Archived analysis

This page is old. Acko Insurance was reviewed on 2026-05-03.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

InsurTech

Acko Insurance

Readiness Score 48/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 3 May 2026


Acko’s policy is a classic example of 'consent overkill.' While they are transparent about the massive amount of data they collect—including your SMS and Gmail—the policy relies on bundled consent and lacks the granular control required by the DPDP Act.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

For current public evidence from website trackers, policy findings and proof samples, see State of Privacy 2026.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-05-03
  • Company: Acko Insurance
  • Readiness score: 48/100
  • Policies and product behavior may have changed since review
  • Not re-verified for this archive: whether the current source policy still matches this archived policy-only review
  • Not re-verified for this archive: whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Consent is bundled with T&Cs — not 'freely given' or 'specific'
  • Highly intrusive data collection (Gmail and SMS access) for secondary features
  • No mention of Data Principal rights like the right to nominate
  • Vague data retention periods citing 'applicable laws' without specific timelines
  • Missing escalation path to the Data Protection Board of India
  • Broad sharing clauses with unnamed 'affiliates' and 'group companies'

✅ Strengths

  • Explicitly identifies IRDAI regulations as a basis for data processing
  • Clear disclosure of the specific types of KYC and medical data collected
  • Detailed explanation of why Gmail access is needed for the 'Airpass' feature
  • Strong language regarding the use of encryption and security audits

Overview

Acko is a digital-first insurance provider. Because they handle everything from car insurance to health cover, they are a Data Fiduciary—a fancy legal term for the company that decides how and why your data is processed.

They handle the “crown jewels” of personal info: your health records, bank statements, and even your real-time location. If you’re a business owner, Acko’s policy is a case study in how not to handle consent if you want to stay on the right side of the new law.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent 🔴

Acko uses a “take it or leave it” approach. If you use the app, they claim you’ve given “unequivocal consent.”

What the policy says: “BY SETTING UP YOUR ACKO ACCOUNT… YOU ARE CONSENTING TO COLLECTION, PROCESSING, STORAGE, USAGE AND SHARING AS PER THIS POLICY.”

What the law requires: Under the DPDP Act, consent must be specific and informed. You can’t just bunch everything into one big “I Agree” button.

The problem: You are the Data Principal (the person the data belongs to). You should be able to get insurance without necessarily agreeing to let them read your SMS for “financial profiling.” In the eyes of the DPDP Act, this bundled consent is likely invalid.

Section 7 — Certain Legitimate Uses ⚠️

The policy leans heavily on “applicable laws” (like IRDAI rules) to process data without extra permission.

What the policy says: “We and our Insurance Providers will continue to collect, use, process, and store your personal data as per the requirements under the applicable laws…”

What the law requires: Section 7 allows companies to process data for “legitimate uses” like fulfilling a legal mandate or a medical emergency.

The problem: While insurance laws require some data storage, Acko uses this as a blanket shield. They don’t clearly separate what they must keep by law versus what they want to keep for their own marketing.

Section 8 — Obligations of Data Fiduciary ⚠️

What the policy says: They mention using “third-party service providers” to perform KYC and manage the platform.

What the law requires: Acko is responsible for what their partners do. If their KYC vendor leaks your data, Acko is on the hook for the fine.

The problem: The policy gives Acko “sole discretion” to share data with affiliates. Under DPDP, they need to ensure these partners also follow strict security standards, but the policy is vague on how they audit these “group companies.”

Section 9 — Data Retention 🔴

This is a major red flag for any privacy-conscious person.

What the policy says: “Withdrawal of consent… will not diminish and/or affect our rights… to collect, use, process, and store your personal data.”

What the law requires: Section 9 says once the purpose is served (e.g., your policy expires and the legal waiting period ends), the data must be deleted.

The problem: Acko essentially says “we might keep it anyway if the law says so,” but they don’t give you a “Delete My Data” clock. As a user, you have no idea if your medical history stays on their servers for 5 years or 50.

Section 11 — Rights of Data Principal ⚠️

What the policy says: You can withdraw consent, but they warn they might stop providing services if you do.

What the law requires: You have the right to:

  1. Correct your data.
  2. Erase your data.
  3. Nominate someone to manage your data if you pass away (Section 14).

The problem: Acko’s policy doesn’t mention the Right to Nominate. If even a big player like Acko misses this, it shows how many startups are likely skipping these new mandatory rights.

Section 12 — Right of Grievance Redressal ⚠️

What the policy says: While they have a Grievance Officer, the policy (in this version) doesn’t mention the Data Protection Board of India.

What the law requires: If you aren’t happy with Acko’s response, the law gives you the right to complain to a government-appointed Board.

The problem: If your policy doesn’t tell users about this, you’re not fully compliant.

Section 16 — Cross-Border Data Transfer ⚠️

What the policy says: “We may disclose your personal information to third parties (including any foreign third parties)…”

What the law requires: Data can only be sent to countries that the Indian government hasn’t “blacklisted.”

The problem: The policy is too broad. It doesn’t specify which countries or what protections are in place when your sensitive medical data leaves Indian shores.

Risk Assessment

Category           | Risk Level | Potential Impact
Consent Validity   | 🔴 High    | Fines for “bundled consent”, which is no longer legal.
Intrusive Scraping | 🔴 High    | Gmail/SMS access for “profiling” is hard to justify as “necessary.”
Data Retention     | ⚠️ Medium  | Legal friction over “perpetual” data storage claims.
Principal Rights   | ⚠️ Medium  | Failure to provide a nomination path is a Section 14 violation.

Recommendations

  1. Unbundle the “Agree” button — Let users choose: “Yes to Insurance,” “No to SMS marketing.”
  2. Add a Deletion Schedule — Tell people exactly how many years you keep data after a policy ends (e.g., “10 years per IRDAI mandate”).
  3. Introduce Nomination — Add a simple form in the app where users can name a person to handle their data rights.
  4. Clean up “Affiliate” sharing — Don’t just say “we share with group companies.” Tell the user which ones and why.
  5. Update Grievance Paths — Explicitly mention the Data Protection Board as the final step for unhappy customers.

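The first three recommendations (unbundled consent, a deletion schedule, a nominee) are easier to audit when they are modelled as data rather than as policy paragraphs. The following ledger is an added example written for this page; it is not Acko's code and nothing in it comes from Acko's app. Consent is recorded per purpose, a single click that tries to cover both an essential purpose and an optional one is rejected, withdrawing an optional purpose never cuts off the core service and starts that purpose's deletion clock immediately, and a regulator-mandated purpose keeps its own retention period after the policy ends. The purpose names, the `Basis` split and the retention years are constructed; the 10-year figure repeats the page's own illustrative example and is not a verified IRDAI requirement.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Basis(Enum):
    """Legal basis for a processing purpose under the DPDP Act (constructed labels)."""
    CONSENT = "consent"            # Section 6: specific, informed, withdrawable
    LEGITIMATE_USE = "legitimate"  # Section 7: e.g. record keeping required by insurance regulation


@dataclass(frozen=True)
class Purpose:
    name: str
    basis: Basis
    essential: bool        # True if the core service cannot be delivered without it
    retention_years: int   # years data is kept after the purpose ends (assumed figures)


# Constructed purpose catalogue. The 10-year figure repeats the page's own
# illustrative example and is not a verified IRDAI requirement.
PURPOSES: Dict[str, Purpose] = {
    "policy_servicing": Purpose("policy_servicing", Basis.LEGITIMATE_USE, True, 10),
    "sms_profiling": Purpose("sms_profiling", Basis.CONSENT, False, 0),
    "marketing": Purpose("marketing", Basis.CONSENT, False, 0),
}


class BundledConsentError(ValueError):
    """One click tried to cover both an essential and an optional purpose."""


def add_years(d: date, years: int) -> date:
    """Add whole years, rolling 29 Feb forward to 1 Mar when the target year has none."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


@dataclass
class ConsentLedger:
    """Per-purpose consent state for one Data Principal. Dates are ISO strings."""
    granted: Dict[str, str] = field(default_factory=dict)  # purpose -> date granted
    ended: Dict[str, str] = field(default_factory=dict)    # purpose -> date purpose ended
    nominee: Optional[str] = None                          # Section 14 nominee

    def record_click(self, purposes: List[str], on: str) -> None:
        """Record one consent action; refuse a single click that bundles purposes."""
        essential = {p for p in purposes if PURPOSES[p].essential}
        optional = set(purposes) - essential
        if essential and optional:
            raise BundledConsentError(
                f"offer separate choices: {sorted(essential)} vs {sorted(optional)}")
        for p in purposes:
            self.granted[p] = on

    def withdraw(self, purpose: str, on: str) -> bool:
        """Withdraw consent for a purpose. Returns True if the core service continues."""
        spec = PURPOSES[purpose]
        if spec.basis is not Basis.CONSENT:
            raise ValueError(f"{purpose} rests on a legitimate use, not on consent")
        self.granted.pop(purpose, None)
        self.ended[purpose] = on          # deletion clock starts at withdrawal
        return not spec.essential

    def end_purpose(self, purpose: str, on: str) -> None:
        """Mark a purpose as served (e.g. the policy expired); retention starts now."""
        self.granted.pop(purpose, None)
        self.ended[purpose] = on

    def deletion_due(self, purpose: str) -> Optional[str]:
        """ISO date by which data for the purpose must be erased; None while it is live."""
        if purpose not in self.ended:
            return None
        ended = date.fromisoformat(self.ended[purpose])
        return add_years(ended, PURPOSES[purpose].retention_years).isoformat()

    def set_nominee(self, name: str) -> None:
        """Record the person who may exercise the Principal's rights (Section 14)."""
        self.nominee = name


def demo() -> dict:
    """Walk one constructed customer through the ledger and return the key facts."""
    ledger = ConsentLedger()
    try:
        ledger.record_click(["policy_servicing", "sms_profiling"], "2026-05-03")
        bundled_rejected = False
    except BundledConsentError:
        bundled_rejected = True
    ledger.record_click(["policy_servicing"], "2026-05-03")   # "Yes to Insurance"
    ledger.record_click(["marketing"], "2026-05-03")          # separate, optional choice
    service_continues = ledger.withdraw("marketing", "2026-06-01")
    ledger.end_purpose("policy_servicing", "2027-05-03")      # policy expired
    ledger.set_nominee("A. Nominee (constructed)")
    return {
        "bundled_rejected": bundled_rejected,
        "service_continues": service_continues,
        "marketing_delete_by": ledger.deletion_due("marketing"),
        "policy_delete_by": ledger.deletion_due("policy_servicing"),
        "nominee": ledger.nominee,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the split between `Basis.CONSENT` and `Basis.LEGITIMATE_USE`: the policy's "withdrawal will not affect our rights to store" clause is defensible only for purposes in the second group, and keeping them in separate records with their own retention years is what lets a reviewer answer "what is kept, for how long, and why" with evidence rather than a paragraph.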