Overview
EatSure (owned by Rebel Foods) is a major player in India’s cloud kitchen space. When you order a wrap or a pizza, you aren’t just giving them your hunger—you’re handing over your home address, phone number, GPS location, and even access to your contacts and calendar.
As a Data Fiduciary (the company that decides how your data is handled), EatSure is responsible for keeping the information of you, the Data Principal (the person the data belongs to), safe and legal under the new law.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
EatSure uses what we call “bundled consent.” They basically say if you use the app, you agree to everything they do. The DPDP Act says this is a big no-no.
What the policy says: “By accessing or using its Services… you agree to this privacy policy and you are consenting to EatSure’s collection, use, disclosure…”
What the law requires: Consent must be free, specific, and informed. You should be able to say “Yes to delivery” but “No to marketing.”
The problem: You can’t opt-out of specific things at the start. It’s a package deal. If the consent isn’t “granular” (broken into choices), it might be considered invalid under the new law.
Section 7 — Certain Legitimate Uses ⚠️
The law allows companies to process data without a “Yes” in very specific cases, like medical emergencies or if you voluntarily provided it for a specific reason.
What the policy says: EatSure doesn’t explicitly list “Legitimate Uses,” but they claim they use data for “improving services” and “measuring advertising effectiveness.”
The problem: Marketing and analytics usually require explicit consent and don’t fall under “legitimate uses” in the DPDP Act. EatSure is playing it broad, which is risky.
Section 8 — Obligations of Data Fiduciary ⚠️
This section is about whether they are keeping your data behind a strong enough lock and key.
What the policy says: “Once we have received your information, we will use strict physical, electronic, and procedural safeguards…”
What the law requires: A Data Fiduciary must take “reasonable security safeguards” to prevent a data breach. If a breach happens, they must notify you and the government.
The problem: The policy is very vague. It doesn’t mention their legal duty to report a data breach to the Data Protection Board (the new government body that polices privacy).
Section 9 — Data Retention 🔴
This is a major weak spot for EatSure.
What the policy says: The policy mentions “retention” in the intro but never actually says how long they keep your data.
What the law requires: As soon as the purpose (like delivering your food) is over, the company must erase your data unless they have a legal reason to keep it.
The problem: If you delete the EatSure app today, will they delete your home address from their servers next week or next decade? The policy doesn’t say, which fails the Section 9 test.
Section 11 — Rights of Data Principal ⚠️
As a Data Principal (the owner of the data), you now have “superpowers” under the law, like the right to be forgotten.
What the policy says: They allow you to “withdraw consent” by writing an email, and they promise to process it in 5 days.
The problem:
- They don’t mention your right to erase your past data.
- They don’t mention your right to nominate someone to manage your data if you are unable to.
- They suggest they “may not be able to offer services” if you withdraw consent, which can sometimes be seen as “forcing” consent.
Section 12 — Right of Grievance Redressal ⚠️
What the policy says: “If you have any queries… please email us at feedback@eatsure.com.”
What the law requires: You must have a clear way to complain, and if the company doesn’t fix it, a clear path to complain to the Data Protection Board.
The problem: “feedback@eatsure.com” sounds like a place where suggestions for more cheese go, not a legal privacy desk. The policy doesn’t mention your right to escalate the issue to the government.
Section 16 — Cross-Border Data Transfer ✅/⚠️
What the policy says: “Your personal data may be transferred stored and process outside India…”
What the law requires: Data can only be sent to countries that the Indian government has “whitelisted.”
The problem: While they disclose that they send data abroad, they don’t specify where or how they ensure that the person receiving it follows Indian law.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent Validity | High | Bundled consent could be ruled invalid, stopping all data processing. |
| Data Deletion | Critical | Keeping data indefinitely is a direct violation of Section 9. |
| Regulatory Fines | High | Fines under DPDP can go up to ₹250 Crore for lack of safeguards. |
| User Rights | Medium | Users can’t easily exercise their right to be forgotten or nominate. |
Recommendations
- Stop the “Agreement by Use”: Update the app so users have to click “I Agree” to specific things (like marketing vs. delivery) rather than assuming they agree just by opening the app.
- Add a Deletion Clock: Tell users exactly when their data is deleted. For example: “We delete your exact GPS location 48 hours after delivery.”
- Appoint a DPO: Explicitly name a Data Protection Officer and give them a dedicated “privacy@” email address.
- Fix the “Deemed Acceptance” rule: You can’t just change the policy and say “if you keep using the app, you agree.” You must notify users of major changes.
- Add Nomination Rights: Give users a setting in the app to name a person who can manage their account if something happens to them.