Overview
Swiggy processes food orders for millions daily, collecting a unique data profile: precise home/office locations, food preferences (which can reveal dietary restrictions, religious practices, and health conditions), order timing patterns, and real-time GPS tracking. This data is shared with restaurant partners and delivery workers, creating a multi-party data processing chain.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
Swiggy’s consent model covers all data collection under a single acceptance. Problematic areas:
- Location data: Continuous GPS tracking during delivery — no separate consent for background location
- Food preferences: Order history reveals vegetarian/non-vegetarian preferences (potentially religious), allergen information (health data), and alcohol orders
- Address data: Home and office locations stored permanently
DPDP concern: Food preferences that reveal religious beliefs or health conditions fall into sensitive personal data territory, requiring heightened consent.
Section 7 — Certain Legitimate Uses ⚠️
Swiggy processes data for numerous purposes:
- ✅ Order fulfillment and delivery — legitimately necessary
- ⚠️ “Personalizing user experience” — broad
- 🔴 Targeted advertising and partner marketing — requires separate consent
- 🔴 “Analytics and business intelligence” on order patterns — beyond service delivery
Section 8 — Obligations of Data Fiduciary ⚠️
Security measures are described but the multi-party chain creates gaps:
- Customer data reaches restaurant partners (name, order, sometimes phone number)
- Delivery partners access real-time location and address
- Payment processors handle financial data
Gap: Is each party maintaining DPDP-adequate security? Who’s responsible if a delivery partner’s compromised phone leaks customer addresses?
Section 9 — Data Retention 🔴
Critical gaps in retention:
- Location history: How long is GPS trail data retained? Can Swiggy reconstruct 2 years of your daily movements?
- Order history: Food order patterns stored indefinitely could reveal religious practices over time
- Address book: Home, office, and “other” addresses — are they ever deleted?
- Delivery partner interactions: Chat/call logs between customer and rider stored how long?
Section 11 — Rights of Data Principal ⚠️
- Account deletion available but unclear if location and order history are truly purged
- No mechanism to selectively delete address history while keeping the account
- No right to download a complete data profile (order history + location data + food preferences)
- No nomination rights
Section 12 — Right of Grievance Redressal ⚠️
Grievance officer exists. No DPB escalation path. No mechanism to file complaints about delivery partner misuse of personal data.
Section 16 — Cross-Border Data Transfer ⚠️
Cloud infrastructure and analytics tools may transfer data internationally. The policy doesn’t specify jurisdictions or safeguards for location data transfer.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr |
| Location data | Critical | GPS history = digital surveillance capability |
| Food preference inference | High | Religious/health inferences from order patterns |
| Delivery partner data sharing | High | Uncontrolled data processors with customer PII |
| Data retention | Critical | Location + address + food history = comprehensive profiling |
The Food Delivery Data Problem
Swiggy’s data reveals more about users than most platforms realize:
| Order Pattern | Inference | Sensitivity |
|---|---|---|
| No beef orders, vegetarian on specific days | Religious practices | High |
| Sugar-free, low-carb items | Health condition (diabetes) | Health data |
| Alcohol delivery frequency | Lifestyle/health pattern | Sensitive |
| Order timing 2 AM vs. 7 PM | Live-alone status, work schedule | Personal |
| Multiple addresses | Relationship/family patterns | Personal |
Under DPDP, these inferences — derived from food orders — could constitute processing of sensitive personal information without adequate consent.
Recommendations
- Implement location data lifecycle — “GPS tracking: only during active delivery, deleted after 48 hours; address book: user-managed with deletion option”
- Add food preference sensitivity controls — Allow users to opt out of preference-based profiling and recommendations
- Establish delivery partner data agreements — Formal data processing agreements with riders restricting retention of customer data
- Create transparent retention policy — “Order history: 2 years; location data: 48 hours post-delivery; address book: until user deletes; chat logs: 90 days”
- Deploy data minimization for restaurants — Mask customer names and phone numbers where possible
- Build inference transparency — Allow users to see and control what Swiggy has inferred from their order patterns
How Does Your Policy Compare?
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.