DPDP Compliance for Insurance Companies
Insurance companies process health records, financial data, and family details for underwriting and claims. Get expert help today.
Now replace the sandwich shop with your InsurTech company. Where does personal data enter? Where does it sit? Who else touches it?
InsurTech DPDP Self-Check
Start here to understand why DPDP is relevant to InsurTech. Before any other task, work out how personal data moves through the business.
What is InsurTech?
In this context, InsurTech means the websites, apps, operations, support teams, customer records, employee systems, vendor tools and data workflows that collect or use personal data.
Children's data
- Do you collect age, class, school, parent details or learning progress?
- Can you separate child, parent and guardian data?
- Do you know which users are under 18?
Consent
- Can you prove where consent came from?
- Is consent collected before data is used for the stated purpose?
- Can consent be withdrawn without breaking the entire account flow?
Tracking and profiling
- Do you track usage, performance, attention, behavior or drop-offs?
- Is any of this used for ads, recommendations or nudges?
- Are analytics tools collecting user identifiers?
Vendors and SDKs
- Which CRMs, email tools, payment tools, analytics tools and support tools receive personal data?
- Do contracts say they process data only on your instructions?
- Can you delete or export data from each vendor?
Retention
- What happens when the service ends?
- What happens when a user leaves?
- What data is kept for certificates, invoices, disputes or regulatory records?
First action
- Map one user journey from sign-up to completion.
- Mark where data is collected, stored, shared, used for communication and deleted.
If this self-check exposed more than three unclear answers, the next useful step is a DPDP data journey map.
InsurTech Company Analyses
PolicyBazaar
PolicyBazaar collects detailed health questionnaires, income declarations, and family histories — then shares this with 50+ insurance partners simultaneously. At 46/100, the broadcast-style data sharing model where your health conditions are sent to dozens of insurers creates a DPDP consent nightmare.
Acko Insurance
Acko’s policy is a classic example of 'consent overkill.' While they are transparent about the massive amount of data they collect—including your SMS and Gmail—the policy relies on bundled consent and lacks the granular control required by the DPDP Act.
Digit Insurance
Digit Insurance is ahead of the curve by explicitly referencing the DPDP Act, but still relies on 'bundled consent' where using the app equals agreeing to everything. While their security and audit commitments are strong, they need to fix vague retention periods to be fully compliant.
Frequently asked questions
Do we need new consent from existing policyholders?
Yes, if your current consent is bundled or lacks a clear description of third parties like TPAs. You must send a notice to existing users explaining what data you hold and giving them the option to withdraw consent for non-essential services.
How does DPDP affect our use of telematics for premium discounts?
You must clearly state that GPS data is used solely for risk scoring. If you share this location data with marketing partners without a separate, specific checkbox, you violate the purpose limitation rule.
Are Third Party Administrators (TPAs) considered Data Processors?
Generally, yes. You must sign specific contracts with TPAs that restrict them from using your customers' health data for any purpose other than processing the specific claims you send to them.