E-commerce

Meesho

Ready Score 41/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 9 Feb 2026

Meesho's social commerce model creates unique DPDP challenges — customer data is shared with individual resellers (data sub-processors?) with minimal governance. The 150M+ user platform's 41/100 score reflects fundamental data flow architecture issues that go beyond simple policy updates.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Reseller network creates complex data controller-processor dynamics
  • Social media integration shares extensive user data with platforms
  • No data retention timelines specified
  • Data Protection Board not mentioned
  • Seller data handling under DPDP unclear
  • Consent for sharing customer data with individual resellers problematic

✅ Strengths

  • Security measures including encryption described
  • Grievance officer designated
  • Contact information for data queries provided

Overview

Meesho pioneered social commerce in India, enabling 150M+ users to buy through individual resellers who operate on WhatsApp and social media. This unique model creates data protection challenges that most e-commerce privacy policies don’t face: customer personal data (name, address, phone number) flows to individual resellers who may have zero data protection awareness.

DPDP Readiness: Section-by-Section Analysis

Meesho’s consent challenges are architecturally unique:

  1. Customer consent: Standard bundled consent during purchase — no DPDP alignment
  2. Reseller consent: Resellers share customer personal data (delivery addresses, phone numbers) with limited understanding of data protection obligations
  3. Social media layer: When resellers share product catalogs on WhatsApp/Instagram, Meta’s privacy terms add another consent layer that users may not understand

Critical issue: A customer buying through a Meesho reseller may not realize their personal data is shared with an individual (the reseller), not just Meesho the company.

Section 7 — Certain Legitimate Uses 🔴

The social commerce model stretches “necessary for service delivery”:

  • Sharing customer phone numbers with resellers — is this necessary or could Meesho mask numbers?
  • Resellers accessing customer order history and preferences — necessary or overreach?
  • Social media platform integration — legitimate use or convenience?

Section 8 — Obligations of Data Fiduciary ⚠️

Meesho has standard security measures but faces a unique challenge:

  • Individual resellers are effectively data sub-processors handling customer PII
  • There’s no evidence of data protection training or agreements with resellers
  • Customer data security depends on individual resellers’ device security and practices

DPDP implication: Under Section 8, the Data Fiduciary (Meesho) must ensure reasonable security safeguards apply to all processing, including by processors. Individual resellers handling data on personal phones may not meet this standard.

Section 9 — Data Retention 🔴

No retention timelines for:

  • Customer purchase data
  • Reseller performance and customer interaction data
  • Product browsing and interest data
  • Social media integration data

Critical question: What happens to customer data when a reseller stops using Meesho? Is it deleted from their phones?

Section 11 — Rights of Data Principal 🔴

  • No mechanism for customers to request data deletion from both Meesho and its reseller network
  • No ability to know which resellers have accessed your personal data
  • No nomination rights
  • No data portability mechanism

Section 12 — Right of Grievance Redressal ⚠️

A grievance officer exists, but there is no escalation path to the Data Protection Board (DPB). Additional challenge: who handles a privacy complaint about a reseller’s data handling?

Section 16 — Cross-Border Data Transfer ⚠️

Cloud infrastructure may transfer data internationally. The unique risk here is social media integration — data shared through WhatsApp/Instagram crosses into Meta’s global infrastructure.

Risk Assessment

Category | Risk Level | Potential Impact
Regulatory fine | Critical | Architecture creates multi-point liability
Reseller data handling | Critical | Individual resellers = uncontrolled data processors
Consent architecture | High | Customers unaware data flows to individual resellers
Social media integration | High | Meta data flows create compliance complexity
Data retention | High | No control over reseller-held customer data

The Reseller Data Problem

This is Meesho’s fundamental DPDP challenge:

Customer → Meesho Platform → Individual Reseller → Customer's data on reseller's phone

Who is the Data Fiduciary? Meesho
Who is the Processor? Reseller
Does the reseller know they're a processor? Probably not
Does the customer know their data goes to an individual? Unclear

Recommendations

  1. Implement reseller data processing agreements — Every reseller should sign a data handling commitment
  2. Mask customer phone numbers — Route communications through Meesho’s platform instead of exposing direct numbers
  3. Create customer data transparency — “Your order data was shared with [Reseller Name] for delivery purposes”
  4. Establish reseller data training — Simple, mandatory data protection guidelines for all resellers
  5. Build data deletion cascading — When a customer requests deletion, it must propagate through reseller access too
  6. Define retention with reseller dimension — “Active resellers: data accessible during relationship; inactive resellers: data access revoked within 30 days”



Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.
