Archived analysis

This page is old. PolicyBazaar was reviewed on 2026-02-20.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

InsurTech

PolicyBazaar

Ready Score 46/100
Analysis supervised by Sushant Pasumarty
Date: 20 Feb 2026


PolicyBazaar collects detailed health questionnaires, income declarations and family medical histories, then shares them with 50+ insurance partners at the same time. At 46/100, this broadcast-style sharing model, in which a user's health conditions go to dozens of insurers under a single consent, is hard to reconcile with the DPDP Act's requirement that consent be specific to a stated purpose: one consent, dozens of recipients, each with its own retention and reuse practices.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-02-20
  • Company: PolicyBazaar
  • Readiness score: 46/100
  • Policies and product behavior may have changed since review.
  • Not verified here: whether the current source policy still matches this archived policy-only review.
  • Not verified here: whether app, web and product flows match the policy.

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Health questionnaire data shared with multiple insurance partners
  • Pre-existing condition declarations retained indefinitely
  • Call recordings of health disclosures stored without clear retention
  • No data retention timelines for insurance quote data
  • Data Protection Board not referenced
  • Third-party insurer data sharing terms too broad

✅ Strengths

  • IRDAI compliance for insurance data handling
  • Security measures including encryption
  • Grievance officer designated
  • Insurance-specific data categories documented

Overview

PolicyBazaar is India's largest insurance aggregator. When users seek insurance quotes, they submit health conditions, pre-existing diseases, family medical history, income details, age, smoking and drinking habits, and occupation. This data is shared with dozens of insurance companies at the same time for quote comparison, which creates a broadcast-style data dissemination model.

DPDP Readiness: Section-by-Section Analysis

The fundamental model is problematic:

  1. The user fills in a health questionnaire (diabetes, heart conditions, surgeries, etc.)
  2. PolicyBazaar sends it to 20-50 insurance partners at once
  3. Each partner now holds the user's complete health profile
  4. The user buys from at most one of them; the others still hold the data

DPDP concern: broadcasting health conditions to dozens of companies under a single consent is the opposite of purpose-specific, minimal data processing. Each recipient is processing the data for its own underwriting decision, so one blanket consent cannot describe the purpose of any of them.

Section 7: Certain Legitimate Uses 🔴

Insurance comparison does require sharing data with insurers. The open questions are:

  • Should every insurer get the full health questionnaire, or only the summary data needed for an indicative quote?
  • After purchase, should the insurers the user did not select retain the health data at all?
  • Is health data reused for future re-marketing by insurers the user did not select?

Section 8: Obligations of Data Fiduciary ⚠️

IRDAI compliance provides some framework. But:

  • PolicyBazaar can’t control security practices of all 50+ insurance partners
  • Health data flowing to so many parties multiplies breach risk
  • Call recordings containing health disclosures need enhanced protection

Section 8(7): Data Retention and Erasure 🔴

Critical concerns:

  • Insurance quotes never purchased: health data is submitted for comparison but never converted; the policy does not say how long it is retained, by PolicyBazaar or by the partners
  • Call recordings: agents discuss health conditions on recorded calls, and the retention period for those recordings is undefined
  • Declined applications: if an insurer declines based on health conditions, do both PolicyBazaar and the insurer retain the health data and the decline reason?

Sections 11 to 14: Rights of Data Principal 🔴

  • Can users request deletion from all 50+ partners who received their health data, and get confirmation that it happened?
  • No mechanism to limit which insurers receive data before it is shared
  • No transparency on which insurers currently hold your health profile
  • No nomination mechanism (Section 14)
  • No data portability for insurance comparison data (not a DPDP Act right, but a practical gap for users comparing repeatedly)

Section 13: Right of Grievance Redressal ⚠️

An IRDAI complaint mechanism exists. There is no pathway to the Data Protection Board, which Section 13 makes available once the fiduciary's own grievance process has been exhausted.

Section 16: Processing of Personal Data Outside India ⚠️

Some insurance partners may be global companies (Allianz, AXA, etc.) that process data outside India.

Risk Assessment

Category                  Risk Level   Potential Impact
Regulatory fine           Critical     Health data broadcast means mass non-compliance
Health data sharing       Critical     50+ companies hold your medical history
Data retention            Critical     Health data from abandoned quotes retained
Call recording privacy    High         Verbal health disclosures recorded
Partner data control      Critical     No control over 50+ insurers' data practices

The Insurance Data Broadcast Problem

PolicyBazaar’s model creates a unique data proliferation issue:

User health data → PolicyBazaar → 50 insurance partners simultaneously
                                   ├─ Insurer A (selected): retains
                                   ├─ Insurer B (not selected): also retains?
                                   ├─ Insurer C (declined user): retains decline reason?
                                   └─ ... 47 more insurers with your health data

Under DPDP, each insurer becomes a separate data fiduciary with your health conditions, requiring separate purpose limitation, retention, and deletion compliance.

Recommendations

  1. Implement tiered data sharing: share summary data first, and release the full health questionnaire only to insurers the user selects
  2. Create partner deletion cascading: when a user requests deletion, propagate it to every insurer that received the quote data, and record each partner's acknowledgement so the deletion can be evidenced
  3. Define quote data retention, for example: "abandoned quotes: delete from all partners within 90 days; purchased policies: retain per IRDAI; call recordings: 1 year"
  4. Add partner transparency: show users exactly which insurers received their health data and which still hold it
  5. Build selective sharing: let users choose which insurers receive their data rather than broadcasting to all of them
  6. Implement call recording consent: obtain separate consent before recording health-related conversations
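The four-step broadcast flow described earlier and recommendations 1 to 5 above together describe a data-flow design, not a policy paragraph. The following Python sketch is an added example written for this page; it is not PolicyBazaar's code and does not describe how its platform actually works. It assumes a hypothetical field split (a summary tier sufficient for an indicative premium, and a full tier holding the health questionnaire), a per-quote ledger recording which partner received which fields, deletion tickets that a partner must acknowledge before the ledger stops counting it as a holder, and the 90-day abandoned-quote window quoted in recommendation 3. The partner names (InsurerA, InsurerB, InsurerC) and the sample answers are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Assumed field split (not PolicyBazaar's): what an indicative premium needs,
# versus the full questionnaire that only a user-chosen insurer should receive.
SUMMARY_FIELDS = {"age", "sum_insured", "smoker", "has_pre_existing"}
FULL_FIELDS = SUMMARY_FIELDS | {"conditions", "surgeries", "family_history", "income", "occupation"}
ABANDONED_QUOTE_RETENTION = timedelta(days=90)  # window taken from recommendation 3

@dataclass
class ShareRecord:
    """One disclosure to one partner; it counts as held until the partner confirms deletion."""
    partner: str
    tier: str  # "summary" or "full"
    fields: Set[str]
    shared_at: datetime
    deletion_requested_at: Optional[datetime] = None
    deletion_confirmed_at: Optional[datetime] = None

@dataclass
class Quote:
    quote_id: str
    answers: Dict[str, object]
    created_at: datetime
    consented_partners: Set[str]  # chosen by the user before anything is sent
    purchased_from: Optional[str] = None
    ledger: List[ShareRecord] = field(default_factory=list)

def request_quotes(q: Quote, now: datetime) -> Dict[str, Dict[str, object]]:
    """Tier 1: summary fields only, and only to the partners the user selected."""
    out = {}
    for p in sorted(q.consented_partners):
        payload = {k: v for k, v in q.answers.items() if k in SUMMARY_FIELDS}
        q.ledger.append(ShareRecord(p, "summary", set(payload), now))
        out[p] = payload
    return out

def release_full(q: Quote, partner: str, now: datetime) -> Dict[str, object]:
    """Tier 2: the full questionnaire, to one insurer the user chose to proceed with."""
    if partner not in q.consented_partners:
        raise PermissionError(f"{partner} was never consented for quote {q.quote_id}")
    payload = {k: v for k, v in q.answers.items() if k in FULL_FIELDS}
    q.ledger.append(ShareRecord(partner, "full", set(payload), now))
    return payload

def holdings(q: Quote) -> Dict[str, Set[str]]:
    """Transparency view: which partner still holds which fields."""
    held: Dict[str, Set[str]] = {}
    for r in q.ledger:
        if r.deletion_confirmed_at is None:
            held.setdefault(r.partner, set()).update(r.fields)
    return held

def cascade_delete(q: Quote, now: datetime, keep: Set[str] = frozenset()) -> List[str]:
    """Open a deletion ticket with every partner still holding data, except those in keep."""
    tickets = []
    for r in q.ledger:
        if r.deletion_confirmed_at is None and r.deletion_requested_at is None and r.partner not in keep:
            r.deletion_requested_at = now
            tickets.append(f"DEL:{q.quote_id}:{r.partner}:{r.tier}")
    return tickets

def confirm_deletion(q: Quote, partner: str, now: datetime) -> None:
    """Partner acknowledges the ticket; only then does it leave the holdings view."""
    for r in q.ledger:
        if r.partner == partner and r.deletion_requested_at is not None:
            r.deletion_confirmed_at = now

def enforce_retention(q: Quote, now: datetime) -> List[str]:
    """Purchased: only the issuing insurer keeps data. Abandoned: everyone deletes after the window."""
    if q.purchased_from is not None:
        return cascade_delete(q, now, keep={q.purchased_from})
    if now - q.created_at >= ABANDONED_QUOTE_RETENTION:
        return cascade_delete(q, now)
    return []

def run_demo() -> dict:
    """Constructed walk-through on sample data: one purchased quote, one abandoned quote."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    answers = {"age": 41, "sum_insured": 1_000_000, "smoker": False, "has_pre_existing": True,
               "conditions": ["type 2 diabetes"], "surgeries": [], "family_history": ["cardiac"],
               "income": 1_800_000, "occupation": "software engineer"}
    bought = Quote("q1", answers, t0, consented_partners={"InsurerA", "InsurerB"})
    summary = request_quotes(bought, t0)
    full = release_full(bought, "InsurerA", t0 + timedelta(hours=1))
    try:  # InsurerC was never consented, so the full questionnaire must not reach it
        release_full(bought, "InsurerC", t0)
        denied = False
    except PermissionError:
        denied = True
    bought.purchased_from = "InsurerA"
    purchase_tickets = enforce_retention(bought, t0 + timedelta(days=1))
    confirm_deletion(bought, "InsurerB", t0 + timedelta(days=2))
    abandoned = Quote("q2", answers, t0, consented_partners={"InsurerB", "InsurerC"})
    request_quotes(abandoned, t0)
    early = enforce_retention(abandoned, t0 + timedelta(days=30))
    expired = enforce_retention(abandoned, t0 + timedelta(days=90))
    return {"summary": summary, "full": full, "denied": denied, "purchase_tickets": purchase_tickets,
            "bought_holdings": holdings(bought), "early": early, "expired": expired}
```

The point to take from the ledger is that a deletion request is not complete when it is sent: holdings() keeps reporting a partner until confirm_deletion() records its acknowledgement, and that acknowledgement is the evidence you would show if questioned. enforce_retention() is deliberately the only path that deletes on a timer, so a purchased policy ends with exactly one holder and an abandoned quote ends with none.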
