DPDP Compliance for Fintech Companies
India's fintech sector processes billions in transactions daily.
Apply this to your own Fintech company. Where does personal data enter? Where does it sit? Who else touches it?
Fintech DPDP Self-Check
Start here to understand why DPDP is relevant to Fintech. Before any other task, first understand how personal data moves through the business.
What is Fintech?
In this context, FinTech means lending apps, payments, investing, banking, KYC, insurance, wealth, collections and customer-support workflows that collect or use financial, identity, transaction and contact data.
Children's data
- Do you collect date of birth or age, parent or guardian details, or offer accounts, cards or wallets for minors?
- Can you separate child, parent and guardian data?
- Do you know which users are under 18?
Consent
- Can you prove where consent came from?
- Is consent collected before data is used for the stated purpose?
- Can consent be withdrawn without breaking the entire account flow?
Tracking and profiling
- Do you track usage, performance, attention, behavior or drop-offs?
- Is any of this used for ads, recommendations or nudges?
- Are analytics tools collecting user identifiers?
Vendors and SDKs
- Which CRMs, email tools, payment tools, analytics tools and support tools receive personal data?
- Do contracts say they process data only on your instructions?
- Can you delete or export data from each vendor?
Retention
- What happens when the service ends?
- What happens when a user leaves?
- What data is kept for certificates, invoices, disputes or regulatory records?
First action
- Map one user journey from sign-up to completion.
- Mark where data is collected, stored, shared, used for communication and deleted.
If this self-check exposed more than three unclear answers, the next useful step is a DPDP data journey map.
Fintech Company Analyses
IndusInd Bank
IndusInd Bank's official privacy policy URL leads to a 'page not found' error, making it impossible to assess their DPDP Act 2023 readiness. This fundamental lack of an accessible privacy policy is a severe compliance gap, preventing customers from understanding how their sensitive financial data is collected, processed, and protected.
Groww
Groww's provided privacy policy text is incredibly sparse, acting more as a placeholder than a comprehensive statement. For a major fintech player handling sensitive financial data, this complete lack of detail regarding consent, data principal rights, security, and retention under the DPDP Act 2023 presents extreme regulatory and reputational risk.
Bank of Baroda
Bank of Baroda's privacy policy is a generic, pre-DPDP document lacking specific compliance with the new Act. Its reliance on implied consent, vague security, and complete silence on critical user rights and data retention creates substantial regulatory risk for India's third-largest public sector bank.
Kotak Mahindra Bank
Kotak Mahindra Bank's privacy policy is geared towards traditional legal frameworks, not India's new DPDP Act, 2023. With vast amounts of sensitive financial data, the policy critically lacks DPDP-mandated granular consent, specific data retention timelines, and explicit data principal rights, creating significant regulatory risks.
Axis Bank
Axis Bank's privacy policy, while detailing data types, largely pre-dates DPDP Act 2023 requirements. Major shortcomings include a lack of specific data retention periods, absence of explicit Data Principal rights, and reliance on bundled consent. These gaps create substantial regulatory exposure for one of India's largest banks.
Federal Bank
Federal Bank's privacy policy is comprehensive on data collection and security but lacks critical alignment with the DPDP Act 2023. Key gaps include non-specific consent, undefined data retention, and absence of explicit Data Principal rights, leaving significant regulatory exposure for customer financial data.
Indian Bank
Indian Bank's 'IB Merchant App' privacy policy is foundational but largely fails DPDP Act 2023 requirements. Its lack of explicit DPDP alignment, especially around granular consent, data retention, and Data Principal rights, poses significant risks for merchant data.
IDBI Bank
IDBI Bank operates on a legacy privacy framework that prioritizes bank secrecy over modern data principal rights. While its security measures are robust, the lack of granular consent and the absence of clear deletion timelines create significant compliance gaps under the new DPDP Act.
PhonePe
PhonePe's privacy policy is extensive and handles vast financial data, but lacks explicit reference to the DPDP Act, 2023. Significant updates are needed, particularly concerning granular consent, clear data retention timelines, and proper escalation paths to the Data Protection Board, to ensure full compliance with the new privacy regime.
HDFC Bank
HDFC Bank's privacy policy is detailed regarding data collection and security standards, notably its ISO/IEC 27001:2013 certification. However, it currently lacks explicit alignment with the Digital Personal Data Protection Act 2023. Key areas requiring immediate attention for DPDP compliance include a more granular and 'freely given' consent mechanism, specific data retention periods, comprehensive detailing of all Data Principal rights (including nomination), clear grievance escalation to the Data Protection Board, and transparent cross-border data transfer policies. As a major financial institution handling sensitive personal data, updating its policy to explicitly reflect DPDP requirements is crucial to mitigate regulatory and reputational risks.
ICICI Bank
ICICI Bank's Privacy Commitment is detailed but significantly lags in explicit alignment with the Digital Personal Data Protection Act 2023. While it outlines general data protection principles and security measures, the absence of specific DPDP Act references, bundled consent, vague data retention periods, and lack of DPDP-specific data principal rights and grievance mechanisms pose considerable regulatory compliance risks. Given its position as a major financial institution in India, a comprehensive update to reflect DPDP Act 2023 requirements, particularly around granular consent and data principal empowerment, is critical.
Fi Money
Fi Money offers a slick user experience, but its privacy framework remains stuck in the pre-DPDP era. While bank-grade security is a plus, the lack of specific consent controls and the current inaccessibility of policy pages create significant legal risks under the new Act.
Upstox
Upstox, handling investment data for 1Cr+ users, scores 50/100 on DPDP readiness. Like Zerodha and Groww, SEBI compliance provides a baseline, but DPDP adds consent granularity and data rights requirements beyond what securities regulation demands. API trading users create additional data governance challenges.
BharatPe
BharatPe's policy is built on the old 'I Agree' checkbox model which doesn't fly under India's new law. While they score well on keeping data in India, their consent process is too broad and lacks the control users are now legally entitled to.
Paytm
Paytm's privacy policy is extensive but rooted in IT Act 2000 compliance rather than DPDP Act 2023. With 350M+ users' financial data at stake, the absence of explicit DPDP alignment — particularly around consent granularity, data principal rights, and Data Protection Board mechanisms — creates significant regulatory exposure.
Jupiter
Jupiter has a clean, readable policy but it still feels like it was written for the old laws. While they are transparent about what they take, they lack the specific 'delete-on-request' and 'granular consent' rules that the new Indian law demands.
Razorpay
Razorpay's privacy policy covers standard bases but lacks specific DPDP Act 2023 alignment. Key gaps include vague data retention timelines and missing references to the Data Protection Board grievance mechanism.
Canara Bank
Canara Bank's privacy policies for its website and mobile application are generally comprehensive regarding data collection and security under existing legal frameworks. However, they currently lack explicit alignment with the Digital Personal Data Protection Act 2023. Significant updates are needed, particularly around obtaining granular and freely given consent, detailing specific data retention periods, outlining the Data Protection Board as a grievance escalation channel, and addressing the full spectrum of Data Principal rights, including nomination. While the policies demonstrate a commitment to customer privacy, their current wording and framework may pose compliance challenges as the DPDP Act's provisions become fully enforceable.
Bajaj Finserv
Bajaj Finserv shows strong technical security but fails on the DPDP Act’s requirement for 'unbundled' consent. While their retention transparency is better than most, their control over your data remains heavily weighted in favor of the company rather than the individual.
CRED
CRED's privacy policy strongly emphasizes user consent and robust security, including RBI data localization for payment data. However, it requires clearer DPDP alignment regarding truly 'freely given' consent, specific data retention timelines, comprehensive Data Principal rights, and the Data Protection Board as a grievance escalation channel.
Angel One
Angel One is ahead of the curve by explicitly referencing the DPDP Act 2023, but still struggles with 'bundled consent' where using the app implies you agree to everything. While their security is bank-grade, they need to give users more granular control over marketing and nomination rights.
Frequently asked questions
Does DPDP override RBI guidelines on data storage?
No, DPDP works alongside sector-specific laws. If the RBI requires you to store transaction data for a set period, that legal obligation takes precedence over a user's request to delete that specific data. The precedence is narrow, though: it covers only the records and the period the obligation names, and once that period lapses the data must be erased like anything else, so the retention rule and its source should be recorded against each data category rather than used as a blanket reason to keep everything.
Can we still use "check all" boxes for terms and conditions?
No. DPDP requires consent to be free, specific, informed, unconditional and unambiguous, and limited to the stated purpose, so each processing activity needs its own clear choice. Consent for "processing for a loan" cannot be bundled with consent for "sharing data with affiliate partners for cross-selling," and withdrawing the second must not revoke the first.
How does DPDP affect our use of Account Aggregators?
While Account Aggregators manage the technical transfer of data, you remain the Data Fiduciary responsible for how you use it. You must ensure the data pulled via an aggregator is used only for the specific purpose stated in your consent request, and not repurposed for cross-selling or profiling without a separate consent.
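Two of the controls this page keeps returning to (per-purpose consent that can be proven and withdrawn one purpose at a time, and erasure that honours a sector retention obligation only for the category and period it actually covers) are easier to reason about as code. The following is an added example written for this page; it is not code from any company analysed above and not an official DPDP or RBI artefact. The purpose names, notice versions, the consent "source" strings, the five-year period and the "legal basis" text are constructed placeholders, not real regulatory values.

```python
"""Purpose-scoped consent ledger plus retention-aware erasure (illustrative, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Each processing purpose gets its own consent record; consenting to one never implies another.
# Purpose names below are placeholders chosen for this example.
PURPOSES = {"loan_processing", "affiliate_cross_sell", "marketing_comms", "product_analytics"}


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    source: str            # where consent came from, e.g. "android_app_4.1/loan_consent_screen"
    notice_version: str    # the notice text shown at that moment, so the consent can be evidenced later
    withdrawn_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.granted_at <= now and (self.withdrawn_at is None or self.withdrawn_at > now)


class ConsentLedger:
    """Append-only, per-purpose consent records keyed by user; withdrawal marks, never deletes."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def grant(self, user: str, purpose: str, source: str, notice_version: str, now: datetime) -> ConsentRecord:
        if purpose not in PURPOSES:  # refuse "I agree to everything" style records
            raise ValueError(f"unknown purpose: {purpose}")
        rec = ConsentRecord(purpose, now, source, notice_version)
        self._records.setdefault(user, []).append(rec)
        return rec

    def has_consent(self, user: str, purpose: str, now: datetime) -> bool:
        return any(r.purpose == purpose and r.active(now) for r in self._records.get(user, []))

    def withdraw(self, user: str, purpose: str, now: datetime) -> int:
        """Withdraw one purpose only; other purposes and the account itself are untouched."""
        count = 0
        for r in self._records.get(user, []):
            if r.purpose == purpose and r.active(now):
                r.withdrawn_at = now
                count += 1
        return count

    def provenance(self, user: str, purpose: str) -> List[Tuple[str, str, datetime]]:
        """Evidence trail answering 'where did this consent come from?'."""
        return [(r.source, r.notice_version, r.granted_at)
                for r in self._records.get(user, []) if r.purpose == purpose]


@dataclass
class RetentionRule:
    category: str
    legal_basis: str       # the sector obligation that forces retention, recorded per category
    retain_for: timedelta  # counted from the record's creation


@dataclass
class DataRecord:
    category: str
    created_at: datetime
    erased: bool = False


def handle_erasure_request(records: List[DataRecord], rules: Dict[str, RetentionRule],
                           now: datetime) -> Dict[str, list]:
    """Erase everything not under a legal hold; for what is kept, say why and until when."""
    erased, retained = [], []
    for rec in records:
        rule = rules.get(rec.category)
        if rule is not None and now < rec.created_at + rule.retain_for:
            retained.append((rec.category, rule.legal_basis, rec.created_at + rule.retain_for))
        else:  # no obligation, or the obligation has already lapsed
            rec.erased = True
            erased.append(rec.category)
    return {"erased": erased, "retained": retained}


def demo() -> dict:
    """Walk one user through grant, single-purpose withdrawal and an erasure request (constructed data)."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("u1", "loan_processing", "android_app_4.1/loan_consent_screen", "notice-2024-09", now)
    ledger.grant("u1", "affiliate_cross_sell", "android_app_4.1/offers_toggle", "notice-2024-09", now)
    withdrawn = ledger.withdraw("u1", "affiliate_cross_sell", now + timedelta(days=1))
    later = now + timedelta(days=2)
    # Placeholder retention rule: five years is an example figure, not a cited RBI period.
    rules = {"transaction_log": RetentionRule("transaction_log", "placeholder sector retention rule",
                                              timedelta(days=365 * 5))}
    data = [DataRecord("transaction_log", now - timedelta(days=30)),
            DataRecord("marketing_profile", now - timedelta(days=30)),
            DataRecord("transaction_log", now - timedelta(days=365 * 6))]
    return {
        "withdrawn": withdrawn,
        "loan_ok": ledger.has_consent("u1", "loan_processing", later),
        "affiliate_ok": ledger.has_consent("u1", "affiliate_cross_sell", later),
        "marketing_ok": ledger.has_consent("u1", "marketing_comms", later),
        "loan_source": ledger.provenance("u1", "loan_processing")[0][0],
        "erasure": handle_erasure_request(data, rules, now),
    }


if __name__ == "__main__":
    print(demo())
```

The points worth copying are structural rather than the placeholder values: a consent record names exactly one purpose and carries its own provenance, withdrawal touches only that purpose, and the erasure path consults a per-category rule with a named legal basis and an expiry, so "the regulator makes us keep it" is a checkable claim about specific records instead of a reason to keep the whole profile.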