Archived analysis

This page is old. Ola was reviewed on 2026-04-25.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Mobility

Ola

Ready Score 50/100
Analysis supervised by Sushant Pasumarty
📅 25 Apr 2026


Ola's privacy policy for its mobility services provides transparency on data collection and acknowledges some data principal rights. However, it falls significantly short of DPDP Act 2023 compliance. The core issue of bundled consent, where users must accept the policy to use services, contradicts the Act's requirement for 'freely given' consent. Coupled with a lack of explicit DPDP 2023 alignment, vague data retention, and broad legitimate use claims, Ola faces considerable regulatory exposure. A comprehensive update is necessary to align with India's new data protection regime.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.


We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-04-25
  • Company: Ola
  • Readiness score: 50/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.


⚠️ Compliance Gaps

  • Bundled consent mechanism — agreement to privacy policy tied to service terms, not 'freely given' per Section 6
  • No explicit DPDP Act 2023 reference — still appears rooted in IT Act 2000 framework
  • Vague data retention period — uses 'as long as necessary' language without specific timelines (Section 9)
  • Broad definition of 'legitimate uses' for processing, exceeding narrow scope of DPDP Section 7 without explicit consent
  • Cross-border data transfer provisions lack specificity on all jurisdictions or alignment with Central Government's permitted list (Section 16)
  • No explicit mention of Data Principal's nomination rights under Section 14

✅ Strengths

  • Comprehensive data collection disclosure — categories clearly listed for various data types
  • Explicit mention of the Data Principal's 'right to be forgotten' and ability to restrict processing
  • Grievance redressal mechanism noted, including a DPO (for certain entities) and commitment to a one-month response, with escalation to supervisory authority mentioned
  • Security safeguards described, including reasonable measures, SSL technology, and use of secure cloud infrastructure

Overview

Ola (ANI Technologies Private Limited) is a leading mobility platform in India, facilitating ride-hailing and other transportation services. Given the extensive personal and location data collected from millions of users and drivers, its privacy practices are critically assessed against the stringent requirements of India’s Digital Personal Data Protection Act 2023 (DPDP Act).

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent

Ola’s privacy policy explicitly states: “BY ACCEPTING THE CUSTOMER TERMS AND CONDITIONS, YOU AGREE TO THE TERMS OF THIS PRIVACY POLICY”. This constitutes a bundled consent mechanism, meaning users must accept the entire policy to use the services. This approach does not meet the DPDP Act’s requirement for consent to be “freely given, specific, informed, and unconditional,” as mandated by Section 6. There is no clear provision for granular consent for different processing purposes.

What the policy says: “By accepting the Customer Terms and Conditions, you agree to the terms of this Privacy Policy.”

DPDP requirement: Consent must be unbundled, specific to each purpose, informed, and capable of being withdrawn.

Gap: The policy presents a “take it or leave it” scenario, failing to offer data principals genuine choice over specific data processing activities.

Section 7 — Certain Legitimate Uses ⚠️

The policy outlines various purposes for data processing, some of which may exceed the narrow scope of “legitimate uses” defined under Section 7 of the DPDP Act. For instance, purposes such as “To improve our Services and conduct research”, “To communicate with you; including to send you information about our Services and events; To develop new programs and services”, and “to protect the safety of the public for any reason” are broadly stated. While some of these might fall under legitimate interests in other jurisdictions, under DPDP, these could require specific consent if not directly fulfilling a state function, medical emergency, or employment-related necessity.

Gap: Several processing activities claimed under broad legitimate interests would likely require explicit consent under the DPDP Act.

Section 8 — Obligations of Data Fiduciary ✅

Ola’s policy acknowledges the importance of data security. It states, “We take reasonable measures to protect the information you provide to us from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction”. Specific measures mentioned include the use of “Secure Socket Layer (SSL) technology to encrypt your credit card number”. Additionally, for related entities, it refers to using Amazon Web Services (AWS) with “state-of-the-art security measures”, indicating a general commitment to industry-standard security practices across the group.

Strength: The policy demonstrates an awareness of the need for security safeguards in line with Section 8.

Section 9 — Data Retention 🔴

Critical gap. The policy employs vague language regarding data retention, stating, “We retain personal data only as long as necessary for the purposes described in this policy or as required by law”. Similarly, another snippet notes, “We will only retain your Personal Data for as long as it is necessary to fulfill the purposes outlined in this Policy or the purposes of which You have otherwise been informed”. This generic phrasing lacks specific retention periods for different categories of personal data, which is a key requirement under Section 9 of the DPDP Act to ensure data is erased once the purpose is fulfilled or consent is withdrawn.

Gap: No specific timelines for data retention or automated deletion triggers, leaving data principals unclear about the duration their data is stored.

Section 11 — Rights of Data Principal ⚠️

Ola’s policy mentions the Data Principal’s right to “access and update your information”. A significant strength is the explicit mention of “Your right to be forgotten” and the ability to “restrict or prevent processing your personal information” under specific conditions. However, the policy does not explicitly address the right to nominate another person to exercise these rights in case of death or incapacity, as outlined in Section 14 of the DPDP Act. While mechanisms for requesting updates exist, a self-service portal for all rights is not clearly indicated.

Partial compliance. Basic rights are acknowledged, but DPDP-specific rights like nomination are missing.

Section 12 — Right of Grievance Redressal ✅

The policy provides a mechanism for grievance redressal. For Ola Maps (part of ANI Technologies), it specifically mentions a Data Protection Officer (DPO) at support@olakrutrim.com, with a commitment to address issues “as soon as possible and within a maximum period of one month”. Crucially, it also states, “if you are still of the opinion that we are processing your personal data in violation of data protection laws and regulations you have the right to lodge a complaint with the supervisory authority”. This aligns well with DPDP requirements for a clear grievance process and escalation path to the Data Protection Board.

Strength: Clear grievance contact, response timelines, and escalation to supervisory authority (even if specific DPO email might vary across Ola’s services).

Section 16 — Cross-Border Data Transfer ⚠️

The policy states that information may be transferred “to the United States or Canada or other countries outside of where you live”, and also to “recipients in countries outside India that may have differing data protection laws”. While Ola Electric’s policy mentions ensuring appropriate safeguards for transfers, the general Ola Cabs policy lacks the specific detail required by the DPDP Act. Under Section 16, transfers are permitted only to countries notified by the Central Government, and the policy does not explicitly confirm adherence to such a ‘white list’ or detail specific safeguards for all such transfers.

Gap: The cross-border transfer provisions lack the necessary specificity and alignment with the DPDP Act’s framework for restricted jurisdictions and explicit safeguards.

Risk Assessment

| Category | Risk Level | Rationale |
|---|---|---|
| Consent | High 🔴 | Bundled consent is a fundamental departure from DPDP’s “freely given” standard. |
| Notice | Medium ⚠️ | While data collection is disclosed, the lack of specific DPDP referencing means data principals are not fully informed of their rights under the new Act. |
| Legitimate Use | High 🔴 | Broad interpretation of legitimate uses could lead to processing without valid consent as per DPDP. |
| Data Principal Rights | Medium ⚠️ | Right to nomination is absent; self-service mechanisms are not clearly detailed for all rights. |
| Data Fiduciary Obligations | Low ✅ | Security measures are mentioned, indicating basic adherence to reasonable safeguards. |
| Data Retention | High 🔴 | Vague retention periods pose a significant risk of non-compliance with erasure requirements. |
| Grievance Redressal | Low ✅ | Clear DPO and escalation path to supervisory authority is a strength, though specific to certain services. |
| Cross-Border Transfer | High 🔴 | Lack of specificity on permitted jurisdictions and safeguards presents significant compliance risk. |
