Archived analysis

This page is old. Meesho was reviewed on 2026-04-18.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

E-commerce

Meesho

Ready Score 42/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 18 Apr 2026

Meesho's privacy policy, while detailed about data collection, is primarily built on the outdated IT Act 2000. Its biggest weaknesses lie in the bundled consent mechanism, vague data retention periods, and a complete absence of DPDP Act 2023 specific provisions for Data Principal rights and cross-border data transfers, creating substantial regulatory risk.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-04-18
  • Company: Meesho
  • Readiness score: 42/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Still relies on IT Act 2000 framework, no DPDP Act 2023 reference
  • Consent bundled with service terms, not 'freely given' per Section 6
  • Data retention period vague ('as long as necessary')
  • No explicit mention of Data Protection Board as grievance escalation
  • Incomplete Data Principal rights (e.g., no nomination, access/correction mechanisms unclear)
  • Cross-border data transfer provisions entirely missing from DPDP perspective

✅ Strengths

  • Detailed list of collected personal and usage data
  • Acknowledges data deletion request via Grievance Officer
  • Mentions generally accepted security standards for data protection

Overview

Meesho is a popular Indian e-commerce platform primarily focused on reselling and social commerce. As millions of users engage with its platform, sharing personal details, payment information, and shopping preferences, Meesho handles a vast amount of diverse data. Its privacy policy’s alignment with the new DPDP Act is crucial for protecting user privacy and avoiding hefty penalties.

DPDP Readiness: Section-by-Section Analysis

Meesho’s policy uses bundled consent, meaning you agree to the privacy terms simply by using their services. This is a big problem under the DPDP Act.

What the policy says: “By accessing or using Our Services and/or registering for an account with the Company, you expressly agree to be bound by the terms and conditions of this Privacy Policy and you are consenting to the Company’s collection, use, disclosure and retention of your personal information as described here.”

DPDP requirement: Consent must be free, specific, informed, and unconditional. You should be able to consent to one type of data use (e.g., order processing) but not another (e.g., marketing).

Gap: Meesho’s “take it or leave it” approach means consent is not truly “freely given” or “specific” for different purposes, as required by DPDP Section 6.

Section 7 — Certain Legitimate Uses ⚠️

Meesho lists many uses for data without clear consent, such as “Recommendations and personalization,” “Advertising,” and “To administer contests and sweepstakes.”

DPDP requirement: Section 7 defines “legitimate uses” very narrowly (e.g., for state functions, medical emergencies, employment, or data voluntarily provided). Most commercial uses like personalization and marketing usually require explicit consent.

Gap: Several of Meesho’s listed data uses for “improving services,” “personalization,” and “advertising” would likely not qualify as “legitimate uses” under DPDP without specific consent.

Section 8 — Obligations of Data Fiduciary ✅

The policy outlines security measures to protect user data. It mentions “reasonable physical, electronic, and managerial procedures” and adherence to “generally accepted industry standards.”

What the policy says: “We ensure to maintain reasonable physical, electronic, and managerial procedures to safeguard and help prevent unauthorized access to your information and to maintain data security.”

DPDP requirement: A Data Fiduciary (the company collecting your data) must implement “reasonable security safeguards” to protect personal data. This includes preventing breaches.

Strength: Meesho acknowledges security responsibilities, aligning well with the basic requirement for data protection. However, it also relies heavily on the user to secure their own credentials.

Section 9 — Data Retention 🔴

Meesho’s policy is vague about how long it keeps your data.

What the policy says: “We reserve the right to retain your personal information in accordance with applicable laws, for a period no longer than is required for the purpose for which it was collected or as required under any applicable law.”

DPDP requirement (Section 9): Personal data must be erased as soon as the purpose for which it was collected is met or when consent is withdrawn. The policy should state specific retention periods or clear deletion triggers.

Gap: No defined retention periods. This means users don’t know when their shopping history, contact details, or financial information will be purged, which is a significant DPDP violation.

Section 11 — Rights of Data Principal ⚠️

The policy mentions that a user can request deletion of personal information via the Grievance Officer. However, other crucial rights are less clear or missing.

DPDP requirement: Data Principals (you, the individual) have several rights, including:

  • Right to access and correct data (Section 12)
  • Right to erasure (Section 13)
  • Right to nominate another person to exercise rights in case of death or incapacity (Section 14)

Gap: While erasure is mentioned, clear mechanisms for accessing or correcting your data are not detailed. The important right to nomination (Section 14) is completely absent.

Section 12 — Right of Grievance Redressal ⚠️

Meesho provides contact details for its Grievance Officer, which is good.

What the policy says: “In accordance with Information Technology Act, 2000… the name and contact details of the Grievance Officer are provided below: Name – Murthy S.N, email id: legalsupport@meesho.com”

DPDP requirement: Every Data Fiduciary must have a Grievance Officer whose details are easily accessible. Importantly, the DPDP Act also establishes a Data Protection Board as an escalation authority if your grievance isn’t resolved by the company within 30 days.

Gap: The policy doesn’t mention the Data Protection Board as the next step for unresolved complaints, nor does it commit to a 30-day resolution timeline.

Section 16 — Cross-Border Data Transfer 🔴

The policy discusses sharing data with “holding companies, subsidiaries and affiliates” and “contractors, advertisers/service providers and other third-parties.” However, it does not address cross-border data transfers specifically under DPDP.

DPDP requirement (Section 16): Personal data can only be transferred outside India to countries specifically notified by the Central Government. Companies must be clear about which countries data might go to and what safeguards are in place.

Gap: Meesho’s policy has no explicit mention of sending data abroad, nor does it specify safeguards or refer to the DPDP Act’s conditions for international transfers. For an e-commerce company, sharing data with international affiliates or cloud providers is highly probable, making this a critical omission.

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per non-compliance under DPDP |
| Consent compliance | High | Bundled consent risks invalidation for all data processing |
| Data retention | Critical | Indefinite retention of user data = severe liability |
| Data principal rights | Medium | Incomplete rights fulfillment could lead to complaints |
| Cross-border transfer | High | Any transfer outside India without DPDP compliance is illegal |

Recommendations

  1. Update Policy Reference: Explicitly state compliance with the DPDP Act, 2023 instead of just the IT Act, 2000.
  2. Implement Granular Consent: Allow users to choose specific data uses (e.g., separate consent for marketing vs. order processing).
  3. Define Retention Periods: Clearly state how long different types of data are kept and when they are deleted. Example: “Payment data: 7 years per regulatory mandate; Marketing preferences: deleted 30 days after consent withdrawal.”
  4. Enhance Data Principal Rights: Provide clear instructions for users to access, correct, and delete their data, and introduce a nomination mechanism (Section 14).
  5. Include DPB Escalation: Clearly state that users can escalate unresolved grievances to the Data Protection Board.
  6. Address Cross-Border Transfers: If data is transferred abroad, clearly state the recipient countries and the safeguards in place, aligning with DPDP Section 16.
