InsurTech

PolicyBazaar

Ready Score 46/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 20 Feb 2026

PolicyBazaar collects detailed health questionnaires, income declarations, and family histories — then shares this with 50+ insurance partners simultaneously. At 46/100, the broadcast-style data sharing model where your health conditions are sent to dozens of insurers creates a DPDP consent nightmare.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Health questionnaire data shared with multiple insurance partners
  • Pre-existing condition declarations retained indefinitely
  • Call recordings of health disclosures stored without clear retention
  • No data retention timelines for insurance quote data
  • Data Protection Board not referenced
  • Third-party insurer data sharing terms too broad

✅ Strengths

  • IRDAI compliance for insurance data handling
  • Security measures including encryption
  • Grievance officer designated
  • Insurance-specific data categories documented

Overview

PolicyBazaar is India’s largest insurance aggregator. When users seek insurance quotes, they submit health conditions, pre-existing diseases, family medical history, income details, age, smoking/drinking habits, and occupation. This data is simultaneously shared with dozens of insurance companies for quote comparison — creating a broadcast-style data dissemination model.

DPDP Readiness: Section-by-Section Analysis

The fundamental model is problematic:

  1. User fills a health questionnaire (diabetes, heart conditions, surgeries, etc.)
  2. PolicyBazaar sends this to 20-50 insurance partners simultaneously
  3. Each partner now has the user’s complete health profile
  4. The user may only buy from one — the other 49 still have the data

DPDP concern: Broadcasting health conditions to dozens of companies under a single consent is the opposite of purpose-specific, minimal data processing.

Section 7 — Certain Legitimate Uses 🔴

Insurance comparison requires sharing data with insurers. However:

  • Should all insurers get the full health questionnaire, or only summary data?
  • Post-purchase, should non-selected insurers retain the health data?
  • Is the health data used for future re-marketing by the insurers the user did not select?

Section 8 — Obligations of Data Fiduciary ⚠️

IRDAI compliance provides some framework. But:

  • PolicyBazaar can’t control security practices of all 50+ insurance partners
  • Health data flowing to so many parties multiplies breach risk
  • Call recordings containing health disclosures need enhanced protection

Section 9 — Data Retention 🔴

Critical concerns:

  • Insurance quotes never purchased: Health data submitted for comparison but never converted — retained how long?
  • Call recordings: Agents discuss health conditions on recorded calls — retention undefined
  • Declined applications: If an insurer declines based on health conditions, do both PolicyBazaar and the insurer retain the health data?

Section 11 — Rights of Data Principal 🔴

  • Can users request deletion from all 50+ partners who received their health data?
  • No mechanism to limit which insurers receive data before sharing
  • No transparency on which insurers currently hold your health profile
  • No nomination rights
  • No data portability for insurance comparison data

Section 12 — Right of Grievance Redressal ⚠️

An IRDAI complaint mechanism exists. There is no pathway to the Data Protection Board (DPB).

Section 16 — Cross-Border Data Transfer ⚠️

Some insurance partners may be global companies (Allianz, AXA, etc.) that process data outside India.

Risk Assessment

Category                Risk Level   Potential Impact
Regulatory fine         Critical     Health data broadcast = mass non-compliance
Health data sharing     Critical     50+ companies have your medical history
Data retention          Critical     Health data from abandoned quotes retained
Call recording privacy  High         Verbal health disclosures recorded
Partner data control    Critical     Can’t control 50+ insurers’ data practices

The Insurance Data Broadcast Problem

PolicyBazaar’s model creates a unique data proliferation issue:

User health data → PolicyBazaar → 50 insurance partners simultaneously
                                   ├─ Insurer A (selected) — retains
                                   ├─ Insurer B (not selected) — also retains?
                                   ├─ Insurer C (declined user) — retains decline reason?
                                   └─ ... 47 more insurers with your health data

Under DPDP, each insurer becomes a separate data fiduciary with your health conditions, requiring separate purpose limitation, retention, and deletion compliance.

Recommendations

  1. Implement tiered data sharing — Share summary data first; only share full health questionnaire with insurers selected by the user
  2. Create partner deletion cascading — When a user requests deletion, it must propagate to all insurers who received the quote data
  3. Define quote data retention — “Abandoned quotes: delete from all partners within 90 days; purchased policies: retain per IRDAI; call recordings: 1 year”
  4. Add partner transparency — Show users exactly which insurers received their health data
  5. Build selective sharing — Let users choose which insurers receive their data rather than broadcasting
  6. Implement call recording consent — Separate consent for recording health-related conversations
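The following is an added example, not PolicyBazaar's code, showing how recommendations 1 through 5 fit together in a single quote broker: insurers receive only summary fields, and only the insurers the user picked; the full questionnaire goes to the one insurer the user buys from; a purchase or a deletion request cascades deletes to every other partner that received data; an abandoned quote is purged from all partners at 90 days; and the user can see exactly which insurers currently hold anything. The insurer names, the field names in SUMMARY_FIELDS and the applicant record are constructed, and the in-memory partner_store stands in for the partners' sharing and deletion APIs.

```python
# Added example, not PolicyBazaar's code: a quote broker implementing tiered,
# selective sharing with cascading deletion, retention and transparency.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

# Assumption: the minimal fields an insurer needs to price an indicative quote.
SUMMARY_FIELDS = frozenset({"age", "smoker", "sum_assured"})
# From recommendation 3: abandoned quotes are purged from all partners at 90 days.
ABANDONED_QUOTE_TTL = timedelta(days=90)


@dataclass
class Disclosure:
    """One transfer of applicant fields to one insurer, with its lifecycle."""
    insurer: str
    fields: FrozenSet[str]
    shared_at: datetime
    deleted_at: Optional[datetime] = None


@dataclass
class Quote:
    quote_id: str
    applicant: Dict[str, object]  # full questionnaire, held only by the broker
    created_at: datetime
    purchased_from: Optional[str] = None
    disclosures: List[Disclosure] = field(default_factory=list)


class QuoteBroker:
    def __init__(self, insurers):
        self.insurers = set(insurers)
        self.quotes: Dict[str, Quote] = {}
        # Stand-in for the partner APIs: what each insurer currently holds per quote.
        self.partner_store: Dict[str, Dict[str, dict]] = {i: {} for i in insurers}

    def request_quotes(self, quote_id, applicant, chosen_insurers, now):
        """Selective, tiered sharing: summary fields only, to user-chosen insurers only."""
        unknown = set(chosen_insurers) - self.insurers
        if unknown:
            raise ValueError(f"unknown insurers: {sorted(unknown)}")
        if not chosen_insurers:
            raise ValueError("user must choose at least one insurer")
        summary = {k: v for k, v in applicant.items() if k in SUMMARY_FIELDS}
        quote = Quote(quote_id, dict(applicant), now)
        for insurer in chosen_insurers:
            self.partner_store[insurer][quote_id] = dict(summary)
            quote.disclosures.append(Disclosure(insurer, frozenset(summary), now))
        self.quotes[quote_id] = quote
        return quote

    def purchase(self, quote_id, insurer, now):
        """Full questionnaire goes only to the selected insurer; the others are purged."""
        quote = self.quotes[quote_id]
        if insurer not in {d.insurer for d in quote.disclosures if d.deleted_at is None}:
            raise ValueError(f"{insurer} never quoted {quote_id}")
        self.partner_store[insurer][quote_id] = dict(quote.applicant)
        quote.disclosures.append(Disclosure(insurer, frozenset(quote.applicant), now))
        quote.purchased_from = insurer
        for d in quote.disclosures:
            if d.insurer != insurer and d.deleted_at is None:
                self._delete_at_partner(quote, d, now)

    def holders(self, quote_id):
        """Transparency: which insurers currently hold any data from this quote."""
        quote = self.quotes[quote_id]
        return sorted({d.insurer for d in quote.disclosures if d.deleted_at is None})

    def erase(self, quote_id, now):
        """Deletion request: cascades to every partner except the insurer of a bought policy,
        whose retention is governed by IRDAI rules (recommendation 3)."""
        quote = self.quotes[quote_id]
        for d in quote.disclosures:
            if d.deleted_at is None and d.insurer != quote.purchased_from:
                self._delete_at_partner(quote, d, now)
        quote.applicant = {}  # the broker drops its own copy of the questionnaire

    def expire_abandoned(self, now):
        """Retention job: quotes never purchased are purged everywhere once past the TTL."""
        expired = [q.quote_id for q in self.quotes.values()
                   if q.purchased_from is None and now - q.created_at >= ABANDONED_QUOTE_TTL]
        for qid in expired:
            self.erase(qid, now)
        return expired

    def _delete_at_partner(self, quote, disclosure, now):
        # Stands in for the partner's deletion API; the timestamp is the audit evidence.
        self.partner_store[disclosure.insurer].pop(quote.quote_id, None)
        disclosure.deleted_at = now


def run_demo():
    """Constructed walkthrough: quote from two insurers, buy from one, abandon another."""
    t0 = datetime(2026, 2, 20)
    broker = QuoteBroker(["InsurerA", "InsurerB", "InsurerC"])
    applicant = {"age": 42, "smoker": False, "sum_assured": 5_000_000,
                 "diabetes": True, "surgeries": ["appendectomy"]}  # constructed record
    broker.request_quotes("Q1", applicant, ["InsurerA", "InsurerB"], t0)
    after_quote = (broker.holders("Q1"), dict(broker.partner_store["InsurerB"]["Q1"]))
    broker.purchase("Q1", "InsurerA", t0 + timedelta(days=1))
    after_purchase = (broker.holders("Q1"), "diabetes" in broker.partner_store["InsurerA"]["Q1"])
    broker.request_quotes("Q2", applicant, ["InsurerC"], t0)
    expired = broker.expire_abandoned(t0 + ABANDONED_QUOTE_TTL)
    return {"after_quote": after_quote, "after_purchase": after_purchase,
            "expired": expired, "q2_holders": broker.holders("Q2")}
```

The point of keeping a Disclosure record per insurer is that every later obligation (the transparency view, the cascading delete, the retention sweep) is answered from the broker's own ledger rather than by asking 50 partners what they still hold; in a real deployment `_delete_at_partner` would call each partner's deletion endpoint and store its acknowledgement as the audit evidence.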

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.
