InsurTech

PolicyBazaar

Ready Score 46/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 20 Feb 2026

PolicyBazaar collects detailed health questionnaires, income declarations, and family histories, then shares them with 50+ insurance partners simultaneously. At 46/100, this broadcast-style model, in which a user's health conditions are sent to dozens of insurers under one consent, creates a DPDP consent nightmare.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Health questionnaire data shared with multiple insurance partners
  • Pre-existing condition declarations retained indefinitely
  • Call recordings of health disclosures stored without clear retention
  • No data retention timelines for insurance quote data
  • Data Protection Board not referenced
  • Third-party insurer data sharing terms too broad

✅ Strengths

  • IRDAI compliance for insurance data handling
  • Security measures including encryption
  • Grievance officer designated
  • Insurance-specific data categories documented

Overview

PolicyBazaar is India’s largest insurance aggregator. When users seek insurance quotes, they submit health conditions, pre-existing diseases, family medical history, income details, age, smoking/drinking habits, and occupation. This data is shared simultaneously with dozens of insurance companies for quote comparison, which creates a broadcast-style data dissemination model.

DPDP Readiness: Section-by-Section Analysis

The fundamental model is problematic:

  1. User fills a health questionnaire (diabetes, heart conditions, surgeries, etc.)
  2. PolicyBazaar sends this to 20-50 insurance partners simultaneously
  3. Each partner now has the user’s complete health profile
  4. The user may only buy from one; the other 49 still have the data

DPDP concern: Broadcasting health conditions to dozens of companies under a single consent is the opposite of purpose-specific, minimal data processing.

Section 7 — Certain Legitimate Uses 🔴

Insurance comparison requires sharing data with insurers. However:

  • Should all insurers receive the full health questionnaire, or only summary data?
  • Post-purchase, should non-selected insurers retain the health data?
  • Is health data used for future re-marketing by non-selected insurers?

Section 8 — Obligations of Data Fiduciary ⚠️

IRDAI compliance provides some framework. But:

  • PolicyBazaar can’t control security practices of all 50+ insurance partners
  • Health data flowing to so many parties multiplies breach risk
  • Call recordings containing health disclosures need enhanced protection

Section 9 — Data Retention 🔴

Critical concerns:

  • Insurance quotes never purchased: health data is submitted for comparison but never converts into a policy. How long is it retained?
  • Call recordings: agents discuss health conditions on recorded calls, and the retention period is undefined.
  • Declined applications: if an insurer declines based on health conditions, do both PolicyBazaar and the insurer retain the health data?

Section 11 — Rights of Data Principal 🔴

  • Can users request deletion from all 50+ partners who received their health data?
  • No mechanism to limit which insurers receive data before it is shared
  • No transparency on which insurers currently hold a user's health profile
  • No nomination rights
  • No data portability for insurance comparison data

Section 12 β€” Right of Grievance Redressal ⚠️

An IRDAI complaint mechanism exists, but there is no pathway to the Data Protection Board (DPB).

Section 16 β€” Cross-Border Data Transfer ⚠️

Some insurance partners may be global companies (Allianz, AXA, etc.) that process data outside India.

Risk Assessment

Category                 Risk Level   Potential Impact
Regulatory fine          Critical     Health data broadcast = mass non-compliance
Health data sharing      Critical     50+ companies have your medical history
Data retention           Critical     Health data from abandoned quotes retained
Call recording privacy   High         Verbal health disclosures recorded
Partner data control     Critical     Can’t control 50+ insurers’ data practices

The Insurance Data Broadcast Problem

PolicyBazaar’s model creates a unique data proliferation issue:

User health data → PolicyBazaar → 50 insurance partners simultaneously
                                   ├─ Insurer A (selected) — retains
                                   ├─ Insurer B (not selected) — also retains?
                                   ├─ Insurer C (declined user) — retains decline reason?
                                   └─ ... 47 more insurers with your health data

Under DPDP, each insurer becomes a separate data fiduciary with your health conditions, requiring separate purpose limitation, retention, and deletion compliance.

Recommendations

  1. Implement tiered data sharing: share summary data first, and send the full health questionnaire only to the insurer the user selects
  2. Create partner deletion cascading: when a user requests deletion, the request must propagate to every insurer that received the quote data, and unacknowledged requests must be tracked and retried
  3. Define quote data retention: for example, “Abandoned quotes: delete from all partners within 90 days; purchased policies: retain per IRDAI; call recordings: 1 year”
  4. Add partner transparency: show users exactly which insurers received their health data and still hold it
  5. Build selective sharing: let users choose which insurers receive their data rather than broadcasting to all of them
  6. Implement call recording consent: obtain separate consent before recording health-related conversations
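Recommendations 1 through 4 are engineering controls rather than policy text, so the following added example sketches how they fit together in one broker-side component. It is illustrative code written for this page, not PolicyBazaar's system or any insurer integration; the partner names, questionnaire fields, the 90-day abandoned-quote period and the sample questionnaire are all assumptions. The broadcast carries only a minimised summary (the diagnosis list collapses to a flag), the full questionnaire goes only to the insurer the user picks, every share is logged so the user can be shown who holds what, and a deletion is recorded as done only when the partner acknowledges it, so an unresponsive insurer keeps appearing in the transparency view and is retried by the retention sweep instead of silently vanishing from the records.

```python
"""Toy model of tiered sharing, partner transparency, cascading deletion and a
retention sweep for quote data.  Added example, not PolicyBazaar's code; all
names, fields and periods are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

ABANDONED_QUOTE_TTL = timedelta(days=90)   # assumed retention for quotes never purchased
FULL_FIELDS = ("age", "smoker", "occupation", "income", "conditions", "family_history")  # assumed keys


def summarise(q: dict) -> dict:
    """Tier-1 payload for the broadcast: enough to price a preliminary quote.
    Diagnoses, family history and income stay with the broker; health detail becomes a flag."""
    return {"age": q["age"], "smoker": q["smoker"],
            "has_preexisting_condition": bool(q.get("conditions"))}


@dataclass
class ShareRecord:
    quote_id: str
    partner: str
    tier: str                    # "summary" (broadcast) or "full" (selected insurer only)
    fields: tuple
    shared_at: datetime
    deleted_at: Optional[datetime] = None   # set only once the partner acknowledges deletion


@dataclass
class Broker:
    # partner name -> deletion endpoint; returns True when the partner acknowledges
    partners: dict[str, Callable[[str], bool]]
    ledger: list[ShareRecord] = field(default_factory=list)
    purchased: dict[str, str] = field(default_factory=dict)   # quote_id -> chosen partner

    def request_quotes(self, quote_id: str, q: dict, now: datetime) -> dict:
        """Broadcast only the minimised summary to every partner, logging each share."""
        payload = summarise(q)
        for name in self.partners:
            self.ledger.append(ShareRecord(quote_id, name, "summary", tuple(payload), now))
        return payload

    def select_insurer(self, quote_id: str, partner: str, q: dict, now: datetime) -> list[str]:
        """Send the full questionnaire to the one insurer the user chose, then ask the
        others to delete the summary they received.  Returns partners that did not ack."""
        if partner not in self.partners:
            raise KeyError(partner)
        payload = {k: q[k] for k in FULL_FIELDS if k in q}
        self.ledger.append(ShareRecord(quote_id, partner, "full", tuple(payload), now))
        self.purchased[quote_id] = partner
        return self.delete_quote(quote_id, now, keep_partner=partner)

    def partners_holding(self, quote_id: str) -> dict[str, str]:
        """Transparency view for the user: who still holds this quote, and at which tier."""
        held: dict[str, str] = {}
        for r in self.ledger:
            if r.quote_id == quote_id and r.deleted_at is None:
                if r.tier == "full" or r.partner not in held:
                    held[r.partner] = r.tier
        return held

    def delete_quote(self, quote_id: str, now: datetime, keep_partner: Optional[str] = None) -> list[str]:
        """Cascade a deletion request to every partner holding the quote.  A record is
        closed only on acknowledgement, so an unresponsive partner stays visible."""
        unacked = set()
        for r in self.ledger:
            if r.quote_id != quote_id or r.deleted_at is not None or r.partner == keep_partner:
                continue
            if self.partners[r.partner](quote_id):
                r.deleted_at = now
            else:
                unacked.add(r.partner)
        return sorted(unacked)

    def retention_sweep(self, now: datetime) -> dict[str, list[str]]:
        """Purge quotes older than the TTL from all non-selected partners (the purchasing
        insurer keeps its copy under IRDAI rules) and retry any unacknowledged deletions."""
        swept = {}
        for qid in sorted({r.quote_id for r in self.ledger if r.deleted_at is None}):
            first = min(r.shared_at for r in self.ledger if r.quote_id == qid)
            if now - first >= ABANDONED_QUOTE_TTL:
                swept[qid] = self.delete_quote(qid, now, keep_partner=self.purchased.get(qid))
        return swept


def demo():
    """Constructed run: three assumed partners, one of which never acknowledges deletions."""
    now = datetime(2026, 2, 20)
    broker = Broker(partners={"InsurerA": lambda qid: True, "InsurerB": lambda qid: True,
                              "InsurerC": lambda qid: False})   # InsurerC ignores deletions
    q = {"age": 41, "smoker": False, "occupation": "teacher", "income": 900000,
         "conditions": ["type 2 diabetes"], "family_history": ["cardiac"]}   # constructed
    broker.request_quotes("Q1", q, now)
    broker.request_quotes("Q2", q, now)                         # Q2 is never purchased
    unacked = broker.select_insurer("Q1", "InsurerA", q, now + timedelta(days=1))
    swept = broker.retention_sweep(now + timedelta(days=91))
    return broker, unacked, swept
```

Running demo() shows the two points that matter operationally: after the user buys from InsurerA, InsurerB has dropped out of partners_holding("Q1") but InsurerC is still listed at the "summary" tier because it never acknowledged, and the 91-day sweep purges the abandoned Q2 from the responsive partners while reporting InsurerC again for follow-up. In a real deployment the partner callables would be signed deletion calls to each insurer's API, and the ledger would be the evidence produced to the user and to the regulator.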

How Does Your Policy Compare?

🔍 Run Your Free DPDP Audit →

Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act: 16 quick questions, instant risk report.


Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.

Fix these compliance gaps today.
