Bombay Shaving Company's Privacy Policy Vs the DPDP Act: A Templated Clause and No Retention Schedule
Bombay Shaving Company's privacy policy has no retention clause at all, a single blanket consent sentence, and a business-transfer clause that moves your data without asking again. We read it against the DPDP Act.
Bombay Shaving Company sells razors and grooming kits. Its account deletion clause promises that "given the nature of sharing on the Offerings," any public activity on your account will remain visible after deletion. There is no public activity on this account: no posts, no profile page, no feed. That clause was written for a different kind of product and never got edited out.
Gap 1: No retention clause at all (Rule 8)
There is no retention clause in the policy. Not a weak one, not a vague one: zero mention of how long any category of personal data is kept. DPDP's Rule 8 does not accept "we didn't say" as an answer. It expects a schedule.
Gap 2: One blanket consent sentence for five actions (§6)
“you are consenting to the collection, transfer, manipulation, storage, disclosure and other uses of your information”
Five distinct actions, one blanket agreement, triggered just by using the site. Under §6, each of those is a separate purpose, and each needs its own consent, not a shared one buried in paragraph two.
Gap 3: Business-transfer clause moves data without fresh consent
The business-transfer clause says user data is a company asset. If Bombay Shaving Company is acquired or sold, personal data transfers with it, and the policy states users "acknowledge" this happens without being asked again.
That is not how consent under the DPDP Act survives an ownership change. Consent was given to one data fiduciary, for one set of purposes. It does not automatically extend to whoever buys the company next.
What Bombay Shaving Company gets right
Charu Arora is named as Grievance Officer with a phone number, email, and full office address. Most D2C brands this size do not bother. This one did, which puts it ahead of several brands in this series on that one point.
The word DPDP does not appear anywhere in the policy, though. The Grievance Officer requirement is filed under the IT Act 2000, and the statute governing all of this from November is absent. The leftover "public activity" clause is a sign this policy was templated from somewhere else and never fully adapted to what the company actually does.
Why this matters for subscription and D2C brands
D2C brands run on repeat-purchase data, browsing behaviour, and account history built over years. A grooming subscription knows more about someone's habits than most people realise. A policy with no retention clause and a consent-by-usage model is not a gap that shows up in a demo. It shows up the day a customer asks for their data to be deleted and the company has to explain why some of it cannot be.
If your own policy is missing a retention schedule or leans on one blanket consent sentence, that is the same gap at a smaller scale. Our DPDP compliance checklist covers what to fix first. Run the free Compliance Score below to see where your policy stands in 60 seconds.
Frequently asked questions
Does a privacy policy need a retention period under the DPDP Act?
Yes. Rule 8 requires a defined retention period per data category, whether expressed as a number, a date, or a trigger. A privacy policy that says nothing at all about retention does not meet this requirement.
Can a single consent statement cover collection, storage, and disclosure?
No. §6 of the DPDP Act requires consent to be specific to each processing purpose. A single sentence that bundles collection, transfer, storage, disclosure, and other uses into one blanket agreement does not meet the itemised-consent standard.
Does consent transfer automatically if a company is acquired?
Not under the DPDP Act's framework of purpose-specific consent. Consent is given to a specific data fiduciary for specific purposes. A business-transfer clause that moves personal data to an acquirer without seeking fresh consent sits in tension with that principle, even where standard commercial practice treats user data as a transferable asset.