Swiggy's Privacy Policy vs the DPDP Act: One Clause That Won't Survive November
Swiggy updated its privacy policy in April 2026. We tested it against the DPDP Act: deemed consent by continued use, prescription data without health-grade safeguards, and no retention timelines.
Swiggy updated its privacy policy in April 2026. One line in it will not survive November:
“Your continued use of the Services following changes to this Privacy Policy will constitute your consent.”
That sentence conflicts directly with §6 of the DPDP Act. Consent must be freely given, specific, and unambiguous. Not deleting an app is not consent; you cannot update a policy and treat silence as agreement to new terms. That is the whole point of the statute.
Gap 1: Prescription data, general-purpose safeguards (§8, Rule 6)
Through Instamart, Swiggy collects prescriptions to facilitate pharmaceutical purchases. The policy handles this under the same general framework as your food order history. Under §8 and Rule 6, security safeguards must be proportionate to the sensitivity of the data and the harm exposure could cause. A prescription record is not a pizza order.
Gap 2: AI data sharing without separate consent (§6)
The policy states that personal data, including "order details, delivery information, preferences, and interaction data", is shared with third-party AI service providers to enable AI features. Under §6, that is a separate purpose. It needs its own notice and its own consent. An umbrella "we use AI to improve your experience" clause does not satisfy it.
Gap 3: No retention periods (Rule 8)
“We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy.”
Rule 8 expects a schedule per data category: a timeline and a deletion trigger. "As necessary" is a decision deferred until the regulator makes it for you.
What Swiggy gets right
A named Grievance Officer with a direct email. That is the floor requirement under Rule 14, and Swiggy has met it, which already puts it ahead of several brands in this series.
But Swiggy is a public company now. These gaps are disclosed risk from November 2026 forward, visible to any analyst, auditor, or institutional investor who reads the policy against the Act.
If your own product shares data with AI vendors, collects anything health-adjacent, or retains data "as necessary", those are the first three things a DPDP audit will flag. If health-adjacent data is part of your product, see our healthtech retention breakdown. Run the free Compliance Score below and see where you stand in 60 seconds.
Frequently asked questions
Is deemed consent by continued use valid under the DPDP Act?
No. §6 of the DPDP Act requires consent that is free, specific, informed, and given through clear affirmative action. Treating continued use of a service after a policy update as consent to new terms does not meet that standard.
Does the DPDP Act have special rules for health data?
The DPDP Act does not carve out a separate "sensitive data" category like GDPR, but §8 and Rule 6 require security safeguards proportionate to the sensitivity of the data and the potential harm from exposure. Prescription and health records sit at the high end of that scale and warrant stronger protections than general order data.
Do AI vendors count as a separate purpose under DPDP?
Sharing personal data with third-party AI providers is a distinct processing purpose. Under §6, each purpose requires its own notice and its own consent; an umbrella clause about "improving your experience" does not cover it.