Fintech

Paytm

Ready Score 54/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 9 Feb 2026

Paytm's privacy policy is extensive, but it is rooted in compliance with the IT Act 2000 rather than the DPDP Act 2023. With the financial data of 350M+ users at stake, the absence of explicit DPDP alignment — particularly around consent granularity, data principal rights, and Data Protection Board mechanisms — creates significant regulatory exposure.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference — still relies on IT Act 2000 framework
  • Consent mechanism bundled with service terms — not 'freely given' per Section 6
  • Data retention period undefined — uses 'as long as necessary' language
  • No mention of Data Protection Board grievance escalation
  • Cross-border transfer provisions lack specificity on restricted jurisdictions
  • Nomination rights under Section 14 not addressed

✅ Strengths

  • Comprehensive data collection disclosure — categories clearly listed
  • Granular cookie consent with opt-out mechanisms
  • Grievance officer contact clearly published with response timelines
  • Security safeguards described including encryption and access controls

Overview

Paytm (One97 Communications Ltd.) is India’s largest digital payments platform, processing billions of transactions annually. Given the volume and sensitivity of financial data it handles — UPI transactions, bank account details, KYC documents, spending patterns — its privacy policy requires the highest bar of DPDP compliance.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent ⚠️

Paytm’s consent mechanism is bundled with service terms. When a user signs up, they accept the privacy policy as part of the T&C — this is “take it or leave it” consent, which does not meet DPDP’s “freely given” standard under Section 6.

What the policy says: “By using our services, you agree to the collection and use of your information in accordance with this policy.”

DPDP requirement: Consent must be free, specific, informed, and unconditional. It must be given for a specific purpose and can be withdrawn at any time.

Gap: No layered consent — users cannot accept payments tracking but decline marketing data use. Paytm collects data for 15+ stated purposes with a single “I agree.”

Section 7 — Certain Legitimate Uses ⚠️

Paytm broadly claims legitimate interest for data processing including “improving services,” “personalization,” and “marketing.” Under DPDP, legitimate uses are narrowly defined (Section 7) — voluntary provision by data principal, state functions, medical emergencies, and employment.

Gap: Several of Paytm’s claimed legitimate interests (especially marketing and personalization) would not qualify under DPDP’s narrower framework.

Section 8 — Obligations of Data Fiduciary ✅

The policy describes security safeguards including encryption, firewalls, access controls, and periodic audits. This aligns reasonably well with Section 8’s requirement for “reasonable security safeguards.”

Strength: Paytm references PCI-DSS compliance for payment data and mentions regular security audits.

Section 9 — Data Retention 🔴

Critical gap. The policy uses vague language: “We retain your data for as long as necessary to provide services and comply with legal obligations.”

DPDP requirement (Section 9): Data shall be erased when consent is withdrawn or the purpose is fulfilled. The Data Fiduciary must ensure data is erased within a reasonable period.

Gap: No specific retention timelines. No automated deletion triggers. A user who stops using Paytm has no clarity on when their financial data will be purged.

Section 11 — Rights of Data Principal ⚠️

Paytm acknowledges the right to access and correct data, but the mechanisms are limited:

  • Access requests go through a support form — no self-service portal
  • No mention of the right to nominate another person (Section 14)
  • No reference to the right to grievance redressal before the Data Protection Board

Partial compliance. The basics are there but the DPDP-specific rights framework is absent.

Section 12 — Right of Grievance Redressal ⚠️

A Grievance Officer is named with email and address. However:

  • No mention of the Data Protection Board as an escalation path
  • No 30-day response commitment as expected under DPDP
  • The grievance process is generic, not DPDP-aligned

Section 16 — Cross-Border Data Transfer ⚠️

The policy states data may be transferred to “third parties located in other countries” but doesn’t specify:

  • Which countries
  • Whether those countries are on the permitted list (once notified by Central Government)
  • What safeguards apply to cross-border transfers

Gap: Under DPDP Section 16, transfer is only permitted to countries notified by the Central Government. Paytm’s blanket transfer clause would need significant revision.

Risk Assessment

| Category | Risk Level | Potential Impact |
| --- | --- | --- |
| Regulatory fine | High | Up to ₹250 Cr per instance under DPDP |
| Consent compliance | High | Bundled consent invalidation could affect 350M+ users |
| Data retention | Critical | No deletion timelines for financial data means significant exposure |
| Cross-border transfer | Medium | Pending government notification of permitted jurisdictions |
| Data principal rights | Medium | Incomplete rights framework needs update |

Recommendations

  1. Implement granular consent layers — Separate consent for payments processing, marketing, analytics, and third-party sharing
  2. Define specific retention periods — “UPI transaction logs: 7 years per RBI mandate; marketing data: deleted on consent withdrawal within 30 days”
  3. Add DPDP Act 2023 references — Explicitly cite the Act and map policy sections to corresponding DPDP provisions
  4. Deploy Data Protection Board escalation — Include DPB as the final grievance step after internal resolution
  5. Implement nomination mechanism — Allow users to nominate a person to exercise rights on their behalf (Section 14)

How Does Your Policy Compare?

Not sure if your company’s privacy policy has similar gaps? Run a free instant check:


Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.


Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
