Overview
Go Digit General Insurance (Digit) is a major player in India’s InsurTech space. Because they sell insurance, they handle some of your most sensitive information: medical history, financial records, KYC documents (like Aadhaar), and even real-time location data.
In the eyes of the law, Digit is a Data Fiduciary (the entity that decides how and why your data is used), and you are the Data Principal (the person the data belongs to). Because insurance involves high-stakes data, their responsibility to protect you is much higher than a typical retail app.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ⚠️
Digit’s policy is a bit of a “mixed bag.” On one hand, they have a clear table for data collection. On the other, they still use the old-school “if you use our app, you agree to everything” approach.
What the policy says: “By interacting with the Website and/or the Digit App… you represent and acknowledge that you have read and understood the terms… and you agree to be bound by all its terms.”
What the law requires: Consent must be unambiguous and specific. You can’t just bundle it into the “Terms and Conditions.” A user should be able to buy insurance without necessarily agreeing to “marketing and personalized ads.”
The problem: This “all-or-nothing” approach is exactly what the DPDP Act tries to stop. You shouldn’t have to give up your privacy rights just to browse a website.
Section 7 — Certain Legitimate Uses ✅
What the policy says: Digit lists lawful purposes like “Verification of identity,” “Complying with KYC norms,” and “Prevention of fraud.”
What the law requires: The law allows companies to process data without explicit consent for “certain legitimate uses,” like responding to a medical emergency or fulfilling a legal mandate (like IRDAI insurance rules).
The verdict: Since insurance is a heavily regulated industry, Digit has a strong legal ground here. Most of their data collection is required by insurance laws, which fits perfectly under Section 7.
Section 8 — Obligations of Data Fiduciary ✅
This is where Digit shines. They are one of the few companies already mentioning Data Protection Impact Assessments (DPIA).
What the policy says: “Digit shall undertake a Data Protection Impact Assessment (DPIA) and a compliance audit once every twelve months.”
The significance: This means they aren’t just saying they are secure; they are committing to a formal “health check” of their data systems every year. This is a big win for user safety.
Section 9 — Data Retention 🔴
What the policy says: “Digit shall retain your personal Information for as long as required to provide you with services or otherwise required under the law.”
What the law requires: Companies must delete your data once the specific purpose is over. For example, if you cancel your policy and the legal “lock-in” period ends, that data should be purged.
The problem: “As long as required” is too vague. Does that mean 5 years? 50 years? A small business owner looking at this should realize that under DPDP, you need to give a specific “expiry date” for data.
Section 11 — Rights of Data Principal ⚠️
What the policy says: “You may inform us at any time to delete/modify Your Personal Information by sending us an e-mail.”
The problem: While they allow deletion, they miss a key DPDP requirement: The Right to Nominate.
- What it means: If something happens to you, you have the right to name someone else to manage or delete your data. Digit’s policy doesn’t mention this yet.
Section 12 — Right of Grievance Redressal ✅
What the policy says: They have a dedicated Data Protection Officer (DPO) and provide a clear physical address and email (hello@godigit.com) for complaints.
The verdict: This is solid. They provide a clear path for a “regular person” to complain if they think their data is being misused.
Section 16 — Cross-Border Data Transfer ⚠️
What the policy says: They mention “exporting” data and sharing it with “trusted third parties,” which may be located abroad.
The problem: The DPDP Act says the Government will eventually provide a “blacklist” of countries where Indian data cannot go. Digit’s policy is currently too broad and doesn’t specify what security standards apply when your medical data leaves Indian borders.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent Validity | Medium | Bundled “agree to all” terms may be challenged by the Data Protection Board. |
| Data Retention | High | Vague timelines make it hard to prove data was deleted after use. |
| Sensitive Data | Critical | Handling medical/biometric info carries the highest fines (up to ₹250 Cr). |
| User Rights | Low | Basic rights (delete/edit) are available, though nomination is missing. |
Recommendations for Small Businesses
If you are a business owner looking at Digit’s policy, here is what you can learn for your own:
- Don’t bundle consent: When a user signs up, ask for consent for “core service” separately from “marketing.”
- Be specific on dates: Instead of saying “as long as necessary,” say “we keep your data for 3 years after your last purchase to comply with tax laws.”
- Appoint a DPO: Even if you’re small, having one person responsible for data (and listing their email) builds huge trust.
- Reference the Act: Digit has updated its policy to mention the “DPDP Act 2023.” You should too. It shows customers you actually care about the new law.
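One way to turn these recommendations (per-purpose consent instead of a bundled “agree to all,” a concrete retention expiry instead of “as long as required,” and the Section 11 nomination right) into checks an application can enforce, added here as an illustrative example rather than Digit’s own code; the purpose names, the 3-year window after the last purchase, and the nominee field are assumptions:

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional

# Purposes are consented to one by one, never as a bundled "agree to all".
CORE_PURPOSES = {"policy_servicing", "kyc_verification"}   # Section 7 legitimate uses
OPTIONAL_PURPOSES = {"marketing"}                          # requires explicit opt-in
RETENTION_YEARS = 3   # assumed: mirrors the page's "3 years after your last purchase"

@dataclass
class ConsentRecord:
    principal_id: str
    purposes: Dict[str, bool]          # one flag per purpose, recorded separately
    last_purchase: date                # anchor for the retention clock
    nominee: Optional[str] = None      # Section 11: the person the principal nominates

def grant_consent(principal_id: str, last_purchase: date,
                  opt_in: Iterable[str] = (), nominee: Optional[str] = None) -> ConsentRecord:
    """Core purposes come with the service; optional ones only when opted in."""
    unknown = set(opt_in) - OPTIONAL_PURPOSES
    if unknown:   # a purpose the user was never shown cannot be consented to
        raise ValueError(f"not an optional purpose: {sorted(unknown)}")
    flags = {p: True for p in CORE_PURPOSES}
    flags.update({p: p in set(opt_in) for p in OPTIONAL_PURPOSES})
    return ConsentRecord(principal_id, flags, last_purchase, nominee)

def withdraw_consent(record: ConsentRecord, purpose: str) -> None:
    """Withdrawal is per purpose; unknown purposes are rejected, not silently added."""
    if purpose not in record.purposes:
        raise KeyError(f"no consent recorded for purpose {purpose!r}")
    record.purposes[purpose] = False

def can_process(record: ConsentRecord, purpose: str) -> bool:
    """Default-deny: anything not explicitly recorded is not consented to."""
    return record.purposes.get(purpose, False)

def retention_expiry(record: ConsentRecord) -> date:
    """A concrete expiry date instead of 'as long as required'."""
    d = record.last_purchase
    try:
        return d.replace(year=d.year + RETENTION_YEARS)
    except ValueError:                 # 29 Feb rolling into a non-leap year
        return d.replace(year=d.year + RETENTION_YEARS, day=28)

def must_purge(record: ConsentRecord, today: date) -> bool:
    """Check a scheduled purge job can run; delete on or after the expiry date."""
    return today >= retention_expiry(record)

def may_request_erasure(record: ConsentRecord, requester: str) -> bool:
    """The principal, or the nominee they named, may ask for deletion."""
    return requester == record.principal_id or (
        record.nominee is not None and requester == record.nominee)
```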