A Project by Meridian Bridge Strategy
Archived analysis

This page is old. OYO Rooms was reviewed on 2026-02-19.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

View current public evidence
Hospitality

OYO Rooms

Ready Score 40/100
Functional Gaps vs Industry Avg: 48
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
πŸ“… 19 Feb 2026

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

Executive Summary

OYO processes some of the most personally revealing hospitality data: ID documents, stay patterns, co-guest information, and room preferences β€” all shared with individual hotel owners. At 40/100, the platform's franchise model creates a data governance vacuum where guest PII flows to thousands of independent hotel operators with minimal oversight.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

For current public evidence from website trackers, policy findings and proof samples, see State of Privacy 2026.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-02-19
  • Company: OYO Rooms
  • Readiness score: 40/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

Book a DPDP readiness call

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Guest ID document scans retained without defined lifecycle
  • Room booking patterns reveal relationship and lifestyle data
  • Couple booking rejections create discriminatory data
  • No data retention timelines for stay history and IDs
  • Data Protection Board not referenced
  • Hotel partner access to guest PII uncontrolled

βœ… Strengths

  • Basic security measures described
  • Grievance officer designated
  • ID verification for safety referenced

Overview

OYO operates across 800+ cities through a franchise model β€” OYO branded hotels are independently owned and operated. When a guest books, their personal data (ID documents, phone number, stay details) flows to both OYO’s platform and the independent hotel operator. This creates thousands of uncontrolled data access points.

DPDP Readiness: Section-by-Section Analysis

Section 6 β€” Consent & Notice πŸ”΄

OYO guests provide:

  • Government ID documents (Aadhaar, PAN, passport) β€” scanned and stored
  • Phone numbers shared with hotel owners
  • Stay patterns (frequency, locations, solo vs. couple bookings)
  • Payment information

Unique concern: In India, OYO bookings have social stigma implications. β€œCouple bookings” and β€œlocal ID” policies create data that reveals sensitive personal situations. This data should have enhanced privacy protections.

Section 9 β€” Data Retention πŸ”΄

No retention timelines for:

  • ID document scans (Aadhaar numbers stored on hotel owners’ phones)
  • Stay history across 800+ cities
  • Co-guest information
  • Booking modification patterns (room upgrades, late checkouts)

Section 11 β€” Rights of Data Principal πŸ”΄

  • Can guests request deletion from both OYO and the hotel operator?
  • ID scans on hotel owners’ devices β€” uncontrollable
  • No data portability for stay history
  • No nomination rights

Risk Assessment

CategoryRisk LevelPotential Impact
ID document handlingCriticalAadhaar scans on thousands of hotel operators’ devices
Franchise data governanceCriticalIndependent operators = uncontrolled data access
Stay pattern inferenceHighBooking patterns reveal lifestyle and relationships
Data retentionHighID documents with no defined lifecycle

Recommendations

  1. Implement centralized ID verification β€” Hotels verify through OYO’s platform; never retain raw ID scans
  2. Establish franchise data agreements β€” All hotel partners must sign data handling commitments
  3. Mask guest phone numbers β€” Route communications through OYO platform
  4. Define stay data retention β€” β€œActive booking: until checkout + 24 hours; ID verification: system-verified, raw scans deleted; stay history: 1 year”
  5. Add enhanced privacy for sensitive bookings β€” Option to minimize data shared with hotel operators for privacy-sensitive stays

πŸ“– Related Compliance Guides

city DPDP Consulting in Lucknow β†’ city DPDP Consulting in Noida β†’ compare DPDP vs Kenya Data Protection Act Guide β†’

What Should You Do Next?

πŸ” Map Your Own Exposure

Book a DPDP readiness call if this analysis resembles your business model.

πŸŽ“ Train Your Team

Book a DPDP compliance workshop β€” available online, onsite, and hybrid.

πŸ“° Stay Updated

Get the daily DPDP news digest. Track enforcement, breaches, and policy changes.

Fix these compliance gaps today.

Book 1:1 Consultation >
Book clarity call