Travel

MakeMyTrip

Ready Score 25/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 1 Apr 2026

MakeMyTrip's privacy policy, while detailed, is not aligned with the DPDP Act 2023 for Indian users. Significant gaps exist in consent mechanisms, data retention clarity, and Data Principal rights. This poses substantial compliance risks given the highly sensitive personal and financial data they handle for millions of travelers.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference
  • Bundled consent for Indian users, not 'freely given' per Section 6
  • Vague data retention period — 'as long as reasonably necessary'
  • No mention of Data Protection Board grievance escalation
  • Cross-border transfer provisions lack specificity on jurisdictions
  • Incomplete Data Principal rights framework, no nomination rights
  • No designated Grievance Officer details or response timelines

✅ Strengths

  • Comprehensive data collection disclosures
  • Clear opt-out for marketing emails
  • Account deletion link provided
  • Specific mention of redacting sensitive documents (PAN, Aadhaar, Vaccination)
  • Commitment not to share highly sensitive data without prior consent

Overview

MakeMyTrip (MMT) is one of India’s largest online travel agencies, facilitating flights, hotel bookings, holiday packages, and more. As a Data Fiduciary (the company that decides how and why your data is processed), MMT handles a vast amount of sensitive personal information, including financial details, identity documents (Aadhaar, PAN, passport), health data (vaccination status), and detailed travel patterns. Understanding their privacy policy is crucial for millions of Indian users.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent

MMT’s consent mechanism is a classic example of bundled consent. When you use their services, you’re expected to agree to the entire policy. This isn’t the “freely given, specific, informed, and unambiguous” consent required by the DPDP Act.

What the policy says: “By using or accessing the Website or other Sales Channels, the User hereby agrees with the terms of this Privacy Policy and the contents herein.”

DPDP requirement: As a Data Principal (you, the individual whose data is processed), you must give clear, granular consent for each specific purpose. This means you should be able to consent to booking a flight without automatically consenting to marketing emails.

The problem: MMT combines all data processing purposes into one blanket acceptance. While it mentions “explicit consent” for users outside India, it does not offer the same standard for Indian users, indicating a compliance gap under the new Act.

Section 7 — Certain Legitimate Uses ⚠️

MMT lists various ways it uses your data, including “improving services,” “personalization,” “marketing promotions,” “surveys,” and “fraud detection.” Under DPDP, certain legitimate uses (called “Grounds for Processing Personal Data”) are narrowly defined (e.g., for state functions, medical emergencies, employment, or when you voluntarily provide data for a specific purpose).

What the policy says: MMT uses your data for “Marketing Promotions, Research and Programs” and to “contact you on your birthday/anniversary to offer a special gift or offer.”

DPDP requirement: Activities like marketing and personalized offers generally require your explicit consent, not merely “legitimate interest” as understood in other regulations. The DPDP Act has a stricter interpretation of “legitimate uses.”

The problem: Many of MMT’s claimed legitimate uses, especially for marketing and personalization, would likely require specific consent under the DPDP Act and may not qualify under the narrower framework for “legitimate uses.” Fraud detection might fit under a “reasonable purpose” but needs careful legal mapping.

Section 8 — Obligations of Data Fiduciary ⚠️

MMT states its commitment to privacy and confidentiality and mentions redacting sensitive information.

What the policy says: “MMT will always redact all/any sensitive & confidential information contained in the vaccination certificate, passbook, bank statement or any other identity card submitted…” and “MMT will never share any of the above information collected including PAN card details, Vaccination status & certificate, Passport details, Aadhar Card details without their prior consent unless otherwise such action is required by any law enforcement authority for investigation, by court order or in reference to any legal process.”

DPDP requirement: A Data Fiduciary must implement reasonable security safeguards to prevent data breaches and misuse. This includes technical and organisational measures. They also need to notify the Data Protection Board and affected Data Principals in case of a breach.

Strength: The explicit commitment to redact sensitive documents and not share them without consent is a good practice. MMT also states it does “not authorize the end service provider to use your information for any other purpose(s) except as may be for fulfilling their part of service.”

The problem: While good intentions are present, the policy lacks specific details on actual security measures, breach notification procedures for Indian users, or designated data protection roles, as expected under DPDP.

Section 9 — Data Retention 🔴

MMT’s policy on data retention uses broad, non-specific language.

What the policy says: “MMT will retain your Personal Information on its servers for as long as is reasonably necessary for the purposes listed in this policy. In some circumstances we may retain your Personal Information for longer periods of time, for instance where we are required to do so in accordance with any legal, regulatory, tax or accounting requirements.”

DPDP requirement: Data Fiduciaries must ensure personal data is erased once the purpose for which it was collected is fulfilled, or if the Data Principal withdraws consent. Specific retention periods should be defined and communicated.

The problem: “As long as is reasonably necessary” is vague and does not provide clarity or certainty to users about how long their sensitive travel and financial data will be kept. There are no specific timelines for different types of data.

Partial Strength: The policy does provide a link for users to delete their account: “In case user wishes to delete their account, they can do so using this Link.”

Section 11 — Rights of Data Principal ⚠️

MMT allows for withdrawal of consent for some processes and has an unsubscribe option for marketing emails.

What the policy says: “If you have any concerns in the processing of your data and wish to withdraw your consent, you may do so by writing to the following email id: privacy@go-mmt.com.” Also, for marketing emails, “click on the “unsubscribe” link or follow the instructions in each e-mail message.”

DPDP requirement: Data Principals have several key rights, including the right to access information about their data, correct inaccuracies, erase their data, and nominate another person to exercise these rights on their behalf (Section 14).

The problem: MMT’s policy doesn’t explicitly mention the full suite of rights granted to Data Principals under the DPDP Act, such as the right to information, correction, or the crucial right to nominate someone to act on their behalf. The mechanisms for exercising available rights are not clearly defined or self-service.

Section 12 — Right of Grievance Redressal 🔴

MMT provides an email for privacy concerns.

What the policy says: “If you have any concerns in the processing of your data and wish to withdraw your consent, you may do so by writing to the following email id: privacy@go-mmt.com.”

DPDP requirement: Every Data Fiduciary must have a readily accessible Grievance Officer whose contact details are published. They must acknowledge receipt of a grievance within 7 days and resolve it within 30 days. If unsatisfied, the Data Principal can escalate to the Data Protection Board.

The problem: Only a generic email address is provided for “privacy concerns.” There is no named Grievance Officer, phone number, physical address, or specified timelines for addressing grievances. Crucially, there’s no mention of the Data Protection Board as an escalation path.

Section 16 — Cross-Border Data Transfer 🔴

MMT’s policy addresses cross-border transfers mainly for users outside India, stating that data may be processed in “such other jurisdictions where a third party engaged by MMT may process the data.”

What the policy says: “Please note that the data shared with MMT shall be primarily processed in India and such other jurisdictions where a third party engaged by MMT may process the data on MMT’s behalf.”

DPDP requirement: Under Section 16, cross-border transfer of personal data is only permitted to countries or territories specifically notified by the Central Government. Transfers must adhere to specified safeguards.

The problem: The policy provides no specific list of countries where data might be transferred. More importantly, it doesn’t align with the DPDP Act’s framework that limits transfers to a government-notified list of jurisdictions, or specify applicable safeguards for transfers involving Indian users.

Risk Assessment

Category               Risk Level   Potential Impact
Regulatory fine        High         Up to ₹250 Cr per instance under DPDP
Consent compliance     High         Bundled consent invalidation could affect millions of users
Data retention         Critical     Undefined deletion timelines for sensitive data mean significant exposure
Cross-border transfer  High         Non-compliance with notified jurisdictions and safeguards
Data principal rights  Medium       Incomplete rights framework and unclear exercise mechanisms
Grievance redressal    High         Lack of designated officer and DPB escalation path

Recommendations

  1. Redesign Consent Mechanisms: Implement clear, granular, and separate consent options for different data processing activities (e.g., booking vs. marketing vs. analytics).
  2. Define Data Retention Periods: Specify clear timelines for how long different categories of data are retained, adhering to DPDP’s “purpose fulfillment” principle.
  3. Update DPDP Act 2023 References: Explicitly reference the DPDP Act throughout the policy and map its sections to relevant DPDP provisions.
  4. Appoint a DPDP Grievance Officer: Clearly publish the name, contact details (email, phone, address), and expected response timelines for a dedicated Grievance Officer. Include the Data Protection Board as an escalation path.
  5. Strengthen Data Principal Rights: Detail all DPDP rights (access, correction, erasure, nomination) and provide clear, easy-to-use mechanisms for users to exercise them, preferably through a self-service portal.

How Does Your Policy Compare?

Not sure if your company’s privacy policy has similar gaps? Run a free instant check:


Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.


Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
