Archived analysis

This page is old. Box8 was reviewed on 2026-05-05.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

FoodTech

Box8

Ready Score 48/100
Analysis supervised by Sushant Pasumarty
📅 5 May 2026

Box8’s privacy framework remains anchored in the legacy IT Act 2000 regime. While it provides transparency regarding what data is collected, it fails the DPDP Act 2023 standards for consent granularity and data principal rights. The policy lacks the mandatory 'Notice' framework under Section 5 and provides no mechanism for data erasure or nomination, posing a high regulatory risk for a company handling high-frequency consumer location and behavioral data.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-05-05
  • Company: Box8
  • Readiness score: 48/100
  • Policies and product behavior may have changed since review
  • Before relying on this review, re-check two things: whether the current source policy still matches this archived policy-only review, and whether the app, web and product flows actually match what the policy says

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Primary reliance on IT Act 2000 and SPDI Rules 2011 instead of DPDP Act 2023
  • Consent is bundled with the platform's Terms of Use — lacks the 'specific and informed' requirement of Section 6
  • Data retention policy is vague, using 'as long as necessary' rather than defined erasure triggers
  • Absence of the 'Right to Nominate' (Section 14) for data principals
  • No procedure or mention for grievance escalation to the Data Protection Board of India (Section 13)
  • Lacks a specific notice for processing of children's data or a verifiable parental consent mechanism (Section 9)

✅ Strengths

  • Detailed enumeration of personal data categories collected (KYC, location, transaction logs)
  • Explicit disclosure of third-party service providers (logistics, payment gateways)
  • Named Grievance Officer with dedicated contact channel for data concerns
  • Clear description of technical security measures like SSL and secure server hosting

Overview

Box8 (operated by Poncho Hospitality Pvt. Ltd.) is a major player in the Indian cloud kitchen and FoodTech space. Processing thousands of daily orders involves handling sensitive PII, including real-time GPS locations, mobile numbers, and payment preferences. This analysis evaluates the policy as it stood on the review date (2026-05-05) against the Digital Personal Data Protection Act (DPDP) 2023.

DPDP Readiness: Section-by-Section Analysis

Section 5 & 6 — Notice and Consent 🔴

Box8 uses an implied, bundled consent model: by accessing the website or app, users are told they automatically agree to the privacy policy.

What the policy says: “By using our Website/App… you consent to our use and disclosure of your personal information in accordance with this Privacy Policy.”

DPDP Requirement: Section 6 requires consent to be free, specific, informed, unconditional, and an unambiguous affirmative action. The current “use equals consent” model is now legally insufficient. Furthermore, Box8 does not provide the mandatory Section 5 Notice at the time of collection, which must describe the data being collected and the purpose in plain language.

Gap: No granular checkboxes for different processing purposes (e.g., ordering vs. marketing).

Section 8 — Obligations of Data Fiduciary ✅

The policy demonstrates a strong commitment to security safeguards, which aligns with Section 8 requirements.

Strength: Box8 specifies that sensitive information (like credit card details) is encrypted during transmission via SSL technology and that data is stored on secure servers with restricted access. As a policy statement this meets the "reasonable security safeguards" threshold of Section 8(5). Caveat: the policy's wording is the only evidence here. "SSL" is a dated label (current deployments should be on TLS 1.2 or later), and a policy sentence says nothing about how the endpoints are actually configured; checking the live TLS configuration of the app and web endpoints is the next step a reviewer would take, and it is outside the scope of this policy-only review.

Section 8(7) — Data Retention and Erasure ⚠️

DPDP Section 8(7) mandates that personal data be erased when consent is withdrawn or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is necessary for compliance with a law in force.

Gap: Box8’s policy states that data is retained “for as long as it is relevant for the purposes for which it was collected” or “to comply with legal requirements.” This is too broad. Under DPDP, the fiduciary must itself trigger erasure once the specific purpose (the meal delivery) has been served, with a longer hold only where a specific law requires it; the policy names no such trigger, period or process.

Sections 11 and 12 — Right to Access, Correction and Erasure ⚠️

The policy allows users to “review and correct” their information through account settings or by contacting the Grievance Officer.

Gap: While correction is addressed, the policy does not explicitly provide the Right to Erasure in the manner prescribed by DPDP Section 12, nor the Right to Access Information under Section 11 (a summary of the personal data processed and the identities of the fiduciaries it has been shared with). There is no clear workflow for a user to request complete deletion of their profile and historical location data.

Section 13 — Grievance Redressal ⚠️

Box8 has appointed a Grievance Officer, as the SPDI Rules 2011 required.

Gap: Under DPDP Section 13, the Data Fiduciary must provide a readily available means of grievance redressal and respond within the period the rules prescribe. The policy gives a contact email but does not tell the user that, once that route is exhausted, the grievance can be taken to the Data Protection Board of India (DPB), as Section 13 contemplates.

Section 14 — Right to Nominate 🔴

Critical Gap: A distinctive feature of the DPDP Act is the Data Principal's right to nominate any other individual to exercise their rights in the event of death or incapacity. Box8’s policy contains no mention of nomination, which is a specific non-compliance under the new Act.

Section 16 — Transfer of Personal Data outside India ⚠️

The policy notes that data may be shared with “entities and affiliates” who may be located outside India.

Gap: DPDP Section 16 permits cross-border transfers except to countries the Central Government restricts by notification. The Act itself does not prescribe a transfer mechanism, but the policy names no contractual or technical safeguards (such as standard contractual clauses or an equivalent-protection commitment) for overseas recipients, so a data principal cannot tell what protection follows their data once it leaves India.

Risk Assessment

  • Consent Architecture (Risk: High): Consent bundled with the Terms of Use does not meet Section 6, so every processing activity that relies on it lacks a valid lawful basis.
  • Data Retention (Risk: Medium): No auto-deletion triggers for completed purposes or inactive accounts.
  • Principal Rights (Risk: Medium): Missing nomination and erasure mechanisms limit consumer control.
  • Regulatory Alignment (Risk: High): References to the IT Act 2000 rather than the DPDP Act 2023 signal that the policy has not been legally updated.

Recommendations

  1. Notice Overhaul: Publish a Section 5 compliant notice, separate from the Terms of Service, that states the personal data collected, the purpose of each processing activity, how to exercise rights and how to complain to the Board, with the option to read it in English or any language in the Eighth Schedule (Section 5(3)).
  2. Consent Manager: Integrate a Consent Manager registered with the Board (Section 6(7)-(9)) so users can give, review and withdraw consent per purpose and see their consent history.
  3. Erasure Policy: Define specific retention periods per purpose (e.g., 3 years for tax compliance, 6 months for customer service), erase on consent withdrawal or purpose completion, whichever is earlier, unless another law requires retention, and provide a “Delete My Data” action in the app that is backed by a real deletion workflow.
  4. Nomination Feature: Add a profile field that lets a user nominate any other individual (Section 14) to exercise their data rights in the event of death or incapacity.

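As an added example, not Box8’s code or policy and not from the original page, the following Python models the retention rule discussed under Section 8(7) and the erasure policy in recommendation 3: each processing purpose gets a defined retention window, erasure is due on consent withdrawal or purpose completion, whichever is earlier, and purposes kept under another law ignore withdrawal. The purpose names, retention figures, sample records and review date are assumptions chosen for illustration; the 3-year and 6-month figures echo the examples in the recommendation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention window, in days, after a processing purpose has been served.
# Assumed figures for illustration: the review suggests 3 years for tax
# compliance and 6 months for customer service; the rest are hypothetical.
RETENTION_DAYS = {
    "order_fulfilment": 0,       # delivery made: nothing further to keep for this purpose
    "customer_service": 180,     # 6 months after the last support interaction
    "tax_compliance": 3 * 365,   # 3 years after the invoice was issued
    "marketing": 0,              # lives only as long as the consent it rests on
}

# Purposes whose retention is imposed by another law. Withdrawal of consent
# does not shorten these (DPDP s.8(7): erase unless retention is necessary
# for compliance with any law in force).
LEGAL_HOLD_PURPOSES = {"tax_compliance"}

# Review date used by the sample run below (the date of this analysis).
REVIEW_DATE = date(2026, 5, 5)


@dataclass
class ProcessingRecord:
    principal_id: str
    purpose: str
    served_on: Optional[date]                 # date the purpose was completed, None if ongoing
    consent_withdrawn_on: Optional[date] = None


def erasure_due_on(rec: ProcessingRecord) -> Optional[date]:
    """Earliest date on which the record must be erased, or None if no trigger
    has fired yet. Purpose served or consent withdrawn, whichever is earlier,
    except that a legal-hold purpose ignores withdrawal."""
    if rec.purpose not in RETENTION_DAYS:
        raise ValueError(f"no retention rule defined for purpose {rec.purpose!r}")
    due: Optional[date] = None
    if rec.served_on is not None:
        due = rec.served_on + timedelta(days=RETENTION_DAYS[rec.purpose])
    if rec.consent_withdrawn_on is not None and rec.purpose not in LEGAL_HOLD_PURPOSES:
        due = rec.consent_withdrawn_on if due is None else min(due, rec.consent_withdrawn_on)
    return due


def erasure_plan(records: List[ProcessingRecord], today: date) -> Dict[str, Dict[str, List[str]]]:
    """Per principal: purposes to erase now, and purposes held back by law.
    A scheduled job or a 'Delete My Data' handler acts on 'erase'; the 'hold'
    list is what the user should be told is being kept, and why."""
    plan: Dict[str, Dict[str, List[str]]] = {}
    for rec in records:
        entry = plan.setdefault(rec.principal_id, {"erase": [], "hold": []})
        due = erasure_due_on(rec)
        if due is not None and due <= today:
            entry["erase"].append(rec.purpose)
        elif rec.purpose in LEGAL_HOLD_PURPOSES and rec.consent_withdrawn_on is not None:
            entry["hold"].append(rec.purpose)
    return plan


# Constructed sample records (hypothetical, not real Box8 data).
SAMPLE_RECORDS = [
    ProcessingRecord("u1", "order_fulfilment", date(2026, 1, 10)),
    ProcessingRecord("u1", "tax_compliance", date(2026, 1, 10), consent_withdrawn_on=date(2026, 2, 1)),
    ProcessingRecord("u1", "marketing", None, consent_withdrawn_on=date(2026, 2, 1)),
    ProcessingRecord("u2", "customer_service", date(2026, 3, 1)),
    ProcessingRecord("u2", "marketing", None),
]


def sample_plan() -> Dict[str, Dict[str, List[str]]]:
    """The erasure plan for the constructed records as of the review date."""
    return erasure_plan(SAMPLE_RECORDS, REVIEW_DATE)


if __name__ == "__main__":
    for principal, actions in sample_plan().items():
        print(principal, actions)
```

Run as-is, it shows that user u1's fulfilment and marketing data are overdue for erasure while the tax record is held despite the withdrawn consent, and that user u2's records have no fired trigger yet. The point for a policy like Box8's is that every purpose needs an explicit window and trigger before "as long as necessary" can be turned into a workflow that proves deletion.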
Fix these compliance gaps today.