Fintech

PhonePe

Ready Score 49/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 9 Feb 2026

PhonePe's privacy policy governs the financial data of 500M+ users but scores poorly on DPDP alignment. As a company majority-owned by Walmart, its cross-border data sharing with global affiliates and its vague retention clauses create significant exposure under the DPDP Act's stricter framework.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference — policy anchored to IT Act 2000
  • Broad third-party data sharing with affiliates and partners with vague safeguards
  • No specific data retention timelines for transaction or KYC data
  • Data Protection Board not mentioned as grievance escalation
  • Cross-border provisions insufficient — data shared with Walmart entities globally
  • No mention of Section 14 nomination rights

✅ Strengths

  • Clear categorization of data types collected (personal, financial, transactional)
  • Security section describes encryption and ISO compliance
  • Opt-out mechanism for promotional communications

Overview

PhonePe, India's leading UPI platform with 500M+ registered users, processes over 5 billion transactions a month. Majority-owned by Walmart (it was fully separated from Flipkart in 2022), PhonePe operates within a global corporate structure, which makes its cross-border data transfer provisions particularly critical under the DPDP Act 2023 and under RBI's 2018 payment data localisation directive.

DPDP Readiness: Section-by-Section Analysis

Sections 5–6 — Notice and Consent 🔴

PhonePe's consent is a classic "by using our platform, you consent" model: no layered consent, and no way for a user to consent to payment processing while declining targeted advertising.

Critical issue: PhonePe combines consent for 12+ data processing purposes into a single acceptance. Under DPDP Section 6, consent must be free, specific, informed, unconditional and unambiguous, and limited to the personal data necessary for the specified purpose; a single bundled acceptance covering a dozen purposes cannot meet that standard, and withdrawal must be as easy as giving consent (Section 6(4)), which a take-it-or-leave-it model does not provide.

What’s missing:

  • Purpose-specific consent toggles
  • Easy-to-understand notice in clear language (Hindi/regional language options)
  • Clear distinction between necessary and optional data processing

Section 7 — Certain Legitimate Uses ⚠️

The policy claims broad bases for processing including "business operations," "research and analytics," and "to administer our products." Several of these extend well beyond the narrow list of consent-free uses in DPDP Section 7.

Gap: DPDP Section 7 permits processing without consent only for enumerated purposes, including personal data the Data Principal has voluntarily provided for a specified purpose, State functions and benefits, compliance with law or court orders, medical emergencies and public health, disaster response, and employment-related purposes. There is no GDPR-style "legitimate interests" basis, so PhonePe's research and analytics processing does not qualify and needs its own consent.

Section 8 — Obligations of Data Fiduciary ⚠️

PhonePe describes security infrastructure including encryption and ISO 27001 certification. However, the policy lacks specifics on:

  • Data breach notification procedures and timelines (Section 8(6) requires notifying both the Data Protection Board and each affected Data Principal)
  • Technical and organisational measures applied to each data category
  • Regular audit and review commitments

Partial compliance. Security is addressed, but it is not mapped to the Section 8 obligations.

Section 8(7) — Data Retention 🔴

Major gap. The policy states: "We retain information for as long as it is necessary for the purposes set out in this policy." No specifics. Section 8(7) requires a Data Fiduciary to erase personal data when consent is withdrawn or as soon as the specified purpose is no longer served, unless retention is required by law; a purpose-bound clause with no category-level periods gives the user no way to tell when that point is reached.

For a platform handling:

  • UPI transaction data (RBI mandates 10-year retention)
  • KYC documents (PMLA requires 5 years post-relationship)
  • Marketing and analytics data (no regulatory mandate)

Each category should have distinct retention and deletion timelines. Current policy provides none.

Sections 11–14 — Rights of Data Principal ⚠️

Rights to access and correction are mentioned, but:

  • No self-service data download or portability mechanism
  • The right to erasure is conditional on regulatory obligations, with no timeline
  • Section 14 nomination mechanism completely absent
  • No mention of the Section 11 right to a summary of the personal data processed, the processing activities, and the identities of the other Data Fiduciaries it has been shared with

Section 13 — Right of Grievance Redressal ⚠️

A Nodal Officer is designated with contact details. However:

  • No reference to the Data Protection Board (Section 13(3) requires the Data Principal to exhaust the fiduciary's grievance process before approaching the Board, so the policy should state where that escalation goes)
  • No defined timelines for grievance resolution
  • No multi-tier escalation process

Section 16 — Cross-Border Data Transfer 🔴

Critical concern. As a Walmart subsidiary, PhonePe explicitly states data may be shared with “affiliates, group companies, and business partners” which includes entities in the US, Israel, and other jurisdictions.

DPDP Requirement: Section 16 lets the Central Government restrict transfers to notified countries or territories, and Section 16(2) preserves any sectoral law that imposes a higher degree of protection. For a payment system operator that sectoral law is RBI's 2018 payment data localisation directive, which requires end-to-end transaction data to be stored only in India. Until the notified-country list is published and PhonePe documents which data classes leave India and on what basis, its Walmart data sharing sits on uncertain ground.

Additional concern: The policy doesn’t distinguish between operational data sharing (necessary for platform function) and analytical/strategic data sharing with the parent company.

Risk Assessment

  • Regulatory fine (High): penalties of up to ₹250 crore per contravention, the ceiling in the DPDP Schedule for failing to take reasonable security safeguards
  • Cross-border transfer (Critical): Walmart entity data sharing without a documented legal basis or localisation mapping
  • Consent compliance (High): bundled consent for 500M+ users
  • Data retention (High): no timelines, which in practice means indefinite storage
  • Data principal rights (Medium): partial rights, no nomination mechanism

Recommendations

  1. Segregate Walmart data sharing — Create clear data processing agreements that limit what data flows to non-Indian entities, with explicit user consent for each category
  2. Implement retention schedules — Publish specific retention periods: “Transaction logs: 10 years per RBI; KYC: 5 years post-closure; Marketing: 1 year rolling, delete on withdrawal”
  3. Deploy layered consent — Separate payment processing consent from marketing, analytics, and affiliate sharing
  4. Add DPDP governance framework — Appoint a formal Data Protection Officer (mandatory under Section 10 if PhonePe is designated a Significant Data Fiduciary), reference the Data Protection Board, and publish a DPDP compliance roadmap
  5. Build nomination mechanism — Section 14 compliance, letting a Data Principal nominate who exercises their rights in the event of death or incapacity

How Does Your Policy Compare?

Not sure if your company’s privacy policy has similar gaps? Run a free instant check:


Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.


Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
