Overview
Myntra, a major e-commerce platform in India, handles a vast amount of personal data from millions of users – everything from browsing history and purchase patterns to payment details and addresses. For such a large data fiduciary, a robust and accessible privacy policy is paramount for legal compliance and building user trust.
Crucially, Myntra’s privacy policy page at https://www.myntra.com/privacypolicy currently displays an error message, making the policy completely inaccessible. This is a fundamental and critical issue under the DPDP Act.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
The DPDP Act requires Data Fiduciaries (like Myntra) to provide a clear, itemised notice about data processing before seeking consent. Consent must be specific, informed, and freely given.
What the policy says: “Oops! Something went wrong Please contact your administrator”
What the law requires: A transparent notice detailing the personal data collected, purpose of processing, and how Data Principals (you, the user) can exercise your rights. This notice must be given before consent is obtained.
The problem: With an inaccessible privacy policy, Myntra cannot adequately provide notice or obtain valid consent as required by Section 6. Users cannot understand what they are consenting to. This is a severe breach of transparency.
Section 7 — Certain Legitimate Uses 🔴
DPDP Act Section 7 outlines specific “legitimate uses” where a Data Fiduciary may process personal data without explicit consent (e.g., for state functions, medical emergencies, or voluntary provision by the Data Principal).
What the policy says: “Oops! Something went wrong Please contact your administrator”
What the law requires: Any processing under legitimate uses must strictly adhere to the defined categories and principles of necessity and proportionality.
The problem: Without an accessible policy, there is no way for users or regulators to verify whether Myntra relies on any legitimate uses and, if so, whether those claims fall within the DPDP Act’s narrow definitions.
Section 8 — Obligations of Data Fiduciary 🔴
Section 8 mandates Data Fiduciaries to implement reasonable security safeguards to prevent data breaches, ensure accuracy, completeness, and consistency of data, and erase data when consent is withdrawn or purpose is fulfilled.
What the policy says: “Oops! Something went wrong Please contact your administrator”
What the law requires: Comprehensive security measures, data accuracy protocols, and mechanisms for data erasure.
The problem: While Myntra likely has internal security measures, an inaccessible policy means users have no way to understand what safeguards are in place or how the company fulfills its broader obligations under Section 8. This undermines trust and accountability.
Section 9 — Data Retention 🔴
The DPDP Act requires data to be erased once the purpose for which it was collected is fulfilled, or if consent is withdrawn, unless retention is required by law. Data Fiduciaries must specify retention periods or criteria.
What the policy says: “Oops! Something went wrong Please contact your administrator”
What the law requires: Clear statements on how long data is retained and the triggers for its erasure.
The problem: Users have no information on Myntra’s data retention practices for their e-commerce data. This is a significant gap, as indefinite retention is a major compliance risk.
Section 11 — Rights of Data Principal 🔴
Data Principals have several rights under DPDP, including the right to access information, correct data, erase data, and nominate another person to exercise these rights on their behalf.
What the policy says: “Oops! Something went wrong Please contact your administrator”
What the law requires: Clear mechanisms for users to exercise their rights, including how to request access, correction, or erasure of their personal data.
The problem: With no policy, users cannot understand their rights or the process for exercising them. This completely undermines the spirit of individual control over personal data.
Section 12 — Right of Grievance Redressal 🔴
Data Fiduciaries must appoint a Grievance Officer and establish a clear redressal mechanism for Data Principals to complain if they believe their rights have been violated. The Data Protection Board is the escalation point.
What the policy says: “Oops! Something went wrong Please contact your administrator”
What the law requires: Clearly published contact details for a Grievance Officer and an outlined process for escalating complaints, including reference to the Data Protection Board.
The problem: An inaccessible policy means users cannot find information about Myntra’s Grievance Officer or the steps to take if they have a complaint, leaving them without a formal redressal path.
Section 16 — Cross-Border Data Transfer 🔴
DPDP Act Section 16 permits cross-border data transfer only to countries or territories notified by the Central Government.
What the policy says: “Oops! Something went wrong Please contact your administrator”
What the law requires: Disclosure of any cross-border data transfers, specifying the countries involved and compliance with Section 16’s restrictions.
The problem: It is impossible to determine whether Myntra transfers data abroad or, if it does, whether such transfers comply with the DPDP Act.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | Critical | Up to ₹250 Cr for non-compliance with notice and consent requirements |
| User trust & reputation | Critical | Severe damage to user confidence; public backlash |
| Consent validity | Critical | All past and future data processing potentially invalid |
| Data Principal rights | Critical | Users cannot exercise fundamental rights; legal exposure for the company |
| Data retention & erasure | Critical | Indefinite retention creates massive liability |
| Legal challenges | High | Class-action lawsuits possible from affected Data Principals |
Recommendations
- Immediate Policy Restoration: Urgently fix the privacy policy page to ensure it is publicly accessible and error-free.
- Conduct Full DPDP Audit: Once the policy is accessible, perform a comprehensive audit to ensure it explicitly addresses all DPDP Act 2023 requirements.
- Ensure Clear Notice & Consent: Implement clear, layered consent mechanisms and a detailed privacy notice that is easy for users to understand.
- Define Retention Schedules: Explicitly state data retention periods for different categories of personal data.
- Enhance Data Principal Rights Mechanisms: Clearly outline how users can exercise their rights to access, correct, erase data, and nominate a representative.
- Update Grievance Redressal: Publish clear Grievance Officer contact details and include the Data Protection Board as an escalation path.