Privacy guide

Why DPDP makes vendor disclosure hard for Indian companies.

Vendor disclosure under DPDP in simple English: processors, trackers, adtech, analytics tools and why companies need a clear list.

The simple answer

A vendor is any outside tool or company that handles personal data for your business. That can include CRMs, email tools, analytics, ad pixels, payment processors, support desks and cloud systems.

Many companies struggle because vendors are added by marketing, product, engineering, sales and support teams over time. Nobody owns the full list.

What to check

1. List every third-party script and SaaS tool.
2. Mark what data each vendor receives.
3. Check contracts and processing terms.
4. Match the vendor list with the privacy policy.
5. Remove tools nobody can justify.

If any of these is unclear, treat it as a signal to ask the company for a plain-English explanation.

From our investigation

The website tells on the vendor list.

Tracker observations are useful because they show external tools that actually load. If those tools are not in the policy or internal vendor map, the company has a disclosure gap.

What to do next

1. Run a tracker scan on key pages.
2. Create a vendor register.
3. Assign owners for each vendor and review quarterly.

For each step, keep it practical: take one action, save proof, and avoid giving more data than the task needs.
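One way to run the tracker scan and match it against the vendor register and policy, as an added example that is not part of the original guide: it reads the saved HTML of a page, collects the third-party hosts the page loads, and reports the gaps. The hostnames, register entries and function names are constructed for illustration. Static HTML misses tools injected at runtime, so a browser-based scan will see more.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: saved HTML of one key page (not real data).
SAMPLE_HTML = """
<script src="https://cdn.analytics-vendor.example/a.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://fonts.font-vendor.example/css">
<img src="https://px.ads-vendor.example/t.gif?uid=123">
<iframe src="https://chat.support-vendor.example/widget"></iframe>
<a href="https://partner.example/about">Partner</a>
"""

# Constructed vendor register: domain -> (vendor, owning team, named in policy?)
REGISTER = {
    "analytics-vendor.example": ("Analytics tool", "marketing", True),
    "support-vendor.example": ("Support desk", "support", False),
    "crm-vendor.example": ("CRM", "sales", True),
}

# Tags that make the browser fetch a resource, and the attribute holding its URL.
LOADING_TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

def matches(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

class ThirdPartyHosts(HTMLParser):
    """Collect hosts of resources the page loads; plain <a> links are ignored."""
    def __init__(self, first_party):
        super().__init__()
        self.first_party, self.hosts = first_party, set()

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(LOADING_TAGS.get(tag, ""))
        host = urlparse(url or "").hostname  # None for relative (first-party) URLs
        if host and not matches(host, self.first_party):
            self.hosts.add(host)

def disclosure_gaps(html, first_party, register):
    """Compare hosts that actually load against the register and the policy."""
    parser = ThirdPartyHosts(first_party)
    parser.feed(html)
    seen = {h: next((d for d in register if matches(h, d)), None) for h in parser.hosts}
    return {
        "not_in_register": sorted(h for h, d in seen.items() if d is None),
        "not_in_policy": sorted(h for h, d in seen.items() if d and not register[d][2]),
        "not_observed": sorted(d for d in register if d not in seen.values()),
    }

if __name__ == "__main__":
    for gap, hosts in disclosure_gaps(SAMPLE_HTML, "shop.example", REGISTER).items():
        print(gap, hosts)
```

Entries under `not_observed` are not necessarily stale: CRMs and other back-office tools never load on the website, so they need an owner to confirm them rather than a scan.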

People also ask

What is a data processor?

A processor handles personal data on behalf of the company, usually under instructions.

Do trackers count as vendors?

Often yes, if they receive personal data or identifiers from your site.

Why is disclosure hard?

Because tools are added across teams and can change faster than the policy.

If you are a company
Check your own website.

How many trackers run on your pages? Does your privacy policy name them? Can you answer a data-rights email? If you don't know, we can help you find out.

Talk to Meridian Bridge Strategy →
Your right under Indian law
Mera data mera hai.

Your personal data belongs to you. Under DPDP, every company must tell you what they have and delete it if you ask. One email is all it takes.

Get the template email →
Read the full investigation.

We investigated 107 Indian company websites. The public report shows what we found.
