E-commerce

Lenskart

Ready Score 44/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 16 Feb 2026

Lenskart captures the most biometrically sensitive data among e-commerce platforms: 3D facial geometry for virtual try-on, eye prescriptions revealing vision conditions, and pupillary distance measurements. The readiness score is 44/100; treating this biometric-adjacent and health data with standard e-commerce privacy practices is a significant DPDP gap.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Eye prescription data = health data treated as standard e-commerce
  • 3D face scanning for virtual try-on captures facial geometry
  • No data retention timelines for face scans and prescriptions
  • Data Protection Board not referenced
  • Third-party lens manufacturer sharing of prescription data

✅ Strengths

  • Product data categories documented
  • Security measures described
  • Grievance officer designated

Overview

Lenskart has transformed eyewear shopping with virtual try-on technology that maps facial geometry in 3D, combined with online prescription management. This means Lenskart processes: eye prescriptions (health data), facial structure measurements (biometric-adjacent), pupillary distance (physical measurement), and visual acuity information.

DPDP Readiness: Section-by-Section Analysis

Three categories of sensitive data processed under standard e-commerce consent:

  1. Eye prescriptions: Health data revealing vision conditions, potentially neurological indicators
  2. 3D face scanning: Facial geometric mapping for virtual try-on
  3. Physical measurements: Pupillary distance, face width, nose bridge measurements

Under DPDP, each requires separate, informed consent explaining how this data will be used, stored, and shared.

Section 8: Obligations of Data Fiduciary ⚠️

The security measures described are standard for e-commerce. But:

  • Face scan data needs biometric-grade encryption
  • Prescription data needs health-data-level access controls
  • Third-party lens manufacturers receiving prescription data: what security do they maintain?

Section 9: Data Retention 🔴

No retention timelines for:

  • 3D face scan data (how many face scans are stored from virtual try-on sessions?)
  • Eye prescriptions (medical data)
  • Physical measurements
  • Virtual try-on session recordings

Critical question: If you tried on 50 frames virtually, does Lenskart retain 50 renders of your face indefinitely?

Section 11: Rights of Data Principal 🔴

  • Can users delete face scan data while keeping their prescription on file?
  • No transparency on facial geometric data processing
  • No portability for prescription data to another eyewear provider
  • No nomination rights

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Facial geometry data | Critical | Biometric-adjacent data under e-commerce privacy |
| Prescription data | High | Health data with no special handling |
| Data retention | High | Face scans and health data indefinitely stored |
| Third-party sharing | High | Prescription data to manufacturers |

Recommendations

  1. Classify face scans as biometric-adjacent: Enhanced encryption, limited retention, and separate consent
  2. Add prescription data health protections: Treat eye prescriptions as medical data with defined retention
  3. Define face scan lifecycle: “Virtual try-on scans: processed in real-time, deleted within 24 hours; saved for ‘My Fits’: until user deletion”
  4. Implement prescription portability: Allow users to export prescriptions to other providers
  5. Separate consent for facial mapping: Clear explanation of how face geometry is processed and stored

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.