Archived analysis

This page is old. Groww was reviewed on 2026-02-28.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Fintech

Groww

Ready Score: 25/100
Analysis supervised by Sushant Pasumarty
28 Feb 2026


Groww's provided privacy policy text is incredibly sparse, acting more as a placeholder than a comprehensive statement. For a major fintech player handling sensitive financial data, this complete lack of detail regarding consent, data principal rights, security, and retention under the DPDP Act 2023 presents extreme regulatory and reputational risk.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.


We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-02-28
  • Company: Groww
  • Readiness score: 25/100
  • Policies and product behavior may have changed since review
  • Not re-verified: whether the current source policy still matches this archived policy-only review
  • Not re-verified: whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.


⚠️ Compliance Gaps

  • Extremely limited policy details — mostly a general statement
  • No explicit DPDP Act 2023 reference or compliance framework
  • Consent mechanism undefined — no mention of 'free, specific, informed, unambiguous'
  • Absence of data retention periods
  • No clarity on Data Principal rights like access, correction, erasure
  • Grievance redressal mechanism is absent, no Data Protection Board mention
  • Cross-border data transfer details are entirely missing

✅ Strengths

  • Acknowledges handling of personal data (basic initial step)

Overview

Groww is a prominent fintech platform in India, allowing users to invest in stocks, mutual funds, and other financial instruments. Given its role in managing significant amounts of personal and financial data (KYC documents, transaction history, investment portfolios), a robust and transparent privacy policy is paramount. However, the provided policy text is exceptionally brief, offering almost no substantive details on how user data is actually handled under the DPDP Act.

DPDP Readiness: Section-by-Section Analysis

The policy merely states it “specifies the manner in which personal data and other information are collected.” It does not describe any consent mechanism or how notice is provided.

What the policy says: “This Privacy Policy specifies the manner in which personal data and other information are collected, received, stored, processed, disclosed, transferred, dealt with or otherwise handled by the Company.”

DPDP requirement: Consent must be free, specific, informed, and unambiguous. Notice must describe the personal data to be collected and the purpose of processing.

The problem: Without explicit detail, users cannot know if their consent is genuinely “freely given” for specific purposes. The provided text offers no such assurance.

Section 7 — Certain Legitimate Uses 🔴

The provided policy text does not address “Certain Legitimate Uses” (now called Legitimate Uses) as defined by the DPDP Act.

DPDP requirement: Data Fiduciaries can process data without consent only for specific, limited purposes like medical emergencies, state functions, or voluntary provision by the Data Principal.

The problem: Any processing by Groww outside of explicit consent would be a major compliance gap, and the policy provides no information on this.

Section 8 — Obligations of Data Fiduciary 🔴

The policy text does not contain any details regarding data security safeguards or other obligations of a Data Fiduciary.

DPDP requirement: A Data Fiduciary (Groww, in this case) must implement “reasonable security safeguards” to prevent data breaches, ensure the completeness and accuracy of the personal data it processes, and notify the Data Protection Board and affected Data Principals in case of a breach.

The problem: The complete absence of information on security measures leaves users in the dark about how their sensitive financial data is protected.

Section 9 — Data Retention 🔴

The policy completely lacks any information on how long Groww retains user data.

DPDP requirement (Section 9): Data Fiduciaries must erase personal data once the purpose for which it was collected is met, or when consent is withdrawn. Data Principals have the right to request erasure.

The problem: Without defined retention periods, Groww could be holding onto sensitive financial data indefinitely, creating significant risk for both the company and its users.

Section 11 — Rights of Data Principal 🔴

The policy text does not mention any rights available to the Data Principal (the user).

DPDP requirement: Data Principals have several rights, including the right to access information, correct data, erase data, and nominate another person to exercise these rights on their behalf.

The problem: Users have no explicit guidance on how they can exercise their statutory rights regarding their personal data held by Groww.

Section 12 — Right of Grievance Redressal 🔴

The provided policy text does not outline any grievance redressal mechanism. While a “Contact Us” link exists on the page, the policy itself is silent on a dedicated process.

DPDP requirement: Data Fiduciaries must establish an effective mechanism for Data Principals to register grievances, typically involving a Grievance Officer and a clear escalation path to the Data Protection Board.

The problem: Users facing data-related issues would not know the formal steps or who to contact based on the provided policy.

Section 16 — Cross-Border Data Transfer 🔴

The policy only generally mentions data being “disclosed, transferred, dealt with or otherwise handled by the Company.” It makes a vague mention of “excluding the group companies, affiliates and subsidiary companies” for third-party information, but provides no specifics on cross-border data transfers.

DPDP requirement (Section 16): Personal data can only be transferred outside India to countries specifically notified by the Central Government, or based on other conditions specified by the law.

The problem: Without explicit details, users have no idea if their data is being sent abroad, to which countries, or under what safeguards, posing a significant compliance gap.

Risk Assessment

Category | Risk level | Potential impact
Regulatory fine | Critical | Up to ₹250 Cr per instance for compliance failure
Consent compliance | Critical | Default processing without valid consent invalidates data collection
Data retention | Critical | Indefinite retention of financial data creates massive liability
Cross-border transfer | High | Potential fines and regulatory action if data leaves India without approval
Data principal rights | High | Inability to exercise rights leads to user distrust and complaints
Data security | Critical | Undefined safeguards risk severe breaches and fines

Recommendations

  1. Develop a comprehensive privacy policy: Replace the current placeholder with a detailed policy outlining all aspects of data handling as required by DPDP.
  2. Implement explicit consent mechanisms: Introduce granular, opt-in consent for different data processing activities (e.g., core service, marketing, analytics).
  3. Define specific data retention periods: Clearly state how long each category of data (e.g., transaction logs, KYC documents, marketing data) will be retained.
  4. Outline Data Principal rights: Detail how users can exercise their rights to access, correct, erase, and nominate under Sections 11 and 14 of the DPDP Act.
  5. Establish a clear grievance redressal process: Name a Grievance Officer, provide contact details, and include the Data Protection Board as an escalation path.
  6. Disclose cross-border transfer specifics: If data is transferred abroad, clearly state the countries and the safeguards in place.
