Zepto's Privacy Policy vs the DPDP Act: A Section-by-Section Teardown
We read Zepto's privacy policy against the DPDP Act, line by line: retention with no timelines, consent-by-usage, and zero mentions of the statute that governs it from November 2026.
Zepto can tell you which buildings in your neighbourhood order the most groceries at 11pm. Its privacy policy cannot tell you how long it keeps that information.
That gap between the precision of the data a company collects and the vagueness of the document governing it is what this teardown series measures. We read the policy as published. Here is where it meets the DPDP Act, and where it misses.
Gap 1: Retention with no number (Rule 8)
“only till such time it is required for the Purposes”
The DPDP Rules do not accept that. Rule 8 expects a number, a date, or a trigger: a retention schedule per data category that an auditor could verify. "Required for the Purposes" is a category the company itself defines whenever convenient. It is a deferred decision, not a retention policy.
Gap 2: Consent by usage (§6)
“By using the Platform or providing Personal Information, you agree and consent.”
Under §6 of the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous, with separate consent for each purpose. Using an app is not consent. It is usage. Bundling every purpose into the act of opening an app is precisely the pattern the statute was written to end.
Gap 3: The Act that isn't there
The word DPDP does not appear anywhere in the document. The Companies Act is there. The Contract Act is there. The IT Act is there. The statute that actually governs this data from November 2026 is not.
One more detail worth noting: Zepto's Grievance Officer is also its General Counsel. The same person, two roles. Not illegal, but it tells you where privacy sits in the org chart.
Why this matters more for quick commerce than almost anyone
Quick commerce builds one of the most detailed household profiles in India: which building, which flat, what they buy, how often, and at what time. That profile accumulates ten minutes at a time across tens of millions of orders.
Heading into an IPO at a $5 billion valuation, the question is not whether the product works. It is whether the data infrastructure holds up when someone (a regulator, an underwriter, or a journalist) actually reads the policy.
If you are building a consumer app, the same three questions apply to you: does every data category have a retention trigger, does every purpose have its own consent, and does your policy name the law it answers to? Our DPDP compliance checklist walks through all three. Run a free Compliance Score below to find out in 60 seconds.
Frequently asked questions
Is Zepto violating the DPDP Act?
This teardown identifies gaps between Zepto's published privacy policy and DPDP Act requirements, such as undefined retention periods (Rule 8) and consent-by-usage (§6). Whether they amount to violations is for the Data Protection Board to determine once enforcement begins; substantive obligations become enforceable by May 2027.
What does DPDP Rule 8 require for data retention?
Rule 8 expects Data Fiduciaries to retain personal data only as long as needed for the stated purpose, with defined erasure timelines. In practice that means a retention schedule per data category (a number, a date, or a trigger) rather than open-ended language like "as long as required".
Is "by using this app you consent" valid under the DPDP Act?
No. §6 of the DPDP Act requires consent to be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action, with separate consent per purpose. Continued usage of a platform does not meet that standard.