Overview
CleverTap is a massive “customer engagement” platform. In plain English: they help companies track what you do on apps (like clicking a ‘buy’ button) so those companies can send you targeted notifications.
Because they sit in the middle of thousands of apps and millions of users, they are a Data Fiduciary — the legal term for the entity that decides why and how your data is processed. If you use an app that uses CleverTap, your data is likely flowing through their servers.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
CleverTap uses “bundled consent” on their website forms. This is a big no-no under the new Indian law.
What the policy says: “By submitting this form, you agree to CleverTap’s Privacy Policy.”
What the law requires: Consent must be “specific” and “informed.” It shouldn’t be a hidden part of clicking a “Submit” button for a demo. You should be able to agree to the demo without necessarily agreeing to every other data use listed in a 20-page policy.
The problem: For the Data Principal (that’s you — the person the data belongs to), this is a “take it or leave it” deal. Under DPDP, notice must be clear and separate. CleverTap’s notice is currently buried.
Section 7 — Certain Legitimate Uses ⚠️
What the policy says: They rely on “legitimate interests” for things like marketing and business relationship management.
What the law requires: India’s DPDP Act is much stricter than the European GDPR here. Section 7 only allows “Certain Legitimate Uses” like voluntary data sharing for a specific purpose, state functions, or medical emergencies.
The problem: CleverTap’s European-style “legitimate interest” argument might not hold water in India. They need to map their data processing to the specific buckets India has defined, or they risk processing data illegally.
Section 8 — Obligations of Data Fiduciary ✅
This is one area where CleverTap shines because they deal with big global brands.
What the policy says: “We have put in place industry-standard administrative, physical, and technical safeguards… We encrypt certain sensitive information using session encryption.”
What the law requires: The law says a company must take “reasonable security safeguards” to prevent a data breach.
The problem: While their tech is strong, Section 8 also requires notifying the Data Protection Board of India if a breach happens. CleverTap’s policy currently has no mention of this Indian reporting requirement.
Section 9 — Data Retention 🔴
What the policy says: “Applicable law may permit or require CleverTap to retain some of your personal information as it is presently stored.”
What the law requires: Once the purpose for collecting the data is over (e.g., you stop using the service), the company must delete it. You can’t just keep it “just in case” forever.
The problem: There are no specific timelines. A startup using CleverTap needs to know exactly when their users’ data will be purged. Vague “as required by law” language is the old way of doing things; DPDP requires a proactive deletion plan.
Section 11 — Rights of Data Principal ⚠️
What the policy says: They list rights to access, correct, and erase data, but they state these rights “mirror your rights under the EU’s GDPR.”
What the law requires: Indian users have specific rights, including the Right to Nominate. This allows you to pick someone to manage your data rights if you pass away or become incapacitated.
The problem: CleverTap doesn’t mention the Right to Nominate at all. If you are an Indian business owner, your policy needs to include this to be compliant.
Section 12 — Right of Grievance Redressal 🔴
This is perhaps the most glaring issue for Indian users.
What the policy says: “You have the right to make a complaint at any time to the Republic of Bulgaria’s Commission for Personal Data Protection.”
What the law requires: You must have a way to complain in India. If the company doesn’t fix your issue, you have the right to escalate it to the Data Protection Board of India.
The problem: Imagine a small business owner in Bengaluru being told they have to file a complaint in Bulgaria. It’s impractical and legally insufficient under the DPDP Act.
Section 16 — Cross-Border Data Transfer ⚠️
What the policy says: They transfer data to the U.S. and other countries where their service providers are located.
What the law requires: Data can only be sent to countries that the Indian government hasn’t “blacklisted” (restricted).
The problem: While the U.S. is generally safe, CleverTap’s blanket statement that they can transfer data to any country where they have a facility is too broad for the new Indian rules.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory Fine | High | Fines in India can reach ₹250 Cr for failing to protect data or follow notice rules. |
| Grievance Path | Critical | Directing Indians to Bulgaria is a clear violation of Section 12. |
| Consent Validity | Medium | Bundled consent may be ruled invalid, meaning they have no legal right to process that data. |
| User Rights | Medium | Missing the “Right to Nominate” makes the policy legally incomplete in India. |
Recommendations
- Localize the Grievance Path: Add an Indian contact and mention the Indian Data Protection Board. Don’t send people to Sofia, Bulgaria.
- Update the Consent UI: Don’t just bundle the privacy policy into a “Submit” button. Use a separate checkbox or a clear “Notice” that pops up.
- Add the Right to Nominate: Update the “Your Rights” section to include Section 14 of the DPDP Act.
- Clean up Retention: Instead of “as permitted by law,” say “Data is deleted 30 days after account termination.”
- Mention the Act: Simply referencing “The Digital Personal Data Protection Act, 2023” shows regulators you are actually trying to comply.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.