EV

Ather Energy

Ready Score 42/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 7 Mar 2026

Ather Energy's privacy policy demonstrates a foundational commitment to data security and transparency in collection. However, it lacks specific alignment with the stringent requirements of India's Digital Personal Data Protection Act 2023. Key areas needing significant enhancement include explicit DPDP Act reference, granular and explicit consent mechanisms, defined data retention periods, robust Data Principal rights frameworks, and clear grievance redressal processes that include the Data Protection Board. The current policy's reliance on general 'applicable laws' rather than DPDP-specific provisions creates potential regulatory exposure, especially concerning consent and data principal rights.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference; relies on generic 'applicable laws' language
  • Consent mechanism appears implied ('voluntarily provide') and not 'free, specific, informed, and unambiguous' as required by Section 6
  • Data retention period undefined — uses vague 'as long as necessary' language, lacking specific timelines or erasure triggers per Section 9
  • No explicit mention or mechanisms for Data Principal rights, including access, correction, erasure, or nomination rights under Section 11/14
  • Absence of a clear grievance redressal mechanism, particularly an escalation path to the Data Protection Board of India (Section 12)
  • Cross-border data transfer provisions are not clearly defined or aligned with DPDP Act Section 16's 'negative list' approach
  • No mention of a Data Protection Officer (DPO) or Data Protection Impact Assessments (DPIAs), which may be required if designated as a Significant Data Fiduciary

✅ Strengths

  • Clear commitment to data security measures, including encryption and physical security reviews, aligning with Section 8
  • Transparency regarding the types of personal information collected (name, address, phone, email, etc.)
  • Explicit statement that personal information is not rented, sold, or illegally shared with non-affiliated third parties for purposes other than requested services
  • Emphasizes that data collection is based on voluntary provision by individuals

Overview

Ather Energy is a prominent Indian electric vehicle (EV) manufacturer. As a company operating in India and collecting personal data from its users (e.g., for vehicle sales, service, and app usage), its privacy practices are directly subject to the Digital Personal Data Protection (DPDP) Act, 2023. Given the personal nature of data collected (contact details, potentially vehicle usage data), comprehensive DPDP compliance is critical.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent ⚠️

Ather Energy’s policy states: “Ather does not collect personal information about individuals except when such individuals specifically provide such information on a voluntary basis.” While emphasizing voluntary provision, this language suggests an implied consent model rather than the “free, specific, informed, and unambiguous” consent mandated by Section 6 of the DPDP Act. There is no explicit mechanism described for users to give granular consent for different processing purposes or to withdraw consent readily.

What the policy says: “Ather does not collect personal information about individuals except when such individuals specifically provide such information on a voluntary basis.”

DPDP requirement: Consent must be free, specific, informed, and unconditional. It must be given for a specific purpose and can be withdrawn at any time through easily accessible means.

Gap: The policy does not detail how consent is obtained, managed, reviewed, or withdrawn by the Data Principal, nor does it refer to Consent Managers as envisaged by the DPDP Act.

Section 7 — Certain Legitimate Uses ⚠️

The policy generally states information is collected “to provide the services You have requested.” This purpose is broad. Under DPDP Section 7, legitimate uses are specifically defined (e.g., voluntary provision by data principal, state functions, medical emergencies, employment). While providing requested services might fall under “voluntary provision by data principal,” the policy could be more precise about other processing activities (e.g., analytics, marketing) and their legitimate basis under the Act.

Gap: The policy does not explicitly differentiate between processing based on consent versus “certain legitimate uses,” potentially grouping various processing activities under a single, broad purpose without clear DPDP alignment.

Section 8 — Obligations of Data Fiduciary ✅

Ather Energy’s policy includes a commitment to data security. It states: “We work hard to protect You from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. Pursuant to the same, we: 1. Encrypt our services using secure server software, which is the industry standard and among the best software available today for secure transactions. 2. Review our information collection, storage and processing practices, including physical security measures to guard against unauthorized access to systems.” These measures generally align with Section 8’s requirement for implementing “reasonable security safeguards” to prevent personal data breaches.

Strength: The policy explicitly mentions encryption and regular review of security practices, demonstrating a commitment to protecting data.

Section 9 — Data Retention 🔴

Critical gap. The policy states: “Personal information will be retained for as long as necessary for the Company’s purposes identified in the Privacy Policy / contracts / agreements at the time of collection or as subsequently authorized by the data subjects. Personal information will be erased if their storage violates any of the data protection rules.” This “as long as necessary” language is vague and does not meet the DPDP Act’s requirement for defining specific retention periods or ensuring erasure when the purpose is fulfilled or consent is withdrawn, within a reasonable period.

DPDP requirement (Section 9): Data shall be erased when consent is withdrawn or the purpose is fulfilled. The Data Fiduciary must ensure data is erased within a reasonable period.

Gap: No specific retention timelines are provided, nor are there clear triggers or mechanisms for automated or requested data erasure upon cessation of purpose or withdrawal of consent.

Section 11 — Rights of Data Principal ⚠️

The policy mentions that information is “stored in accordance with the applicable laws”, but it does not explicitly outline the various rights of a Data Principal as prescribed by the DPDP Act. These include the right to access information, the right to correction and erasure, and the significant right to nominate another person to exercise these rights in case of death or incapacity (Section 14). Without clear articulation of these rights and the mechanisms to exercise them, the policy is not fully compliant.

Partial compliance: While a general intent to comply with “applicable laws” is stated, the specific rights under DPDP are not detailed.

Section 12 — Right of Grievance Redressal ⚠️

The provided privacy policy snippet [1] does not include information about a designated Grievance Officer, their contact details, or a formal process for Data Principals to seek redressal. Crucially, there is no mention of the Data Protection Board of India as an escalation authority, which is a key component of the DPDP Act’s grievance mechanism.

Gap: A clear and accessible grievance redressal mechanism, including the details of a Grievance Officer and the escalation path to the Data Protection Board, is absent.

Section 16 — Cross-Border Data Transfer ⚠️

The policy states: “Company does not rent, sell or share Your Personal Information with third parties or non affiliated companies except to provide the services You have requested.” This statement focuses on sharing within India for service provision but does not explicitly address the transfer of personal data outside India. Under DPDP Act Section 16, cross-border transfers are permitted only to countries not specifically restricted by the Central Government (a ‘negative list’ approach). The policy lacks clarity on whether and under what conditions Ather Energy transfers data internationally, and what safeguards are in place for such transfers.

Gap: The policy does not provide specific provisions for cross-border data transfers in accordance with DPDP Act 2023.

Risk Assessment

Ather Energy faces moderate regulatory risk due to its current privacy policy’s lack of explicit alignment with the DPDP Act 2023. While general security measures are in place, the vagueness around consent mechanisms, data retention periods, Data Principal rights, and grievance redressal poses a significant compliance challenge. As the DPDP Act and Rules are being phased in, with full compliance expected by mid-May 2027, Ather Energy needs to promptly update its policy to mitigate potential penalties, which can be substantial (up to INR 250 crore for certain breaches). The absence of a clear DPO or DPIA framework might also become a concern if Ather is designated a Significant Data Fiduciary.
