The DPDP Bible: Restaurants
A Project By Meridian Bridge Strategy

DPDP for Restaurants

Sushant Pasumarty

Founder & CEO, Meridian Bridge Strategy

Phone numbers at billing. Zomato data. Employee Aadhaar. Your restaurant collects more personal data than you think.

Deadline: May 13, 2027

The Reality

7 Places Your Restaurant Collects Personal Data

Most restaurant owners think DPDP doesn't apply to them. "We just serve food." But every modern restaurant is a data machine:

1. Billing Counter

Phone numbers collected for GST invoices, loyalty points, feedback. Every POS system stores this digitally.

2. Zomato / Swiggy

Customer names and order details shared by the platform. Phone numbers are masked via proxy — but you still receive and process personal data.

3. Reservation Systems

Dineout, EazyDiner, or your own WhatsApp booking — names, phone numbers, party size, special requests.

4. Loyalty Programs

Purchase history, visit frequency, preferences, birthday offers — all personal data under DPDP.

5. WhatsApp Marketing

"New menu launch!" "Happy hour offers!" — every WhatsApp blast to customer phone numbers is DPDP territory.

6. Employee Records

Kitchen staff Aadhaar, delivery riders' PAN, manager bank details — all stored digitally for payroll.

7. CCTV & WiFi

CCTV footage captures faces (biometric data). Guest WiFi login captures phone numbers and device IDs. Both are personal data under DPDP.

The Dominos Lesson

In 2021, Dominos India had 18 Crore orders leaked — names, phone numbers, delivery addresses searchable by phone number. Under DPDP, this would be a ₹250 Crore fine. Your restaurant's POS system and delivery records are the same type of data.

Platform Compliance

The Zomato/Swiggy Data Problem

Who Owns the Customer Data?

When a customer orders through Zomato, both Zomato AND your restaurant process personal data. Under DPDP:

Zomato/Swiggy's Responsibility
  • Customer consent on their platform
  • Their own data security
  • Their marketing to the customer

YOUR Responsibility
  • How you USE the data they share
  • Storing delivery addresses securely
  • NOT using order data for YOUR marketing
  • Deleting data when purpose is served

The trap: Zomato masks customer phone numbers with proxy numbers. But you still get customer names and order details. Some restaurants collect real phone numbers at dine-in, then message those customers about delivery offers — that's a DPDP violation if the consent was only for billing. Even the names and order data you receive through the platform can't be used for your own marketing without separate consent.

Your Roadmap

Restaurant DPDP Compliance Roadmap

Step 1 — This Week

Audit Your Data Collection Points

Walk through every touchpoint: POS, reservation system, loyalty program, employee records, WiFi login, CCTV. List what personal data each one collects.

Step 2 — Month 1

Stop Using Zomato/Swiggy Data for Marketing

If you're messaging delivery customers directly without their consent, stop immediately. Build your own consent-based customer list through in-store sign-ups.

Step 3 — Month 1-2

Fix Billing Counter Consent

When collecting phone numbers, tell customers WHY. "For GST invoice" = fine. Adding them to marketing without asking = ₹50 Cr violation.

Step 4 — Month 2-3

Secure Employee Records

Staff Aadhaar and PAN in a WhatsApp group? That's a breach waiting to happen. Move to encrypted storage. Limit access to HR/payroll only.

Step 5 — Before May 2027

Data Processor Agreements

Sign DPAs with your POS vendor, reservation platform, loyalty program provider, and cloud storage. If they get breached, you need contractual cover.

Mumbai Focus

Why Mumbai Restaurants Face Higher Risk

Delivery Volume

Mumbai has the highest food delivery volume in India. More orders = more personal data = higher exposure.

Staff Turnover

High turnover means more employee records (Aadhaar, PAN) cycling through your systems. Each former employee's data needs handling.

Aware Customers

Mumbai's customer base is tech-savvy and aware of privacy rights. A single complaint triggers an inquiry you can't afford.

Sushant Pasumarty

Sushant has built and sold products in identity verification, cybersecurity, and e-commerce at IDfy, CyberArk, and Cyware. Master's from IE Business School, Computer Science from BITS Pilani.

Your Restaurant Needs a Data Audit.

We help restaurants map their data collection points, fix consent gaps, and get compliant before May 2027. Free 30-minute clarity call.
