DPDP Compliance Help for Indian Companies

We visit your office, map where customer data goes, prepare the legal documents, train your team, and help you put the changes in place.

The engagement

First we find the gaps. Then we help your team fix them.

1. Audit (Week 1)
2. Documents (Weeks 2-3)
3. Training (Week 4)
4. Support (3 Months)
5. Review (Final)

What we typically find

Real findings from real assessments. Company names withheld.

A health company was sending page activity to outside tools before asking users for permission.

A funded company had a privacy policy so short that it missed basic DPDP duties.

A website was recording user behavior without clear notice or vendor paperwork.

The team

Sushant Pasumarty

Meridian Bridge Strategy

Maps your data, speaks with your teams, and turns the findings into work your company can actually do.

Ayush Sahay

Dayitva Legal

Handles the legal documents, privacy policy, consent wording, and breach process.

Ekta Asrani

Ekarth Legal

Reviews privacy work, contracts, and vendor paperwork.

Our method

We do not guess. Every finding comes from something we saw: a policy line, a website tracker, a consent screen, or a vendor. We check five things:

Is your data safe?
Did people agree?
Who owns it?
Who else gets it?
What is exposed?

We have assessed 107 Indian companies. Here is what we found.

See the State of Privacy investigation →

Latest analyses

Real Estate

MagicBricks

48

MagicBricks operates a high-volume platform handling sensitive financial and property data. Its current policy is a legacy document built for the IT Act 2000. It lacks the 'granular consent' and 'right to erasure' frameworks mandated by the DPDP Act 2023. The absence of an escalation path to the Data Protection Board of India (DPBI) and the lack of a 'Notice' in languages specified in the Eighth Schedule are significant compliance liabilities.

⚠️ Primary framework remains the Information Technology Act, 2000 and SPDI Rules 2011
⚠️ Notice does not meet Section 5 requirements regarding the right to withdraw consent and the right to grievance redressal with the DPB
+4 more gaps detected

FoodTech

Licious

52

Licious has a transparent list of what they collect, but their legal framework is stuck in the year 2000. Their 'agree-by-default' approach to consent is high-risk under the new DPDP Act requirements.

⚠️ Explicitly built on the outdated IT Act 2000 instead of DPDP Act 2023
⚠️ Uses 'implied consent' where just browsing counts as agreeing to everything
+4 more gaps detected

Entertainment / OTT

JioCinema

58

JioCinema's privacy policy remains largely structured around the legacy IT Act 2000 (SPDI Rules). While it excels in identifying 'what' is collected, it fails the 'how' and 'why' requirements of the DPDP Act 2023. Specifically, its handling of users under 18—a massive demographic for OTT—does not meet the 'verifiable parental consent' standard, and the lack of a consent withdrawal mechanism that is 'as easy as giving consent' poses significant legal risk.

⚠️ Bundled consent framework — acceptance of policy tied to service access (violates Section 6)
⚠️ Age of consent discrepancy — defines 'Children' as under 18 but lacks 'verifiable' parental consent mechanisms required by Section 9
+4 more gaps detected

InsurTech / BFSI

ICICI Lombard General Insurance

68

ICICI Lombard has made significant strides in DPDP Act 2023 readiness compared to its peers, formally initiating a 'DPDP Compliance Roadmap' and updating its Information Security framework as of April 2026. However, its public-facing privacy policy remains legacy-heavy, particularly regarding consent architecture and the new 'Right to Nominate.' While its security posture is top-tier, the transition from 'regulatory compliance' (IRDAI) to 'data principal empowerment' (DPDP) is still a work in progress.

⚠️ Consent is still bundled with website usage — 'By using this website... you authorize us' fails the 'freely given' standard under Section 6
⚠️ No explicit mention of the Right to Nominate (Section 14) in the primary privacy policy
+3 more gaps detected

Entertainment / OTT

Disney+ Hotstar

58

Disney+ Hotstar’s privacy policy remains heavily influenced by the IT Act 2000 and global GDPR-style frameworks. While it offers strong security disclosures and clear data categorization, it falls short of the DPDP Act 2023’s stringent requirements for granular consent, specific retention limits, and the unique Indian statutory rights like the Right to Nominate. Its handling of 'Children’s Data' is particularly high-risk given the Act’s 18-year threshold vs. the platform's current 'Kids Mode' protections.

⚠️ Consent is largely bundled with the Terms of Use — lacks the 'granular' and 'separate' notice requirement of Section 5
⚠️ No provision for the Right to Nominate a representative in the event of death or incapacity (Section 14)
+4 more gaps detected

Insurance

HDFC Ergo

58

HDFC Ergo maintains a high standard of data security dictated by the IRDAI, but its privacy policy is legally outdated. It remains tethered to the 2011 SPDI Rules. To achieve DPDP 2023 compliance, the company must decouple its consent architecture, introduce the right to nominate, and explicitly integrate the Data Protection Board into its grievance hierarchy.

⚠️ Reliance on legacy IT Act 2000 and SPDI Rules 2011 framework rather than DPDP Act 2023
⚠️ Consent is bundled and implied through 'continued use' — fails Section 6's specific/unambiguous standard
+4 more gaps detected

Ready to find out where you stand?

30 minutes. No obligation. We will explain what DPDP means for your business in plain English.
