Compliance Database

ixigo is ahead of the curve by explicitly referencing the DPDP Act, but still relies on a 'take it or leave it' consent model. While they acknowledge your rights, the lack of specific deletion timelines and granular consent options remains a regulatory hurdle.

HealthifyMe relies on a 'bundled' consent model that likely fails the DPDP Act's strict requirement for specific and unconditional permission. While they prioritize security for sensitive health data, their broad data-sharing clauses and lack of a dedicated Indian grievance path create major legal risks.

HCL Technologies has proactively aligned its privacy framework with the Digital Personal Data Protection Act 2023. Unlike many Indian peers, HCL explicitly incorporates newer DPDP-specific rights, such as the Right to Nominate. While the policy is technically robust, improvements are needed in providing multi-lingual notices and clearly defining the external regulatory escalation path to the Data Protection Board.

Great Learning’s policy is a classic example of an EdTech firm clinging to 'implied consent' and vague retention timelines—both of which are now illegal under India's DPDP Act. While they are transparent about what they collect, the lack of granular control for the user creates a massive compliance gap.

Goibibo’s policy relies on outdated 'implied consent' models and lacks the specific transparency required by the DPDP Act. While they are clear about what they collect, their claim to sell user data and their vague deletion timelines pose significant compliance risks.

EaseMyTrip does a great job explaining *what* they collect, but falls short on the *how* of the new DPDP law. Their policy still relies on old-school bundled consent and lacks the specific deletion and grievance rights that Indian citizens now possess.

Druva is technically secure but legally outdated for India's new law. Its reliance on 'browse-wrap' consent and vague retention timelines creates major compliance risks under the DPDP Act.

Country Delight’s policy covers the basics of data collection but fails the 'Notice' and 'Control' tests of the DPDP Act. Its reliance on 'all-or-nothing' consent and lack of specific deletion timelines creates significant compliance risks for a company handling daily household location data.

CleverTap is clearly built for GDPR and CCPA compliance, but it currently ignores India's DPDP Act entirely. For a company with deep Indian roots, directing Indian users to the Bulgarian Data Protection Commission for complaints is a major regulatory oversight.

Cleartrip’s privacy policy remains heavily anchored in the pre-DPDP regulatory era. While it provides transparency regarding 'what' is collected, it fails the 'how' and 'why' standards of the DPDP Act 2023. Specifically, the lack of granular consent for non-essential processing (marketing vs. fulfillment) and the omission of new statutory rights like nomination and DPBI escalation represent significant compliance gaps for a major travel intermediary handling sensitive passport and financial data.

Classplus handles sensitive student data but its policy is stuck in the pre-2023 legal era. While its security tech is solid, the lack of verifiable parental consent and granular user controls creates significant legal risk under the new DPDP Act.

Chargebee maintains a high global standard of privacy, largely due to its GDPR and CCPA maturity. However, for Indian operations, it suffers from a 'compliance lag' regarding the DPDP Act 2023. Specifically, it misses India-specific nuances such as the Right to Nominate, the requirement for multi-lingual notices, and the statutory link to the Data Protection Board of India. While the data processing is secure, the legal framework is not yet localized for the Indian regulatory environment.

BrowserStack is well-prepared for GDPR, which gives them a head start, but their 'take-it-or-leave-it' consent model and lack of India-specific grievance paths leave them exposed under the DPDP Act.

Bounce handles high-risk data like your live location and government IDs, but their privacy framework is stuck in the past. Without clear, granular consent and DPDP-aligned deletion rules, they face massive liability under India's new law.

Blinkit’s privacy policy, last updated in January 2025, remains heavily influenced by the IT Act 2000 framework. While it provides high transparency regarding 'what' is collected, it fails the 'how' of DPDP Act 2023—specifically regarding granular consent, the right to be forgotten, and the new statutory rights of nomination. The reliance on 'implied consent' through platform usage is a high-risk area under the new regulatory regime.

MakeMyTrip's privacy policy, while detailed, is not aligned with the DPDP Act 2023 for Indian users. Significant gaps exist in consent mechanisms, data retention clarity, and Data Principal rights. This poses substantial compliance risks given the highly sensitive personal and financial data they handle for millions of travelers.

Lenskart's privacy policy is comprehensive in outlining data collection and security, but it doesn't explicitly reference the DPDP Act 2023. Significant gaps exist around granular consent, specific data retention periods, and a full DPDP-aligned framework for Data Principal rights and grievance redressal.

KreditBee's policy is built for RBI compliance but falls short of the DPDP Act 2023's strict consent standards. While they are transparent about *what* they take, they don't give users enough control over *how* that data is used beyond the loan application.

Kotak Mahindra Bank's privacy policy is geared towards traditional legal frameworks, not India's new DPDP Act, 2023. With vast amounts of sensitive financial data, the policy critically lacks DPDP-mandated granular consent, specific data retention timelines, and explicit data principal rights, creating significant regulatory risks.

Jupiter has a clean, readable policy but it still feels like it was written for the old laws. While they are transparent about what they take, they lack the specific 'delete-on-request' and 'granular consent' rules that the new Indian law demands.

JioMart’s policy is a classic example of 'old law' compliance, leaning heavily on the IT Act 2000. While it is transparent about what it collects, it fails the DPDP Act’s strict requirements for clear, affirmative consent and specific data deletion timelines.

Reliance Jio's privacy policy, while comprehensive in listing data categories, falls short on explicit DPDP Act 2023 alignment. Key areas like granular consent, specific data retention, and DPDP-mandated grievance escalation need significant updates to mitigate regulatory risk for its vast user base.

InMobi's global adtech operations entail extensive data processing, but its policy likely struggles with DPDP's strict consent and retention requirements. The reliance on broad terms for data use and cross-border transfers poses significant risks under the new Indian law.

IndusInd Bank's official privacy policy URL leads to a 'page not found' error, making it impossible to assess their DPDP Act 2023 readiness. This fundamental lack of an accessible privacy policy is a severe compliance gap, preventing customers from understanding how their sensitive financial data is collected, processed, and protected.

Indian Bank's 'IB Merchant App' privacy policy is foundational but largely fails DPDP Act 2023 requirements. Its lack of explicit DPDP alignment, especially around granular consent, data retention, and Data Principal rights, poses significant risks for merchant data.

IDBI Bank operates on a legacy privacy framework that prioritizes bank secrecy over modern data principal rights. While its security measures are robust, the lack of granular consent and the absence of clear deletion timelines create significant compliance gaps under the new DPDP Act.

ICICI Bank's Privacy Commitment is detailed but significantly lags in explicit alignment with the Digital Personal Data Protection Act 2023. While it outlines general data protection principles and security measures, the absence of specific DPDP Act references, bundled consent, vague data retention periods, and lack of DPDP-specific data principal rights and grievance mechanisms pose considerable regulatory compliance risks. Given its position as a major financial institution in India, a comprehensive update to reflect DPDP Act 2023 requirements, particularly around granular consent and data principal empowerment, is critical.

HDFC Bank's privacy policy is detailed regarding data collection and security standards, notably its ISO 27001:13 compliance. However, it currently lacks explicit alignment with the Digital Personal Data Protection Act 2023. Key areas requiring immediate attention for DPDP compliance include a more granular and 'freely given' consent mechanism, specific data retention periods, comprehensive detailing of all Data Principal rights (including nomination), clear grievance escalation to the Data Protection Board, and transparent cross-border data transfer policies. As a major financial institution handling sensitive personal data, updating its policy to explicitly reflect DPDP requirements is crucial to mitigate regulatory and reputational risks.

FirstCry's privacy framework is significantly misaligned with the DPDP Act 2023. As a platform primarily serving parents and children, its reliance on 'implicit' parental consent and the use of children's data (DOB/gender) for behavioral targeting and profiling creates severe regulatory risk. The policy requires a total overhaul to implement verifiable parental consent and unbundled consent mechanisms to avoid the Act's highest tier of penalties.

Fi Money offers a slick user experience, but its privacy framework remains stuck in the pre-DPDP era. While bank-grade security is a plus, the lack of specific consent controls and the current inaccessibility of policy pages create significant legal risks under the new Act.

Federal Bank's privacy policy is comprehensive on data collection and security but lacks critical alignment with the DPDP Act 2023. Key gaps include non-specific consent, undefined data retention, and absence of explicit Data Principal rights, leaving significant regulatory exposure for customer financial data.

Delhivery's privacy policy addresses core data collection and security for a logistics company, but lacks explicit DPDP Act 2023 alignment. Key areas like granular consent, data retention specifics, and comprehensive data principal rights need significant updates to mitigate regulatory risk.

Cult.fit's privacy policy, last updated in September 2021, predates the Digital Personal Data Protection Act 2023 and consequently exhibits significant compliance gaps. While it transparently outlines the categories of personal and sensitive data collected (including biometric and health information) and provides a contact for data modification/deletion, its consent framework is bundled with service terms, failing to meet the 'freely given,' specific, and granular requirements of DPDP Section 6. Critical omissions include a lack of defined data retention periods, absence of explicit DPDP Data Principal rights (such as nomination), and no clear mechanism for grievance redressal through the Data Protection Board. Furthermore, its blanket cross-border data transfer clause requires substantial revision to align with DPDP's stringent conditions. The policy's reliance on the older IT Act 2011 framework for security, while a baseline, is insufficient for the more robust security and accountability mandates of the DPDP Act 2023, especially given the sensitive nature of the data Cult.fit processes.

Zerodha maintains a robust privacy framework governed by SEBI regulations and the IT Act 2000. However, as of early 2026, the policy for its Coin platform remains in a 'transitional' state regarding the DPDP Act 2023. While security measures are top-tier, the policy fails to incorporate specific statutory rights like the Right to Nominate and fails the 'Notice' accessibility requirements regarding regional languages and granular consent management.

CarDekho's privacy policy, while detailing data collection and usage, has not yet explicitly aligned with the Digital Personal Data Protection Act 2023. Key areas such as granular consent, specific data retention periods, a clear mechanism for Data Principal rights (including nomination), and escalation to the Data Protection Board are missing. The policy's reliance on general consent for cross-border transfers and lack of explicit DPDP references pose significant compliance challenges given the new Indian data protection landscape.

Canara Bank's privacy policies for its website and mobile application are generally comprehensive regarding data collection and security under existing legal frameworks. However, they currently lack explicit alignment with the Digital Personal Data Protection Act 2023. Significant updates are needed, particularly around obtaining granular and freely given consent, detailing specific data retention periods, outlining the Data Protection Board as a grievance escalation channel, and addressing the full spectrum of Data Principal rights, including nomination. While the policies demonstrate a commitment to customer privacy, their current wording and framework may pose compliance challenges as the DPDP Act's provisions become fully enforceable.

BookMyShow's privacy policy is extensive and well-structured for pre-DPDP regulations, last updated in 2020. However, it falls short of DPDP Act 2023 requirements, particularly concerning valid consent, clear data retention periods, and specific cross-border transfer rules, creating significant compliance challenges for the large entertainment platform.

BharatPe's policy is built on the old 'I Agree' checkbox model which doesn't fly under India's new law. While they score well on keeping data in India, their consent process is too broad and lacks the control users are now legally entitled to.

Bajaj Finserv shows strong technical security but fails on the DPDP Act’s requirement for 'unbundled' consent. While their retention transparency is better than most, their control over your data remains heavily weighted in favor of the company rather than the individual.

Ather Energy's privacy policy demonstrates a foundational commitment to data security and transparency in collection. However, it lacks specific alignment with the stringent requirements of India's Digital Personal Data Protection Act 2023. Key areas needing significant enhancement include explicit DPDP Act reference, granular and explicit consent mechanisms, defined data retention periods, robust Data Principal rights frameworks, and clear grievance redressal processes that include the Data Protection Board. The current policy's reliance on general 'applicable laws' rather than DPDP-specific provisions creates potential regulatory exposure, especially concerning consent and data principal rights.

Angel One is ahead of the curve by explicitly referencing the DPDP Act 2023, but still struggles with 'bundled consent' where using the app implies you agree to everything. While their security is bank-grade, they need to give users more granular control over marketing and nomination rights.

Tata 1mg's privacy policy demonstrates a robust approach to data security and provides mechanisms for data principals to exercise certain rights, such as withdrawing consent. However, the policy currently lacks explicit alignment with several critical provisions of India's Digital Personal Data Protection Act 2023. Key areas requiring enhancement include the granularity of consent, clear definition of data retention periods, explicit mention of DPDP Act-mandated rights like nomination, and the escalation process to the Data Protection Board. Given the sensitive nature of health-related personal data processed by 1mg, precise DPDP compliance is essential to build and maintain user trust while navigating India's evolving data protection landscape.

Bank of Baroda's privacy policy is a generic, pre-DPDP document lacking specific compliance with the new Act. Its reliance on implied consent, vague security, and complete silence on critical user rights and data retention creates substantial regulatory risk for India's third-largest public sector bank.

Axis Bank's privacy policy, while detailing data types, largely pre-dates DPDP Act 2023 requirements. Major shortcomings include a lack of specific data retention periods, absence of explicit Data Principal rights, and reliance on bundled consent. These gaps create substantial regulatory exposure for one of India's largest banks.

Airtel's privacy policy, updated in June 2024, makes an effort towards transparency but doesn't fully align with the DPDP Act 2023. Key gaps include ambiguous data retention, lack of explicit cross-border transfer details, and broadly defined legitimate uses which could fall short of DPDP's specific consent requirements.

Infosys's global privacy policy is extensive but lacks explicit alignment with India's DPDP Act 2023. Its broad use of 'legitimate interest' and vague data retention periods create significant DPDP compliance risks, alongside an incomplete framework for Data Principal rights and grievance escalation specific to India.

Groww's provided privacy policy text is incredibly sparse, acting more as a placeholder than a comprehensive statement. For a major fintech player handling sensitive financial data, this complete lack of detail regarding consent, data principal rights, security, and retention under the DPDP Act 2023 presents extreme regulatory and reputational risk.

Freshworks' privacy policy, with a future effective date of July 2025, is primarily tailored for international laws like GDPR and CCPA. Despite having an Indian entity, the policy completely omits the DPDP Act 2023, broadly claims 'legitimate interests' for many processing activities, and lacks critical details on data retention and security measures (in the provided text), exposing its Indian operations to significant DPDP non-compliance risks.

CRED's privacy policy strongly emphasizes user consent and robust security, including RBI data localization for payment data. However, it requires clearer DPDP alignment regarding truly 'freely given' consent, specific data retention timelines, comprehensive Data Principal rights, and the Data Protection Board as a grievance escalation channel.

Apollo 24/7's privacy policy is detailed about data collection but remains largely anchored to the IT Act 2000 and SPDI Rules. Given it handles highly sensitive medical data, the lack of explicit DPDP Act 2023 alignment, especially concerning granular consent, specific data retention, and DPB redressal, poses significant compliance risks.

Upstox, handling investment data for 1Cr+ users, scores 50/100 on DPDP readiness. Like Zerodha and Groww, SEBI compliance provides a baseline, but DPDP adds consent granularity and data rights requirements beyond what securities regulation demands. API trading users create additional data governance challenges.

Tata Neu is India's most ambitious data aggregation play — combining flights (Air India), hotels (IHCL), groceries (BigBasket), medicines (1mg), luxury (Tanishq), insurance (Tata AIG), and more into one profile via NeuPass. At 44/100, aggregating consumer behavior across 20+ Tata companies under a single privacy policy creates the country's most comprehensive consumer profile.

PolicyBazaar collects detailed health questionnaires, income declarations, and family histories — then shares this with 50+ insurance partners simultaneously. At 46/100, the broadcast-style data sharing model where your health conditions are sent to dozens of insurers creates a DPDP consent nightmare.

OYO processes some of the most personally revealing hospitality data: ID documents, stay patterns, co-guest information, and room preferences — all shared with individual hotel owners. At 40/100, the platform's franchise model creates a data governance vacuum where guest PII flows to thousands of independent hotel operators with minimal oversight.

Matrimony.com collects India's most sensitive personal data categories: caste, religion, income, family background, physical appearance, horoscope details, and disability status. At 41/100, the platform processes data that reveals every protected characteristic under DPDP — creating the highest concentration of sensitive data of any platform analyzed.

Housing.com's property search data reveals income brackets, family stage, geographic preferences, and investment capacity — shared with dozens of broker partners. At 42/100, the platform's broadcast model to real estate agents creates DPDP consent issues similar to PolicyBazaar's insurance model.

cult.fit collects intimate health data — heart rate, body measurements, workout capacity, injury history, and mental health content engagement — processing what is effectively continuous health monitoring. At 42/100, treating this health data with consumer app privacy standards instead of health data protections creates significant DPDP exposure.

Aadhaar is unique — it's governed by its own Act and DPDP's Section 17 government exemptions. At 55/100, the system processes 1.3B Indians' biometric data with dedicated legal protections, but the exemptions from DPDP create legitimate questions about citizen data rights, purpose limitation, and the permanence of biometric data.

Flipkart's privacy policy is comprehensive in scope but relies on pre-DPDP frameworks. Key concerns include bundled consent, broad third-party sharing provisions, and no specific DPDP Act alignment.

Amazon India operates under a global privacy policy that benefits from mature US/EU compliance but lacks India-specific DPDP alignment. At 58/100, the combination of e-commerce, voice assistant (Alexa), payment (Amazon Pay), and entertainment (Prime Video) data creates a multi-dimensional profile — all flowing to US-headquartered infrastructure.

BigBasket's grocery data creates one of the most detailed household profiles in Indian commerce — diet, health needs, baby care, income bracket — all from weekly orders. As a Tata Group entity, the 43/100 score raises questions about enterprise data sharing and DPDP readiness across the conglomerate.

Google India scores 63/100, reflecting world-class privacy infrastructure hampered by a global-first approach. Indian users' data across Search, Gmail, Maps, YouTube, and Android flows to US infrastructure under US jurisdiction — creating the fundamental tension that DPDP was designed to address.

Meesho's social commerce model creates unique DPDP challenges — customer data is shared with individual resellers (data sub-processors?) with minimal governance. The 150M+ user platform's 41/100 score reflects fundamental data flow architecture issues that go beyond simple policy updates.

Myntra collects uniquely intimate data — body measurements, style preferences, and shopping behavior — making its 47/100 DPDP score particularly concerning. As a Flipkart subsidiary within the Walmart ecosystem, cross-border data flow adds another layer of risk.

Nykaa collects deeply personal beauty and health data — skin conditions, beauty routines, and facial scans for virtual try-on — yet treats it with the same casual privacy approach as generic e-commerce. At 44/100, the gap between data sensitivity and protection is concerning.

Ola's ride data creates a detailed movement diary — every trip reveals where you go, when, and how often. At 44/100, the platform's lack of location data retention timelines and expanded ecosystem (Ola Electric, Ola Financial) creates a concerning multi-dimensional profile without adequate DPDP protections.

Paytm's privacy policy is extensive but rooted in IT Act 2000 compliance rather than DPDP Act 2023. With 350M+ users' financial data at stake, the absence of explicit DPDP alignment — particularly around consent granularity, data principal rights, and Data Protection Board mechanisms — creates significant regulatory exposure.

PhonePe's privacy policy handles 500M+ users' financial data but scores poorly on DPDP alignment. As a Walmart subsidiary, its cross-border data sharing with global affiliates and vague retention policies create significant exposure under DPDP's stricter framework.

Practo handles India's most sensitive personal data — medical records, doctor consultations, prescriptions, and health histories — scoring 53/100 on DPDP alignment. While healthcare-specific awareness is present, the lack of DPDP-specific consent granularity and retention timelines for medical data creates critical regulatory exposure.

Rapido's bike taxi model creates unique privacy + physical safety risks — riders share personal space with captains who know their home address, phone number, and daily patterns. At 39/100, the combination of intimate location data, personal proximity, and minimal data governance creates one of the highest risk DPDP profiles.

Razorpay's privacy policy covers standard bases but lacks specific DPDP Act 2023 alignment. Key gaps include vague data retention timelines and missing references to the Data Protection Board grievance mechanism.

Swiggy's 46/100 DPDP score reflects a platform that collects intensely personal data — real-time location, food preferences (revealing dietary/religious patterns), and address history — without adequate DPDP safeguards. The delivery partner data sharing model adds significant processor accountability challenges.

Uber India scores highest in mobility at 59/100 — benefiting from its global privacy infrastructure. However, the one-size-fits-all global policy means Indian users' DPDP-specific rights and data localization requirements are not explicitly addressed. Indian data flowing to US infrastructure creates specific cross-border concerns.

Unacademy tracks learning behaviors, exam preparation patterns, and live class participation for millions of aspirants — many minors. At 42/100, the absence of DPDP Section 9 child protections and indefinite retention of learning data that reveals career ambitions creates significant compliance gaps.

WhatsApp processes communications for 500M+ Indians. At 51/100, while end-to-end encryption protects message content, metadata (who you talk to, when, how often) flows to Meta's global infrastructure. The 2021 privacy policy controversy showed Indian users care about data sharing — DPDP now gives them legal backing.

Zoho scores the second highest at 72/100, reflecting its genuinely privacy-first culture. The company famously rejected advertising-based models, uses no third-party trackers, and publishes transparent sub-processor lists. The gaps are primarily around adapting its GDPR-centric framework to DPDP-specific requirements.

Zomato's ecosystem — food delivery, Blinkit groceries, dining out, and Hyperpure B2B — creates a comprehensive consumer profile. At 50/100, the platform's policy is more detailed than competitors but still lacks DPDP alignment, especially around the expanded Blinkit data collection.