
DPDP Compliance for Fintech Companies

India's fintech sector processes billions in transactions daily. Here's how the DPDP Act 2023 impacts payment gateways, lending platforms, and digital wallets, and what compliance looks like.

Summary: 56/100 average score, 7 companies analyzed, 39 gaps found.

Why Fintech Faces Unique DPDP Challenges

India's fintech sector sits at the intersection of financial regulation and data privacy. Companies like Razorpay, Paytm, and PhonePe process millions of transactions daily, each generating a trail of sensitive personal data: PAN numbers, bank account details, spending patterns, and credit histories.

The challenge? Fintech companies already navigate a complex web of RBI, SEBI, and PMLA compliance. The DPDP Act 2023 adds an entirely new layer. Unlike sector-specific regulations, DPDP covers all personal data processing, not just financial data. That marketing email analyzing your spending patterns? That's now under DPDP jurisdiction too.

Most fintech apps bundle consent at onboarding: you accept the terms to use the app, and that covers everything from transaction processing to targeted advertising. Under DPDP Section 6, this bundled approach doesn't fly. Users must be able to consent to payment processing without consenting to spending pattern analysis for cross-sell recommendations.

KYC Data: A Double-Edged Sword

KYC (Know Your Customer) data is collected under RBI/PMLA mandate; that's a legitimate use under DPDP Section 7. But what happens when that KYC data gets used for credit scoring, insurance cross-selling, or partner marketing? That's where the DPDP line gets crossed.

Data Retention Blind Spots

Banking regulations mandate 10-year transaction record retention. But what about:

  • App usage analytics and behavioral data?
  • Marketing interaction logs and campaign engagement?
  • Credit score check histories?
  • Third-party API call logs containing personal data?

These aren't covered by financial regulations but are squarely within DPDP scope. Most fintech privacy policies leave these undefined, a significant compliance gap.

The Cross-Border Challenge

Fintech companies heavily rely on global cloud infrastructure (AWS, GCP, Azure) and international payment networks. Under DPDP Section 16, data can only be transferred to jurisdictions approved by the Central Government. The current approved list is still evolving, creating uncertainty for fintech infrastructure planning.

Fintech Company Analyses

PhonePe (Fintech): 49/100

PhonePe's privacy policy handles 500M+ users' financial data but scores poorly on DPDP alignment. As a Walmart subsidiary, its cross-border data sharing with global affiliates and vague retention policies create significant exposure under DPDP's stricter framework.

⚠️ No DPDP Act 2023 reference; policy anchored to IT Act 2000
⚠️ Broad third-party data sharing with affiliates and partners with vague safeguards
+4 more gaps detected

Upstox (Fintech): 50/100

Upstox, handling investment data for 1Cr+ users, scores 50/100 on DPDP readiness. Like Zerodha and Groww, SEBI compliance provides a baseline, but DPDP adds consent granularity and data rights requirements beyond what securities regulation demands. API trading users create additional data governance challenges.

⚠️ No DPDP Act 2023 reference; relies on SEBI and IT Act
⚠️ Investment behavior data retention undefined
+4 more gaps detected

Groww (Fintech): 51/100

Groww handles sensitive investment data including Demat holdings, mutual fund portfolios, and PAN details for 10Cr+ users. While SEBI compliance is strong, DPDP-specific alignment is missing, creating a dual compliance gap as both regulations apply simultaneously.

⚠️ No DPDP Act 2023 reference; relies on IT Act and SEBI guidelines
⚠️ Investment behavior data retention not specified
+4 more gaps detected

Paytm (Fintech): 54/100

Paytm's privacy policy is extensive but rooted in IT Act 2000 compliance rather than DPDP Act 2023. With 350M+ users' financial data at stake, the absence of explicit DPDP alignment (particularly around consent granularity, data principal rights, and Data Protection Board mechanisms) creates significant regulatory exposure.

⚠️ No explicit DPDP Act 2023 reference; still relies on IT Act 2000 framework
⚠️ Consent mechanism bundled with service terms; not 'freely given' per Section 6
+4 more gaps detected

Razorpay (Fintech): 58/100

Razorpay's privacy policy covers standard bases but lacks specific DPDP Act 2023 alignment. Key gaps include vague data retention timelines and missing references to the Data Protection Board grievance mechanism.

⚠️ No explicit DPDP Act 2023 reference
⚠️ Data retention period vague ('as long as necessary')
+2 more gaps detected

HDFC Bank (Banking): 65/100

HDFC Bank scores 65/100, the highest among all companies analyzed, benefiting from years of RBI compliance mandates. However, DPDP adds requirements beyond banking regulation: granular consent, Data Protection Board integration, expanded data principal rights, and controlled cross-selling data use.

⚠️ No explicit DPDP Act 2023 reference; relies on RBI guidelines and IT Act
⚠️ Consent bundled with account opening; no granular choice
+4 more gaps detected

CRED (Fintech): 66/100

CRED's privacy policy strongly emphasizes user consent and robust security, including RBI data localization for payment data. However, it requires clearer DPDP alignment regarding truly 'freely given' consent, specific data retention timelines, comprehensive Data Principal rights, and the Data Protection Board as a grievance escalation channel.

⚠️ Consent potentially bundled with core features, not 'freely given'
⚠️ No specific data retention periods defined beyond legal mandates
+3 more gaps detected