Teardown6 min read

Zomato, Blinkit, and the DPDP Act: When a Household Profile Becomes a Liability

Zomato holds food and grocery data for millions of the same households. We read its practices against the DPDP Act: cross-product profiling, GPS retention, and the 2021 breach.

Zomato knows more about 100 million Indian households than most Indian banks. Your order time reveals your sleep schedule. Your restaurant choices signal income bracket, dietary restrictions, and religious practice. Your delivery addresses map your social graph.

In June 2021, 17 million user records left the platform and appeared on a dark-web forum. The breach is documented. The more important DPDP story is what accumulates before a breach.

The Blinkit problem: two datasets, one household

After acquiring Blinkit, Zomato holds both food delivery and grocery data for millions of the same households. Cross-referenced, this is one of the most complete household behavioural profiles in India: meals, groceries, timing, location, spending, and social context from group orders and gifting.

Under §8(3), collection must be limited to what is necessary for the stated purpose. Under Rule 8, every data category requires a defined retention period. There is no operational reason to retain a 2019 delivery order in 2024, and there is no stated purpose that justifies cross-referencing food and grocery data to build a household profile. Each secondary use requires fresh, itemised consent under §6, not an umbrella "we improve your experience" clause.

Three DPDP gaps the 2021 breach makes visible

  1. 1.Cross-product aggregation without explicit purpose declaration. Zomato plus Blinkit data combined is a more sensitive profile than either alone. Each additional purpose (personalisation, advertising, or third-party sharing) requires a separate consent item under §6.
  2. 2.Location data retained beyond delivery completion. GPS data collected during a delivery is purpose-specific. Under Rule 8, it should be erased when the delivery purpose ends, not retained as historical trail data.
  3. 3.Notification to the press is not notification to the Board. Zomato confirmed the 2021 breach publicly, which is better than most. But under Rule 7, the 72-hour clock runs to the Data Protection Board, not to the media.

The takeaway for consumer tech founders

The richer your behavioural data, the higher your DPDP exposure, regardless of whether you have ever had a breach. A complete user profile is a competitive asset. Under the DPDP Act, it is also a documented liability. The question is whether your safeguards match the sensitivity.

A RoPA is exactly the artifact that would have caught the cross-product aggregation gap above before a regulator did. Run a free Compliance Score below to see whether your own retention, consent, and purpose declarations would survive the same reading.

Frequently asked questions

What happened in the Zomato data breach?

In June 2021, 17 million Zomato user records appeared on a dark-web forum. Zomato acknowledged the incident publicly. Under the DPDP Rules now in force, a comparable incident would require notification to the Data Protection Board within 72 hours of awareness.

Can Zomato combine Blinkit and Zomato data under the DPDP Act?

Only with fresh, itemised consent. Cross-referencing datasets from two products to build a richer household profile is a separate processing purpose under §6, and it requires its own notice and its own consent rather than an umbrella personalisation clause.

How long can delivery apps keep GPS data under DPDP?

GPS data collected to complete a delivery is purpose-specific. Under Rule 8, it should be erased once the delivery purpose is served unless the user has separately consented to a declared secondary use. Indefinite retention as trail data is a purpose-limitation failure.

Compliance Score

Where does your website stand against the DPDP Act?

Run a free Compliance Score: privacy policy, cookie consent, and retention posture, checked in 60 seconds. No signup.