E-commerce

Nykaa

Ready Score 44/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 9 Feb 2026

Nykaa collects deeply personal beauty and health data — skin conditions, beauty routines, and facial scans for virtual try-on — yet treats it with the same casual privacy approach as generic e-commerce. At 44/100, the gap between data sensitivity and protection is concerning.

โš ๏ธ Compliance Gaps

  • No DPDP Act 2023 reference
  • Beauty profile data (skin type, concerns, routines) collected without explicit consent
  • Virtual try-on face scanning data handling undefined
  • Third-party beauty brand data sharing lacks transparency
  • No data retention timelines for beauty profiles
  • Data Protection Board not referenced
  • Cross-border data transfer provisions vague

✅ Strengths

  • Clear product purchase data categories
  • Security measures described
  • Grievance officer contact provided

Overview

Nykaa is India’s leading beauty and personal care e-commerce platform. Unlike general e-commerce, Nykaa collects uniquely personal data: skin type assessments, beauty concern questionnaires, dermatological conditions, hair type profiles, and increasingly, facial geometry data through virtual try-on features. This data crosses into health and biometric territory.

DPDP Readiness: Section-by-Section Analysis

Nykaa collects data that borders on health information:

  • Skin type questionnaires: Acne-prone, dry, oily, sensitive
  • Beauty concerns: Pigmentation, aging, conditions like eczema or rosacea
  • Face scanning: AR-powered virtual try-on captures facial geometry

Under DPDP, while “personal data” is broadly defined, the intimate nature of this data demands higher consent standards than a standard e-commerce platform.

Gap: All data processing is covered by a single consent during account creation. No separate consent for beauty profiling, skin assessments, or facial scanning.

Section 7 — Certain Legitimate Uses 🔴

Nykaa uses beauty profile data for:

  • Product recommendations (reasonable)
  • Third-party brand partnerships (questionable)
  • Targeted advertising (should require separate consent)

Gap: Sharing skin condition data with beauty brand partners goes well beyond legitimate use.

Section 8 — Obligations of Data Fiduciary ⚠️

Standard security measures. However, no specific mention of additional protections for:

  • Facial geometry data (biometric-adjacent)
  • Health-related beauty data (skin conditions)
  • Virtual try-on image processing and storage

Section 9 — Data Retention 🔴

No retention timelines for:

  • Beauty profile assessments
  • Skin type and concern data
  • Virtual try-on facial scans
  • Purchase history linked to health conditions (e.g., dermatological products)

Critical concern: If a user buys acne medication, is that purchase history — which reveals health information — retained indefinitely?

Section 11 — Rights of Data Principal 🔴

  • No mechanism to delete beauty profiles while keeping the account
  • No right to opt out of beauty recommendation algorithms
  • No access to understand how skin data influences what’s shown
  • No nomination rights

Section 12 — Right of Grievance Redressal ⚠️

Basic grievance mechanism without DPB escalation.

Section 16 — Cross-Border Data Transfer ⚠️

Cloud infrastructure and beauty brand partnerships may involve international data transfer. The policy lacks specificity on which data crosses borders.

Risk Assessment

Category | Risk Level | Potential Impact
Regulatory fine | High | Up to ₹250 Cr
Health-adjacent data handling | Critical | Beauty/skin data borders on health information
Facial geometry data | Critical | Virtual try-on captures biometric-adjacent data
Brand partnership sharing | High | Skin condition data shared with third-party brands
Data retention | High | Health-revealing purchase history retained indefinitely

The Beauty Data Problem

Nykaa sits in a gray zone between e-commerce and health data:

Data Type | E-commerce Standard | Health/DPDP Standard | Nykaa’s Practice
Purchase history | Standard | Health-revealing if dermatological | Treated as standard
Skin assessments | N/A | Health data equivalent | No extra protection
Face scans | N/A | Biometric-adjacent | Handling undefined
Beauty concerns | Preference data | Health condition indicators | No separate consent

Recommendations

  1. Classify beauty data as sensitive — Implement enhanced protections for skin type, beauty concerns, and facial scan data
  2. Separate consent for beauty profiling — “Use basic product browsing [required]. Share skin profile for personalized recommendations? [optional]”
  3. Define facial scan data policy — “Virtual try-on images are processed locally and never stored on our servers” or similar clear commitment
  4. Restrict brand data sharing — Don’t share individual-level skin condition data with brand partners; use only aggregated, anonymized insights
  5. Create beauty data deletion tool — Allow users to clear beauty profiles, skin assessments, and facial scans independently
  6. Add retention schedules for health-adjacent data — “Beauty quiz results: 1 year; virtual try-on data: deleted immediately; dermatological purchases: standard retail retention”
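The six recommendations above amount to a data-handling model: sensitivity tiers per data category, purpose-bound consent that is separate from account creation, zero retention for facial scans, a retention schedule for beauty data, a deletion path that leaves the account intact, and aggregate-only sharing with brand partners. The Python below is an added illustration of that model, not Nykaa's code and not part of this analysis. The category names, purposes, retention periods, and the minimum group size of 5 for the brand export are assumptions chosen to mirror recommendations 1 to 6; the sample records in the demo are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum


class Sensitivity(IntEnum):
    STANDARD = 1            # ordinary retail data (orders, addresses)
    HEALTH_ADJACENT = 2     # skin assessments, beauty concerns
    BIOMETRIC_ADJACENT = 3  # virtual try-on facial scans


# Hypothetical category registry (an assumption, not Nykaa's schema):
# sensitivity tier, purposes the category may serve, and retention period.
# None = standard retail retention handled elsewhere; timedelta(0) = never stored.
CATEGORIES = {
    "purchase_history": (Sensitivity.STANDARD, {"order_fulfilment", "recommendations"}, None),
    "skin_assessment":  (Sensitivity.HEALTH_ADJACENT, {"recommendations"}, timedelta(days=365)),
    "beauty_concerns":  (Sensitivity.HEALTH_ADJACENT, {"recommendations"}, timedelta(days=365)),
    "face_scan":        (Sensitivity.BIOMETRIC_ADJACENT, {"virtual_try_on"}, timedelta(0)),
}

# Purposes that follow from account creation alone; every other purpose is an opt-in.
BASELINE_PURPOSES = {"order_fulfilment"}


@dataclass
class Record:
    category: str
    value: str
    collected_at: datetime


@dataclass
class Principal:
    consents: set = field(default_factory=set)   # purposes the user explicitly opted into
    records: list = field(default_factory=list)


def may_process(p: Principal, category: str, purpose: str) -> bool:
    """Purpose limitation plus granular consent (recommendations 1 and 2).

    The category must list the purpose, and the purpose must either be a
    baseline purpose (only ever sufficient for STANDARD data) or one the
    principal opted into separately from account creation."""
    sens, purposes, _ = CATEGORIES[category]
    if purpose not in purposes:
        return False
    if purpose in BASELINE_PURPOSES and sens == Sensitivity.STANDARD:
        return True
    return purpose in p.consents


def store(p: Principal, rec: Record) -> bool:
    """Recommendation 3: zero-retention categories (face scans) are processed
    for the request and never written; everything else is kept."""
    _, _, retention = CATEGORIES[rec.category]
    if retention == timedelta(0):
        return False
    p.records.append(rec)
    return True


def expire(p: Principal, now: datetime) -> list:
    """Recommendation 6: drop records older than their category's retention
    period and return the categories that were dropped."""
    kept, dropped = [], []
    for rec in p.records:
        _, _, retention = CATEGORIES[rec.category]
        if retention is not None and now - rec.collected_at > retention:
            dropped.append(rec.category)
        else:
            kept.append(rec)
    p.records = kept
    return dropped


def delete_beauty_profile(p: Principal) -> int:
    """Recommendation 5: clear health- and biometric-adjacent data and the
    consents that depended on it, while leaving the account and orders intact."""
    before = len(p.records)
    p.records = [r for r in p.records if CATEGORIES[r.category][0] == Sensitivity.STANDARD]
    p.consents -= {"recommendations", "virtual_try_on"}
    return before - len(p.records)


def brand_export(principals: list, k: int = 5) -> dict:
    """Recommendation 4: brand partners receive only counts of beauty concerns,
    and only for concerns reported by at least k principals (assumed threshold)."""
    counts = Counter(
        r.value for p in principals for r in p.records if r.category == "beauty_concerns"
    )
    return {concern: n for concern, n in counts.items() if n >= k}


if __name__ == "__main__":
    # Constructed demo: one principal who opted into recommendations.
    now = datetime(2026, 2, 9)
    user = Principal(consents={"recommendations"})
    store(user, Record("purchase_history", "order-1", now))
    store(user, Record("skin_assessment", "oily", now - timedelta(days=400)))
    store(user, Record("face_scan", "mesh-bytes", now))  # never stored
    print("expired:", expire(user, now))
    print("can use skin data for ads?", may_process(user, "skin_assessment", "targeted_ads"))
```

The key design point is that consent is checked per purpose and per category, so a single account-creation consent can never unlock health-adjacent or biometric-adjacent data; the retention and deletion paths are driven by the same registry, which keeps policy and enforcement in one place.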


Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
