Overview
CRED is a prominent Indian fintech platform primarily known for credit card bill payments and premium rewards. As it handles highly sensitive financial data — credit scores, transaction details, payment history, and associated personal information — its privacy policy needs to be fully compliant with the new Digital Personal Data Protection (DPDP) Act, 2023.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ⚠️
CRED states that “it starts with your consent. your consent holds absolute power.” This is a strong start. The policy also mentions users can “revoke our access to your data anytime by changing your permission settings.” However, there’s a catch:
What the policy says: “however, revoking access to crucial permissions may cause certain side effects: some features may not work as expected or may even be unavailable for your use.”
DPDP requirement: Consent must be free, specific, informed, and unconditional. It must be given for a specific purpose and can be withdrawn at any time without undue negative consequences.
The problem: If revoking consent for certain data processing leads to features becoming unavailable, the consent isn’t truly “freely given.” It implies a bundled, “take it or leave it” approach for core functionalities, which is a key issue under DPDP.
Section 7 — Certain Legitimate Uses ✅
The provided policy text does not broadly claim “legitimate uses” for processing data without explicit consent for purposes like marketing or personalization. The only mention of processing without explicit, active consent is for data retention “as required by applicable laws,” which generally aligns with DPDP’s legitimate uses.
Strength: CRED avoids making broad claims for “legitimate uses” that fall outside the narrow definitions of the DPDP Act, such as for “improving services” or “personalization” without consent.
Section 8 — Obligations of Data Fiduciary ✅
CRED demonstrates a strong commitment to data security, aligning well with Section 8’s requirement for a Data Fiduciary (the entity determining why and how data is processed, in this case, CRED) to implement “reasonable security safeguards.”
What the policy says: “security comes first… We use strong physical, administrative, and technical safeguards to protect your data from unauthorized access, use, and disclosure… CRED is in compliance with ISO 27701:2019 and 27001:2022 standards.”
Strength: Explicitly lists types of safeguards, mentions ISO certifications (international standards for privacy and information security management), and states data is “anonymized or pseudonymized wherever possible.”
Section 9 — Data Retention ⚠️
The policy mentions the right to request deletion, but gives only vague details on how long data is otherwise kept.
What the policy says: “You can also request the deletion of your data. In certain cases, CRED and relevant third parties may retain the data as required by applicable laws. read more about that here.”
DPDP requirement (Section 9): Data shall be erased when consent is withdrawn or the purpose for which it was collected is fulfilled. The Data Fiduciary must ensure data is erased within a reasonable period, or explicitly state the retention period.
The problem: While legal retention is legitimate, the policy doesn’t specify how long data is retained when no legal mandate applies, or after the initial purpose is fulfilled. The “read more about that here” link needs to provide clear, specific timelines to be compliant.
Section 11 — Rights of Data Principal ⚠️
The policy acknowledges the right to revoke consent and request deletion. However, a Data Principal (the individual whose data is being processed) has more rights under DPDP.
DPDP requirement: Data Principals have rights including access to their data, correction, erasure, and the right to nominate another person to exercise these rights on their behalf (Section 14).
The problem: The policy does not explicitly mention the right to access one’s data or the right to correction. It also omits the crucial nomination right under Section 14, which allows individuals to designate someone to act on their behalf after their demise or incapacity.
Section 12 — Right of Grievance Redressal ⚠️
CRED provides a path for grievance redressal, but it’s not fully aligned with DPDP.
What the policy says: “for any concerns… reach out to us via our support channels here. if your issue remains unresolved, you can escalate it to our grievance officer (Mr. Atul Patro) by clicking the button below.”
DPDP requirement: A Data Principal has the right to complain to a Grievance Officer and, if unsatisfied, escalate the matter to the Data Protection Board of India. Response timelines (e.g., 30 days) are also expected.
The problem: While a Grievance Officer is named, the policy does not mention the Data Protection Board as an escalation path. There are also no explicit commitments for response timelines.
Section 16 — Cross-Border Data Transfer ✅
CRED provides strong assurances regarding data localization for payments data.
What the policy says: “we meet RBI’s data localization rules, ensuring that all payment data is securely stored within India.”
DPDP requirement (Section 16): Transfer of personal data outside India is only permitted to countries notified by the Central Government.
Strength: Explicitly stating compliance with RBI data localization rules for payment data is a significant strength.
A note on ambiguity: While strong on payment data localization, the policy doesn’t explicitly clarify whether any other types of data (e.g., non-payment analytics or anonymized data) are transferred cross-border, and if so, what safeguards are in place for them. That said, the emphasis on localization suggests in-India processing is the default.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent compliance | High | Fines up to ₹250 Cr if bundled consent challenged |
| Data retention | High | Regulatory action for indefinite data storage |
| Data principal rights | Medium | User complaints, potential penalties for non-compliance |
| Grievance redressal | Medium | Users bypass internal process, directly escalate to DPB (if they know about it) |
| Reputational impact | Medium | Loss of trust if perceived as non-compliant |
Recommendations
- Refine consent mechanism: Clearly separate consent for essential service features from optional data uses (e.g., marketing, analytics). Ensure users can withdraw consent for optional uses without impacting core service functionality.
- Define specific retention periods: For each category of data, clearly state how long it will be retained, citing legal mandates where applicable, and a default “max X months after account closure” otherwise.
- Expand Data Principal rights: Explicitly state all rights under DPDP (access, correction, erasure, nomination) and how users can exercise them through self-service or support channels.
- Add Data Protection Board escalation: Clearly state that if a user is unsatisfied with the Grievance Officer’s resolution, they can escalate the complaint to the Data Protection Board of India.
- Clarify cross-border transfers: If any non-payment data is transferred outside India, explicitly disclose the types of data, the countries involved, and the safeguards in place.
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.