Blinkit

Ready Score: 58/100
Author: Sushant Pasumarty
Analysis supervised by: Sushant Pasumarty
Date: 2 Apr 2026

Blinkit’s privacy policy, last updated in January 2025, remains heavily influenced by the IT Act 2000 framework. While it provides high transparency regarding 'what' is collected, it fails the 'how' of DPDP Act 2023—specifically regarding granular consent, the right to be forgotten, and the new statutory rights of nomination. The reliance on 'implied consent' through platform usage is a high-risk area under the new regulatory regime.

⚠️ Compliance Gaps

  • Consent is 'deemed' by continued use — violates the Section 6 requirement for an affirmative action
  • No provision for the Right to Nominate (Section 14) in case of death or incapacity
  • Notice is not made available in the 22 scheduled languages as required by Section 5(3)
  • Data retention periods are vague ('as long as necessary') — lacks the erasure clarity Section 9 demands
  • No explicit mention of the Data Protection Board (DPB) as the escalation path for grievances
  • Bundled consent for multiple purposes (delivery, marketing, analytics) without granular opt-outs

✅ Strengths

  • Explicit naming of a Data Protection Officer (DPO) with dedicated email contact
  • Detailed classification of data types collected (device info, location, SMS logs for fraud)
  • Clear disclosure of third-party sharing categories (Sellers, Brands, Service Providers)
  • Strong security framework referencing PCI-DSS and encryption standards

Overview

Blinkit (Blink Commerce Private Limited), a subsidiary of Zomato, operates in the high-frequency quick commerce sector. It processes high volumes of sensitive personal data, including real-time precise location, financial identifiers, and consumption patterns. As of April 2026, while the policy has seen incremental updates, it has not yet achieved full “Privacy by Design” alignment with the DPDP Act 2023.

DPDP Readiness: Section-by-Section Analysis

Section 5 — Notice ⚠️

Blinkit provides a standard privacy policy, but it lacks the DPDP-mandated “Notice” format.

Gap: Under Section 5, a notice must accompany every consent request, detailing the data collected and the purpose. Crucially, Section 5(3) requires that the notice be available in English and any of the 22 languages specified in the Eighth Schedule to the Constitution. Blinkit currently only provides a singular English policy.

Section 6 — Consent ⚠️

Critical Risk: Blinkit’s policy states: “By accessing or using its Services… you agree to this privacy policy and you are consenting to Blinkit’s collection…”

DPDP Requirement: Consent must be free, specific, informed, unconditional, and an unambiguous affirmative action.

Analysis: “Deemed consent” through usage is no longer valid for most commercial processing. Blinkit bundles delivery fulfillment consent with marketing and third-party data sharing. To comply, they must implement a “Consent Manager” interface or layered checkboxes.

Section 8 — Obligations of Data Fiduciary ✅

Blinkit shows strength in its technical safeguards.

  • Accuracy: They provide mechanisms for users to update profiles.
  • Security: The policy details physical and electronic safeguards, and specifically mentions PCI-DSS compliance for payment data handled by third parties.
  • Data Processor Accountability: They contractually require third parties to maintain confidentiality, aligning with Section 8(1).

Section 9 — Data Retention ⚠️

Gap: The policy states data is kept “for as long as necessary to provide services.”

DPDP Requirement: Section 9 requires the Data Fiduciary to erase personal data as soon as the purpose for which it was collected is no longer served, or when consent is withdrawn.

Analysis: Blinkit lacks a “Data Retention Schedule” or a clear “Right to Erasure” (Right to be Forgotten) workflow that defines the “reasonable period” for deletion after account inactivity.

Section 11, 12 & 13 — Rights of Data Principal ⚠️

The policy acknowledges the right to review and correct data, but is missing the newer DPDP rights:

  • Right to Nominate (Section 14): No mention of allowing a user to nominate another individual to exercise their rights in the event of death or incapacity.
  • Right of Grievance Redressal: While a DPO is listed (privacy@blinkit.com), the policy does not inform users of their statutory right to escalate unresolved grievances to the Data Protection Board of India (DPBI).

Section 16 — Cross-Border Data Transfer ⚠️

The policy mentions that information may be “stored and processed in any country where we have facilities or hire service providers.”

Gap: Section 16 restricts transfers to certain countries or territories as notified by the Central Government. Blinkit’s blanket clause is too broad and may violate future “negative list” restrictions or specific localization requirements for certain data subsets.

Risk Assessment

| Category              | Risk Level | Impact                                                                  |
|-----------------------|------------|-------------------------------------------------------------------------|
| Consent Architecture  | High       | Fines up to ₹250 Cr for failing to take “affirmative” consent.          |
| Data Principal Rights | Medium     | Exposure to DPB complaints due to lack of nomination and erasure rights. |
| Notice Compliance     | High       | Multi-lingual notice is a hard requirement often overlooked.            |
| Security/Breach       | Low        | Robust existing infrastructure and DPO appointment.                     |

Final Analyst Note: Blinkit must move away from “Terms of Use” style privacy agreements toward a dynamic Consent Management Framework. The most urgent priorities are the implementation of a multi-lingual notice and a specific “Withdrawal of Consent” UI that is as easy as the “Give Consent” process.
