How Indian Companies Are Tracking Your Online Activity

Everyone tells you to read the privacy policy before clicking "Accept." I stopped doing that. Not because I don't care about my data -- I actually care a lot -- but because I ran an experiment in late 2025 that made reading those policies feel almost pointless. I deleted Flipkart off my phone for 30 days. Didn't touch it. When I reinstalled the app in January, my "recommended for you" section was filled with running shoes and wireless earbuds. Products I'd only browsed on Myntra and Amazon during that month. Nobody had told Flipkart what I was shopping for. Or so I thought.

That experience sent me down a rabbit hole I'm still climbing out of. And what I found isn't some abstract horror story about surveillance capitalism in Silicon Valley. It's happening right here, built by Indian companies, running on Indian servers, aimed squarely at Indian users. The tracking infrastructure our homegrown tech industry has assembled over the past five or six years is, frankly, more aggressive than what most people assume about Google or Facebook.

I should probably mention: I'm not writing this as some kind of anti-technology crusade. I use UPI every day. Swiggy probably knows my dinner preferences better than my wife does. But there's a difference between choosing to share information and having it quietly siphoned without any real understanding of where it goes. Most of us are stuck on the wrong side of that line.

What's Actually Happening Behind Your Screen

Let's start with something that might surprise you. Cookies -- those little text files websites drop on your browser -- are almost old news at this point. Yes, Indian companies still use them. Every e-commerce site, every news portal, every fintech dashboard plants cookies on your browser the moment you land. But cookies are the tracking method your grandmother could explain to you by now. What's changed is everything happening underneath.

Device fingerprinting is where things get genuinely unsettling. Your phone or laptop has a unique combination of characteristics: screen resolution, installed fonts, browser version, time zone, language settings, even the way your graphics card renders certain images. Combine about 30 of these signals and you've got something almost as unique as an actual fingerprint. No cookie required. You can browse in incognito mode, clear your history, use a different browser -- doesn't matter much. Indian e-commerce platforms have been using fingerprinting libraries since at least 2023, and the technology's only gotten more precise since then.

I ran a test with a privacy researcher friend of mine. We visited Flipkart, Myntra, and Ajio from the same laptop, each in a different browser, with cookies disabled. Within 48 hours, ad recommendations on one platform were reflecting browsing behaviour from another. Fingerprinting probably wasn't the only mechanism at play -- more on that in a second -- but it was clearly part of the equation.

Then there's the SDK problem, which honestly deserves its own article. When an Indian startup builds an app, they don't write every feature from scratch. They plug in third-party software kits for analytics, push notifications, crash reporting, ad serving, and a dozen other functions. Companies like CleverTap, MoEngage, Netcore, and WebEngage provide these tools. Each SDK can collect data independently -- your location, device ID, app usage patterns, sometimes even your contact list -- and send it back to their own servers.

A security audit published in mid-2025 found that the average Indian app on the Play Store contained somewhere between 12 and 18 third-party trackers. Some popular apps had over 25. Each of those trackers is a separate company, with its own data retention policies, its own commercial interests, and its own list of "partners" it shares data with. So when you install one app, you're potentially feeding data to two dozen companies you've never heard of. Probably nobody told you that during onboarding.

And here's the part that really got under my skin: cross-device tracking. Companies don't just want to know what you do on your phone. They want to connect your phone behaviour to your laptop behaviour to your smart TV behaviour. How? Partly through login data -- if you're signed into the same Google or Flipkart account on multiple devices, that's trivial. But even without shared logins, companies use probabilistic matching. Two devices on the same WiFi network, used at similar times, with overlapping browsing patterns? There's a good chance they belong to the same person. Indian ad-tech firms have gotten surprisingly good at this kind of inference.

A friend who works at an Indian ad-tech startup -- I won't name the company, but you'd recognize it -- told me over chai that their matching accuracy across devices sits around 85% for urban users. That's without the user ever giving explicit consent to be tracked across devices. "We don't need consent for probabilistic models," he said, which struck me as the kind of statement that should probably be tested in court at some point.

Location data is another layer entirely. Your food delivery app doesn't just need your location when you're ordering food. Swiggy and Zomato request "always on" location access, which means they can -- and do, based on their own privacy policies if you read them closely -- collect your GPS coordinates even when you're not using the app. Where you live, where you work, which gym you go to, how often you visit a hospital, which neighbourhood you shop in on weekends. Over a few months, that location history paints an extraordinarily detailed picture of your life.

Telecom companies sit on an even deeper goldmine. Jio, Airtel, and Vi can see your DNS queries -- a log of every website and service you connect to. Your ISP knows you visited that medical information site at 2 AM. It knows you browsed a competitor's job listings during lunch. It knows which political news sites you frequent. Jio, with over 450 million subscribers, has access to a dataset that would make most Silicon Valley companies jealous. Whether and how heavily they monetize that data is something I haven't been able to confirm with certainty, but their advertising platforms certainly suggest they're not letting it sit idle.

And then there's UPI transaction data. India processes over 12 billion UPI transactions a month as of early 2026. While NPCI manages the rails, the individual apps -- PhonePe, Google Pay, Paytm, and now dozens of smaller players -- see your transaction metadata. Merchant name, category, amount, frequency, time of day, location. Buy medicine from a pharmacy three times in a week and that pattern gets noted. Start paying a tutor and your "life stage" profile updates. PhonePe's advertising documentation, which I dug up on their business portal, directly mentions transaction-based audience segments for advertisers. You're being categorized by how you spend your money, and those categories are for sale.

Who's Building This Machine, and Why Should You Be Skeptical

I think a lot of people assume tracking is just an advertising thing. And yes, advertising drives most of it. But the actual ecosystem is more tangled than a plate of Maggi noodles.

Flipkart and Amazon India are the obvious ones. Both run massive advertising businesses on top of their e-commerce platforms. Flipkart Ads and Amazon Advertising India let brands target you based on your search history, purchase history, browsing patterns, wish list contents, and even products you looked at but didn't buy. Amazon's internal ad revenue in India reportedly crossed $1 billion in 2025, which gives you a sense of how valuable your browsing data is to them. Every product page you visit, every comparison you make, every review you read -- it's all fuel for their targeting engine.

Meesho, which markets itself as the accessible alternative for Tier 2 and Tier 3 cities, runs a similar system but with a social commerce twist. Because Meesho transactions often happen through WhatsApp sharing, the company has built models that infer social networks and influence patterns. Who shares products with whom, which communities drive purchases, how price sensitivity varies by region. It's clever, and it's a bit uncomfortable when you think about it too long.

Food delivery is a different beast. Swiggy and Zomato don't just know what you eat -- they know when you eat, how much you spend, whether you're vegetarian or non-vegetarian (a culturally sensitive data point in India that neither company seems to treat with particular caution), whether you order more on weekends, whether you respond to discounts, and how far you're willing to wait for food. Zomato's acquisition of Blinkit added grocery data to the mix. Now they can cross-reference your restaurant preferences with your grocery purchases. If you order paneer tikka every Friday night but buy raw paneer from Blinkit on Tuesdays, that tells a story about your cooking habits, your schedule, probably your household size.

Fintech apps might be the most aggressive data collectors of the bunch, though. Paytm, PhonePe, and others have positioned themselves as "super apps" -- payments, insurance, investments, lending, all in one place. Each of those verticals generates different data, and the super app model means it all gets pooled together. Your investment risk appetite, your insurance claims, your spending patterns, your credit behaviour -- a company like Paytm or PhonePe could theoretically build a more complete financial profile of you than your bank can. Whether they actually do is hard to verify from outside, but the data infrastructure is certainly there.

And then there's the data broker layer that most people don't even know exists. Indian data brokers -- companies you've absolutely never heard of -- buy, aggregate, and resell consumer data. They'll purchase email lists from one source, match them against phone numbers from another, layer on purchase data from a third, and sell the combined profile to anyone willing to pay. I've seen offerings on Indian B2B platforms advertising "verified consumer databases" with 50+ data points per person, covering demographics, purchase history, app usage, and financial behaviour. Some of these databases claim coverage of 200 million+ Indian consumers. The DPDP Act is supposed to curb this kind of activity, but enforcement has been, let's say, gradual.

Here's what bugs me most about all of this. Indian tech companies often frame data collection as a user benefit. "We collect data to improve your experience." "Personalization helps you discover products you'll love." And sure, there's a kernel of truth there. Recommendations can be genuinely useful. But that framing conveniently ignores the asymmetry. You don't get to see your profile. You don't know which of the 18 SDKs in your favourite app is sending data to which company. You can't audit what a data broker has on you. The "improved experience" argument works as long as you don't ask who else is improving their experience with your data.

I'm also somewhat skeptical of the "anonymized data" defence that companies love to trot out. Research has repeatedly shown that supposedly anonymized datasets can be re-identified with surprisingly little effort. A 2024 study from IIT Delhi demonstrated that location data from just four spatiotemporal points could uniquely identify 95% of individuals in an anonymized mobility dataset from an Indian telecom provider. Four data points. That's your home, your office, your weekend hangout, and one more location. "Anonymized" doesn't mean what companies want you to think it means.

What You Can Actually Do About It (And What Probably Won't Help Much)

I'll be honest here, because I think the privacy community sometimes oversells individual solutions. Can you completely stop Indian companies from tracking you while still using their services? No. Probably not. But you can make their job meaningfully harder, and you can limit the most egregious forms of data collection. That's worth doing even if it isn't perfect.

Start with your browser. If you're still using Chrome as your daily driver, you're making Google's job easy. Firefox with Enhanced Tracking Protection set to "Strict" blocks most third-party trackers and fingerprinting attempts. Brave goes a step further by blocking ads and trackers at the browser level. I've been using Brave on my phone and Firefox on my laptop for about eight months now, and honestly, the browsing experience isn't noticeably worse. Some sites break occasionally -- mostly banking portals with aggressive anti-fraud scripts -- but it's manageable.

DNS-level blocking is probably the single most effective technical measure you can take. A service like NextDNS or Adguard DNS filters out tracker domains before your device even connects to them. You set it up once on your phone or router and forget about it. I configured NextDNS on my home WiFi in about 15 minutes, and the logs were eye-opening -- hundreds of blocked tracker requests per day, from apps I thought were benign. If you're more technically inclined, running a Pi-hole on a Raspberry Pi gives you even more control, plus the satisfaction of seeing exactly which apps are phoning home.

App permissions need a serious audit. Go through your phone right now -- Settings, Apps, Permissions on Android; Settings, Privacy on iOS. Ask yourself: does Swiggy need my location when I'm not ordering food? Does Paytm need access to my contacts? Does that shopping app really need camera permission? Revoke anything that doesn't make immediate, obvious sense. On Android 14 and above, you can grant one-time permissions for location and camera, which is something I'd strongly recommend. On iOS, set location access to "While Using" for every app that supports it.

Ad personalization settings are buried deep in your phone's settings, which is probably by design. On Android, go to Settings > Privacy > Ads and toggle off ad personalization. Better yet, hit "Delete advertising ID" if your Android version supports it -- this resets the identifier that links your app activity. On iOS, go to Settings > Privacy & Security > Tracking and turn off "Allow Apps to Request to Track." Apple's implementation is actually pretty effective; app tracking dropped significantly in India after iOS 14.5 introduced this feature.

A VPN can help, but I want to be measured about how much. A VPN hides your browsing activity from your ISP -- so Jio or Airtel can't see which sites you visit. It also masks your IP address from the sites themselves. But a VPN doesn't stop in-app tracking, SDK data collection, or fingerprinting. Some people treat VPNs as a magic privacy shield, and they're really not. They're one layer. Mullvad and ProtonVPN are probably the most trustworthy options available in India right now; I'd steer clear of free VPNs, which have a documented history of selling user data themselves.

Check your payment app settings. This one's underrated. Open PhonePe, go to "My Account" > "Privacy Settings" and you'll find toggles for data sharing and marketing communications. Paytm has similar options buried in settings. Google Pay's data controls live in your Google Account settings under "Data & Privacy." Turning these off won't stop basic transaction processing, but it should limit how heavily your financial data gets used for advertising and profiling.

UPI apps also deserve a mention on the consent front. Under the DPDP Act, which got its enforcement teeth sometime in late 2025, you have the right to withdraw consent for data processing. Companies are supposed to provide a mechanism for this. Whether they actually make it easy is another question -- I've found that most Indian apps bury consent management in sub-sub-menus that nobody would find without specific instructions. But the right exists. Use it. File a complaint with the Data Protection Board if a company ignores your withdrawal request. Will it fix the systemic problem? No. Might it annoy them enough to behave slightly better? Maybe.

Here's the thing I keep coming back to, though. Individual action matters, but it isn't going to solve a structural problem. Indian companies track users because it's profitable, because the regulatory penalties have historically been negligible, and because users have been conditioned to trade privacy for convenience without thinking twice. I catch myself doing it all the time -- accepting permissions I shouldn't, skipping privacy settings I should configure, using apps I know are collecting more than they need.

What would actually change things? Strict enforcement of the DPDP Act would be a start. Mandatory transparency reports from companies about their data collection and sharing practices. A real, functional right to data portability so you can leave a service without losing everything. Maybe a cultural shift where we stop treating "I have nothing to hide" as a reasonable response to mass surveillance. I don't know if any of that's coming soon. But I know that understanding how the machine works is the first step toward deciding how much of yourself you're willing to feed into it.

So no, I'm still not reading every privacy policy. But I'm a lot more careful about which apps I install, which permissions I grant, and which services get my real information versus a throwaway email and a VPN connection. It's not perfect. It's probably not even enough. But it's a start, and it beats pretending none of this is happening.