A Project by Meridian Bridge Strategy
Archived analysis

This page is old. MagicBricks was reviewed on 2026-05-17.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

View current public evidence
Real Estate

MagicBricks

Ready Score 48/100
Functional Gaps vs Industry Avg: 48
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 17 May 2026

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

Executive Summary

MagicBricks operates a high-volume platform handling sensitive financial and property data. Its current policy is a legacy document built for the IT Act 2000. It lacks the 'granular consent' and 'right to erasure' frameworks mandated by the DPDP Act 2023. The absence of an escalation path to the Data Protection Board of India (DPBI) and the lack of a 'Notice' in languages specified in the Eighth Schedule are significant compliance liabilities.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

For current public evidence from website trackers, policy findings and proof samples, see State of Privacy 2026.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-05-17
  • Company: MagicBricks
  • Readiness score: 48/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

Book a DPDP readiness call

⚠️ Compliance Gaps

  • Primary framework remains the Information Technology Act, 2000 and SPDI Rules 2011
  • Notice does not meet Section 5 requirements regarding the right to withdraw consent and the right to grievance redressal with the DPB
  • Consent is largely bundled with the acceptance of Terms and Conditions (Section 6 violation)
  • Absence of 'Right to Nominate' under Section 14
  • Retention policy is vague ('as long as required for the purpose') without specific erasure timelines per Section 9
  • Cross-border transfer clause is broad and does not account for future 'restricted list' notifications

✅ Strengths

  • Detailed enumeration of data categories collected (KYC, financial, property details)
  • Clear identification of the Grievance Officer with physical address and email
  • Specific sections addressing the collection of sensitive personal data (e.g., payment info)
  • Explicit mention of data security measures including SSL and internal access controls

Overview

MagicBricks (MagicBricks Reality Services Ltd.) is India’s leading real estate portal. Its data ecosystem is vast, involving not just contact details but sensitive financial profiles, property ownership documents, and location data. As a Data Fiduciary, MagicBricks must transition from the “notice and consent” model of 2011 to the “purpose-limited and granular” model of the DPDP Act 2023.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent & Notice 🔴

MagicBricks currently uses a “deemed consent” or “bundled consent” approach. By navigating the site or registering, users are assumed to have accepted the policy in its entirety.

Gap: DPDP Section 6 requires consent to be “free, specific, informed, unconditional, and unambiguous.” MagicBricks does not offer a Consent Manager interface or the ability to opt-out of marketing while opting-in to property alerts. The “Notice” (Section 5) fails to explicitly mention the Data Principal’s right to withdraw consent and the manner of doing so.

Section 7 — Certain Legitimate Uses ⚠️

The policy mentions sharing data with “partners” and “group companies” for marketing and service improvement.

Gap: Under DPDP, “legitimate uses” are limited. Marketing and sharing data with third-party banks for home loans based on user browsing behavior would likely require explicit, affirmative consent rather than falling under the “voluntary provision” clause of Section 7.

Section 8 — Obligations of Data Fiduciary ✅

MagicBricks demonstrates strong adherence to security standards. The policy outlines the use of encryption, firewalls, and limited employee access.

Strength: The platform maintains a high standard of technical safeguards which aligns with the “reasonable security safeguards” requirement to prevent personal data breaches under Section 8(5).

Section 9 — Data Retention & Erasure 🔴

Critical gap. The policy states: “We will retain your information for as long as your account is active or as needed to provide you services.”

DPDP requirement: Section 9 mandates that a Data Fiduciary must erase personal data upon the user withdrawing consent or as soon as it is reasonable to assume that the specified purpose is no longer being served. MagicBricks lacks a clear “Right to be Forgotten” or “Request for Erasure” workflow in its public-facing policy.

Section 11 — Rights of Data Principal ⚠️

The policy allows users to “review and correct” information.

Gap: It does not address the full suite of rights under the DPDP Act:

  • Right to Erasure: Not explicitly provided.
  • Right to Nominate (Section 14): No provision for a user to nominate another individual to exercise rights in case of death or incapacity.
  • Right to Grievance Redressal: While an officer is named, the policy does not inform the user that they can approach the Data Protection Board of India if not satisfied.

Section 16 — Cross-Border Data Transfer ⚠️

MagicBricks reserves the right to transfer data to servers/entities outside India.

Gap: While the DPDP Act allows transfers unless restricted by the Central Government, the policy fails to specify the safeguards (like Standard Contractual Clauses) used during such transfers, which is a requirement for “informed” consent.

Risk Assessment

CategoryRisk LevelDPDP Compliance Note
Consent ArchitectureHighLack of granular, unbundled consent checkboxes.
Data ErasureHighNo automated or request-based deletion policy defined.
Principal RightsMediumNo mention of nomination rights or DPB escalation.
Notice TransparencyMediumMissing notice of rights in 22 official languages (if requested).
SecurityLowStrong legacy IT Act security implementations.

Conclusion

MagicBricks is currently in a state of Partial Compliance. While its security infrastructure is robust, its legal framework is outdated. To avoid the heavy penalties under the DPDP Act (up to ₹250 Cr for breaches), the company must overhaul its consent collection mechanism, implement a verifiable data deletion process, and update its grievance redressal section to include the Data Protection Board of India.

📖 Related Compliance Guides

guide DPDP Consent Management Guide guide DPDP for Cookie Consent Dpdp: Expert Guide guide DPDP Cross-Border Data Transfer Rules

What Should You Do Next?

🔍 Map Your Own Exposure

Book a DPDP readiness call if this analysis resembles your business model.

🎓 Train Your Team

Book a DPDP compliance workshop — available online, onsite, and hybrid.

📰 Stay Updated

Get the daily DPDP news digest. Track enforcement, breaches, and policy changes.

Fix these compliance gaps today.

Book 1:1 Consultation >
Book clarity call