Archived analysis

This page is old. CRED was reviewed on 2026-02-26.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Fintech

CRED

Ready Score 66/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 26 Feb 2026


CRED's privacy policy strongly emphasizes user consent and robust security, including RBI data localization for payment data. However, it requires clearer DPDP alignment regarding truly 'freely given' consent, specific data retention timelines, comprehensive Data Principal rights, and the Data Protection Board as a grievance escalation channel.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

For current public evidence from website trackers, policy findings and proof samples, see State of Privacy 2026.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-02-26
  • Company: CRED
  • Readiness score: 66/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.


⚠️ Compliance Gaps

  • Consent potentially bundled with core features, not 'freely given'
  • No specific data retention periods defined beyond legal mandates
  • Incomplete Data Principal rights mentioned (e.g., access, nomination)
  • No Data Protection Board escalation path for grievances
  • Ambiguity on cross-border transfer for non-payment data

✅ Strengths

  • Strong commitment to data security with ISO certifications
  • Explicit RBI data localization for payment data within India
  • Clear grievance officer contact published
  • Granular consent revocation mechanism mentioned

Overview

CRED is a prominent Indian fintech platform primarily known for credit card bill payments and premium rewards. As it handles highly sensitive financial data — credit scores, transaction details, payment history, and associated personal information — its privacy policy needs to be fully compliant with the new DPDP Act, 2023.

DPDP Readiness: Section-by-Section Analysis

CRED states that “it starts with your consent. your consent holds absolute power.” This is a strong start. The policy also mentions users can “revoke our access to your data anytime by changing your permission settings.” However, there’s a catch:

What the policy says: “however, revoking access to crucial permissions may cause certain side effects: some features may not work as expected or may even be unavailable for your use.”

DPDP requirement: Consent must be free, specific, informed, and unconditional. It must be given for a specific purpose and can be withdrawn at any time without undue negative consequences.

The problem: If revoking consent for certain data processing leads to features becoming unavailable, the consent isn’t truly “freely given.” It implies a bundled, “take it or leave it” approach for core functionalities, which is a key issue under DPDP.

Section 7 — Certain Legitimate Uses ✅

The provided policy text does not broadly claim “legitimate uses” for processing data without explicit consent for purposes like marketing or personalization. The only mention of processing without explicit, active consent is for data retention “as required by applicable laws,” which generally aligns with DPDP’s legitimate uses.

Strength: CRED avoids making broad claims for “legitimate uses” that fall outside the narrow definitions of the DPDP Act, such as for “improving services” or “personalization” without consent.

Section 8 — Obligations of Data Fiduciary ✅

CRED demonstrates a strong commitment to data security, aligning well with Section 8’s requirement for a Data Fiduciary (the entity determining why and how data is processed, in this case, CRED) to implement “reasonable security safeguards.”

What the policy says: “security comes first… We use strong physical, administrative, and technical safeguards to protect your data from unauthorized access, use, and disclosure… CRED is in compliance with ISO 27701:2019 and 27001:2022 standards.”

Strength: Explicitly lists types of safeguards, mentions ISO certifications (international standards for privacy and information security management), and states data is “anonymized or pseudonymized wherever possible.”

Section 9 — Data Retention ⚠️

The policy mentions the right to request deletion, but provides vague details on how long data is kept otherwise.

What the policy says: “You can also request the deletion of your data. In certain cases, CRED and relevant third parties may retain the data as required by applicable laws. read more about that here.”

DPDP requirement (Section 9): Data shall be erased when consent is withdrawn or the purpose for which it was collected is fulfilled. The Data Fiduciary must ensure data is erased within a reasonable period, or explicitly state the retention period.

The problem: While legal retention is legitimate, the policy doesn’t specify how long data is retained when no legal mandate applies, or after the initial purpose is fulfilled. The “read more about that here” link needs to provide clear, specific timelines to be compliant.

Section 11 — Rights of Data Principal ⚠️

The policy acknowledges the right to revoke consent and request deletion. However, a Data Principal (the individual whose data is being processed) has more rights under DPDP.

DPDP requirement: Data Principals have rights including access to their data, correction, erasure, and the right to nominate another person to exercise these rights on their behalf (Section 14).

The problem: The policy does not explicitly mention the right to access one’s data or the right to correction. It also omits the crucial nomination right under Section 14, which allows individuals to designate someone to act on their behalf after their demise or incapacity.

Section 12 — Right of Grievance Redressal ⚠️

CRED provides a path for grievance redressal, but it’s not fully aligned with DPDP.

What the policy says: “for any concerns… reach out to us via our support channels here. if your issue remains unresolved, you can escalate it to our grievance officer (Mr. Atul Patro) by clicking the button below.”

DPDP requirement: A Data Principal has the right to complain to a Grievance Officer and, if unsatisfied, escalate the matter to the Data Protection Board of India. Response timelines (e.g., 30 days) are also expected.

The problem: While a Grievance Officer is named, the policy does not mention the Data Protection Board as an escalation path. There are also no explicit commitments for response timelines.

Section 16 — Cross-Border Data Transfer ✅

CRED provides strong assurances regarding data localization for payments data.

What the policy says: “we meet RBI’s data localization rules, ensuring that all payment data is securely stored within India.”

DPDP requirement (Section 16): Transfer of personal data outside India is only permitted to countries notified by the Central Government.

Strength: Explicitly stating compliance with RBI data localization rules for payment data is a significant strength.

A note on ambiguity: While strong on payment data localization, the policy doesn’t explicitly clarify if any other types of data (e.g., non-payment analytics or anonymized data) are transferred cross-border, and if so, what safeguards are in place for them. However, given the emphasis on localization, it suggests a default to in-India processing.

Risk Assessment

Category                 Risk Level   Potential Impact
Consent compliance       High         Fines up to ₹250 Cr if bundled consent challenged
Data retention           High         Regulatory action for indefinite data storage
Data principal rights    Medium       User complaints, potential penalties for non-compliance
Grievance redressal      Medium       Users bypass internal process, directly escalate to DPB (if they know about it)
Reputational impact      Medium       Loss of trust if perceived as non-compliant

Recommendations

  1. Refine consent mechanism: Clearly separate consent for essential service features from optional data uses (e.g., marketing, analytics). Ensure users can withdraw consent for optional uses without impacting core service functionality.
  2. Define specific retention periods: For each category of data, clearly state how long it will be retained, citing legal mandates where applicable, and a default “max X months after account closure” otherwise.
  3. Expand Data Principal rights: Explicitly state all rights under DPDP (access, correction, erasure, nomination) and how users can exercise them through self-service or support channels.
  4. Add Data Protection Board escalation: Clearly state that if a user is unsatisfied with the Grievance Officer’s resolution, they can escalate the complaint to the Data Protection Board of India.
  5. Clarify cross-border transfers: If any non-payment data is transferred outside India, explicitly disclose the types of data, the countries involved, and the safeguards in place.
