Hospitality

OYO Rooms

Ready Score 40/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 19 Feb 2026

OYO processes some of the most personally revealing hospitality data: ID documents, stay patterns, co-guest information, and room preferences, all shared with individual hotel owners. At 40/100, the platform's franchise model creates a data governance vacuum where guest PII flows to thousands of independent hotel operators with minimal oversight.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Guest ID document scans retained without defined lifecycle
  • Room booking patterns reveal relationship and lifestyle data
  • Couple booking rejections create discriminatory data
  • No data retention timelines for stay history and IDs
  • Data Protection Board not referenced
  • Hotel partner access to guest PII uncontrolled

✅ Strengths

  • Basic security measures described
  • Grievance officer designated
  • ID verification for safety referenced

Overview

OYO operates across 800+ cities through a franchise model: OYO branded hotels are independently owned and operated. When a guest books, their personal data (ID documents, phone number, stay details) flows to both OYO’s platform and the independent hotel operator. This creates thousands of uncontrolled data access points.

DPDP Readiness: Section-by-Section Analysis

OYO guests provide:

  • Government ID documents (Aadhaar, PAN, passport), scanned and stored
  • Phone numbers shared with hotel owners
  • Stay patterns (frequency, locations, solo vs. couple bookings)
  • Payment information

Unique concern: In India, OYO bookings have social stigma implications. “Couple bookings” and “local ID” policies create data that reveals sensitive personal situations. This data should have enhanced privacy protections.

Section 9: Data Retention 🔴

No retention timelines for:

  • ID document scans (Aadhaar numbers stored on hotel owners’ phones)
  • Stay history across 800+ cities
  • Co-guest information
  • Booking modification patterns (room upgrades, late checkouts)

Section 11: Rights of Data Principal 🔴

  • Can guests request deletion from both OYO and the hotel operator?
  • ID scans on hotel owners’ devices: uncontrollable
  • No data portability for stay history
  • No nomination rights

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| ID document handling | Critical | Aadhaar scans on thousands of hotel operators’ devices |
| Franchise data governance | Critical | Independent operators = uncontrolled data access |
| Stay pattern inference | High | Booking patterns reveal lifestyle and relationships |
| Data retention | High | ID documents with no defined lifecycle |

Recommendations

  1. Implement centralized ID verification: Hotels verify through OYO’s platform; never retain raw ID scans
  2. Establish franchise data agreements: All hotel partners must sign data handling commitments
  3. Mask guest phone numbers: Route communications through OYO platform
  4. Define stay data retention: “Active booking: until checkout + 24 hours; ID verification: system-verified, raw scans deleted; stay history: 1 year”
  5. Add enhanced privacy for sensitive bookings: Option to minimize data shared with hotel operators for privacy-sensitive stays


Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.
