A Project by Meridian Bridge Strategy
Book Consultation
E-commerce

Myntra

Ready Score 47/100
Functional Gaps vs Industry Avg: 49
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 9 Feb 2026

Executive Summary

Myntra collects uniquely intimate data — body measurements, style preferences, and shopping behavior — making its 47/100 DPDP score particularly concerning. As a Flipkart subsidiary within the Walmart ecosystem, cross-border data flow adds another layer of risk.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference — relies on IT Act 2000
  • Extensive third-party ad tracking with limited user control
  • Body measurement and size data collection raises sensitive data concerns
  • No specific data retention timelines
  • Data Protection Board not mentioned in grievance mechanism
  • Cross-border data transfer to Flipkart/Walmart entities unaddressed
  • No consent withdrawal mechanism for behavioral tracking

✅ Strengths

  • Cookie preference center available
  • Clear data categories listed including purchase history
  • Security measures including encryption mentioned

Overview

Myntra, India’s largest fashion e-commerce platform, collects uniquely personal data compared to general e-commerce. Beyond standard purchase history, Myntra gathers body measurements (for size recommendations), style preferences, fashion behavior patterns, and increasingly, image data (virtual try-on features). This intimate data profile makes DPDP compliance critically important.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent & Notice 🔴

Myntra’s consent mechanism is bundled: “By using Myntra, you agree to the collection and use of your information.”

Unique concern for Myntra: The platform collects potentially sensitive personal data:

  • Body measurements (height, weight, waist, chest)
  • Style preference algorithms
  • Image data from virtual try-on features
  • Browsing and wishlist behavior

Under DPDP, this level of personal profiling — especially body measurement data — should require explicit, purpose-specific consent, not a blanket acceptance.

Section 7 — Certain Legitimate Uses ⚠️

Myntra processes data for advertising personalization and shares behavioral data with Flipkart’s advertising ecosystem. This extends well beyond legitimate use provisions under DPDP.

Gap: Fashion recommendation algorithms that profile body types and spending patterns don’t qualify as “legitimate use” under Section 7 — they require explicit consent.

Section 8 — Obligations of Data Fiduciary ⚠️

Standard security measures described including encryption and access controls. However:

  • No mention of data protection impact assessments for high-risk processing (body data, image analysis)
  • No details on how virtual try-on image data is secured and deleted

Section 9 — Data Retention 🔴

No specific retention timelines for:

  • Purchase history (retained indefinitely for recommendation engine)
  • Body measurement data (how long is your waist size stored?)
  • Virtual try-on photos (are they ever deleted?)
  • Browsing behavior and wishlist data
  • Style preference profiles

Section 11 — Rights of Data Principal 🔴

  • No mechanism to request deletion of body measurement data
  • No way to opt out of algorithmic style profiling while continuing to use the platform
  • No nomination rights
  • No data portability for purchase history and preferences

Section 12 — Right of Grievance Redressal ⚠️

Grievance officer designated but no Data Protection Board escalation path.

Section 16 — Cross-Border Data Transfer 🔴

As a Flipkart subsidiary (Walmart), user data may flow through the broader corporate structure spanning India, US, and global entities. The policy doesn’t clarify:

  • What data is shared with Flipkart/Walmart
  • Which jurisdictions receive Myntra user data
  • Whether body measurement and style data is shared with the parent company’s consumer analytics division

Risk Assessment

CategoryRisk LevelPotential Impact
Regulatory fineHighUp to ₹250 Cr
Sensitive data handlingCriticalBody measurements and image data are intimately personal
Advertising data sharingHighCross-platform profiling within Walmart ecosystem
Data retentionHighIntimate personal data with no deletion timeline
Cross-border transferCriticalWalmart corporate structure creates multi-jurisdiction risk

Recommendations

  1. Implement separate consent for body data — “We’ll use your measurements for size recommendations only. Share for style analytics? [Optional]”
  2. Create virtual try-on data deletion policy — “Photos used for virtual try-on are deleted within 24 hours / processed locally on your device”
  3. Separate Flipkart/Walmart data sharing — Clear disclosure of what data flows beyond Myntra and for what purpose
  4. Define retention schedules by data category — Body measurements, purchase history, and style profiles need distinct timelines
  5. Build granular preference controls — Allow users to manage body data, style profiling, and ad targeting independently

How Does Your Policy Compare?

🔍 Run Your Free DPDP Audit →

Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.

Fix these compliance gaps today.

Book 1:1 Consultation
📞 Free Consultation