Zomato

Overview

Zomato has expanded far beyond restaurant discovery. The ecosystem now includes: Zomato food delivery, Blinkit quick commerce (groceries, medicine, daily essentials), dining out reservations, and Hyperpure B2B supplies. Each touchpoint adds to a comprehensive consumer profile — what you eat, what groceries you buy, what medicines you order, and where you live and work.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent & Notice ⚠️

Zomato’s consent covers the entire ecosystem under one policy. A user who signs up for food delivery automatically consents to data processing across:

• Restaurant ordering and delivery
• Blinkit grocery/medicine ordering
• Location tracking
• Review and rating profiles
• Advertising and personalization

DPDP concern: The Blinkit integration significantly expands the data scope. Medicine orders reveal health conditions. Grocery patterns reveal household composition. A single consent for this expanded scope doesn’t meet DPDP’s purpose-specific standard.

Section 7 — Certain Legitimate Uses ⚠️

Zomato’s broad ecosystem means “legitimate use” claims extend across:

• Core delivery service (legitimate)
• Blinkit grocery recommendations (stretch)
• Cross-platform profiling — food + grocery + medicine patterns (overreach)
• Advertising across the ecosystem (requires separate consent)

Section 8 — Obligations of Data Fiduciary ⚠️

Security is better documented than competitors, with references to ISO certifications and encryption. However:

• Blinkit medicine order data requires enhanced handling
• Delivery partner access to customer data across both Zomato and Blinkit creates expanded exposure
• Restaurant partner access to customer data varies by partnership level

Section 9 — Data Retention ⚠️

Better than most competitors — some retention mentions exist. But:

• Medicine orders on Blinkit: Health data with no specific retention boundary
• Restaurant review history: Potentially indefinite even if user wants to forget a review
• Location patterns: Daily delivery addresses paint a detailed movement map

Section 11 — Rights of Data Principal ⚠️

More accessible than many platforms — account deletion is available. However:

• Reviews written under pseudonyms are still linked to real accounts — can they be fully anonymized on deletion?
• Blinkit purchase history (especially medicines) — is it truly purged?
• No mechanism to delete data from one service (Blinkit) while keeping another (Zomato food)
• No nomination rights

Section 12 — Right of Grievance Redressal ⚠️

Grievance officer details published. No Data Protection Board escalation. The multi-platform nature means a user may not know which entity to complain to.

Section 16 — Cross-Border Data Transfer ⚠️

As a publicly listed company with global investors and technology partners, data may flow internationally. Cloud infrastructure locations not specified.

Risk Assessment

The Ecosystem Data Challenge

Zomato’s multi-platform ecosystem creates a compound privacy profile:

A single user’s data across these platforms creates one of the most detailed consumer profiles in Indian digital commerce — and it’s all covered by one privacy policy.

Recommendations

1. Separate Blinkit and Zomato consent — Especially for medicine orders, which reveal health information
2. Implement health data protections for Blinkit — Medicine orders need enhanced consent, retention limits, and access controls
3. Create per-platform data controls — Let users manage privacy settings for Zomato and Blinkit independently
4. Define cross-platform profiling rules — Disclose if/how food + grocery + medicine data is combined for profiling
5. Add retention schedules by data sensitivity — “Medicine orders: 1 year; food orders: 2 years; location data: 48 hours; reviews: until user deletion”
6. Deploy DPDP compliance framework — Reference the Act and map each platform’s data processing to specific provisions