Overview
Groww is a prominent fintech platform in India, allowing users to invest in stocks, mutual funds, and other financial instruments. Given its role in managing significant amounts of personal and financial data (KYC documents, transaction history, investment portfolios), a robust and transparent privacy policy is paramount. However, the provided policy text is exceptionally brief, offering almost no substantive details on how user data is actually handled under the DPDP Act.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
The policy merely states it “specifies the manner in which personal data and other information are collected.” It does not describe any consent mechanism or how notice is provided.
What the policy says: “This Privacy Policy specifies the manner in which personal data and other information are collected, received, stored, processed, disclosed, transferred, dealt with or otherwise handled by the Company.”
DPDP requirement: Consent must be free, specific, informed, and unambiguous. Notice must describe the personal data to be collected and the purpose of processing.
The problem: Without explicit detail, users cannot know if their consent is genuinely “freely given” for specific purposes. The provided text offers no such assurance.
Section 7 — Certain Legitimate Uses 🔴
The provided policy text does not address “Certain Legitimate Uses” (now called Legitimate Uses) as defined by the DPDP Act.
DPDP requirement: Data Fiduciaries can process data without consent only for specific, limited purposes like medical emergencies, state functions, or voluntary provision by the Data Principal.
The problem: Any processing by Groww outside of explicit consent would be a major compliance gap, and the policy provides no information on this.
Section 8 — Obligations of Data Fiduciary 🔴
The policy text does not contain any details regarding data security safeguards or other obligations of a Data Fiduciary.
DPDP requirement: A Data Fiduciary (Groww, in this case) must implement “reasonable security safeguards” to prevent data breaches, ensure the completeness and accuracy of the personal data it processes, and notify the Data Protection Board and affected Data Principals in case of a breach.
The problem: The complete absence of information on security measures leaves users in the dark about how their sensitive financial data is protected.
Section 9 — Data Retention 🔴
The policy completely lacks any information on how long Groww retains user data.
DPDP requirement (Section 9): Data Fiduciaries must erase personal data once the purpose for which it was collected is met, or when consent is withdrawn. Data Principals have the right to request erasure.
The problem: Without defined retention periods, Groww could be holding onto sensitive financial data indefinitely, creating significant risk for both the company and its users.
Section 11 — Rights of Data Principal 🔴
The policy text does not mention any rights available to the Data Principal (the user).
DPDP requirement: Data Principals have several rights, including the right to access information, correct data, erase data, and nominate another person to exercise these rights on their behalf.
The problem: Users have no explicit guidance on how they can exercise their statutory rights regarding their personal data held by Groww.
Section 12 — Right of Grievance Redressal 🔴
The provided policy text does not outline any grievance redressal mechanism. While a “Contact Us” link exists on the page, the policy itself is silent on a dedicated process.
DPDP requirement: Data Fiduciaries must establish an effective mechanism for Data Principals to register grievances, typically involving a Grievance Officer and a clear escalation path to the Data Protection Board.
The problem: Based on the provided policy, users facing data-related issues would not know the formal steps to take or whom to contact.
Section 16 — Cross-Border Data Transfer 🔴
The policy only generally mentions data being “disclosed, transferred, dealt with or otherwise handled by the Company.” It makes a vague mention of “excluding the group companies, affiliates and subsidiary companies” for third-party information, but provides no specifics on cross-border data transfers.
DPDP requirement (Section 16): Personal data can only be transferred outside India to countries specifically notified by the Central Government, or based on other conditions specified by the law.
The problem: Without explicit details, users have no idea if their data is being sent abroad, to which countries, or under what safeguards, posing a significant compliance gap.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | Critical | Up to ₹250 Cr per instance for compliance failure |
| Consent compliance | Critical | Default processing without valid consent invalidates data collection |
| Data retention | Critical | Indefinite retention of financial data creates a major liability |
| Cross-border transfer | High | Potential fines and regulatory action if data leaves India without approval |
| Data principal rights | High | Inability to exercise rights leads to user distrust and complaints |
| Data security | Critical | Undefined safeguards risk severe breaches and fines |
Recommendations
- Develop a comprehensive privacy policy: Replace the current placeholder with a detailed policy outlining all aspects of data handling as required by DPDP.
- Implement explicit consent mechanisms: Introduce granular, opt-in consent for different data processing activities (e.g., core service, marketing, analytics).
- Define specific data retention periods: Clearly state how long each category of data (e.g., transaction logs, KYC documents, marketing data) will be retained.
- Outline Data Principal rights: Detail how users can exercise their rights to access, correct, erase, and nominate under Sections 11 and 14 of the DPDP Act.
- Establish a clear grievance redressal process: Name a Grievance Officer, provide contact details, and include the Data Protection Board as an escalation path.
- Disclose cross-border transfer specifics: If data is transferred abroad, clearly state the countries and the safeguards in place.
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.