Archived analysis

This page is old. Razorpay was reviewed on 2026-02-09.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Fintech

Razorpay

Ready Score 58/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 9 Feb 2026

Razorpay's privacy policy covers standard bases but lacks specific DPDP Act 2023 alignment. Key gaps include vague data retention timelines and missing references to the Data Protection Board grievance mechanism.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-02-09
  • Company: Razorpay
  • Readiness score: 58/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference
  • Data retention period vague ('as long as necessary')
  • No mention of Data Protection Board grievance mechanism
  • Cross-border transfer provisions unclear

✅ Strengths

  • Comprehensive cookie policy
  • Clear data collection categories
  • Contact details for privacy officer provided

Overview

Razorpay is one of India’s leading fintech companies, processing billions in transactions annually. As a payment gateway handling sensitive financial data, DPDP compliance is critical.

DPDP Readiness Assessment

Razorpay provides a standard privacy notice, but it does not specifically reference the DPDP Act 2023 or use the terminology defined in the Act (e.g., “Data Principal,” “Data Fiduciary”). The notice should be updated to clearly state the purpose of data processing as required under Section 4.

Section 5: Lawful Purpose 🔴

While Razorpay lists purposes for data collection, the mapping to “lawful purpose” as defined under DPDP is incomplete. Payment processing data is covered under “legitimate use,” but marketing data processing lacks explicit consent mechanisms compliant with DPDP Section 6.

The policy mentions the ability to opt out of marketing communications, but does not provide a clear, easily accessible mechanism for withdrawing consent for all processing activities. Under DPDP, withdrawal must be as easy as giving consent.

Section 8: Data Security ✅

Razorpay demonstrates strong technical safeguards including encryption, PCI DSS compliance, and regular security audits. This aligns well with Section 8 requirements for reasonable security safeguards.

Section 11: Data Principal Rights ⚠️

The policy acknowledges some data subject rights but does not comprehensively address all rights under Section 11 of the DPDP Act, including the right to correction, the right to nominate, and access to information about data sharing with third parties.

Section 17: Cross-Border Transfer 🔴

The policy mentions data may be transferred internationally but lacks specificity on which countries and whether those jurisdictions are on the approved list under Section 17. This is a significant compliance gap.

Recommendations

  1. Update privacy policy to explicitly reference DPDP Act 2023
  2. Define clear data retention periods with specific timelines
  3. Add Data Protection Board as a grievance mechanism
  4. Map cross-border transfers to approved jurisdictions
  5. Implement DPDP-compliant consent withdrawal mechanism
  6. Add Data Principal rights portal for Section 11 compliance

Risk Assessment

Risk Category | Level | Impact
Regulatory fine risk | Medium | Up to ₹250 Cr under DPDP
Customer trust impact | Low | Strong existing security posture
Operational readiness | Medium | Needs policy + process updates
