Archived analysis

This page is old. Freshworks was reviewed on 2026-02-27.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Freshworks

Ready Score 35/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 27 Feb 2026

Freshworks' privacy policy, with a future effective date of July 2025, is primarily tailored for international laws like GDPR and CCPA. Despite having an Indian entity, the policy completely omits the DPDP Act 2023, broadly claims 'legitimate interests' for many processing activities, and lacks critical details on data retention and security measures (in the provided text), exposing its Indian operations to significant DPDP non-compliance risks.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

For current public evidence from website trackers, policy findings and proof samples, see State of Privacy 2026.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-02-27
  • Company: Freshworks
  • Readiness score: 35/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference or compliance framework
  • Broad use of 'legitimate interest' where DPDP requires consent
  • Consent mechanism bundled with service terms — not 'freely given' per Section 6
  • Data retention periods are not specified
  • Crucial security safeguard details missing in provided policy text
  • DPDP-specific Data Principal rights not addressed
  • No mention of Data Protection Board grievance escalation
  • Cross-border transfer provisions not aligned with DPDP Section 16

✅ Strengths

  • Clear identification of various data controller entities globally
  • Detailed categories of data collected and purposes
  • Specific rights mentioned for EEA, UK, Swiss, California, Brazil
  • Acknowledges consent for marketing in specific jurisdictions

Overview

Freshworks is a global SaaS company offering a suite of business software, from customer support to IT service management. With an active presence, including a registered entity in Chennai, India, Freshworks handles a vast amount of customer and user data. This analysis focuses on how their existing privacy policy, heavily influenced by Western regulations, measures up against India’s new DPDP Act, 2023.

DPDP Readiness: Section-by-Section Analysis

Freshworks’ policy relies on the broad acceptance of its terms for data collection. For many purposes, it cites “legitimate interests” or “contractual necessity.” While it mentions consent for marketing in the UK, EU, and Brazil, it does not explicitly seek “free, specific, informed, unconditional, and unambiguous” consent as required by DPDP Act Section 6 for India.

What the policy says: “By using our services, you agree to the collection and use of your information in accordance with this policy.” Also: “In the UK, EU and Brazil we will rely on your consent when sending marketing communications. Otherwise, it is in our legitimate interest to use your Personal Data for marketing purposes…”

DPDP requirement: Consent must be clearly sought for each specific purpose, and the Data Principal (the individual whose data is collected) must be able to withdraw it easily.

Gap: The policy bundles consent with service usage and defaults to “legitimate interest” for many activities without clear, opt-in mechanisms for Indian users.

Section 7 — Certain Legitimate Uses 🔴

Freshworks frequently states “legitimate interests” as its basis for processing data, including for providing services, recruitment, events, promotions, community forums, marketing (outside specific regions), personalized advertising, and service analytics.

What the policy says: “We process your Personal Data for these purposes based on our legitimate interests or a third party’s legitimate interest to ensure we provide our Services in an effective, safe and efficient way.”

DPDP requirement: The DPDP Act Section 7 defines “certain legitimate uses” very narrowly (e.g., medical emergency, state functions, employment). Most of Freshworks’ claimed legitimate interests (especially for marketing and general service improvement not tied to contractual obligations) would not qualify under this strict framework.

Gap: Over-reliance on “legitimate interest” for activities that would require explicit consent under DPDP.

Section 8 — Obligations of Data Fiduciary 🔴

The provided policy text mentions a section “6. HOW DOES FRESHWORKS KEEP PERSONAL DATA SECURE?” (in their quick links) but the detailed content for this critical section is missing from the provided text snippet. It ends abruptly before explaining specific security safeguards.

DPDP requirement: A Data Fiduciary (the entity collecting and processing data) must implement “reasonable security safeguards” to prevent data breaches.

Gap: Lack of detail on security safeguards in the provided text means we cannot assess compliance with DPDP’s security obligations.

Section 9 — Data Retention 🔴

The provided policy text contains a section heading “12. RETENTION OF PERSONAL DATA” but lacks any actual content detailing data retention periods.

DPDP requirement (Section 9): Data Fiduciaries must erase data once the purpose for its collection is fulfilled, or if consent is withdrawn, within a reasonable period. Specific retention policies are expected.

Gap: No specific retention periods are mentioned, leaving users in the dark about how long their data is kept.

Section 11 — Rights of Data Principal ⚠️

Freshworks acknowledges rights for users under GDPR, CCPA, and LGPD (e.g., access, correction, opting out). However, there is no specific mention of the rights granted to a Data Principal under the DPDP Act, such as the right to correction, erasure, or nomination.

What the policy says: “EEA, UK AND SWISS SPECIFIC RIGHTS”, “CALIFORNIA-RESIDENT SPECIFIC RIGHTS”, “BRAZILIAN GENERAL DATA PROTECTION LAW (LGPD)” are listed.

DPDP requirement: Data Principals have rights to access information, correct errors, erase data, and nominate another person to exercise these rights on their behalf (Section 14).

Gap: The policy needs to be updated to reflect DPDP-specific rights and the mechanisms for exercising them in India.

Section 12 — Right of Grievance Redressal 🔴

The policy’s quick links include “18. CONTACTING FRESHWORKS,” but the detailed content for grievance redressal, including contact for a Grievance Officer or escalation paths, is missing from the provided text.

DPDP requirement: A Data Fiduciary must have an easily accessible grievance redressal mechanism, including a designated Data Protection Officer or Grievance Officer, and clearly state the Data Protection Board of India as an escalation path.

Gap: No information on a specific grievance officer or the Data Protection Board of India as an escalation route is available in the provided text.

Section 16 — Cross-Border Data Transfer ⚠️

Freshworks states that data may be processed in countries where they are established (US, UK, EEA) and where third parties are based, adhering to DPF Principles (for EU/US/UK/Swiss transfers).

What the policy says: “We process Personal Data in the countries in which we are established, including the United States, the United Kingdom and the European Economic Area (‘EEA’) and in other countries where third parties that we may use are based.”

DPDP requirement (Section 16): Cross-border transfer of personal data is permitted only to countries explicitly notified by the Central Government.

Gap: The policy does not specify which countries data may be transferred to, nor does it acknowledge India’s specific requirement for government notification of permitted jurisdictions.

Risk Assessment

Category | Risk Level | Potential Impact
Regulatory fine | High | Up to ₹250 Cr per instance under DPDP
Consent compliance | Critical | Invalid consent could affect all Indian users
Data retention | Critical | Undefined deletion policies for sensitive data
Data Principal rights | High | Incomplete or inaccessible rights framework
Grievance redressal | High | Lack of DPDP-aligned mechanism for complaints
Cross-border transfer | Medium | Pending government notification of allowed countries

Recommendations

  1. Integrate DPDP Act 2023 explicitly — Update the policy to clearly reference the DPDP Act and explain compliance for Indian users.
  2. Implement layered, granular consent — Provide clear, specific, and opt-in consent options for various data processing activities, especially marketing and analytics, for Indian users.
  3. Define specific data retention periods — Clearly state how long different types of data are retained and when they will be erased.
  4. Add DPDP-specific Data Principal rights — Outline the rights of correction, erasure, and nomination under the DPDP Act and provide clear mechanisms for exercising them.
  5. Establish DPDP-compliant grievance process — Name a Grievance Officer for India and detail the escalation path, including the Data Protection Board.
  6. Clarify cross-border data transfers — Specify countries where data is transferred and ensure alignment with the Central Government’s notified list under DPDP Section 16.
