A Project by Meridian Bridge Strategy
Book Consultation
Hospitality

OYO Rooms

Ready Score 40/100
Functional Gaps vs Industry Avg: 48
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 19 Feb 2026

Executive Summary

OYO processes some of the most personally revealing hospitality data: ID documents, stay patterns, co-guest information, and room preferences — all shared with individual hotel owners. At 40/100, the platform's franchise model creates a data governance vacuum where guest PII flows to thousands of independent hotel operators with minimal oversight.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Guest ID document scans retained without defined lifecycle
  • Room booking patterns reveal relationship and lifestyle data
  • Couple booking rejections create discriminatory data
  • No data retention timelines for stay history and IDs
  • Data Protection Board not referenced
  • Hotel partner access to guest PII uncontrolled

✅ Strengths

  • Basic security measures described
  • Grievance officer designated
  • ID verification for safety referenced

Overview

OYO operates across 800+ cities through a franchise model — OYO branded hotels are independently owned and operated. When a guest books, their personal data (ID documents, phone number, stay details) flows to both OYO’s platform and the independent hotel operator. This creates thousands of uncontrolled data access points.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent & Notice 🔴

OYO guests provide:

  • Government ID documents (Aadhaar, PAN, passport) — scanned and stored
  • Phone numbers shared with hotel owners
  • Stay patterns (frequency, locations, solo vs. couple bookings)
  • Payment information

Unique concern: In India, OYO bookings have social stigma implications. “Couple bookings” and “local ID” policies create data that reveals sensitive personal situations. This data should have enhanced privacy protections.

Section 9 — Data Retention 🔴

No retention timelines for:

  • ID document scans (Aadhaar numbers stored on hotel owners’ phones)
  • Stay history across 800+ cities
  • Co-guest information
  • Booking modification patterns (room upgrades, late checkouts)

Section 11 — Rights of Data Principal 🔴

  • Can guests request deletion from both OYO and the hotel operator?
  • ID scans on hotel owners’ devices — uncontrollable
  • No data portability for stay history
  • No nomination rights

Risk Assessment

CategoryRisk LevelPotential Impact
ID document handlingCriticalAadhaar scans on thousands of hotel operators’ devices
Franchise data governanceCriticalIndependent operators = uncontrolled data access
Stay pattern inferenceHighBooking patterns reveal lifestyle and relationships
Data retentionHighID documents with no defined lifecycle

Recommendations

  1. Implement centralized ID verification — Hotels verify through OYO’s platform; never retain raw ID scans
  2. Establish franchise data agreements — All hotel partners must sign data handling commitments
  3. Mask guest phone numbers — Route communications through OYO platform
  4. Define stay data retention — “Active booking: until checkout + 24 hours; ID verification: system-verified, raw scans deleted; stay history: 1 year”
  5. Add enhanced privacy for sensitive bookings — Option to minimize data shared with hotel operators for privacy-sensitive stays

How Does Your Policy Compare?

🔍 Run Your Free DPDP Audit →

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.

📖 Related Compliance Guides

city DPDP Consulting in Agra: What Local Businesses Need to Know city DPDP Consulting in Amritsar: Protecting Data in the City of Golden Temple city DPDP Consulting in Bhubaneswar: Protecting Data in the Temple City

What Should You Do Next?

🔍 Check Your Own Score

Take the free 60-second DPDP audit. 16 questions, instant risk report.

🎓 Train Your Team

Book a DPDP compliance workshop — available online, onsite, and hybrid.

📰 Stay Updated

Get the daily DPDP news digest. Track enforcement, breaches, and policy changes.

Fix these compliance gaps today.

Book 1:1 Consultation
📞 Free Consultation