Ola

Ready Score 44/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 9 Feb 2026

Ola's ride data creates a detailed movement diary — every trip reveals where you go, when, and how often. At 44/100, the platform's lack of location data retention timelines, combined with its expanded ecosystem (Ola Electric, Ola Financial), creates a concerning multi-dimensional profile without adequate DPDP protections.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Real-time GPS tracking data retention policies undefined
  • Driver and rider location data creates comprehensive movement patterns
  • Trip history reveals sensitive location visits (hospitals, religious places)
  • No data retention timelines for location history
  • Data Protection Board not mentioned
  • Ola Financial Services data sharing extends monitoring to financial behavior

✅ Strengths

  • Location permission controls referenced
  • Security measures including encryption
  • Grievance officer designated
  • Some data categories clearly listed

Overview

Ola is India’s largest ride-hailing platform, tracking the movements of millions of Indians daily. Beyond basic rides, Ola has expanded into electric vehicles (Ola Electric), financial services (Ola Financial), and other mobility solutions. Each touchpoint adds to a comprehensive movement and behavior profile.

DPDP Readiness: Section-by-Section Analysis

Ola’s consent covers location tracking, trip history, and ecosystem services under a single acceptance.

What ride data reveals:

  • Daily commute patterns (home and office locations)
  • Visits to sensitive locations (hospitals, religious places, nightlife)
  • Travel frequency and spending patterns
  • Social patterns (shared rides = social connections)
  • Late night/early morning movement patterns (lifestyle)

DPDP concern: Location data is the most revealing personal data category. A year of Ola trip history tells more about a person than most other data sources combined. Single consent for this depth of tracking is inadequate.

Section 7 — Certain Legitimate Uses ⚠️

Ride fulfillment requires real-time location. But:

  • Post-trip location retention — legitimate or surveillance?
  • Trip pattern analytics for “service improvement” — how long?
  • Cross-platform profiling with Ola Electric and Financial — overreach

Section 8 — Obligations of Data Fiduciary ⚠️

Standard security measures. But:

  • Driver access to rider’s pickup/drop locations
  • Customer support access to trip history
  • Location data requires enhanced security beyond standard measures

Section 9 — Data Retention 🔴

Critical gap: No specific retention period is stated for:

  • Complete trip history (origin, destination, route, time for every ride, ever)
  • GPS trail data during rides
  • Location data between rides (if background tracking is enabled)
  • Payment and fare data
  • Rating and feedback data

The surveillance question: Can Ola reconstruct 3 years of your daily movements? If yes, that’s functionally surveillance without a warrant.

Section 11 — Rights of Data Principal ⚠️

  • Can users delete trip history? What about regulatory record-keeping?
  • No mechanism to download complete movement data
  • No transparency on movement pattern analytics
  • No nomination rights

Section 12 — Right of Grievance Redressal ⚠️

Grievance officer exists. No DPB pathway.

Section 16 — Cross-Border Data Transfer ⚠️

Location data may be processed internationally through cloud infrastructure. Movement data is particularly sensitive for cross-border transfer.

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr |
| Location data sensitivity | Critical | Movement patterns = comprehensive life profile |
| Sensitive location visits | Critical | Hospital, religious, nightlife visits exposed |
| Ecosystem profiling | High | Movement + EV charging + financial = surveillance |
| Data retention | Critical | Potentially years of movement history |

The Movement Data Problem

Trip data reveals more than users realize:

| Trip Pattern | Inference | Sensitivity |
|---|---|---|
| Regular hospital visits | Chronic health condition | Very High |
| Trips to religious sites | Religious identity | High |
| Late night entertainment district trips | Lifestyle choices | High |
| Visits to specific neighborhoods | Social circle, relationships | Medium |
| Daily commute consistency | Employment pattern | Medium |
| Second address frequent visits | Relationship patterns | High |

Recommendations

  1. Implement location data lifecycle — “Real-time GPS: during ride only; trip origin/destination: 6 months; aggregated route data: 1 year; complete trip history deletion available on request”
  2. Add sensitive location protections — Don’t display or retain exact addresses for hospitals, religious places, or similar sensitive destinations
  3. Separate ecosystem data — Firewall between Ola rides, Ola Electric, and Ola Financial data
  4. Deploy location minimization — Store origin/destination zone (e.g., “Koramangala, Bangalore”) not exact GPS coordinates for historical trips
  5. Build movement transparency dashboard — Show users what movement patterns Ola has inferred and allow opt-out of pattern analytics
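
Recommendations 1 and 4 can be combined into a single retention job. The sketch below is an added example, not Ola's code or anything taken from its policy: the record fields, the day counts chosen for "6 months" and "1 year", and the 0.01-degree grid cell used in place of a named zone are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Tiers from recommendation 1; the day counts are an assumed reading of them.
ENDPOINT_RETENTION = timedelta(days=183)   # "trip origin/destination: 6 months"
AGGREGATE_RETENTION = timedelta(days=365)  # "aggregated route data: 1 year"
ZONE_DECIMALS = 2  # assumed grid of 0.01 degrees, roughly 1 km cells


def to_zone(point):
    """Coarsen an exact (lat, lon) to a grid cell, standing in for a named zone."""
    lat, lon = point
    return (round(lat, ZONE_DECIMALS), round(lon, ZONE_DECIMALS))


def apply_lifecycle(trip, now):
    """Return the minimized trip record, or None once it is due for deletion.

    Safe to re-run on an already minimized record (idempotent).
    """
    if trip["status"] != "completed":
        return dict(trip)  # ride in progress: the live GPS trail is still needed
    age = now - trip["ended_at"]
    if age > AGGREGATE_RETENTION:
        return None
    # The GPS trail and exact coordinates are never copied into the kept record.
    kept = {"status": "completed", "ended_at": trip["ended_at"],
            "distance_km": trip["distance_km"]}
    if age <= ENDPOINT_RETENTION:
        for end in ("origin", "destination"):
            zone_key = end + "_zone"
            kept[zone_key] = to_zone(trip[end]) if end in trip else trip[zone_key]
    return kept


def run_retention_job(trips, now):
    """Apply the lifecycle to every record and drop the ones that expired."""
    minimized = (apply_lifecycle(t, now) for t in trips)
    return [t for t in minimized if t is not None]


# Constructed sample data: field names and coordinates are hypothetical.
NOW = datetime(2026, 2, 9, tzinfo=timezone.utc)
def _trip(days_ago, status="completed"):
    return {"status": status, "ended_at": NOW - timedelta(days=days_ago),
            "origin": (12.9352, 77.6245), "destination": (12.9716, 77.5946),
            "gps_trail": [(12.9352, 77.6245), (12.9500, 77.6100)],
            "distance_km": 6.4}

SAMPLE_TRIPS = [_trip(0, "in_progress"), _trip(10), _trip(200), _trip(400)]
```

A production job would also have to reach backups, analytics copies and logs, which keep exact coordinates unless the same lifecycle is applied to them.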

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.