Archived analysis

This page is old. BigBasket was reviewed on 2026-02-09.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

E-commerce

BigBasket

Ready Score 43/100
Analysis supervised by Sushant Pasumarty
📅 9 Feb 2026


BigBasket's grocery data creates one of the most detailed household profiles in Indian commerce — diet, health needs, baby care, income bracket — all from weekly orders. For a Tata Group entity, the 43/100 score raises questions about enterprise data sharing and DPDP readiness across the conglomerate.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

For current public evidence from website trackers, policy findings and proof samples, see State of Privacy 2026.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-02-09
  • Company: BigBasket
  • Readiness score: 43/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.


⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Grocery purchase data reveals household composition and health patterns
  • Tata Group entity data sharing scope unclear
  • No data retention timelines
  • Data Protection Board not mentioned
  • Baby product purchases reveal sensitive family information
  • Medicine/health product purchases treated as standard e-commerce data

✅ Strengths

  • Standard security measures described
  • Grievance officer designated
  • Account deletion mechanism available

Overview

BigBasket, now a Tata Digital subsidiary, delivers groceries to millions of Indian households. Weekly grocery orders reveal more about a household than almost any other data source: dietary practices (religious indicators), health products (medical conditions), baby products (family composition), premium vs. budget choices (income level), and organic preferences (health consciousness). This household-level profiling is under-addressed in their privacy policy.

DPDP Readiness: Section-by-Section Analysis

Single consent covers all grocery data processing. No separate consent for:

  • Household profiling based on order patterns
  • Health product purchase tracking
  • Baby/child product pattern monitoring
  • Sharing data within Tata Group entities

DPDP concern: Grocery data is deceptively intimate. A household's weekly orders reveal religion, health, family stage, income, and lifestyle — all without explicit consent for such inferences.

Section 7 — Certain Legitimate Uses ⚠️

Order fulfillment is legitimate. But BigBasket extends processing to:

  • Purchase pattern analytics for supplier partnerships
  • Household classification for targeted marketing
  • Tata ecosystem cross-selling (Tata Neu, 1mg, Croma integration)

These go beyond service delivery and need separate justification under DPDP.

Section 8 — Obligations of Data Fiduciary ⚠️

Standard security measures. However:

  • Delivery personnel access customer addresses and order contents
  • Warehouse staff process orders revealing personal information
  • No mention of enhanced handling for health or baby product orders

Section 9 — Data Retention 🔴

No retention timelines. Particularly concerning for:

  • Health product orders: Revealed medical conditions stored indefinitely
  • Baby product patterns: Family lifecycle data persisted
  • Delivery address history: Housing patterns tracked
  • Order frequency and timing: Household routine mapping

Section 11 — Rights of Data Principal 🔴

  • No mechanism to delete order history selectively (e.g., delete medicine purchases but keep grocery history)
  • No transparency on household profile inferences
  • No nomination rights
  • No right to prevent cross-Tata-entity profiling

Section 12 — Right of Grievance Redressal ⚠️

Basic grievance officer. No DPB pathway.

Section 16 — Cross-Border Data Transfer ⚠️

As a Tata Group entity, BigBasket may have data flowing within the conglomerate's global infrastructure. The policy doesn't specify whether household grocery data is processed or accessible outside India.

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr |
| Household profiling | Critical | Weekly groceries = comprehensive household intelligence |
| Health product data | High | Medicine and health product purchases reveal conditions |
| Tata ecosystem sharing | High | Cross-entity data flow within conglomerate |
| Data retention | High | Indefinite storage of intimate household data |

The Grocery Data Intelligence Problem

Weekly grocery orders create the most detailed household profile available in Indian digital commerce:

| Product Category | Inference | Sensitivity |
|---|---|---|
| No non-veg items, specific religious items | Religious practices | High |
| Diabetes-friendly, sugar-free products | Chronic health condition | Health data |
| Baby formula, diapers, baby food | New parent, child age | Family data |
| Organic, premium products | Income level, health consciousness | Financial |
| Alcohol | Lifestyle choice | Personal |
| Feminine hygiene products | Household gender composition | Personal |
| Quantity and frequency | Household size | Demographic |

Recommendations

  1. Classify health product purchases as sensitive data — Enhanced consent and retention rules for medicines, health products
  2. Implement household profiling transparency — Let users see and control inferences made from their purchase patterns
  3. Establish Tata Group data boundaries — Clear rules on what BigBasket data is shared with other Tata entities
  4. Add granular retention — “Active orders: 6 months; health products: 1 year; general purchase: 2 years; addresses: until user deletion”
  5. Separate consent for cross-platform sharing — Distinct consent for Tata Neu integration, 1mg health cross-referencing
  6. Deploy inference protection — Don't combine grocery patterns to create religious, health, or family profiles without explicit consent
