Archived analysis

This page is old. Pepperfry was reviewed on 2026-04-28.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

E-commerce

Pepperfry

Readiness score: 42/100
Analysis supervised by Sushant Pasumarty
Date: 28 Apr 2026

Pepperfry’s policy is a classic example of an 'IT Act era' document that hasn't been updated for India's new privacy regime. While it covers the basics of data collection, it fails the DPDP Act’s strict requirements for granular consent, clear retention limits, and modern user rights.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-04-28
  • Company: Pepperfry
  • Readiness score: 42/100
  • Policies and product behavior may have changed since review
  • Not verified here: whether the current source policy still matches this archived policy-only review
  • Not verified here: whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Explicitly follows IT Act 2000 and 2011 Rules instead of DPDP Act 2023
  • Uses 'browse-wrap' consent where simply using the site implies agreement
  • No specific data retention or auto-deletion timelines defined
  • No mention of Data Principal rights like the right to nominate
  • Vague 'commercially reasonable' standard for security instead of absolute protection
  • Missing mandatory escalation path to the Data Protection Board of India

✅ Strengths

  • Clearly identifies a specific individual as the Grievance Officer
  • Provides a direct email address specifically for data deletion requests
  • Explicitly lists the types of technical data and device permissions collected
  • Transparent about sharing data with third-party logistics and marketing partners

Overview

Pepperfry is one of India’s largest online furniture retailers. To sell you a sofa or a lamp, they collect a lot of personal info: your home address, phone number, GPS location, and even your tax details if you’re a business seller.

As a Data Fiduciary (the company that decides why and how your data is used), Pepperfry is responsible for keeping this data safe. As the Data Principal (the person the data belongs to), you have new rights under the DPDP Act that this policy doesn’t quite acknowledge yet.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent

Pepperfry uses “bundled” and “implied” consent, which is a big no-no under the new law. They assume that if you are on the website, you’ve already agreed to everything.

What the policy says: “Personal Information of a User(s) is collected if the User(s) registers… accesses the Website or take any action on the Website.”

What the law requires: Consent must be affirmative. This means you have to click a button that says “I agree” specifically for data processing. Simply “accessing” a site isn’t consent anymore.

The problem: Under Section 6, consent must be specific and clear. Pepperfry bundles marketing, shipping, and “internal analytics” into one giant bucket. You can’t say “yes to shipping” but “no to marketing” easily at the start.

Section 7 — Certain Legitimate Uses ⚠️

The policy claims they collect data for “lawful purposes” related to their business functions.

What the policy says: “You understand, agree and acknowledge that our collection… is for a lawful purpose connected with a function or activity of the Platform.”

What the law requires: The DPDP Act replaced the broad “lawful purpose” test with a closed list of Certain Legitimate Uses. This list is much narrower and covers grounds such as medical emergencies or government functions.

The problem: Pepperfry is still using the old, broad language from the 2011 rules. They cannot claim “legitimate use” for marketing or tracking your behavior; they must get your explicit consent for those things now.

Section 8 — Obligations of Data Fiduciary ⚠️

Pepperfry promises to try their best, but the law now demands a higher standard.

What the policy says: “We will ensure on reasonable commercial efforts basis that the third parties… are under an obligation to maintain confidentiality.”

What the law requires: The Data Fiduciary (Pepperfry) is responsible for any data breach, even if it happens at their partner’s end (like a delivery company).

The problem: Using words like “reasonable commercial efforts” is a legal shield. The DPDP Act doesn’t care about “efforts”—it mandates that you must protect data, or face fines up to ₹250 crore.

Section 9 — Data Retention 🔴

This is a major gap. The policy doesn’t tell you how long they keep your data.

What the policy says: It mentions you can ask for deletion, but it doesn’t say how long they keep it if you don’t ask.

What the law requires: Data must be deleted as soon as the purpose is fulfilled. If you bought a bed three years ago and haven’t logged in since, Pepperfry technically shouldn’t be holding onto your home address anymore.

The problem: Without a clear retention policy, your data sits in their servers forever, increasing your risk if they ever get hacked.

Section 11 — Rights of Data Principal ⚠️

The DPDP Act gives you four “superpowers,” but Pepperfry only mentions one and a half.

The gaps:

  • Right to Nominate: You can’t currently tell Pepperfry who should manage your account if something happens to you.
  • Right to Withdraw: While they mention “opting out” of emails, they don’t provide a clear way to withdraw consent for all processing without deleting your account entirely.

Section 12 — Right of Grievance Redressal ⚠️

They have a Grievance Officer, which is good, but the rules they follow are out of date.

What the policy says: It explicitly cites the “IT Rules, 2011.”

The problem: Those rules are being replaced by the DPDP Act. The policy fails to mention that if the Grievance Officer doesn’t help you, you have the right to complain to the Data Protection Board of India.

Section 16 — Cross-Border Data Transfer ⚠️

What the policy says: “Your information may be transferred to… computers… located outside of your state or country.”

The problem: The DPDP Act says the government will create a “restricted list” of countries where data cannot go. Pepperfry’s policy is too vague; it doesn’t specify which countries your data might end up in or how they protect it once it leaves India.

Risk Assessment

Category | Risk Level | Potential Impact
Consent Validity | High | Bundled/implied consent is invalid under DPDP; could stop data use.
Old Law Reliance | High | Referencing the IT Act 2000 instead of DPDP Act 2023 shows non-compliance.
Data Retention | Medium | Keeping data indefinitely increases liability during a breach.
User Rights | Medium | Lack of nomination and easy withdrawal features.

Recommendations

  1. Update the Legal Framework: Immediately remove references to the “IT Rules 2011” and replace them with the DPDP Act 2023.
  2. Unbundle Consent: Give users checkboxes. Let them agree to “Delivery” (essential) but opt-in to “Marketing” (optional).
  3. Set a Deletion Timer: Define that if an account is inactive for 3 years, the data is automatically deleted or made anonymous.
  4. Modernize the Grievance Path: Add a link to the Data Protection Board and commit to acknowledging complaints faster than the old 36-hour limit.
  5. Add a “Notice”: Before asking for data, show a simple notice in clear language (maybe even in Hindi) explaining what is being collected and why.
