Archived analysis

This page is old. BharatPe was reviewed on 2026-03-09.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Fintech

BharatPe

Ready Score 52/100
Analysis supervised by Sushant Pasumarty
9 Mar 2026

BharatPe's policy is built on the old 'I Agree' checkbox model, which doesn't fly under India's new law. While they score well on keeping data in India, their consent process is too broad and lacks the control users are now legally entitled to.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-03-09
  • Company: BharatPe
  • Readiness score: 52/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Uses 'bundled consent' where visiting the site equals agreement
  • Still references the outdated IT Act 2000 instead of the DPDP Act
  • No mention of the right to nominate a representative
  • Vague 'marketing' purposes listed under essential data use
  • Missing instructions on how to escalate complaints to the Data Protection Board
  • Incomplete framework for immediate data erasure upon consent withdrawal

✅ Strengths

  • Explicitly states that servers are located within India
  • Specific 5-year minimum retention period for records
  • Clearly identifies the Grievance Officer by name and contact
  • Detailed list of third-party categories they share data with

Overview

BharatPe is a massive player in India’s merchant ecosystem, famous for its QR codes and lending products. As a Data Fiduciary (the company that decides how your data is handled), they collect sensitive info from millions of small business owners.

If you’re a merchant using their QR code, they aren’t just seeing your name; they are tracking your SMS transaction history, location, and even your business inventory. Under the new DPDP Act, the bar for how they protect this “goldmine” of data has been raised significantly.

DPDP Readiness: Section-by-Section Analysis

BharatPe uses what we call “bundled consent.” They assume that if you use their app, you’ve already agreed to everything in their policy.

What the policy says: “By visiting… or accessing… you are accepting the practices described in this Privacy Policy.”

What the law requires: Consent must be specific and clear. You can’t just hide consent in the fine print of a “Terms & Conditions” page. The Data Principal (that’s you, the person the data belongs to) must give a “thumbs up” to specific uses of their data.

The problem: You can’t say “no” to marketing while saying “yes” to payment processing. It’s all or nothing. Under DPDP, this “take it or leave it” approach is risky for the company.

Section 7 — Certain Legitimate Uses ⚠️

What the policy says: They claim they use your data for “improving marketing and promotional efforts” as a necessary part of their service.

What the law requires: The law allows companies to process data without a specific “I Agree” button only for very narrow reasons (like medical emergencies or government mandates).

The problem: “Marketing” is almost never a legitimate use that bypasses consent. BharatPe’s policy tries to group marketing with essential services, which could be challenged under the new rules.

Section 8 — Obligations of Data Fiduciary ✅

What the policy says: “Our servers are located within the territory of India… we use Secure Sockets Layers (SSL) based encryption.”

What the law requires: Companies must take “reasonable security safeguards” to prevent data breaches.

The strength: BharatPe is very clear about storing data in India, which is a huge plus for security and regulatory comfort. They also mention that they only share data with employees on a “need to know” basis.

Section 9 — Data Retention ⚠️

What the policy says: “We will retain your data for a minimum of 5 (five) years after your account has been terminated.”

What the law requires: Once the purpose of collecting the data is over (e.g., you close your account), the company must delete it unless a law says otherwise.

The problem: While 5 years aligns with some financial laws, the policy also says they can keep it “longer depending on applicable laws.” This “longer” is a black hole. Small business owners deserve to know exactly when their data will be wiped.

Section 11 — Rights of Data Principal 🔴

What the policy says: It mentions you can “correct or update” info and “withdraw consent.”

What the law requires: You now have the right to nominate someone to manage your data if you pass away or become incapacitated. You also have the right to a summary of all your data they hold.

The problem: BharatPe’s policy doesn’t mention the right to nominate at all. If you are a shop owner, you should be able to tell BharatPe who gets to control your business data if you can’t.

Section 12 — Right of Grievance Redressal ⚠️

What the policy says: They provide the name (Rahul Tomar) and email of their Grievance Officer.

What the law requires: You must have a clear way to complain, and if the company doesn’t fix it, you must be told you can go to the Data Protection Board of India.

The problem: The policy is a dead end. It tells you how to email BharatPe, but it doesn’t tell you that the Government has a Board you can go to if BharatPe ignores you.

Section 16 — Cross-Border Data Transfer ✅

What the policy says: “Our servers are located within the territory of India.”

The strength: Since they keep data local, they avoid the complicated mess of sending Indian merchants’ financial data to foreign countries. This is one of their strongest points for DPDP compliance.

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent Validity | 🔴 High | If consent isn’t “free,” the company can’t legally process any data. |
| User Rights | ⚠️ Medium | Merchants can’t nominate heirs for their digital business records. |
| Regulatory Fines | 🔴 High | Up to ₹250 Crore for failing to protect data or follow consent rules. |
| Data Localization | ✅ Low | Data stays in India, which is exactly what the government wants. |

Recommendations

  1. Stop the “By Visiting” Consent: BharatPe needs to show a clear pop-up that lets users pick what they agree to (e.g., “Yes to payments, No to marketing calls”).
  2. Add Nomination Rights: They should add a simple setting in the app where a merchant can name a family member as their “Data Nominee.”
  3. Reference the DPDP Act: The policy still talks about the IT Act of 2000. It needs an urgent 2024 update to mention the new law.
  4. Clarify the Deletion Timeline: Instead of saying “5 years or longer,” give a clear table. “Loan data: 7 years. Profile photo: 30 days after account closure.”
