform's e-commerce-style privacy approach is inadequate for what is effectively a health data processor. The Tata Group integration adds cross-entity data flow concerns.

Amazon India operates under a global privacy policy that benefits from mature US/EU compliance but lacks India-specific DPDP alignment. At 58/100, the combination of e-commerce, voice assistant (Alexa), payment (Amazon Pay), and entertainment (Prime Video) data creates a multi-dimensional profile — all flowing to US-headquartered infrastructure.

BigBasket's grocery data creates one of the most detailed household profiles in Indian commerce — diet, health needs, baby care, income bracket — all from weekly orders. As a Tata Group entity, the 43/100 score raises questions about enterprise data sharing and DPDP readiness across the conglomerate.

Dream11 processes some of the most sensitive behavioral data: gambling patterns, winning/losing streaks, deposit amounts, and withdrawal frequency. At 43/100, treating this gambling behavior data with standard privacy practices — while DPDP requires enhanced protections for data that reveals financial behavior and potential addiction patterns — creates significant risk.

Google India scores 63/100, reflecting world-class privacy infrastructure hampered by a global-first approach. Indian users' data across Search, Gmail, Maps, YouTube, and Android flows to US infrastructure under US jurisdiction — creating the fundamental tension that DPDP was designed to address.

Groww handles sensitive investment data including Demat holdings, mutual fund portfolios, and PAN details for 10Cr+ users. While SEBI compliance is strong, DPDP-specific alignment is missing — creating a dual compliance gap as both regulations apply simultaneously.

HDFC Bank scores 65/100 — the highest among all companies analyzed — benefiting from years of RBI compliance mandates. However, DPDP adds requirements beyond banking regulation: granular consent, Data Protection Board integration, expanded data principal rights, and controlled cross-selling data use.

Infosys scores 61/100 due to mature global privacy practices built for GDPR/CCPA. However, as India's second-largest employer in tech with 230K+ employees, its DPDP obligations extend to employee data processing — a dimension its global policy doesn't specifically address.

Meesho's social commerce model creates unique DPDP challenges — customer data is shared with individual resellers (data sub-processors?) with minimal governance. The 150M+ user platform's 41/100 score reflects fundamental data flow architecture issues that go beyond simple policy updates.

Myntra collects uniquely intimate data — body measurements, style preferences, and shopping behavior — making its 47/100 DPDP score particularly concerning. As a Flipkart subsidiary within the Walmart ecosystem, cross-border data flow adds another layer of risk.

Nykaa collects deeply personal beauty and health data — skin conditions, beauty routines, and facial scans for virtual try-on — yet treats it with the same casual privacy approach as generic e-commerce. At 44/100, the gap between data sensitivity and protection is concerning.

Ola's ride data creates a detailed movement diary — every trip reveals where you go, when, and how often. At 44/100, the platform's lack of location data retention timelines and expanded ecosystem (Ola Electric, Ola Financial) creates a concerning multi-dimensional profile without adequate DPDP protections.

Paytm's privacy policy is extensive but rooted in IT Act 2000 compliance rather than DPDP Act 2023. With 350M+ users' financial data at stake, the absence of explicit DPDP alignment — particularly around consent granularity, data principal rights, and Data Protection Board mechanisms — creates significant regulatory exposure.

PhonePe's privacy policy handles 500M+ users' financial data but scores poorly on DPDP alignment. As a Walmart subsidiary, its cross-border data sharing with global affiliates and vague retention policies create significant exposure under DPDP's stricter framework.

Practo handles India's most sensitive personal data — medical records, doctor consultations, prescriptions, and health histories — scoring 53/100 on DPDP alignment. While healthcare-specific awareness is present, the lack of DPDP-specific consent granularity and retention timelines for medical data creates critical regulatory exposure.

Rapido's bike taxi model creates unique privacy + physical safety risks — riders share personal space with captains who know their home address, phone number, and daily patterns. At 39/100, the combination of intimate location data, personal proximity, and minimal data governance creates one of the highest risk DPDP profiles.

Razorpay's privacy policy covers standard bases but lacks specific DPDP Act 2023 alignment. Key gaps include vague data retention timelines and missing references to the Data Protection Board grievance mechanism.

Swiggy's 46/100 DPDP score reflects a platform that collects intensely personal data — real-time location, food preferences (revealing dietary/religious patterns), and address history — without adequate DPDP safeguards. The delivery partner data sharing model adds significant processor accountability challenges.

Uber India scores highest in mobility at 59/100 — benefiting from its global privacy infrastructure. However, the one-size-fits-all global policy means Indian users' DPDP-specific rights and data localization requirements are not explicitly addressed. Indian data flowing to US infrastructure creates specific cross-border concerns.

Unacademy tracks learning behaviors, exam preparation patterns, and live class participation for millions of aspirants — many minors. At 42/100, the absence of DPDP Section 9 child protections and indefinite retention of learning data that reveals career ambitions creates significant compliance gaps.

WhatsApp processes communications for 500M+ Indians. At 51/100, while end-to-end encryption protects message content, metadata (who you talk to, when, how often) flows to Meta's global infrastructure. The 2021 privacy policy controversy showed Indian users care about data sharing — DPDP now gives them legal backing.

Zoho scores the second highest at 72/100, reflecting its genuinely privacy-first culture. The company famously rejected advertising-based models, uses no third-party trackers, and publishes transparent sub-processor lists. The gaps are primarily around adapting its GDPR-centric framework to DPDP-specific requirements.

Zomato's ecosystem — food delivery, Blinkit groceries, dining out, and Hyperpure B2B — creates a comprehensive consumer profile. At 50/100, the platform's policy is more detailed than competitors but still lacks DPDP alignment, especially around the expanded Blinkit data collection.