Overview
Bounce (Wickedride Adventure Services Pvt Ltd) has evolved from a bike-sharing app to an electric vehicle manufacturer. This means they handle a “triple threat” of sensitive data: Real-time GPS location tracking, KYC documents (Driving Licenses/Aadhaar), and Financial data for scooter bookings.
When a company knows exactly where you live, work, and travel, the Data Fiduciary (the company that decides how your data is used) must be extra careful. As a Data Principal (the person the data belongs to—you!), you deserve to know exactly how this info is being guarded.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
The current Bounce experience uses “bundled consent.” To use the scooter, you usually have to agree to a long list of permissions in one go. Under the DPDP Act, this is a big no-no.
What the policy says: Historically, Bounce uses a “by using our services, you agree” approach.
What the law requires: Notice must be a standalone document or a very clear section that explains exactly what data is being taken and why. You can’t hide it in a “Terms of Service” link at the bottom of a page.
The problem: If you can’t say “Yes to the ride, but No to selling my data to advertisers,” the consent isn’t freely given. Bounce needs to break these choices down into “Check/Uncheck” boxes.
Section 7 — Certain Legitimate Uses ⚠️
Bounce needs your location to make the scooter work—that’s fair. But the DPDP Act limits “Legitimate Use” (processing data without explicit consent) to very specific cases like medical emergencies or state functions.
The problem: Many mobility companies try to claim “business improvement” is a legitimate use to track you even when the app is closed. Under the new law, if it’s not essential for the ride, they must ask for your permission every single time.
Section 8 — Obligations of Data Fiduciary 🔴
A Data Fiduciary (Bounce) is legally responsible for everything their partners do with your data.
What the policy says: Most old-school policies say “We are not responsible for the actions of third-party links.”
What the law requires: Section 8 says the company is responsible. If Bounce sends your DL to a third-party verification service and that service leaks it, the government will come after Bounce, not just the partner.
The problem: There is no public commitment in their current text to notify users in case of a data breach, which is now a mandatory requirement under Section 8.
Section 9 — Data Retention 🔴
This is the “Delete Button” rule.
What the law requires: Once the purpose of the data is over (e.g., you finish your ride or close your account), the company must erase the data. They can’t keep your movement history forever “just in case.”
The problem: Bounce’s public documentation is silent on automated deletion. If you haven’t used the app in two years, they should technically be deleting your location history. Currently, they don’t tell you when that happens.
Section 11 — Rights of Data Principal ⚠️
As a Data Principal, you now have the “Right to be Forgotten.”
What the policy says: Usually, they provide a “help” email.
What the law requires: You must have a clear way to access, correct, or erase your data. You also have the Right to Nominate (Section 14)—picking someone to manage your data if you are no longer able to.
The problem: There is no “Privacy Dashboard” on the Bounce site. To exercise your rights, you shouldn’t have to chase a customer support agent who is trained to handle “scooter won’t start” calls, not “delete my data” requests.
Section 12 — Right of Grievance Redressal ⚠️
What the policy says: “Contact us at help@bounceinfinity.com.”
What the law requires: You need a formal grievance process. If the company doesn’t fix your privacy issue within a set time, you have the right to complain to the Data Protection Board of India.
The problem: A general support email is not enough. Bounce needs a Grievance Officer whose name and contact info are publicly listed, specifically for privacy complaints.
Section 16 — Cross-Border Data Transfer ✅
What the policy says: Not explicitly detailed in the marketing text provided.
The situation: Most Indian startups use AWS or Google Cloud. As long as the data stays in “trusted” countries (which the Indian government will list), they are safe. However, failing to mention where the data lives is a transparency gap.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory Fine | 🔴 High | Fines up to ₹250 Cr for failing to prevent a breach |
| Consent Quality | 🔴 High | Current “all-or-nothing” consent is legally invalid |
| Data Retention | ⚠️ Medium | Storing years of GPS data without a “kill date” |
| Public Trust | ⚠️ Medium | Users are becoming wary of apps that track them 24/7 |
Recommendations
- Fix the “Hidden Policy” issue: The privacy policy shouldn’t be a game of hide-and-seek. It needs to be one click away from the homepage.
- Implement an “Itemized Menu” for Consent: Let users opt-out of marketing while still being able to rent a scooter.
- Set a “Life-Span” for Data: Tell users: “We delete your exact GPS coordinates after 6 months and keep only anonymized data.”
- Appoint a Privacy Officer: Don’t bury privacy complaints in the “General Support” inbox.
- Add a “Delete My Account” button: Make it as easy to leave as it is to join. This is a core requirement for Section 11 compliance.
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.