A Project by Meridian Bridge Strategy
Book Consultation
๐Ÿšš

DPDP Compliance for Logistics Companies

Logistics companies handle delivery addresses, recipient identities, and real-time location tracking of drivers and packages. DPDP creates new obligations for last-mile delivery data.

40/100 Avg. Score
1 Analyzed
7 Gaps Found

Logistics: The Last-Mile Data Challenge

Indiaโ€™s logistics companies โ€” Delhivery, Dunzo, and dozens of last-mile delivery providers โ€” operate at the intersection of e-commerce, food delivery, and transportation data. Every package delivered generates a data trail connecting senders, recipients, delivery personnel, and real-time location tracking.

The Three-Party Data Problem

In every delivery transaction, personal data flows between three parties:

  1. Sender/Platform: Provides recipient name, address, phone number, and package contents description
  2. Logistics Company: Processes all of this plus adds delivery timestamps, GPS coordinates, and delivery proof
  3. Delivery Personnel: Has temporary access to recipientโ€™s full name, exact address, and phone number

Under DPDP, each party has different obligations. The logistics company must ensure delivery personnel donโ€™t retain recipient data beyond the delivery window โ€” but enforcing this on personal devices is practically challenging.

Driver Location Data: 24/7 Surveillance

Delivery drivers are tracked continuously during their shifts. This GPS data reveals:

  • Working hours and break patterns
  • Speed and driving behavior
  • Route efficiency metrics
  • Time spent at each delivery location

Drivers are Data Principals under DPDP. They have the right to know how their location data is used, retained, and shared. Many logistics companies use driver location data for performance scoring, route optimization, and even insurance risk assessment โ€” each requiring separate consent.

Address Data: The Permanent Record

Delivery addresses are among the most sensitive personal data. They reveal:

  • Home locations (security risk if breached)
  • Office locations (employment information)
  • Frequently visited addresses (relationship patterns)

Most logistics companies retain address data indefinitely for โ€œoperational efficiency.โ€ Under DPDP, addresses should be retained only as long as necessary for delivery completion and any mandatory dispute resolution period.

Package Contents: Inference Risk

While logistics companies may not know exact package contents, the combination of sender, product category, weight, and dimensions can reveal sensitive purchases โ€” medications, personal items, or financial documents. DPDP requires that even metadata about deliveries be treated with appropriate data protection measures.

Logistics Company Analyses

Logistics

Dunzo

40

Dunzo's hyper-local delivery model creates an intensely personal data profile โ€” every delivery reveals what you order, where you live, and when you're home. At 40/100, alcohol deliveries, medicine pickups, and photo proofs of delivery create particularly sensitive data categories that the current policy ignores under DPDP.

โš ๏ธ No DPDP Act 2023 reference
โš ๏ธ Hyper-local delivery data reveals precise lifestyle patterns
+5 more gaps detected
Feb 2026 View Report
๐Ÿ“ž Free Consultation