Archived analysis

This page is old. Paytm Money was reviewed on 2026-04-26.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Fintech / Wealth Management

Paytm Money

Readiness Score 56/100
Analysis supervised by Sushant Pasumarty
📅 26 Apr 2026


Paytm Money’s privacy framework is robust regarding financial regulatory compliance (SEBI/RBI) but shows significant gaps under the DPDP Act 2023. While the policy excels at security safeguards and data categorization, it fails to provide the granular consent controls and notice requirements mandated by the new Act. Transitioning from a 'compliance-by-regulation' model to a 'privacy-by-design' model—including automated erasure and nomination rights—is critical to mitigate legal risks.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.


We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-04-26
  • Company: Paytm Money
  • Readiness score: 56/100
  • Policies and product behavior may have changed since review
  • Not re-verified here: whether the current source policy still matches this archived policy-only review
  • Not re-verified here: whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.


⚠️ Compliance Gaps

  • Absence of explicit DPDP Act 2023 terminology — policy remains anchored in IT Act 2000 and SPDI Rules 2011
  • Consent is bundled with general terms and conditions, failing the 'specific' and 'unconditional' requirements of Section 6
  • Data retention timelines are governed by 'legal obligations' (SEBI/PMLA) but lack DPDP-mandated erasure triggers for non-regulatory data
  • No provision for the Right to Nominate (Section 14) in the event of death or incapacity of the Data Principal
  • Grievance redressal mechanism does not inform the Data Principal that unresolved complaints may be taken to the Data Protection Board of India
  • No statement on whether the company expects to be notified as a Significant Data Fiduciary, or what additional obligations (independent audit, data protection officer) would then apply

✅ Strengths

  • Highly detailed disclosure of data categories collected, including device-level metadata and financial identifiers
  • Strong adherence to SEBI and PMLA-mandated security standards, aligning with Section 8 obligations
  • Clear identification of a Grievance Officer with physical address and electronic contact details
  • Explicit mention of third-party sharing limitations, restricting data use to the specific purpose of service delivery

Overview

Paytm Money (a subsidiary of One97 Communications Ltd.) operates in a highly regulated environment, handling sensitive personal data including KYC documents, bank account details, trade history, and investment patterns. As a fintech intermediary, its data processing is governed by both SEBI regulations and the DPDP Act 2023. The current policy is optimized for financial transparency but lacks the individual-centric rights framework introduced by India’s new data law.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent 🔴

Paytm Money relies on “deemed consent” through site usage and bundled acceptance. Under Section 6 of the DPDP Act, consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action of the Data Principal.

What the policy says: “By using the Website/App and/or by providing your information, you consent to the collection and use of the information you disclose.”

Gap: This “take it or leave it” model is legally fragile under DPDP. There is no evidence of a Notice (Section 5) preceding the request for consent that lists, in a clear and separate format, the personal data collected, the purpose of processing, how rights can be exercised and how to complain to the Board. Users cannot opt out of marketing analytics while opting in to brokerage services.

Section 8 — Obligations of Data Fiduciary ✅

Paytm Money demonstrates high readiness in technical safeguards. As a regulated entity, it already implements “reasonable security safeguards” to prevent data breaches.

Strength: The policy highlights 128-bit encryption, firewalls and restricted access. These measures align with Section 8(5) of the DPDP Act, which requires a fiduciary to protect personal data in its possession or under its control by taking reasonable security safeguards. Caveat: the policy names a key length but not the protocol, nor whether encryption applies in transit, at rest, or both; a reader cannot tell from the text alone what is actually protected, and an auditor would ask for that detail.

Section 8(7) — Data Retention and Erasure 🔴

Critical gap. Section 8(7) of the DPDP Act requires the Data Fiduciary to erase personal data when the Data Principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is required by law.

What the policy says: “We will retain your information for as long as it is necessary for the purposes for which it was collected or as required by applicable law.”

Gap: While SEBI requires record-keeping for up to 8 years, the policy does not distinguish between regulatory data (which must be kept for the statutory period) and behavioral or marketing data (which must be erased once its purpose is served). No implementation path for an erasure request, often called the “Right to be Forgotten”, is described for the user.

Sections 11, 12 and 14 — Rights of Data Principal ⚠️

The policy allows users to “review and correct” data, which partially addresses the right to correction in Section 12(1). However, the broader suite of DPDP rights is missing:

  • Right to Erasure (Section 12(3)): Only offered “subject to legal requirements”, with no clear mechanism for data that is not subject to a regulatory retention mandate.
  • Right to Nominate (Section 14): Totally absent. There is no provision for a user to nominate a person to exercise their rights in case of death or incapacity.

Section 13 — Right of Grievance Redressal ⚠️

Paytm Money provides a clear escalation path to a Grievance Officer. However, Section 13(3) gives the Data Principal the right to complain to the Data Protection Board of India if the internal response is unsatisfactory, and Section 5 requires the notice to explain how such a complaint is made. The current policy makes no mention of the Board.

Section 16 — Cross-Border Data Transfer ✅/⚠️

The policy states that data is primarily stored in India but may be shared with partners who might process it elsewhere.

DPDP Alignment: Section 16 allows transfer of personal data outside India except to countries the Central Government restricts by notification. Paytm Money is compliant on that narrow test, but the policy does not disclose which partners or jurisdictions the data may flow to. Section 16 itself does not demand that disclosure; rules notified under the Act may, and a fiduciary that cannot name its transfer destinations will struggle to demonstrate purpose limitation either way.

Risk Assessment

Category | Risk Level | Description
Consent | High | Bundled consent will not satisfy Section 6; a granular, per-purpose opt-in architecture is needed.
Data Retention | Medium | Conflict between SEBI/PMLA retention mandates and the DPDP erasure duty needs explicit clarity in the policy.
Rights | High | Absence of nomination rights and a Board escalation path creates regulatory exposure.
Security | Low | Existing fintech security protocols are largely sufficient for Section 8(5) compliance.

Recommendations

  1. Notice Layering: Implement a DPDP-compliant Notice before the consent screen, with the option to read it in English or any language listed in the Eighth Schedule to the Constitution, as Section 5(3) requires.
  2. Granular Consent: De-link marketing and analytics consent from the core brokerage service agreement.
  3. Nomination Module: Add a feature in the “Profile” section allowing users to nominate a data representative.
  4. Board Integration: Update the Grievance Redressal section to explain that unresolved complaints may be taken to the Data Protection Board of India, and how.
