Fintech

Razorpay

Ready Score 58/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 9 Feb 2026

Razorpay's privacy policy covers standard bases but lacks specific DPDP Act 2023 alignment. Key gaps include vague data retention timelines and missing references to the Data Protection Board grievance mechanism.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference
  • Data retention period vague ('as long as necessary')
  • No mention of Data Protection Board grievance mechanism
  • Cross-border transfer provisions unclear

✅ Strengths

  • Comprehensive cookie policy
  • Clear data collection categories
  • Contact details for privacy officer provided

Overview

Razorpay is one of India's leading fintech companies, processing billions in transactions annually. Because it operates as a payment gateway handling sensitive financial and identity data, DPDP compliance is critical for it.

DPDP Readiness Assessment

Razorpay provides a standard privacy notice, but it does not specifically reference the DPDP Act 2023 or use the terminology defined in the Act (e.g., "Data Principal," "Data Fiduciary"). The notice should be updated to clearly state the personal data collected and the purpose of each processing activity, as Section 5 requires of the notice that accompanies a request for consent.

Section 4: Lawful Purpose 🔴

While Razorpay lists purposes for data collection, the mapping of each purpose to a "lawful purpose" under Section 4 (consent, or one of the legitimate uses in Section 7) is incomplete. Payment processing can plausibly rest on the "certain legitimate uses" ground in Section 7, but marketing data processing lacks an explicit consent mechanism that meets the Section 6 requirements (free, specific, informed, unconditional and unambiguous consent given by a clear affirmative action).

The policy mentions the ability to opt out of marketing communications, but does not provide a clear, easily accessible mechanism for withdrawing consent for all processing activities. Under Section 6(4), withdrawing consent must be as easy as giving it.

Section 8(5): Data Security ✅

Razorpay demonstrates strong technical safeguards including encryption, PCI DSS compliance, and regular security audits. This aligns well with the Section 8(5) requirement for reasonable security safeguards to prevent personal data breaches. One caveat: PCI DSS scopes only cardholder data, whereas the DPDP obligation covers all personal data the fiduciary processes (KYC documents, contact details, device data), so the policy should make clear that the same safeguards extend to those categories.

Sections 11 to 14: Data Principal Rights ⚠️

The policy acknowledges some data subject rights but does not comprehensively address the rights granted under Sections 11 to 14 of the DPDP Act: the right to access information about the personal data processed and the third parties it has been shared with (Section 11), the right to correction and erasure (Section 12), the right of grievance redressal (Section 13), and the right to nominate another person to exercise these rights (Section 14).

Section 16: Cross-Border Transfer 🔴

The policy mentions data may be transferred internationally but does not say which countries are involved. Note that the Act does not maintain an approved list: Section 16 instead allows the Central Government to restrict transfers to countries it notifies, so the policy should name the destination countries and the fiduciary should confirm that none of them fall under such a notification. This is a significant compliance gap.

Recommendations

  1. Update privacy policy to explicitly reference DPDP Act 2023
  2. Define clear data retention periods with specific timelines
  3. Describe the internal grievance redressal process and the escalation path to the Data Protection Board (Section 13)
  4. Map cross-border transfers to named destination countries and check them against any Section 16 notifications
  5. Implement DPDP-compliant consent withdrawal mechanism
  6. Add Data Principal rights portal for Section 11 compliance

Risk Assessment

Risk Category | Level | Impact
Regulatory fine risk | Medium | Up to ₹250 Cr per instance under the DPDP Act Schedule
Customer trust impact | Low | Strong existing security posture
Operational readiness | Medium | Needs policy and process updates

This analysis is for informational purposes based on publicly available privacy policies. For a comprehensive compliance assessment, book a free consultation.
