E-commerce

Nykaa

Ready Score 44/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 9 Feb 2026

Nykaa collects deeply personal beauty and health data — skin conditions, beauty routines, and facial scans for virtual try-on — yet treats it with the same casual privacy approach as generic e-commerce. At 44/100, the gap between data sensitivity and protection is concerning.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Beauty profile data (skin type, concerns, routines) collected without explicit consent
  • Virtual try-on face scanning data handling undefined
  • Third-party beauty brand data sharing lacks transparency
  • No data retention timelines for beauty profiles
  • Data Protection Board not referenced
  • Cross-border data transfer provisions vague

✅ Strengths

  • Clear product purchase data categories
  • Security measures described
  • Grievance officer contact provided

Overview

Nykaa is India’s leading beauty and personal care e-commerce platform. Unlike general e-commerce, Nykaa collects uniquely personal data: skin type assessments, beauty concern questionnaires, dermatological conditions, hair type profiles, and increasingly, facial geometry data through virtual try-on features. This data crosses into health and biometric territory.

DPDP Readiness: Section-by-Section Analysis

Nykaa collects data that borders on health information:

  • Skin type questionnaires: Acne-prone, dry, oily, sensitive
  • Beauty concerns: Pigmentation, aging, conditions like eczema or rosacea
  • Face scanning: AR-powered virtual try-on captures facial geometry

Under DPDP, while “personal data” is broadly defined, the intimate nature of this data demands higher consent standards than a standard e-commerce platform.

Gap: All data processing is covered by a single consent during account creation. No separate consent for beauty profiling, skin assessments, or facial scanning.

Section 7 — Certain Legitimate Uses 🔴

Nykaa uses beauty profile data for:

  • Product recommendations (reasonable)
  • Third-party brand partnerships (questionable)
  • Targeted advertising (should require separate consent)

Gap: Sharing skin condition data with beauty brand partners goes well beyond legitimate use.

Section 8 — Obligations of Data Fiduciary ⚠️

The policy describes standard security measures, but makes no specific mention of additional protections for:

  • Facial geometry data (biometric-adjacent)
  • Health-related beauty data (skin conditions)
  • Virtual try-on image processing and storage

Section 9 — Data Retention 🔴

No retention timelines for:

  • Beauty profile assessments
  • Skin type and concern data
  • Virtual try-on facial scans
  • Purchase history linked to health conditions (e.g., dermatological products)

Critical concern: If a user buys acne medication, is that purchase history — which reveals health information — retained indefinitely?

Section 11 — Rights of Data Principal 🔴

  • No mechanism to delete beauty profiles while keeping the account
  • No right to opt out of beauty recommendation algorithms
  • No access to understand how skin data influences what’s shown
  • No nomination rights

Section 12 — Right of Grievance Redressal ⚠️

The policy provides a basic grievance mechanism but no escalation path to the Data Protection Board (DPB).

Section 16 — Cross-Border Data Transfer ⚠️

Cloud infrastructure and beauty brand partnerships may involve international data transfer. The policy lacks specificity on which data crosses borders.

Risk Assessment

Category                      | Risk Level | Potential Impact
Regulatory fine               | High       | Up to ₹250 Cr
Health-adjacent data handling | Critical   | Beauty/skin data borders on health information
Facial geometry data          | Critical   | Virtual try-on captures biometric-adjacent data
Brand partnership sharing     | High       | Skin condition data shared with third-party brands
Data retention                | High       | Health-revealing purchase history retained indefinitely

The Beauty Data Problem

Nykaa sits in a gray zone between e-commerce and health data:

Data Type        | E-commerce Standard | Health/DPDP Standard               | Nykaa’s Practice
Purchase history | Standard            | Health-revealing if dermatological | Treated as standard
Skin assessments | N/A                 | Health data equivalent             | No extra protection
Face scans       | N/A                 | Biometric-adjacent                 | Handling undefined
Beauty concerns  | Preference data     | Health condition indicators        | No separate consent

Recommendations

  1. Classify beauty data as sensitive — Implement enhanced protections for skin type, beauty concerns, and facial scan data
  2. Separate consent for beauty profiling — “Use basic product browsing [required]. Share skin profile for personalized recommendations? [optional]”
  3. Define facial scan data policy — “Virtual try-on images are processed locally and never stored on our servers” or similar clear commitment
  4. Restrict brand data sharing — Don’t share individual-level skin condition data with brand partners; use only aggregated, anonymized insights
  5. Create beauty data deletion tool — Allow users to clear beauty profiles, skin assessments, and facial scans independently
  6. Add retention schedules for health-adjacent data — “Beauty quiz results: 1 year; virtual try-on data: deleted immediately; dermatological purchases: standard retail retention”
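The six recommendations above, expressed as a small data-governance check that an engineering team could run against its own records. This is an added illustration, not code from Nykaa or from DPDP Consulting; the consent scope names, record categories, sample records and the three-year figure used for "standard retail retention" are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Retention windows from recommendation 6. "Standard retail retention" for
# dermatological purchases is not quantified on the page; 3 years is assumed.
RETENTION = {
    "beauty_quiz": timedelta(days=365),
    "face_scan": timedelta(0),              # try-on data deleted immediately
    "derm_purchase": timedelta(days=3 * 365),
}
# Purpose -> separate consent scope it needs; None means the required basic
# consent given at account creation suffices (recommendation 2).
REQUIRED_SCOPE = {
    "order_fulfilment": None,
    "recommendations": "beauty_profiling",
    "targeted_ads": "targeted_ads",
}
@dataclass
class Record:
    user_id: str
    category: str           # key of RETENTION
    value: str              # e.g. the skin type answer
    collected_at: datetime

@dataclass
class User:
    user_id: str
    consents: set = field(default_factory=set)   # optional scopes granted

def may_process(user, purpose):
    """Allow a purpose only if its own consent scope was granted."""
    scope = REQUIRED_SCOPE[purpose]
    return scope is None or scope in user.consents

def records_to_purge(records, now):
    """Records past their category's retention window (recommendations 5, 6)."""
    return [r for r in records if now - r.collected_at > RETENTION[r.category]]

def brand_partner_export(records):
    """Recommendation 4: brands get aggregated counts only, never user rows."""
    return dict(Counter(r.value for r in records if r.category == "beauty_quiz"))
# Constructed sample data, not real Nykaa records.
NOW = datetime(2026, 2, 9)
SAMPLE = [
    Record("u1", "beauty_quiz", "acne-prone", NOW - timedelta(days=400)),
    Record("u2", "beauty_quiz", "acne-prone", NOW - timedelta(days=30)),
    Record("u2", "face_scan", "face-geometry", NOW - timedelta(minutes=5)),
    Record("u3", "beauty_quiz", "dry", NOW - timedelta(days=10)),
    Record("u3", "derm_purchase", "acne treatment", NOW - timedelta(days=800)),
]
```

Run against the sample, the purge pass flags the year-old quiz result and the five-minute-old face scan while keeping the dermatological purchase inside its retail window, and the brand export contains only per-answer counts.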

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
