Overview
Groww has rapidly become India’s most popular investment platform with over 10 crore registered users. The platform handles extremely sensitive financial data: PAN numbers, bank account details, Demat holdings, mutual fund portfolios, investment patterns, and risk profiles. This data is subject to both SEBI regulations and the DPDP Act — a dual compliance imperative.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ⚠️
Groww’s consent model conflates regulatory requirements with general consent:
- Mandatory processing: KYC, SEBI compliance, transaction execution — legitimately required by regulation
- Non-mandatory processing: investment behavior analytics, personalized recommendations, marketing — should require separate, optional consent
DPDP issue: Users cannot distinguish between consenting to regulatory requirements (mandatory) and consenting to Groww’s commercial use of their data (optional). Under DPDP, these must be separated.
Section 7 — Certain Legitimate Uses ⚠️
Groww has a stronger legitimate use case than many fintechs because:
- SEBI mandates KYC and transaction record-keeping
- PMLA requires anti-money laundering checks
- RBI mandates payment processing data retention
However: analytics, recommendations, and “improving our services” extend beyond regulatory mandates and need separate consent or legitimate use justification under DPDP.
Section 8 — Obligations of Data Fiduciary ✅
Strong security posture:
- SEBI-mandated audit compliance
- Two-factor authentication for all transactions
- Encryption of financial data at rest and in transit
- Segregated Demat data handling through CDSL/NSDL
This is one of Groww’s strengths — regulatory requirements have forced robust security infrastructure.
Section 9 — Data Retention ⚠️
Mixed picture:
- Regulatory data: SEBI mandates 5-8 year retention for transaction records — this is well-handled
- Non-regulatory data: Investment behavior patterns, browsing data, recommendation engine profiles — no retention timeline specified
Gap: Groww needs to distinguish between data retained for regulatory compliance (with clear legal basis and defined periods) and data retained for commercial purposes (which should have shorter, user-consented retention windows).
Section 11 — Rights of Data Principal ⚠️
Rights are partially addressed:
- ✅ Account deletion mechanism exists
- ⚠️ Data portability — users can download trade history but not behavioral profiles
- 🔴 No nomination mechanism (Section 14)
- 🔴 No mechanism to challenge automated investment recommendations
Gap: Users can download trades but cannot request their complete data profile including behavioral analytics and risk scoring.
Section 12 — Right of Grievance Redressal ⚠️
Groww has a multi-tier grievance system (SEBI requires this):
- Customer support
- Grievance Officer
- SEBI SCORES platform
Missing: DPDP’s Data Protection Board as a privacy-specific escalation path. The SEBI grievance mechanism handles investment disputes, not data protection complaints.
Section 16 — Cross-Border Data Transfer ⚠️
The policy references cloud infrastructure and analytics services but:
- Doesn’t specify which countries process investor data
- No mention of safeguards for financial data transferred internationally
- AWS/GCP infrastructure locations not disclosed
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine (DPDP) | Medium | Up to ₹250 Cr — partially mitigated by SEBI compliance |
| Consent architecture | Medium | Regulatory/commercial consent conflation |
| Data retention | Medium | Strong for regulated data, weak for commercial data |
| Dual compliance risk | High | SEBI + DPDP overlap creates interpretation challenges |
| Data principal rights | Medium | Partial coverage from SEBI requirements |
The SEBI-DPDP Overlap Challenge
Groww’s unique situation: SEBI already mandates significant data protection measures. But DPDP goes further in several areas:
- Consent granularity — SEBI doesn’t require consent separation; DPDP does
- Retention flexibility — SEBI mandates minimums; DPDP also requires maximums for non-regulatory data
- Rights scope — SEBI focuses on investor protection; DPDP covers all personal data rights
Groww must comply with both, taking the stricter requirement from each.
Recommendations
- Create a SEBI-DPDP compliance matrix — Map where requirements overlap and where DPDP adds new obligations
- Separate regulatory consent from commercial consent — “We need your PAN for SEBI KYC [mandatory]. Want personalized recommendations? [optional]”
- Define dual retention schedules — “Transaction records: 8 years (SEBI); behavioral profiles: 2 years (DPDP); marketing data: consent-based with annual renewal”
- Add DPDP rights alongside SEBI rights — Build a unified rights portal covering both frameworks
- Implement nomination mechanism — Especially critical for investment platforms where account holders may become incapacitated
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.