Banking

IndusInd Bank

Ready Score 5/100

ANALYSIS SUPERVISED BY Sushant Pasumarty

📅 24 Mar 2026

Discuss this page with an LLM

Executive Summary

IndusInd Bank's official privacy policy URL leads to a 'page not found' error, making it impossible to assess their DPDP Act 2023 readiness. This fundamental lack of an accessible privacy policy is a severe compliance gap, preventing customers from understanding how their sensitive financial data is collected, processed, and protected.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

For current public evidence from website trackers, policy findings and proof samples, see State of Privacy 2026.

We look for:

Notice and consent clarity
Purpose limitation
Data minimization
Retention and deletion language
Vendor and processor disclosures
Data Principal rights
Grievance redressal
Breach and security posture

Source Check

Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
Date reviewed: 2026-03-24
Company: IndusInd Bank
Readiness score: 5/100
Policies and product behavior may have changed since review
Whether the current source policy still matches this archived policy-only review
Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

Do we collect similar categories of personal data?
Do we share data with the same number or type of vendors?
Can users understand why their data is shared?
Can we prove deletion, retention and grievance workflows?
What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

Book a DPDP readiness call

⚠️ Compliance Gaps

Official privacy policy URL leads to 'page not found' error
No public privacy policy text available for analysis
Fundamental failure to provide easily accessible privacy information
Customers cannot understand data handling, consent, or rights
Severe transparency and accountability issues under DPDP Act 2023
Inability to assess any DPDP compliance elements due to absence of policy

✅ Strengths

None could be assessed as privacy policy text is unavailable.

Overview

IndusInd Bank is a prominent Indian private sector bank, offering a wide range of financial products and services. As a bank, it handles an immense volume of highly sensitive personal data belonging to millions of customers – things like account details, transaction history, KYC documents (PAN, Aadhaar), loan applications, and investment records. Under the new DPDP Act 2023, how a bank like IndusInd manages this data is critical.

However, a fundamental issue exists: the privacy policy URL provided by IndusInd Bank (https://www.indusind.com/in/en/privacy-policy.html) leads to a “page not found” error. This means the public, including you, cannot access their official privacy policy. This in itself is a significant DPDP compliance problem.

DPDP Readiness: Section-by-Section Analysis

The DPDP Act requires Data Fiduciaries (the company that decides how your data is used, in this case, IndusInd Bank) to give clear notice and obtain valid consent (your permission) before collecting and processing your personal data.

What the policy says: We couldn’t find a functional privacy policy at the provided URL. The page displays a “We can’t seem to find the page you’re looking for.” message.

DPDP requirement: Notice must be clear and given before or at the time of data collection. Consent must be free, specific, informed, and unambiguous.

The problem: Without an accessible policy, Data Principals (that’s you, the individual whose data is collected!) cannot understand how IndusInd Bank collects or uses their personal data, what information is being collected, and for what purposes. This is a fundamental breach of transparency under the DPDP Act.

Section 7 — Certain Legitimate Uses 🔴

The DPDP Act allows data processing without consent in very specific, “legitimate uses” (like for state functions, medical emergencies, or employment). Companies often try to claim other reasons, but DPDP is very strict.

What the policy says: No policy text available to review.

DPDP requirement: Legitimate uses are narrowly defined. Most commercial processing, especially for marketing or general service improvement, requires explicit consent.

The problem: Since the policy is missing, it’s impossible to check if IndusInd Bank is accurately applying these limited exceptions or if they are overreaching. This creates uncertainty about how your data might be used without your explicit permission.

Section 8 — Obligations of Data Fiduciary 🔴

This section covers the responsibilities of the company holding your data to keep it safe and accurate. This includes implementing security safeguards and responding to data breaches.

What the policy says: No policy text available to review.

DPDP requirement: Data Fiduciaries must implement “reasonable security safeguards” to prevent data breaches and ensure accuracy.

The problem: For a bank handling highly sensitive financial data, robust security measures are paramount. Without a policy, customers have no clear statement or assurance from IndusInd Bank about how they fulfill these critical obligations under DPDP.

Section 9 — Data Retention 🔴

DPDP Act mandates that personal data should only be kept for “as long as is necessary” for the purpose for which it was collected. Once that purpose is fulfilled, the data must be erased.

What the policy says: No policy text available to review.

DPDP requirement (Section 9): Data must be erased when the purpose is fulfilled or consent is withdrawn. Clear retention periods are expected.

The problem: You have no idea how long IndusInd Bank plans to keep your financial records, KYC documents, or transaction history. This lack of defined retention periods is a significant gap, as indefinite retention increases the risk of data exposure.

Section 11 — Rights of Data Principal 🔴

The DPDP Act gives you several important rights, like the right to access your data, correct it, erase it, and nominate someone to act on your behalf.

What the policy says: No policy text available to review.

DPDP requirement: Data Principals have rights including access, correction, erasure, and grievance redressal, and companies must facilitate these.

The problem: Without a policy, you don’t know how to exercise your rights. Can you easily request your data? Can you ask them to correct an error? Can you even ask them to delete your marketing data? The answer is unclear because the policy is absent.

Section 12 — Right of Grievance Redressal 🔴

If you have a problem with how your data is being handled, DPDP requires a clear path for you to complain, eventually escalating to the Data Protection Board.

What the policy says: No policy text available to review.

DPDP requirement: A Data Fiduciary must have a readily available Grievance Redressal mechanism, including details of a Grievance Officer, and eventually, the Data Protection Board.

The problem: While IndusInd Bank likely has general customer service, there’s no DPDP-specific grievance process or named officer in a public privacy policy. This makes it difficult for you to complain about privacy violations specifically under the new law.

Section 16 — Cross-Border Data Transfer 🔴

This section deals with whether your data might be sent outside India. DPDP is clear that this can only happen to countries notified by the Central Government.

What the policy says: No policy text available to review.

DPDP requirement: Cross-border transfer is permitted only to countries notified by the Central Government, with appropriate safeguards.

The problem: As a bank with potential international operations or third-party service providers, it’s crucial for IndusInd to be transparent about any cross-border data transfers. Without a policy, you have no information on where your sensitive financial data might be going globally.

Risk Assessment

Category	Risk Level	Potential Impact
Regulatory fine	Critical	Fundamental non-compliance with DPDP transparency requirements
Transparency & Notice	Critical	Customers cannot understand data practices, leading to loss of trust
Consent compliance	Critical	No basis to verify valid consent for data processing
Data principal rights	Critical	Customers unable to exercise statutory rights effectively
Data Retention	Critical	Undefined retention periods for sensitive financial data creates high exposure
Public perception	High	Major brand reputation damage for a leading bank

Recommendations

Publish a functional privacy policy immediately — Ensure the official URL works and prominently link it on the website.
Explicitly reference the DPDP Act 2023 — Clearly state compliance with the new law.
Provide clear notice and consent mechanisms — Detail what data is collected, why, and get explicit, granular consent.
Define specific data retention periods — Inform customers exactly how long different types of data are kept.
Outline Data Principal rights and how to exercise them — Create clear pathways for access, correction, and erasure requests.
Establish a DPDP-specific grievance redressal process — Name a Grievance Officer and include the Data Protection Board as an escalation path.

What Should You Do Next?

🔍 Map Your Own Exposure

Book a DPDP readiness call if this analysis resembles your business model.

🎓 Train Your Team

Book a DPDP compliance workshop — available online, onsite, and hybrid.

📰 Stay Updated

Get the daily DPDP news digest. Track enforcement, breaches, and policy changes.

Fix these compliance gaps today.

Book 1:1 Consultation >

Book clarity call