Swiggy and Zomato do NOT handle DPDP compliance for you. Every restaurant partner, cloud kitchen, and ONDC seller that receives customer orders — names, phone numbers, delivery addresses, food preferences — is independently processing personal data under DPDP and must comply.
Applies to: Swiggy partners • Zomato partners • ONDC sellers • Cloud kitchens • Tiffin services • Home cooks on food platforms • Direct-order restaurants using WhatsApp/phone.
Does DPDP Apply to Food Businesses?
If your food business does any of the following, DPDP applies:
- ✅ Receives orders through Swiggy, Zomato, or ONDC (customer name, phone, address visible)
- ✅ Takes direct orders via phone, WhatsApp, or your own website
- ✅ Has a loyalty programme or customer accounts
- ✅ Maintains a customer database for repeat orders
- ✅ Sends promotional messages via SMS, WhatsApp, or email
- ✅ Uses delivery tracking (GPS data of customers)
- ✅ Stores food preferences or dietary requirements
- ✅ Takes online payments (Razorpay, Paytm, UPI)
🍔 Surprising Reality: Even a home cook selling tiffins to 10 customers via WhatsApp is processing personal data under DPDP. The moment you store a customer's name, phone number, and address — you're a Data Fiduciary. No size exemption exists.
Over 500,000 restaurant partners are listed on Swiggy and Zomato combined. Add ONDC sellers, standalone delivery restaurants, cloud kitchens, tiffin services, and home bakers — the total number of food businesses processing personal data in India runs into the millions. Almost none have any DPDP compliance in place.
What Customer Data Do Food Businesses Process?
What You See for Every Delivery Order
- Customer full name
- Delivery address (building, street, area, PIN code, landmark)
- Phone number (for delivery coordination)
- Order details (what they ordered, customisations, instructions)
- Payment status
- Order time and date
Data You Accumulate Over Time
- Order history (what they order, how often, average spend)
- Food preferences (cuisines, dishes, spice levels)
- Dietary requirements (vegetarian, vegan, Jain, halal, allergies)
- Favourite delivery times and locations
- Customer reviews and ratings
If You Take Orders via WhatsApp, Phone, or Website
- WhatsApp chat history with customer orders
- Saved phone contacts of regular customers
- Payment details (UPI IDs, bank transfer records)
- Address book of delivery locations
- Custom order notes and special requests
⚠️ Location Data Is Personal Data: Customer delivery addresses are personal data under DPDP. GPS coordinates, saved "home" and "work" locations — all personal data. You must handle, secure, and delete this data like any other personal information.
Platform vs Partner: Who Is Responsible for What?
| DPDP Requirement | Platform (Swiggy/Zomato) | You (Restaurant Partner) |
|---|---|---|
| Platform privacy policy | ✅ Handled by platform | ⚠️ You need your OWN policy for direct orders and data you store |
| Customer consent for platform orders | ✅ Platform gets consent | ⚠️ Platform consent ≠ consent for YOUR marketing use |
| Security of data on platform | ✅ Platform secures their servers | ❌ YOU secure any data exported or stored locally |
| Retention of order data | ✅ Platform manages their database | ❌ YOU delete any downloaded or locally stored order data |
| Direct order data (WhatsApp/phone) | Not applicable | ❌ Entirely your responsibility |
| Customer database / loyalty programme | Not applicable | ❌ Entirely your responsibility |
| WhatsApp/SMS marketing | Not applicable | ❌ Entirely your responsibility (need explicit consent) |
🔴 The Key Trap: When a customer orders from you on Zomato, they consent to Zomato's privacy policy, not yours. If you download that customer's data and use it for your own WhatsApp marketing campaign, you are processing personal data without valid consent. Under the Act's penalty schedule, that kind of breach carries a penalty of up to ₹50 crore.
Swiggy & Zomato Partner Compliance
What Swiggy/Zomato Handle for You
- Customer consent for platform-mediated orders
- Platform-level security and data encryption
- Payment processing and PCI compliance
- Platform privacy policy for customer-platform relationship
What YOU Must Handle as a Restaurant Partner
1. Do NOT export customer data for marketing
Swiggy and Zomato give you access to customer order data through their partner dashboards. This data is shared for order fulfillment only.
- ❌ Do NOT download customer phone numbers and add to your WhatsApp broadcast list
- ❌ Do NOT export order reports and run SMS marketing campaigns
- ❌ Do NOT build a customer database from platform order data for direct marketing
- ✅ DO use order data only for preparing and delivering the order
2. Secure Your Partner Dashboard Access
Your Swiggy/Zomato partner dashboard contains customer data. Secure it:
- Use a strong, unique password for your partner account
- Enable 2-factor authentication if available
- Do not share your login credentials with delivery partners or third parties
- Log out of partner dashboard on shared devices
3. Handle Order Printouts Carefully
Many restaurants print order slips containing customer name, phone number, and delivery address.
- Shred/destroy printed order slips after delivery is completed
- Do not leave order printouts lying around the kitchen where non-staff can see them
- Destroy batch printouts at end of day — do not accumulate weeks of customer data on paper
4. Customer Reviews and Feedback
When customers leave reviews on Swiggy/Zomato, they include their name and feedback. If you respond to reviews:
- Do not use information from reviews to contact customers outside the platform
- Do not share customer review content publicly without consent
- Platform review data is for service improvement only
Cloud Kitchen Compliance
Cloud kitchens (delivery-only kitchens with no dine-in) have a distinct DPDP profile. In several respects they process more customer data per order than a traditional restaurant:
- 100% of orders are delivery orders — every order contains customer address
- Often run multiple brands from one kitchen — collecting data across multiple brand identities
- Frequently use order management software that stores customer history
- Many use customer data for re-ordering and loyalty purposes
Multi-Brand Data Separation
If you operate multiple food brands from one cloud kitchen (e.g., "Bombay Biryani" and "South Indian Express" both running from the same kitchen), each brand's customer data must be handled separately.
- Don't share customer data between your own brands without consent
- A customer who ordered from "Bombay Biryani" has NOT consented to receive marketing from "South Indian Express"
- Keep brand databases separate
Order Management Software
Most cloud kitchens use order management systems (Petpooja, Posist, UrbanPiper, etc.) that store customer data. Under DPDP:
- These software providers are your Data Processors
- Ensure they have Data Processing Agreements (DPAs)
- Verify they are DPDP-compliant
- Set data retention rules in your OMS to auto-delete old customer data
Direct Orders: WhatsApp, Phone, and Own Website
Many food businesses take orders directly via WhatsApp, phone calls, or their own website alongside (or instead of) platform listings. These are fully your responsibility — no platform compliance to rely on.
WhatsApp Orders
Consent Before Adding to Broadcast Lists
One of the most common violations: adding all WhatsApp order customers to a broadcast list for daily menu sharing and promotions.
- Customer ordering once does NOT mean they consent to daily WhatsApp messages
- Get explicit consent: "Can I add you to our daily menu broadcast? Reply YES to opt in."
- Keep a record of who said YES
- Honor opt-out requests immediately: remove from broadcast when asked
Chat Retention
- Delete WhatsApp order chats after delivery + 30 days
- Don't keep years of chat history with customer addresses and payment screenshots
- For inactive customers (no orders in 6 months), delete the chat entirely
Phone Orders
Customer Address Book
Many restaurant owners save regular customers in their phone with names and addresses. This is personal data.
- Secure your phone with PIN/biometric lock
- Do not share your phone with others who could access customer contacts
- Delete inactive customer contacts (no orders in 1 year)
- Do not use customer numbers for promotional calls without consent
Own Website Orders
- Publish a privacy policy on your website
- Add consent checkbox at checkout: "I agree to the Privacy Policy" (unchecked by default)
- Separate marketing consent: "Send me offers via WhatsApp/email" (optional, not required to complete order)
- Ensure HTTPS (a valid TLS certificate) on your website, so names, addresses and phone numbers are not submitted in plaintext
- Set data retention for your order database
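The WhatsApp opt-in and chat-retention rules above, and the website checkout rules, come down to three mechanics: a consent log that only flips on for an unambiguous YES and off again on STOP, a server-side checkout check where the privacy acknowledgement is mandatory but marketing opt-in is separate and optional, and a periodic sweep that deletes order chats past delivery + 30 days and customers with no order in six months. The following is an added example of those mechanics (it is not code from the page, from Swiggy/Zomato, or from any OMS). The `Customer`/`Order` shapes, the function names, the 182-day inactivity window and the sample records are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added illustration. Record shapes, function names and the sample customers and
# orders below are constructed for this example, not taken from Swiggy, Zomato,
# WhatsApp or any order-management product.

ORDER_CHAT_RETENTION = timedelta(days=30)   # delete order chats at delivery + 30 days
INACTIVE_CUSTOMER = timedelta(days=182)     # assumed ~6 months with no order -> drop record
OPT_IN = {"YES"}
OPT_OUT = {"STOP", "NO", "UNSUBSCRIBE"}


@dataclass
class Customer:
    phone: str
    source: str                  # "zomato", "swiggy", "whatsapp" or "website"
    last_order: datetime
    marketing_consent: bool = False          # stays False until YOUR channel records YES
    consent_log: list = field(default_factory=list)   # (when, channel, decision)


@dataclass
class Order:
    order_id: str
    phone: str
    delivered_at: datetime
    chat: str                    # WhatsApp thread: address, payment screenshot, notes


def record_consent(customer, channel, reply, when):
    """Log an explicit opt-in or opt-out. Only an unambiguous YES switches consent on;
    an order, silence or an unrelated reply leaves the previous state untouched."""
    decision = reply.strip().upper()
    if decision in OPT_IN:
        customer.marketing_consent = True
    elif decision in OPT_OUT:
        customer.marketing_consent = False
    else:
        return customer.marketing_consent    # not a consent signal; nothing logged
    customer.consent_log.append((when, channel, decision))
    return customer.marketing_consent


def may_market(customer):
    """Platform consent never carries over: a Swiggy/Zomato customer is marketable only
    after a YES recorded through your own channel, and only while that YES stands."""
    return (customer.marketing_consent and bool(customer.consent_log)
            and customer.consent_log[-1][2] in OPT_IN)


def validate_checkout(form):
    """Server-side check for a website order. The privacy acknowledgement must be an
    explicit True (an unticked or missing box fails); marketing opt-in is a separate,
    optional field that never blocks the order."""
    if form.get("privacy_ack") is not True:
        raise ValueError("privacy policy not acknowledged")
    return {"accepted": True, "marketing_consent": form.get("marketing_opt_in") is True}


def retention_sweep(customers, orders, now):
    """Apply the retention rules: drop order chats past delivery + 30 days and customer
    records with no order inside the inactivity window. Returns what was deleted so
    the sweep can be logged."""
    kept_orders = [o for o in orders if now - o.delivered_at <= ORDER_CHAT_RETENTION]
    kept_customers = [c for c in customers if now - c.last_order <= INACTIVE_CUSTOMER]
    deleted_orders = sorted({o.order_id for o in orders} - {o.order_id for o in kept_orders})
    deleted_phones = sorted({c.phone for c in customers} - {c.phone for c in kept_customers})
    return kept_orders, kept_customers, deleted_orders, deleted_phones


def demo(now=datetime(2025, 6, 1)):
    """Scenario: a Zomato customer is not marketable, becomes marketable after YES,
    drops out after STOP; a sweep then removes a stale chat and an inactive customer."""
    zomato_cust = Customer("+919800000001", "zomato", now - timedelta(days=2))
    stale_cust = Customer("+919800000002", "whatsapp", now - timedelta(days=200))
    states = [may_market(zomato_cust)]
    record_consent(zomato_cust, "whatsapp", "yes", now)
    states.append(may_market(zomato_cust))
    record_consent(zomato_cust, "whatsapp", "STOP", now)
    states.append(may_market(zomato_cust))
    orders = [Order("A1", zomato_cust.phone, now - timedelta(days=10), "constructed chat"),
              Order("A2", stale_cust.phone, now - timedelta(days=45), "constructed chat")]
    _, _, gone_orders, gone_phones = retention_sweep([zomato_cust, stale_cust], orders, now)
    return states, gone_orders, gone_phones
```

The point of keeping the log alongside the boolean is that "who said YES, when, and through which channel" is exactly the record you need to produce if a customer or the Board asks why they received a message; the boolean alone proves nothing. Run the sweep from a scheduled job rather than by hand, and write `deleted_orders`/`deleted_phones` to a log so deletion itself is evidenced.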
Dietary Data: A Sensitive Category Restaurants Often Miss
This is a uniquely food-specific DPDP concern that most restaurants completely overlook.
Dietary requirements can reveal:
- Religious beliefs: Halal, Jain, kosher food preferences
- Health conditions: Diabetes-friendly, low-sodium, allergy information
- Lifestyle choices: Vegan, vegetarian preferences
DPDP does not define a separate "sensitive personal data" category the way GDPR does, but the Data Protection Board must weigh the nature and type of the personal data affected when it decides a penalty. Data that reveals religious belief or a health condition therefore carries higher legal and reputational risk if mishandled.
⚠️ Real Risk: Imagine a restaurant's customer database leaks and reveals which customers ordered halal food or requested Jain meals. This exposes customers' religious identity to the public. The Data Protection Board can treat this as a severe violation due to the religious sensitivity of the data.
How to Handle Dietary Data
- Collect dietary preferences ONLY when necessary for order preparation
- Do not profile customers by religion or health based on food choices
- Store dietary data with restricted access (kitchen staff only, not marketing team)
- Delete dietary history when customer requests data deletion
- Never share dietary preference data with third parties
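"Restricted access (kitchen staff only, not marketing team)" is easiest to enforce as a per-role field allowlist rather than as a rule people are asked to remember. The following is an added example (not code from the page or from any POS/OMS product) of that pattern: each role gets only its allowlisted fields, the marketing export is built through the marketing view and then checked so a later edit to the allowlist cannot quietly leak a dietary field, every read is written to an audit trail, and an erasure request removes the customer's dietary history along with everything else. The role names, field names and sample records are constructed for the illustration.

```python
# Added illustration. Roles, field names and the two sample records are constructed
# for this example; they are not taken from any real order-management system.

DIETARY_FIELDS = {"dietary_notes", "allergies"}   # can reveal religion or health

# Per-role allowlist. A field not listed for a role is never returned to it.
ROLE_FIELDS = {
    "kitchen":   {"order_id", "items", "instructions", "dietary_notes", "allergies"},
    "delivery":  {"order_id", "name", "phone", "address"},
    "marketing": {"name", "phone"},      # no dietary fields, no address, no order history
}


def view_for_role(record, role, audit):
    """Return only the fields the role is allowed to see and log the access."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}")
    visible = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
    audit.append((role, record["phone"], sorted(visible)))
    return visible


def marketing_export(store, audit):
    """Build a marketing list: consenting customers only, through the marketing view.
    The final check is a guard against a future allowlist edit leaking dietary data."""
    rows = [view_for_role(r, "marketing", audit) for r in store if r.get("marketing_consent")]
    for row in rows:
        if set(row) & DIETARY_FIELDS:
            raise RuntimeError("dietary field leaked into marketing export")
    return rows


def erase_customer(store, phone):
    """Erasure request: drop every record for the phone, dietary history included.
    Returns the number of records deleted."""
    before = len(store)
    store[:] = [r for r in store if r["phone"] != phone]
    return before - len(store)


def demo():
    """Kitchen sees dietary notes but no phone; marketing gets name and phone only;
    an erasure request removes the Jain customer's record entirely."""
    store = [
        {"order_id": "B1", "name": "A. Customer", "phone": "+919800000003",
         "address": "Flat 4, Sample Road", "items": ["Paneer tikka"],
         "instructions": "No onion", "dietary_notes": "Jain", "allergies": "",
         "marketing_consent": True},
        {"order_id": "B2", "name": "B. Customer", "phone": "+919800000004",
         "address": "12 Sample Lane", "items": ["Chicken biryani"],
         "instructions": "", "dietary_notes": "halal", "allergies": "peanuts",
         "marketing_consent": False},
    ]
    audit = []
    kitchen_view = view_for_role(store[0], "kitchen", audit)
    export = marketing_export(store, audit)
    erased = erase_customer(store, "+919800000003")
    return kitchen_view, export, erased, len(store), audit
```

In a real deployment the allowlist lives where the data lives (a database view or column-level grant per staff login, or per-user sheet permissions if you really must use a spreadsheet), and the audit trail goes to a log the staff member cannot edit; the point of the example is the shape of the control, not the storage.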
Top DPDP Violations in Food Delivery
1. Marketing to platform customers without fresh consent
The mistake: You download your Zomato order history, extract customer phone numbers, add them all to a WhatsApp broadcast list, and send daily menu updates.
Why illegal: Customers consented to Zomato's terms, not to your independent marketing. You are using the data beyond the purpose it was shared for.
Fix: Only market to customers who explicitly opted in through YOUR channel with YOUR consent process.
2. No privacy policy on direct channels
The mistake: Your restaurant website takes online orders but has no privacy policy. Your WhatsApp ordering service has no privacy notice.
Why illegal: Every channel through which you collect personal data needs a privacy notice.
Fix: Add a privacy policy to your website. Share your privacy policy link with WhatsApp customers on their first order.
3. Bulk customer data handed to delivery riders
The mistake: You share a spreadsheet of customer names and delivery addresses with your contracted delivery rider, who now has a copy of your entire customer database on their personal phone.
Why illegal: The rider is processing personal data on your behalf, which DPDP permits only under a contract for which you remain responsible, and a bulk spreadsheet goes far beyond what any single delivery needs. If the rider loses their phone, every customer in the sheet is exposed and you, not the rider, answer for the breach.
Fix: Share only the specific order details needed for that delivery. Use platform-controlled delivery systems where possible.
4. Hoarding printed order slips
The mistake: Keeping years of printed order slips (with customer names, addresses, phone numbers) in a box in the storeroom.
Why illegal: Paper records containing personal data are still covered by DPDP. Retention limits apply.
Fix: Shred and destroy old order slips. Keep only the invoice records tax law requires. Destroy other physical customer data after 30 days.
5. Loyalty programme with no notice or consent
The mistake: Your restaurant runs a loyalty stamp card or points programme. You collect customer names and phone numbers to track points but have no privacy policy explaining this.
Why illegal: Any organised collection of customer data for a programme requires a privacy notice and consent.
Fix: Add a simple privacy notice to loyalty enrolment: "We collect your name and phone to track your points. Read our Privacy Policy: [link]." Get their sign-off.
6. Dietary data in an unprotected spreadsheet
The mistake: Customer database with dietary preferences (halal, Jain, vegan, allergy info) is stored in an unprotected Google Sheet accessible to all staff. A disgruntled employee shares it publicly.
Why illegal: Failing to maintain reasonable security safeguards is the top tier of the Act's penalty schedule (up to ₹250 crore), and the Board weighs the type of data exposed; dietary data that reveals religion or health makes the breach graver.
Fix: Restrict access to dietary data to the staff who need it for order preparation. Encrypt customer databases. Limit who can see what, and log who looked.
Food Business DPDP Compliance Checklist
| Compliance Item | Status |
|---|---|
| Privacy policy published (website, WhatsApp notice, loyalty programme) | ☐ |
| Platform order data NOT used for independent marketing | ☐ |
| WhatsApp broadcast consent (explicit opt-in only) | ☐ |
| Partner dashboard secured (strong password, 2FA) | ☐ |
| Order slips destroyed after delivery (not accumulated) | ☐ |
| Customer data NOT shared with delivery riders in bulk | ☐ |
| Dietary preference data secured (restricted access) | ☐ |
| Old WhatsApp chats deleted (after delivery + 30 days) | ☐ |
| Customer database encrypted (if using CRM or OMS) | ☐ |
| Loyalty programme privacy notice (if running one) | ☐ |
| Data retention policy set (delete inactive customer data) | ☐ |
| Privacy contact set up (a dedicated email address for data principal requests) | ☐ |
FAQ for Restaurant Owners
Does DPDP apply to Swiggy and Zomato restaurant partners?
Yes. Restaurant partners access customer names, phone numbers, and delivery addresses with every order. This makes you an independent Data Fiduciary. Swiggy/Zomato's compliance does not cover your obligations.
Is customer location data personal data under DPDP?
Yes. Delivery addresses and GPS locations are personal data. You must use them only for order delivery and delete them after the retention period.
Can I use customer order history for my own marketing?
Only with explicit consent. Customers on Swiggy/Zomato consented to the platform's terms — not your independent marketing. You need a fresh, separate consent to send them WhatsApp messages or SMS promotions.
Does DPDP apply to cloud kitchens?
Yes. Cloud kitchens receive and process customer data with every order. The absence of dine-in customers doesn't change your DPDP obligations — delivery orders contain just as much personal data as any other order type.
What about dietary preferences — are they sensitive data?
Yes, treat them as sensitive. Dietary requirements can reveal religious beliefs (halal, Jain) or health conditions (allergies, diabetes). Store with restricted access and delete promptly when no longer needed.
Do I need a privacy policy if I only take orders on Swiggy and Zomato?
If you only take platform orders and never store, download, or independently use customer data beyond what the platform shows you, your exposure is lower — but you still need a seller privacy policy explaining your data practices. If you also take direct orders, WhatsApp orders, or run a loyalty programme, a privacy policy is mandatory.