How to Delete Your Data from Indian Telecom Companies

Ever wonder why you still get promotional texts from a telecom provider you ditched three years ago? I did. In late 2025, I decided to find out what Jio, Airtel, Vi, and BSNL were still holding on me, and then I tried to make them delete it. The whole process took about four months. Some of it worked. A lot of it didn't. Here's what happened.

The Phone Call That Started It

A friend of mine works in digital forensics for a law firm in Hyderabad. We were grabbing chai in December 2025 when she mentioned, almost offhand, that telecom companies are probably the single largest holder of personal data in India outside the government itself. "Bigger than Google for most Indians," she said. "Because your phone company knows where you sleep."

That stuck with me. I'd switched from Airtel to Jio back in 2022, and then from Jio to a Vi postpaid plan in mid-2024. My BSNL landline had been disconnected since 2021. That's four telecom companies that had collected my data at various points. I figured I'd test the system and try to get all of them to purge what they had.

What I didn't expect was how much they'd actually kept.

What They're Sitting On

Before I get into the deletion attempts, it's worth understanding the sheer volume of data a telecom operator accumulates on a single subscriber. I requested data access reports from all four companies. Only two responded within the 30-day window. But between those responses and what's publicly documented in TRAI filings and DoT regulations, here's the rough picture:

Call Detail Records (CDRs)

Every call you make or receive gets logged. The number you called, the number that called you, the duration down to the second, the timestamp, and the cell tower that handled the connection. Jio's data access report listed my CDRs going back to my activation date in 2022. That's every single call over a roughly two-year period, around 4,800 entries in my case. Airtel's records, which I only got after filing a formal grievance, went back even further to 2019.

TRAI mandates that operators retain CDRs for a minimum of two years. But "minimum" is doing a lot of heavy lifting in that sentence. There's no upper cap written into the regulation, and most operators seem to just keep them indefinitely because storage is cheap and the DoT occasionally asks for historical records during investigations.

Location Data

This is the one that probably should bother people more than it does. Your phone constantly pings cell towers, and the operator logs those connections. It's not GPS-precise, but in urban areas with dense tower coverage, it can narrow your location to within a few hundred metres. In a city like Bengaluru or Mumbai, that's specific enough to know which neighbourhood you're in at any given hour.

My Jio data access report included what they called "network event logs." Reading through them, I could reconstruct my daily commute, identify the days I worked from home, and pick out the weekend I drove to Pondicherry. They had roughly 18 months of this data for my account.

KYC Documents

When you activate a SIM in India, you hand over an Aadhaar card copy (or other government ID), a photograph, and sometimes biometric data. The telecom stores all of this. Airtel had my Aadhaar number, a scanned copy of my Aadhaar card, a photograph taken at the point of sale, and my signature from the customer application form. That's from a connection I started in 2018.

BSNL, to their credit, told me they'd destroyed the physical copies of my KYC documents after disconnection. Whether the digital scans still exist on some backup server is a different question, and one they didn't answer.

Browsing and App Data

If you're not using a VPN, your telecom can see your DNS queries, which means they have a rough log of every website you visit and every app that phones home to a server. The extent to which they actually record and store this varies. Jio's privacy policy mentions "service usage data" and "browsing information" but is vague about retention periods. Vi's policy is similarly opaque.

I'd been running a VPN on my phone since mid-2023, so this was less of a concern for me personally. But for the hundreds of millions of Indian mobile users who don't use a VPN, the telecom basically has a browsing history that rivals what Google collects.

Financial Records

Recharge history, payment methods, UPI IDs used for bill payments, autopay mandates. Airtel had records of every recharge I'd done, including the UPI transaction IDs. They also had the last four digits of a debit card I'd used exactly once, in 2019, to pay a bill through their website.

The Legal Groundwork

Before sending any deletion requests, I spent a couple of weeks reading up on the actual legal framework. Here's what I found, stripped of the legalese.

The DPDP Act's Data Erasure Provisions

The Digital Personal Data Protection Act of 2023 gives Indian citizens the right to request erasure of personal data. Section 12 says you can withdraw consent at any time, and Section 13 covers the obligation to delete data that's no longer needed for its original purpose. In theory, once you've closed your telecom account, most of your data has no ongoing purpose.

In practice, there's a significant carve-out. The Act allows data fiduciaries (that's what they call companies that process your data) to retain information if it's needed to comply with other laws. And telecom companies have several other laws they can point to.

The TRAI and DoT Retention Rules

TRAI's regulations require CDR retention for two years from the date of the call. The DoT's Unified License agreement requires operators to assist with lawful interception and maintain records for that purpose. Neither regulation specifies exactly how long KYC data must be kept after disconnection, which creates a grey area that operators tend to interpret in their own favour.

The Prevention of Money Laundering Act also requires certain KYC records to be maintained for five years after the business relationship ends. Since telecom KYC was linked to Aadhaar-based verification, some operators claim PMLA obligations cover their retention of your identity documents.

So the picture, as of early 2026, is something like this: CDRs are locked in for two years minimum, KYC documents are arguably locked for five years under PMLA, and everything else is a grey zone where the operator gets to decide.

Attempt One: Jio

I started with Jio because I still had an active connection with them (I'd kept an old SIM as a backup). I figured it'd be easier to make a request as a current customer.

I submitted a data erasure request through the MyJio app's privacy settings in the first week of January 2026. The app has a "Data & Privacy" section buried about four taps deep in the settings menu. There's a form where you can request access to your data, correction of data, or deletion of data.

I selected deletion and specified that I wanted all data removed that wasn't required by law to be retained. The app gave me a reference number and told me I'd hear back in 30 days.

Twenty-two days later, I got an email from Jio's privacy team. They said they'd deleted my "marketing preferences and associated profiling data." That's it. When I asked about CDRs, location logs, and browsing data, they cited regulatory requirements and said they were "unable to action this request at this time." They didn't specify which regulation. I wrote back asking for specifics. As of mid-March, I haven't gotten a reply to that follow-up.

I also emailed their nodal officer directly at nodalofficer@ril.com. The response came faster, within nine days, but said essentially the same thing. The language was polite and extremely non-committal. They confirmed my marketing data had been purged and that "other data categories are being reviewed in line with applicable legal requirements."

Attempt Two: Airtel

Airtel was trickier because I'd already ported out in 2022. I no longer had an active Airtel connection, which meant I couldn't use the Airtel Thanks app to submit a request. The app wouldn't even let me log in without an active Airtel number.

So I went the email route. I wrote to appellate.authority@airtel.com, citing Section 12 and Section 13 of the DPDP Act, and requested deletion of all personal data associated with my old mobile number. I attached a copy of my Aadhaar (redacted, with only the last four digits visible) and the port-out confirmation from 2022.

Airtel's response came on day 28, right before the 30-day deadline. They acknowledged the request and said they'd "initiated the process for deletion of data not mandated for retention under applicable laws and regulations." They listed what they'd delete: marketing profiles, app usage analytics, and "certain service interaction logs." They specifically said CDRs and KYC documents would be retained "as required under TRAI/DoT regulations and other applicable laws."

I pressed them on the KYC retention timeline. When would they delete my Aadhaar scan? The response took another three weeks, and it was vague. They said KYC data would be retained "for the period mandated under applicable regulations" without naming a specific timeframe or statute. When I specifically mentioned the five-year PMLA window and pointed out that my account had been closed for nearly four years, they stopped responding.

One thing I'll give Airtel: they did send a confirmation that marketing and profiling data had been deleted, and they removed me from promotional communications. The spam SMSes stopped within a week of the confirmation. So that's something, I suppose.

Attempt Three: Vi (Vodafone Idea)

Vi was my current primary connection, which made things both easier and more complicated. Easier because I had full app access. More complicated because I didn't want to trigger any account issues while actively using the service.

I used the Vi app's privacy section to submit a data minimisation request rather than a full deletion request. I asked them to delete all data beyond what was strictly necessary to provide my current service and comply with legal retention requirements.

The grievance officer's email is grievanceofficer@vodafoneidea.com, and I copied them on the request as well. Vi's response was the most detailed of the four. They came back in 19 days with an itemised list of data categories and their retention status.

Here's roughly what they said:

• CDRs: Retained for minimum two years per TRAI regulation. Older CDRs "periodically purged" but no specific schedule given.
• Location logs: Retained for one year per internal policy, then deleted. They said my logs older than 12 months had already been purged.
• KYC documents: Retained for the duration of the active connection plus five years, citing PMLA.
• Browsing data: Retained for six months, then aggregated and anonymised. Individual records deleted after aggregation.
• Payment records: Retained for seven years per income tax and financial regulations.
• Marketing profiles: Deleted upon request. They confirmed mine was removed.

This was probably the most honest and transparent response I got from any of the four companies. Vi didn't pretend they were deleting everything, and they gave me actual timelines. Whether those timelines are accurate is another question, but at least they engaged with the specifics.

Attempt Four: BSNL

And then there's BSNL. My landline had been disconnected since 2021. I didn't have a grievance officer email for the local circle, so I started with the BSNL corporate office and the general customer care portal.

I submitted a deletion request through the BSNL selfcare portal. The portal is, to put it charitably, showing its age. It took three attempts to get the form to submit without a timeout error. I also sent a physical letter by registered post to the BSNL Circle GM office in my city, because with a government telecom, paper sometimes works better than pixels.

The response came by email, 47 days after my initial request, well past the 30-day window. It was a one-paragraph email saying that my "subscriber records" had been "archived as per DoT guidelines" and that data from disconnected lines was "maintained for regulatory compliance." No specifics about what data, which regulations, or how long.

I sent a follow-up asking for the specifics I'd gotten from Vi. That was in late February. I'm still waiting. Given that BSNL is a government-owned company, I'm half-considering filing an RTI request to get at the actual retention policy. That might end up being more productive than the privacy request route, though it's a different legal mechanism entirely.

Port-Out vs. Full Disconnection: A Distinction That Matters

Something I learned during this process: how you leave a telecom operator affects what happens to your data. When you port out your number to a new provider, the old provider deactivates your SIM but doesn't treat it as a full account closure. Your number technically still exists in the system; it's just been transferred. Some operators treat ported-out accounts differently from disconnected accounts when it comes to data retention.

Airtel, for example, told me that ported-out numbers have their data retained for the same duration as active subscribers, because the number might be ported back. That seems like a stretch, legally speaking, but it's the position they've taken.

Full disconnection, where you surrender the number entirely, should trigger a cleaner data lifecycle. The number goes back into the pool, the account is closed, and the retention clocks start ticking. Should being the operative word. In reality, I found that disconnection didn't automatically trigger any deletion. You still have to specifically request it.

If you're leaving a telecom and don't plan to keep the number, you're probably better off doing a full disconnection rather than just letting the SIM expire. At least then there's a clear account closure date that starts the retention countdown.

What Actually Got Deleted

After four months of emails, app submissions, follow-ups, and one registered letter, here's the honest tally of what was actually removed across all four operators:

• Marketing profiles and advertising data: Deleted by Jio, Airtel, and Vi. BSNL didn't confirm.
• Promotional communication preferences: Removed by all three private operators.
• App usage analytics: Deleted by Airtel and Vi.
• Browsing history older than six months: Vi confirmed deletion. Others didn't address it.
• Location logs older than 12 months: Vi confirmed deletion. Others didn't address it.

And here's what didn't get deleted:

• CDRs: Retained by everyone, citing TRAI's two-year rule, though none would confirm deletion after two years either.
• KYC documents: Retained by everyone, with PMLA cited as the reason.
• Payment records: Retained, with financial regulations cited.
• Core subscriber records: Name, address, number, activation date, plan details. Nobody deleted these.

So the stuff they deleted was mostly the stuff they use for advertising and analytics. The stuff that actually identifies you and tracks your movements? That stayed. I'm not sure this is what the framers of the DPDP Act had in mind, but it's what the operators have decided the law means.

The Escalation Option

If a telecom company ignores your deletion request or gives you an unsatisfactory response, the DPDP Act provides for complaints to the Data Protection Board of India. The Board was constituted in late 2025 and is still building out its processes. As of early 2026, there's no public record of the Board ordering a telecom company to delete specific data, so it's unclear how aggressive they'll be on enforcement.

You could also approach the TRAI consumer grievance mechanism or file a complaint with the DoT's public grievance portal (pgportal.gov.in). In my experience, the DoT route works better for service-related issues than data privacy ones, but it's another pressure point.

The nuclear option is filing a complaint under the Consumer Protection Act, 2019. If the operator has retained data beyond what's legally required and you can show harm, or even potential harm, a consumer forum complaint might get more traction than the data protection route. It's slower and more cumbersome, but consumer forums in India have a longer track record of holding telecom companies accountable than the brand-new Data Protection Board.

A Few Things I'd Do Differently

If I were starting this process again, I'd change a few things. First, I'd send deletion requests by registered post in addition to email, for every operator. Paper trails carry more weight in Indian regulatory proceedings than email threads. Second, I'd file the requests while I was still an active customer, not after leaving. Active customers seem to get faster responses, and you've got more bargaining power when you can threaten to port out. Third, I'd ask for the data access report first and wait for it before sending the deletion request. That way you've got a documented baseline of what they held, which makes it harder for them to claim they've deleted things they haven't.

One more thing. If you're using a prepaid SIM and you let it lapse without formally requesting disconnection, the operator has even less incentive to process your data. There's no account closure event, no formal end to the relationship. The SIM just goes quiet. Your data sits there in their systems, belonging to a number that'll eventually get recycled and assigned to someone else. Whether your old data gets linked to the new subscriber is a question I haven't been able to answer, and honestly, it's one that keeps me up at night a little.

Where This Leaves Us

The gap between what the DPDP Act promises and what telecom companies actually deliver is wide. It's not that they're openly defying the law. They're working the grey areas, leaning on the exceptions, and making the process just inconvenient enough that most people won't bother. The two-year CDR retention becomes indefinite retention because nobody checks. The five-year KYC window becomes forever because nobody audits. The right to erasure becomes the right to stop getting spam, and the rest of your data stays exactly where it was.

I don't think this will change until the Data Protection Board starts issuing penalties. Or until someone files a high-profile case. Or until enough people go through this process and publicly document what happened that the telecoms face pressure to do better. Maybe this is a small contribution to that last option.