Overview
Freshworks is a global SaaS company offering a suite of business software, from customer support to IT service management. With an active presence, including a registered entity in Chennai, India, Freshworks handles a vast amount of customer and user data. This analysis focuses on how their existing privacy policy, heavily influenced by Western regulations, measures up against India’s new DPDP Act, 2023.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
Freshworks’ policy relies on the broad acceptance of its terms for data collection. For many purposes, it cites “legitimate interests” or “contractual necessity.” While it mentions consent for marketing in the UK, EU, and Brazil, it does not explicitly seek “free, specific, informed, unconditional, and unambiguous” consent as required by DPDP Act Section 6 for India.
What the policy says: “By using our services, you agree to the collection and use of your information in accordance with this policy.” Also: “In the UK, EU and Brazil we will rely on your consent when sending marketing communications. Otherwise, it is in our legitimate interest to use your Personal Data for marketing purposes…”
DPDP requirement: Consent must be clearly sought for each specific purpose, and the Data Principal (the individual whose data is collected) must be able to withdraw it easily.
Gap: The policy bundles consent with service usage and defaults to “legitimate interest” for many activities without clear, opt-in mechanisms for Indian users.
Section 7 — Certain Legitimate Uses 🔴
Freshworks frequently states “legitimate interests” as its basis for processing data, including for providing services, recruitment, events, promotions, community forums, marketing (outside specific regions), personalized advertising, and service analytics.
What the policy says: “We process your Personal Data for these purposes based on our legitimate interests or a third party’s legitimate interest to ensure we provide our Services in an effective, safe and efficient way.”
DPDP requirement: The DPDP Act Section 7 defines “certain legitimate uses” very narrowly (e.g., medical emergency, state functions, employment). Most of Freshworks’ claimed legitimate interests (especially for marketing and general service improvement not tied to contractual obligations) would not qualify under this strict framework.
Gap: Over-reliance on “legitimate interest” for activities that would require explicit consent under DPDP.
Section 8 — Obligations of Data Fiduciary 🔴
The provided policy text mentions a section “6. HOW DOES FRESHWORKS KEEP PERSONAL DATA SECURE?” (in their quick links) but the detailed content for this critical section is missing from the provided text snippet. It ends abruptly before explaining specific security safeguards.
DPDP requirement: A Data Fiduciary (the entity collecting and processing data) must implement “reasonable security safeguards” to prevent data breaches.
Gap: Lack of detail on security safeguards in the provided text means we cannot assess compliance with DPDP’s security obligations.
Section 9 — Data Retention 🔴
The provided policy text contains a section heading “12. RETENTION OF PERSONAL DATA” but lacks any actual content detailing data retention periods.
DPDP requirement (Section 9): Data Fiduciaries must erase data once the purpose for its collection is fulfilled, or if consent is withdrawn, within a reasonable period. Specific retention policies are expected.
Gap: No specific retention periods are mentioned, leaving users in the dark about how long their data is kept.
Section 11 — Rights of Data Principal ⚠️
Freshworks acknowledges rights for users under GDPR, CCPA, and LGPD (e.g., access, correction, opting out). However, there is no specific mention of the rights granted to a Data Principal under the DPDP Act, such as the right to correction, erasure, or nomination.
What the policy says: “EEA, UK AND SWISS SPECIFIC RIGHTS”, “CALIFORNIA-RESIDENT SPECIFIC RIGHTS”, “BRAZILIAN GENERAL DATA PROTECTION LAW (LGPD)” are listed.
DPDP requirement: Data Principals have rights to access information, correct errors, erase data, and nominate another person to exercise these rights on their behalf (Section 14).
Gap: The policy needs to be updated to reflect DPDP-specific rights and the mechanisms for exercising them in India.
Section 12 — Right of Grievance Redressal 🔴
The policy’s quick links include “18. CONTACTING FRESHWORKS,” but the detailed content for grievance redressal, including contact for a Grievance Officer or escalation paths, is missing from the provided text.
DPDP requirement: A Data Fiduciary must have an easily accessible grievance redressal mechanism, including a designated Data Protection Officer or Grievance Officer, and clearly state the Data Protection Board of India as an escalation path.
Gap: No information on a specific grievance officer or the Data Protection Board of India as an escalation route is available in the provided text.
Section 16 — Cross-Border Data Transfer ⚠️
Freshworks states that data may be processed in countries where they are established (US, UK, EEA) and where third parties are based, adhering to DPF Principles (for EU/US/UK/Swiss transfers).
What the policy says: “We process Personal Data in the countries in which we are established, including the United States, the United Kingdom and the European Economic Area (‘EEA’) and in other countries where third parties that we may use are based.”
DPDP requirement (Section 16): Cross-border transfer of personal data is permitted only to countries explicitly notified by the Central Government.
Gap: The policy does not specify which countries data may be transferred to, nor does it acknowledge India’s specific requirement for government notification of permitted jurisdictions.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per instance under DPDP |
| Consent compliance | Critical | Invalid consent could affect all Indian users |
| Data retention | Critical | Undefined deletion policies for sensitive data |
| Data Principal rights | High | Incomplete or inaccessible rights framework |
| Grievance redressal | High | Lack of DPDP-aligned mechanism for complaints |
| Cross-border transfer | Medium | Pending government notification of allowed countries |
Recommendations
- Integrate DPDP Act 2023 explicitly — Update the policy to clearly reference the DPDP Act and explain compliance for Indian users.
- Implement layered, granular consent — Provide clear, specific, and opt-in consent options for various data processing activities, especially marketing and analytics, for Indian users.
- Define specific data retention periods — Clearly state how long different types of data are retained and when they will be erased.
- Add DPDP-specific Data Principal rights — Outline the rights of correction, erasure, and nomination under the DPDP Act and provide clear mechanisms for exercising them.
- Establish DPDP-compliant grievance process — Name a Grievance Officer for India and detail the escalation path, including the Data Protection Board.
- Clarify cross-border data transfers — Specify countries where data is transferred and ensure alignment with the Central Government’s notified list under DPDP Section 16.
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.