Automotive E-commerce

CarDekho (Girnar Software Private Limited)

Ready Score 48/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 12 Mar 2026

CarDekho's privacy policy, while detailing data collection and usage, has not yet explicitly aligned with the Digital Personal Data Protection Act 2023. Key areas such as granular consent, specific data retention periods, a clear mechanism for Data Principal rights (including nomination), and escalation to the Data Protection Board are missing. The policy's reliance on general consent for cross-border transfers and lack of explicit DPDP references pose significant compliance challenges given the new Indian data protection landscape.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference — earlier versions implicitly operate under the IT Act 2000 framework, and the most recent policy still makes no explicit reference to the DPDP Act.
  • Consent mechanism appears bundled with service terms, not 'freely given' per Section 6; acceptance of policy implies consent.
  • Data retention period undefined — uses 'as long as necessary' and 'to comply with legal obligations' language.
  • No mention of Data Protection Board grievance escalation as required by DPDP Act 2023.
  • Cross-border transfer provisions lack specificity on restricted jurisdictions or adequacy assessments under Section 16.
  • Nomination rights under Section 14 not addressed.
  • Mechanisms for Data Principal rights (access, correction, erasure) are not clearly outlined for self-service or explicit DPDP compliance.

✅ Strengths

  • Comprehensive data collection disclosure — categories clearly listed including personal and non-personal information.
  • General security safeguards are mentioned, including steps to ensure data is treated securely.
  • Purpose for data collection is broadly defined, linking to service provision and improvement.

Overview

CarDekho (operated by Girnar Software Private Limited) is a prominent automotive e-commerce platform in India, facilitating vehicle sales, financing, and related services. It handles a significant volume of personal and non-personal data from its users. The current privacy policy, updated in November 2025, details how user information is collected, used, and processed.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent & Notice 🔴

CarDekho’s privacy policy indicates that by using its services, users agree to the collection and use of their information in accordance with the policy. The latest policy also states, “Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.” This suggests a bundled consent mechanism, where acceptance of the terms of service or continued use implies consent. This approach does not fully meet DPDP’s “freely given, specific, informed, and unconditional” standard under Section 6, which requires a clear affirmative action for each specific purpose.

What the policy says: “Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.” (This clause refers to data transfer, but earlier versions apply the same implied-consent pattern to data processing in general.)

DPDP requirement: Consent must be free, specific, informed, unconditional, and unambiguous with a clear affirmative action, given for a specific purpose, and can be withdrawn at any time.

Gap: The policy lacks granular consent options, meaning users cannot selectively consent to different processing activities. There is no explicit mechanism for demonstrating “freely given” consent separate from general service agreement.

Section 7 — Certain Legitimate Uses ⚠️

The policy lists various purposes for data use, including providing and maintaining services, managing accounts, performing contracts, and internal analysis. While some of these align with service necessity, others like “monitoring the usage of our Service” or general “internal analysis purposes” might be broadly interpreted. Under DPDP, legitimate uses (Section 7) are narrowly defined, generally covering voluntary provision by the data principal, state functions, medical emergencies, and employment.

Gap: While core service provision might qualify, the policy’s broad justification for “internal analysis” or general “monitoring” may need to be more precisely aligned with DPDP’s narrower scope of legitimate uses, or be explicitly covered by specific consent.

Section 8 — Obligations of Data Fiduciary ✅

The policy generally states that the Company will take “all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy”. While it doesn’t detail specific technical and organizational measures (like encryption or access controls) within the provided snippets, it indicates a commitment to security. Earlier policy versions mention “industry standards” for protecting personal information.

Strength: The policy acknowledges the responsibility to maintain data security, which aligns with Section 8’s requirement for reasonable security safeguards.

Section 9 — Data Retention 🔴

Critical gap. The policy uses vague language regarding data retention: “The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.”

DPDP requirement (Section 9): Data shall be erased when consent is withdrawn or the purpose is fulfilled. The Data Fiduciary must ensure data is erased within a reasonable period.

Gap: No specific retention periods or criteria for automated deletion are mentioned. This lack of clear timelines for data erasure is a significant non-compliance point with the DPDP Act.

Section 11 — Rights of Data Principal ⚠️

The snippets provided do not explicitly detail the comprehensive rights of Data Principals as outlined in DPDP Act Section 11 (right to access, correction, erasure, etc.) or Section 14 (right to nominate). While many privacy policies generally allow for data access/correction requests, the policy doesn’t specify the mechanisms in a DPDP-compliant manner, such as a self-service portal or a clearly defined process for exercising these rights.

Partial compliance: The policy doesn’t explicitly mention or clearly delineate the specific rights of the Data Principal as mandated by the DPDP Act, nor does it address the right to nominate.

Section 12 — Right of Grievance Redressal ⚠️

While CarDekho likely has a grievance officer (common for Indian companies), the provided snippets from the privacy policy do not mention a specific grievance officer or, critically, the Data Protection Board of India (DPBI) as an escalation path. The DPDP Act requires the Data Fiduciary to clearly publish the contact details of a Data Protection Officer or a person who is able to answer on behalf of the Data Fiduciary and details for complaining to the Data Protection Board.

Gap: The absence of a clear mention of the Data Protection Board as an escalation route for grievances and specific contact information for a DPDP-compliant grievance officer is a notable omission.

Section 16 — Cross-Border Data Transfer ⚠️

The policy states, “no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.” It also mentions that user consent to the privacy policy implies agreement to data transfer. However, it does not specify the countries to which data may be transferred, nor does it refer to the Central Government’s list of permitted jurisdictions as required by DPDP Section 16.

Gap: Under DPDP Section 16, cross-border transfer is permitted only to countries notified by the Central Government. The policy’s blanket statement, without specifying jurisdictions or outlining DPDP-mandated safeguards for such transfers, falls short of the Act’s requirements.

Risk Assessment

Category                        Risk Level
Consent & Notice                High 🔴
Legitimate Uses                 Medium 🟠
Obligations of Data Fiduciary   Low-Medium 🟡
Data Retention                  High 🔴
Rights of Data Principal        High 🔴
Grievance Redressal             High 🔴
Cross-Border Data Transfer      High 🔴

CarDekho handles significant personal data, including financial and vehicle-related information. The current privacy policy, despite its recent update, lacks explicit adherence to the DPDP Act 2023. The most critical risks stem from the absence of granular consent mechanisms, undefined data retention periods, insufficient detail on Data Principal rights and their exercise, and the lack of explicit reference to the Data Protection Board for grievance redressal. The cross-border data transfer clause also needs significant revision to comply with Section 16 of the Act. Failure to update these aspects can lead to substantial regulatory penalties and reputational damage.
