Fintech

Jupiter

Ready Score 58/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 28 Mar 2026

Jupiter has a clean, readable policy, but it still reads as if it were written for the pre-DPDP regime (the IT Act and the 2011 SPDI Rules). While they are transparent about what they collect, they lack the specific "delete on request" and "granular consent" commitments that the new Indian law demands.

⚠️ Compliance Gaps

  • No mention of the DPDP Act 2023 or new compliance standards
  • Vague data retention periods with no clear deletion timelines
  • Bundled consent for marketing and core services
  • Missing the right to nominate a representative under Section 14
  • No path to escalate complaints to the Data Protection Board
  • Broad cross-border transfer language without specific country safeguards

✅ Strengths

  • Very clear list of what personal data categories are collected
  • Explicitly states they do not sell personal data to third parties
  • Easy-to-find contact details for the Grievance Officer
  • Transparent about using biometrics and device-level permissions

Overview

Jupiter (Amica Financial Technologies) is a popular “neobank.” They don’t just see your balance; they handle your KYC documents, PAN card, spending habits, and even your biometrics (like fingerprints or face scans).

As a Data Fiduciary—the legal term for a company that decides why and how your data is processed—Jupiter has a huge responsibility. If you’re a Data Principal (that’s you, the person the data belongs to), you need to know if they are treating your digital life with the respect the new law demands.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent ⚠️

The law says consent must be "free," "specific," "informed," "unconditional" and "unambiguous" (Section 6(1)). You should be able to say "yes" to banking but "no" to marketing.

What the policy says: “By using our services, you agree to the collection and use of your information in accordance with this policy.”

What the law requires: Consent cannot be a "take it or leave it" deal. It must be a clear affirmative action for a specific purpose, limited to the personal data that purpose actually needs, and withdrawing it must be as easy as giving it (Section 6(4)).

The problem: Jupiter bundles everything together. If you want the app, you have to agree to let them use your data for research, analysis, and marketing as well. Under the DPDP Act, this "all-or-nothing" approach is on thin ice: "by using our services, you agree" is not a clear affirmative action, and marketing is not necessary to run a bank account.

Section 7 — Certain Legitimate Uses ⚠️

This section of the law lists the limited situations in which a company may process data without asking for consent (for example a medical emergency, complying with a court order, or processing needed for employment).

What the policy says: Jupiter mentions using data for “Internal Operations,” “Research,” and “Ensuring compliance with legal obligations.”

What the law requires: Legitimate use is now very narrow, and the list in Section 7 is closed. Marketing, profiling for "research," and "improving products" are not on it, so they do not bypass consent.

The problem: Jupiter uses these broad categories to justify processing data. "Ensuring compliance with legal obligations" does fit Section 7, but "Internal Operations" and "Research" do not; under the new law they will need explicit permission for "research and analysis" rather than treating it as part of business operations.

Section 8 — Obligations of Data Fiduciary ✅

This is about keeping your data locked up tight.

What the policy says: “Any personal information held by us will be committed to a high degree of protection… through legally enforceable arrangements.”

What the law requires: Companies must use "reasonable security safeguards" to prevent data breaches (Section 8(5)) and, if a breach happens anyway, notify the Data Protection Board and every affected Data Principal (Section 8(6)).

The problem: While Jupiter says they use "legally enforceable arrangements" with partners, they don't explain what those are, and the policy says nothing about what happens after a breach. As an RBI-regulated fintech they likely clear the technical security bar; what is missing is the commitment on paper.

Section 8(7) — Data Retention and Erasure 🔴

This is a major sticking point in the new law. When you're done with a service, your data should be deleted.

What the policy says: “These rights are limited in some situations… where we are legally or otherwise bound to process or retain your Personal Information.”

What the law requires: Once the purpose for collecting the data is served, or you stop using the service for the period the rules prescribe, the company must erase it and make its processors erase it too, unless a specific law (like RBI or PMLA record-keeping rules) requires them to keep it.

The problem: Jupiter never gives a timeline. They don't say "we delete your marketing data after 2 years" or "we purge your KYC 5 years after you close your account." It's all very "wait and see."

Sections 11–14 — Rights of Data Principal ⚠️

You have the right to see your data (Section 11), to fix or delete it (Section 12), and to name someone to act for you (Section 14).

What the policy says: You can request a record of your info and ask to “Review, Correct and Rectify” it via email.

What the law requires: You also have the Right to Nominate (Section 14). This means if something happens to you, you can name someone else to exercise your rights, including managing or deleting your data.

The problem: Jupiter's policy completely misses the Right to Nominate. They also make it sound like withdrawing consent is difficult and might simply lead to them cutting off your service entirely, when Section 6(4) requires withdrawal to be as easy as giving consent in the first place.

Section 13 — Right of Grievance Redressal ⚠️

If you’re unhappy with how your data is handled, you need a way to complain.

What the policy says: They provide an email (privacy@jupiter.money) and name an actual person, Mr. Rajesh R Singh, as the Grievance Officer.

What the law requires: The company must give you a readily available way to resolve issues internally, and you have to use it first; but if the company doesn't listen, you have the right to take the complaint to the Data Protection Board of India.

The problem: Jupiter doesn’t mention the Data Protection Board. A regular person reading this would think the Grievance Officer is the final stop. It’s not.

Section 16 — Cross-Border Data Transfer ⚠️

Is your data staying in India?

What the policy says: “We may process your data outside of India subject to applicable data protection laws.”

What the law requires: Section 16 lets data leave India unless the Central Government restricts transfers to a particular country by notification, and any stricter sectoral rule (such as RBI's localisation requirements for payment data) continues to apply on top of the Act.

The problem: Jupiter's language is too broad. They don't say where the data goes (hypothetically, AWS servers in Singapore or a support centre in the Philippines) or which laws govern it there. To be ready for a restriction notification or an RBI localisation check, they will need to be much more specific about these "third parties… elsewhere."

Risk Assessment

Category        Risk Level   Potential Impact
Fines           High         Penalties of up to ₹250 Cr for failing to keep reasonable security safeguards, and up to ₹200 Cr for failing to report a breach.
Consent         Medium       Bundled consent might be ruled invalid, forcing a massive re-permissioning campaign.
Deletion        High         Keeping data "forever" because of vague policies violates the erasure duty.
Transparency    Low          Jupiter is better than most at listing what they collect.

Recommendations

  1. Stop Bundling Consent: Give users a toggle to opt out of "Marketing and Research" while still letting them use the bank account, and make switching it off as easy as switching it on.
  2. Add a “Kill Switch”: Create a clear “Delete My Data” button in the app settings that triggers a 30-day erasure process for non-essential data.
  3. Mention the Nominee Right: Update the policy to let users know they can appoint a person to handle their digital assets.
  4. Update Grievance Steps: Clearly state that if Mr. Rajesh doesn’t solve the problem in 30 days, the user can go to the Govt’s Data Protection Board.
  5. Specific Retention Periods: Tell users exactly how long their data lives, for example "KYC records: at least 5 years after the account is closed (as required by the PMLA rules and RBI's KYC Master Direction). App usage data: 18 months."

How Does Your Policy Compare?

Not sure if your company's privacy policy has similar gaps? Take the free 60-second DPDP Audit (16 quick questions, instant risk report) to check your own company's liability under the DPDP Act.


Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
