Overview
Licious (Delightful Gourmet Pvt Ltd) isn’t just a meat delivery company—they are a data-heavy tech platform. They handle your home address, phone number, payment habits, and even your precise location.
Because they know what you eat and where you live, they are what the law calls a Data Fiduciary (the entity that decides why and how your data is processed). You are the Data Principal (the person the data belongs to). Under the new law, the power is supposed to shift back to you. Let’s see if Licious got the memo.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
This is the biggest red flag in the policy. Licious uses what we call “bundled consent.”
What the policy says: “By using the Platform (or even just browsing the Platform), you expressly consent to our use and disclosure of your personal information…”
What the law requires: Consent must be affirmative. This means you have to actively click a button or tick a box. “Just browsing” a website cannot legally count as consent anymore. It must also be “unbundled”—meaning you should be able to say “Yes to delivery” but “No to marketing.”
The problem: If you visit the site to check prices, Licious claims you’ve already agreed to their entire data policy. Under DPDP, this type of “forced” consent is likely invalid.
Section 7 — Certain Legitimate Uses ⚠️
What the policy says: Licious claims they use your data for “Company’s legitimate business interests” like personalization and improving functionality.
What the law requires: The DPDP Act is very strict about Legitimate Uses (situations where they don’t need your consent). This is usually limited to things like medical emergencies, court orders, or if you voluntarily gave your data for a very specific reason (like giving your address specifically to get a delivery).
The problem: “Legitimate business interest” is an old term from European law. The Indian DPDP Act doesn’t allow companies to use “business interests” as a blanket excuse to skip getting your clear consent for marketing or tracking.
Section 8 — Obligations of Data Fiduciary ✅
What the policy says: “We maintain physical, electronic and procedural safeguards… specialized technology such as firewalls… restricting use of external data devices.”
What the law requires: A Data Fiduciary (Licious) must take “reasonable security safeguards” to prevent data breaches.
Strength: Licious is quite detailed here. They mention testing products for vulnerabilities before they go live and training their staff. This shows they take the “protection” part of the law seriously, even if the “consent” part is lagging.
Section 9 — Data Retention 🔴
What the policy says: “We do not retain your personal information for longer than required for the purpose for which the information may be lawfully used.”
What the law requires: Once the purpose is over (e.g., you’ve deleted your account or haven’t ordered in years), the company must erase your data.
The problem: “Longer than required” is a lawyer’s way of saying “as long as we want.” The DPDP Act requires companies to be much more specific. If you stop using Licious, your data shouldn’t sit in their cloud forever.
Section 11 — Rights of Data Principal ⚠️
What the policy says: If you want to delete your data, you have to email a specific person: “please send an email to varun@licious.com with ‘REMOVE’ mentioned in the subject line.”
What the law requires: You have the right to access, correct, and erase your data. You also have the Right to Nominate—the ability to pick someone else to manage your data rights if you pass away or become incapacitated.
The problem: While it’s great they have an email for deletion, having to email a person named “Varun” feels a bit manual and outdated for a billion-dollar company. More importantly, they don’t mention your right to nominate a representative at all.
Section 12 — Right of Grievance Redressal ⚠️
What the policy says: They provide the name of a Grievance Officer (Dhanya Bhatt) and a physical address in Bangalore.
What the law requires: You must have a way to complain if your data is mishandled. If the company doesn’t fix it, you have the right to escalate it to the Data Protection Board of India.
The problem: Licious tells you how to complain to them, but they don’t tell you that you have a legal right to go to the government’s Data Protection Board if you aren’t satisfied with their answer.
Section 16 — Cross-Border Data Transfer ⚠️
What the policy says: They mention sharing data with “third party service providers” who might use cookies or perform analytics. They don’t explicitly say if this data leaves India.
The problem: Many analytics tools are hosted in the US or Europe. Under Section 16, the government can restrict which countries Indian data can fly to. Licious’s policy is too vague here; they don’t tell you where in the world your hunger patterns are being analyzed.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent Validity | 🔴 High | “Browse-to-wrap” consent is likely illegal under DPDP. |
| Fines & Penalties | ⚠️ Medium | Failure to update to 2023 standards opens them to ₹250 Cr fines. |
| Data Deletion | 🔴 High | Vague retention policies mean your data stays in their system indefinitely. |
| User Rights | ⚠️ Medium | Missing nomination rights and escalation paths to the Data Board. |
Recommendations
- Stop “Implicit Consent”: Licious needs to add a clear “I Agree” checkbox that isn’t pre-ticked when a user signs up.
- Define the “Varun” Process: Replace the informal email-based deletion with an in-app “Delete My Data” button to meet the DPDP standard of making it easy to withdraw consent.
- Update the Legal Parent: The policy still thinks it’s governed by the IT Act 2000. It needs to be completely rewritten to reference the DPDP Act 2023.
- Set an Expiry Date: Tell users: “If you don’t order for 3 years, we will automatically anonymize or delete your data.”
- Add Nomination: Add a simple field in the user profile to “Nominate a Data Representative.”