Fintech / Wealthtech

Coin by Zerodha (Zerodha Broking Ltd.)

Ready Score 62/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 13 Mar 2026

Zerodha maintains a robust privacy framework governed by SEBI regulations and the IT Act 2000. However, as of early 2026, the policy for its Coin platform remains in a 'transitional' state regarding the DPDP Act 2023. While security measures are top-tier, the policy fails to incorporate specific statutory rights like the Right to Nominate and fails the 'Notice' accessibility requirements regarding regional languages and granular consent management.

⚠️ Compliance Gaps

  • Absence of Section 14 'Right to Nominate' — no framework for data principal succession
  • Notice not provided in 22 languages as required under Section 5(3) of DPDP Act
  • Grievance mechanism lacks explicit escalation path to the Data Protection Board of India
  • Data retention policy doesn't distinguish between SEBI-mandated storage and DPDP erasure requirements
  • Consent is largely bundled with account opening — lacks itemized 'purpose-specific' opt-ins
  • No mention of 'Consent Manager' integration for revoking or managing permissions

✅ Strengths

  • High transparency regarding third-party sharing with market infrastructure (CDSL, NSE, BSE)
  • Strong technical safeguards including 2FA, biometric locking, and data encryption
  • Detailed disclosure of 'Log Data' and device-specific information collected
  • Clear identification of the Grievance Redressal Officer with direct contact details

Overview

Coin by Zerodha is India’s largest direct mutual fund platform. Because it operates within a highly regulated financial ecosystem, its data processing is a hybrid of SEBI mandates (PMLA, KYC norms) and the DPDP Act 2023. While Zerodha excels at security, its privacy documentation still leans heavily on the legacy IT Act 2000 framework, creating a compliance gap with the newer, more stringent DPDP standards.

DPDP Readiness: Section-by-Section Analysis

Zerodha’s consent model for Coin is primarily all-or-nothing. To use the platform, users must agree to the privacy policy in its entirety.

What the policy says: “By opening an account… you signify your acceptance of the terms of this Privacy Policy.”

DPDP requirement: Consent must be free, specific, informed, and unconditional. It requires a clear “Notice” accompanying the consent request, detailing the data collected and the purpose.

Gap: The policy lacks a Consent Manager interface. Users cannot selectively consent to portfolio tracking while opting out of “marketing and promotional” notifications, which is a key requirement for consent to be “specific” under Section 6.

Section 5(3) — Language & Accessibility 🔴

Critical gap. The DPDP Act mandates that the Notice and request for consent must be available in English and any of the 22 languages specified in the Eighth Schedule to the Constitution.

Status: Zerodha’s privacy policy and consent notices are currently available only in English. This is a direct violation of the accessibility standards set for Data Fiduciaries.

Section 8 — Obligations of Data Fiduciary ✅

Zerodha demonstrates high compliance here due to its adherence to SEBI’s Cybersecurity and Cyber Resilience framework.

Strength: The policy details the use of SSL encryption, firewalls, and internal access controls. As a regulated entity, Zerodha undergoes regular system audits, which satisfies the “reasonable security safeguards” requirement of Section 8.

Section 9 — Data Retention & Erasure ⚠️

This is a complex area for Zerodha due to conflicting regulations.

DPDP requirement: Data must be erased once the purpose is fulfilled or consent is withdrawn.

Zerodha’s position: The policy states data is kept as long as the account is active or “as required by law.” Under PMLA (Prevention of Money Laundering Act), brokers must keep records for at least 5 years post-account closure.

Gap: The policy does not clarify that once the legal/regulatory retention period (SEBI/PMLA) expires, the data will be automatically purged. It lacks a “Right to be Forgotten” execution timeline.

Section 11 & 14 — Rights of Data Principal 🔴

The DPDP Act introduces several new rights that are missing from the Coin/Zerodha policy:

  • Right to Nominate (Section 14): The policy has no provision for a user to nominate a person to exercise their data rights in case of death or incapacity.
  • Right of Erasure: While users can close accounts, the policy does not explicitly outline the procedure for a Data Principal to demand the erasure of specific non-regulatory data (like app usage patterns).

Section 12 — Grievance Redressal ⚠️

Zerodha provides a clear point of contact for its Grievance Officer.

Gap: Under the DPDP Act, the policy must explicitly inform the user that if they are unsatisfied with the company’s response, they have the right to escalate the matter to the Data Protection Board of India (DPBI). Zerodha’s policy currently stops at internal redressal.

Section 16 — Cross-Border Transfer ✅

Zerodha predominantly processes data within India to comply with local financial regulations (RBI/SEBI data localization). The policy states that if data is shared with global service providers (like cloud storage), it is done under strict confidentiality. This aligns with current DPDP provisions as long as the destination is not a “blacklisted” country by the Central Government.

Risk Assessment

| Category | Risk Level | Mitigation Priority |
|---|---|---|
| Consent Specificity | High | Implementation of granular opt-ins and a Consent Manager dashboard. |
| Linguistic Compliance | High | Translation of Privacy Policy and Notices into regional languages. |
| Data Principal Rights | Medium | Integration of ‘Right to Nominate’ into the user profile settings. |
| Security/Safeguards | Low | Existing SEBI-mandated controls are highly robust. |

Final Analyst Note: Zerodha’s “Privacy by Design” is strong regarding security but weak regarding “Rights” and “Notice.” To achieve 90+ compliance, they must move away from the “Terms of Service” style of privacy and adopt the “Notice-and-Choice” framework mandated by the DPDP Act 2023.
