Archived analysis

This page is old. Blinkit was reviewed on 2026-04-02.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

E-commerce

Blinkit

Ready Score 58/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 2 Apr 2026

Blinkit’s privacy policy, last updated in January 2025, remains heavily influenced by the IT Act 2000 framework. While it provides high transparency regarding 'what' is collected, it fails the 'how' of DPDP Act 2023—specifically regarding granular consent, the right to be forgotten, and the new statutory rights of nomination. The reliance on 'implied consent' through platform usage is a high-risk area under the new regulatory regime.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-04-02
  • Company: Blinkit
  • Readiness score: 58/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Consent is 'deemed' by continued use — violates Section 6 requirement for affirmative action
  • No provision for the Right to Nominate (Section 14) in case of death or incapacity
  • Missing notice availability in 22 scheduled languages as per Section 5(3)
  • Data retention periods are vague ('as long as necessary') — lacks Section 9 erasure clarity
  • No explicit mention of the Data Protection Board (DPB) for grievance escalation
  • Bundled consent for multiple purposes (delivery, marketing, analytics) without granular opt-outs

✅ Strengths

  • Explicit naming of a Data Protection Officer (DPO) with dedicated email contact
  • Detailed classification of data types collected (device info, location, SMS logs for fraud)
  • Clear disclosure of third-party sharing categories (Sellers, Brands, Service Providers)
  • Strong security framework referencing PCI-DSS and encryption standards

Overview

Blinkit (Blink Commerce Private Limited), a subsidiary of Zomato, operates in the high-frequency quick commerce sector. It processes high volumes of sensitive personal data, including real-time precise location, financial identifiers, and consumption patterns. As of April 2026, while the policy has seen incremental updates, it has not yet achieved full “Privacy by Design” alignment with the DPDP Act 2023.

DPDP Readiness: Section-by-Section Analysis

Section 5 — Notice ⚠️

Blinkit provides a standard privacy policy, but it lacks the DPDP-mandated “Notice” format.

Gap: Under Section 5, a notice must accompany every consent request, detailing the data collected and the purpose. Crucially, Section 5(3) requires that the notice be available in English and any of the 22 languages specified in the Eighth Schedule to the Constitution. Blinkit currently provides only a single English policy.

Critical Risk. Blinkit’s policy states: “By accessing or using its Services… you agree to this privacy policy and you are consenting to Blinkit’s collection…”

DPDP Requirement: Consent must be free, specific, informed, unconditional, and an unambiguous affirmative action.

Analysis: “Deemed consent” through usage is no longer valid for most commercial processing. Blinkit bundles delivery fulfillment consent with marketing and third-party data sharing. To comply, they must implement a “Consent Manager” interface or layered checkboxes.

Section 8 — Obligations of Data Fiduciary ✅

Blinkit shows strength in its technical safeguards.

  • Accuracy: They provide mechanisms for users to update profiles.
  • Security: The policy details physical and electronic safeguards, and specifically mentions PCI-DSS compliance for payment data handled by third parties.
  • Data Processor Accountability: They contractually require third parties to maintain confidentiality, aligning with Section 8(1).

Section 9 — Data Retention ⚠️

Gap: The policy states data is kept “for as long as necessary to provide services.”

DPDP Requirement: Section 9 requires the Data Fiduciary to erase personal data as soon as the purpose for which it was collected is no longer served, or when consent is withdrawn.

Analysis: Blinkit lacks a “Data Retention Schedule” or clear “Right to Erasure” (Right to be Forgotten) workflow that defines the “reasonable period” for deletion after account inactivity.

Section 11, 12 & 13 — Rights of Data Principal ⚠️

The policy acknowledges the right to review and correct data, but is missing the newer DPDP rights:

  • Right to Nominate (Section 14): No mention of allowing a user to nominate another individual to exercise their rights in the event of death or incapacity.
  • Right of Grievance Redressal: While a DPO is listed (privacy@blinkit.com), the policy does not inform users of their statutory right to escalate unresolved grievances to the Data Protection Board of India (DPBI).

Section 16 — Cross-Border Data Transfer ⚠️

The policy mentions that information may be “stored and processed in any country where we have facilities or hire service providers.”

Gap: Section 16 restricts transfers to certain countries or territories as notified by the Central Government. Blinkit’s blanket clause is too broad and may violate future “negative list” restrictions or specific localization requirements for certain data subsets.

Risk Assessment

| Category | Risk Level | Impact |
|---|---|---|
| Consent Architecture | High | Fines up to ₹250 Cr for failing to take “affirmative” consent. |
| Data Principal Rights | Medium | Exposure to DPB complaints due to lack of nomination and erasure rights. |
| Notice Compliance | High | Multi-lingual notice is a hard requirement often overlooked. |
| Security/Breach | Low | Robust existing infrastructure and DPO appointment. |

Final Analyst Note: Blinkit must move away from “Terms of Use” style privacy agreements toward a dynamic Consent Management Framework. The most urgent priorities are the implementation of a multi-lingual notice and a specific “Withdrawal of Consent” UI that is as easy as the “Give Consent” process.
