Overview
Zomato has expanded far beyond restaurant discovery. The ecosystem now includes: Zomato food delivery, Blinkit quick commerce (groceries, medicine, daily essentials), dining out reservations, and Hyperpure B2B supplies. Each touchpoint adds to a comprehensive consumer profile — what you eat, what groceries you buy, what medicines you order, and where you live and work.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ⚠️
Zomato’s consent covers the entire ecosystem under one policy. A user who signs up for food delivery automatically consents to data processing across:
- Restaurant ordering and delivery
- Blinkit grocery/medicine ordering
- Location tracking
- Review and rating profiles
- Advertising and personalization
DPDP concern: The Blinkit integration significantly expands the data scope. Medicine orders reveal health conditions. Grocery patterns reveal household composition. A single consent for this expanded scope doesn’t meet DPDP’s purpose-specific standard.
Section 7 — Certain Legitimate Uses ⚠️
Zomato’s broad ecosystem means “legitimate use” claims extend across:
- Core delivery service (legitimate)
- Blinkit grocery recommendations (stretch)
- Cross-platform profiling — food + grocery + medicine patterns (overreach)
- Advertising across the ecosystem (requires separate consent)
Section 8 — Obligations of Data Fiduciary ⚠️
Security is better documented than at competitors, with references to ISO certifications and encryption. However:
- Blinkit medicine order data requires enhanced handling
- Delivery partner access to customer data across both Zomato and Blinkit creates expanded exposure
- Restaurant partner access to customer data varies by partnership level
Section 9 — Data Retention ⚠️
Better than most competitors — some retention mentions exist. But:
- Medicine orders on Blinkit: Health data with no specific retention boundary
- Restaurant review history: Potentially indefinite even if user wants to forget a review
- Location patterns: Daily delivery addresses paint a detailed movement map
Section 11 — Rights of Data Principal ⚠️
More accessible than many platforms — account deletion is available. However:
- Reviews written under pseudonyms are still linked to real accounts — can they be fully anonymized on deletion?
- Blinkit purchase history (especially medicines) — is it truly purged?
- No mechanism to delete data from one service (Blinkit) while keeping another (Zomato food)
- No nomination rights
Section 12 — Right of Grievance Redressal ⚠️
Grievance officer details are published, but there is no Data Protection Board escalation. The multi-platform nature means a user may not know which entity to complain to.
Section 16 — Cross-Border Data Transfer ⚠️
As a publicly listed company with global investors and technology partners, data may flow internationally. Cloud infrastructure locations are not specified.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per entity (Zomato + Blinkit?) |
| Medicine/health data | Critical | Blinkit medicine orders = health information |
| Cross-platform profiling | High | Food + grocery + medicine = comprehensive profile |
| Location data | High | Multi-platform location tracking |
| Data retention | Medium | Better documented but still insufficient |
The Ecosystem Data Challenge
Zomato’s multi-platform ecosystem creates a compound privacy profile:
| Platform | Data Collected | Inference Risk |
|---|---|---|
| Zomato Food | Restaurant preferences, order frequency | Dietary patterns, lifestyle |
| Blinkit Grocery | Weekly groceries, household products | Family size, income level |
| Blinkit Medicine | OTC purchases, health products | Health conditions |
| Dining Out | Restaurant visits, table bookings | Social patterns, spending |
| Reviews | Written opinions, ratings | Personal preferences |
A single user’s data across these platforms creates one of the most detailed consumer profiles in Indian digital commerce — and it’s all covered by one privacy policy.
Recommendations
- Separate Blinkit and Zomato consent — Especially for medicine orders, which reveal health information
- Implement health data protections for Blinkit — Medicine orders need enhanced consent, retention limits, and access controls
- Create per-platform data controls — Let users manage privacy settings for Zomato and Blinkit independently
- Define cross-platform profiling rules — Disclose if/how food + grocery + medicine data is combined for profiling
- Add retention schedules by data sensitivity — “Medicine orders: 1 year; food orders: 2 years; location data: 48 hours; reviews: until user deletion”
- Deploy DPDP compliance framework — Reference the Act and map each platform’s data processing to specific provisions
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.