Archived analysis

This page is old. Nykaa was reviewed on 2026-04-24.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

E-commerce

Nykaa

Readiness Score 48/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 24 Apr 2026


Nykaa's privacy policy makes a commendable effort by explicitly mentioning the DPDPA’23 for certain Data Principal rights. However, it faces significant challenges with bundled consent, vague data retention periods, and broad legitimate use claims, requiring substantial alignment with India's new privacy law.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-04-24
  • Company: Nykaa
  • Readiness score: 48/100
  • Policies and product behavior may have changed since review
  • Not verified here: whether the current source policy still matches this archived policy-only review
  • Not verified here: whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Bundled consent for multiple purposes — not freely given
  • Broad legitimate interest claims for marketing and personalization
  • Vague data retention period ('as long as necessary')
  • No mention of Data Protection Board grievance escalation
  • Cross-border transfers lack specific country details and DPDP safeguards
  • No explicit nomination rights for Data Principal (Section 14)

✅ Strengths

  • Explicit mention of DPDPA’23 for Data Principal rights
  • Clear disclosure of data categories collected
  • Detailed description of security safeguards, including encryption
  • Grievance Officer contact details clearly published

Overview

Nykaa (NYKAA E-RETAIL LIMITED) is a leading Indian e-commerce platform specializing in beauty and fashion products. Given the personal nature of data handled — skin types, purchase history, communication patterns — its privacy policy needs robust DPDP compliance to protect its millions of users.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent 🔴

Nykaa’s policy states: “By using the Platform and/ or by providing your information, you agree and consent to us collecting, storing, processing, transferring, using and sharing of your personal information…”

This is a single, bundled consent for all activities.

DPDP requirement: Under Section 6, consent must be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and limited to the personal data necessary for the specified purpose. A Data Fiduciary (the entity processing data, here Nykaa) must therefore obtain consent for each specific purpose. It cannot be “take it or leave it.”

The problem: Users cannot agree to purchases but opt out of personalized recommendations or marketing. This bundled approach does not meet DPDP’s “freely given” standard.

Section 7 — Certain Legitimate Uses 🔴

Nykaa lists purposes like “Recommendations and Personalization,” “Communicate With You” (for offers), and “Advertising” as reasons for processing data.

The policy says: “We use your personal information to recommend features, products, and services that might be of interest to you, identify your preferences, and personalize your experience with NYKAA.”

DPDP requirement: Section 7 defines “legitimate uses” very narrowly, such as for emergencies, state functions, or voluntary provision by the Data Principal (the individual whose data is collected, here the user). Marketing and personalization generally require explicit consent, not legitimate use.

The problem: Nykaa’s broad interpretation of legitimate use for marketing and personalization is unlikely to stand up under DPDP’s stricter framework.

Section 8 — Obligations of Data Fiduciary ✅

Nykaa details its commitment to security: “We take reasonable steps to ensure appropriate physical, technical and managerial safeguards… encryption protocols… multi-layered controls…” It also mentions putting “appropriate contracts” and “personal data protection obligations” on third parties.

DPDP requirement: A Data Fiduciary must implement reasonable security safeguards to prevent data breaches and process data accurately, completely, and consistently.

Strength: The policy provides a good overview of security measures and extends obligations to third parties, which aligns well with DPDP expectations.

Section 8(7) — Data Retention and Erasure 🔴

Critical gap. The policy uses vague language: “We keep the Personal Information we collect about you on our systems or with third parties for as long as it is required for the purposes set out in this Privacy Policy and for legal or regulatory reasons. We shall take reasonable steps to delete or permanently de-identify Personal Information that is no longer needed.”

DPDP requirement: Section 8(7) requires a Data Fiduciary to erase personal data (and to have its Data Processors erase it) when the Data Principal withdraws consent or as soon as it is reasonable to assume the specified purpose is no longer being served, unless retention is necessary to comply with a law in force. To meet that duty the Data Fiduciary must be able to say when each purpose ends; an open-ended “as long as necessary” does not.

The problem: “As long as necessary” provides no specific timelines. Users have no clarity on how long their sensitive shopping data, skin analysis results, or demographic information will be stored. This creates significant exposure.

Sections 11 to 14 — Rights of Data Principal ⚠️

Nykaa explicitly mentions the DPDPA’23 here, which is a positive step. It states: “enshrined by the DPDPA’23 you as a customer can also opt to get your account and associated data deleted.” It also broadly mentions the right to “access your Personal Information, correct any errors among others.”

DPDP requirement: Data Principals have rights to access (Section 11), correction and erasure (Section 12), grievance redressal (Section 13) and nomination (Section 14, designating someone to exercise their rights in the event of death or incapacity).

Partial compliance: While acknowledging deletion and access/correction rights and mentioning the DPDPA’23, the policy doesn’t explicitly detail the right to nomination (Section 14) or the full process for exercising these rights.

Section 13 — Right of Grievance Redressal ⚠️

Nykaa publishes a clear Grievance Officer (Mr. Pratiek Varma) with contact email and address. It also outlines a “Customer Grievance Redressal Policy” with various support channels and complaint numbers.

The policy says: “For any further queries and complaints related to privacy under applicable laws and regulations, you could reach us at: Contact Email Address: support@nykaa.com… IN ACCORDANCE WITH INFORMATION TECHNOLOGY ACT 2000 AND RULES MADE THERE UNDER, THE NAME AND CONTACT DETAILS OF THE GRIEVANCE OFFICER ARE PROVIDED BELOW…”

DPDP requirement: Section 13 requires a Data Fiduciary to provide readily available means of grievance redressal and to respond within the prescribed period. A Data Principal must exhaust that mechanism before approaching the Data Protection Board (DPB), so the policy should spell out the escalation path, with the DPB as the final resort for unresolved grievances.

The problem: The policy still heavily references the IT Act 2000 and does not mention the Data Protection Board as an escalation authority. While a Grievance Officer is present, the DPDP-specific escalation mechanism is missing.

Section 16 — Cross-Border Data Transfer 🔴

Nykaa states: “Personal Information we hold about you may be transferred to other countries outside your residential country for any of the purposes described in this Privacy Policy. You understand and accept that these countries may have differing (and potentially less stringent) laws…”

DPDP requirement: Section 16 allows the Central Government to restrict, by notification, transfers of personal data for processing to specified countries or territories outside India; transfers to a restricted jurisdiction are prohibited, and any stricter sectoral law on where data may be held continues to apply (Section 16(2)). The Section 8 obligations, including reasonable security safeguards and processor contracts, follow the data wherever it is processed, and the safeguards applied to such transfers should be clearly communicated.

The problem: Nykaa’s clause is open-ended and asks users to accept that destination countries may have “less stringent laws,” which is contrary to the spirit of DPDP. It names no destination countries and no safeguards, so a user cannot tell whether a restricted jurisdiction is involved or what protections travel with the data, leaving the clause out of step with Section 16 and the Section 8 duties that continue to apply abroad.

Risk Assessment

Category                Risk Level   Potential Impact
Regulatory fine         High         Up to ₹250 crore (Schedule ceiling, for failure to take reasonable security safeguards)
Consent compliance      High         Bundled consent invalidation affects all users
Data retention          Critical     Undefined retention for sensitive shopping data
Cross-border transfer   High         Undisclosed destinations and safeguards; exposure if a restricted jurisdiction is involved
Data principal rights   Medium       Incomplete rights framework, missing nomination

Recommendations

  1. Implement layered consent: Break down consent requests into granular choices (e.g., separate for marketing, analytics, personalization).
  2. Define specific retention periods: Clearly state how long different types of data are kept (e.g., “Purchase history: 5 years; Marketing data: deleted on consent withdrawal within 30 days”).
  3. Update “legitimate uses”: Align purposes like marketing and personalization with explicit consent, reserving “legitimate use” for DPDP Section 7 defined reasons.
  4. Integrate Data Protection Board: Add the DPB as the ultimate escalation path in the grievance redressal process.
  5. Specify cross-border transfers: List specific countries to which data is transferred and describe the safeguards in place, aligning with future government notifications.
  6. Add nomination rights: Explicitly mention the Data Principal’s right to nominate a person to exercise their rights after their demise (Section 14).
