Indian E-commerce Platforms and Your Data: What They Collect

Indian e-commerce companies tell you they collect data to "improve your experience." That framing suggests they're doing you a favor. The reality is the opposite — your data is the product they sell to advertisers, and the shopping experience is the bait. That's not a conspiracy theory or an exaggeration. It's the business model, stated plainly in their own privacy policies if you bother to read them. Most people don't.

India's online retail market crossed $80 billion in 2025. Flipkart, Amazon India, Meesho, Myntra, JioMart, Ajio — each one runs on a dual revenue stream: the margins on goods sold and the monetization of user data. The second stream is growing faster than the first. Flipkart's advertising division, for instance, reportedly generated over Rs 5,000 crore in revenue during fiscal year 2025. That money comes from brands paying to target you using the behavioral profile Flipkart has assembled from your browsing, purchasing, and searching habits.

So what exactly gets collected? The registration data is the obvious part — name, email, phone number, delivery addresses. But that's the shallow end. The deeper collection happens silently, in the background, every second you have the app open. Every product you view gets logged with a timestamp. Every search query is stored. When you add something to your cart and don't buy it, that's recorded as a "cart abandonment event" tied to the specific item, price point, and time of day. When you compare two products, the platform notes which one you lingered on longer. If you scrolled past a product without clicking, that disinterest is data too. These signals, accumulated over weeks and months, build what the industry calls a "consumer graph" — a behavioral profile precise enough to predict what you'll want to buy before you know you want it.

Location tracking adds another dimension. Most e-commerce apps request GPS access, and many users grant it without thinking. Even without GPS permission, the apps infer your approximate location from your IP address, delivery pin codes, and the Wi-Fi networks your phone connects to. They know where you live, where you work, and which stores you visit physically. That last part might sound paranoid, but location-based retargeting — showing you online ads for products similar to what you browsed in a physical store — is a documented advertising technique. Amazon holds patents on it.

Payment data occupies a somewhat murkier space. The RBI's card tokenization mandate from 2022 means platforms can no longer store your full credit or debit card numbers. That was a genuine improvement. But they still retain transaction metadata: what you bought, when, how much you paid, which payment method you used, whether you chose EMI, and whether the transaction succeeded or failed. Your saved UPI IDs remain on their servers. Wallet balances and transaction histories through embedded financial services like Amazon Pay, Flipkart Pay Later, or PhonePe are fully visible to the platform. This financial behavior data is probably the most sensitive category they hold, and it feeds directly into their lending products. When Flipkart offers you a "Pay Later" limit of Rs 50,000, that number wasn't pulled from thin air — it was calculated from your purchase history, return behavior, and payment consistency.

Third-party data sharing is where the picture gets genuinely messy. Flipkart's privacy policy, last updated in mid-2025, lists categories of entities it shares data with: "business partners, logistics partners, payment processors, advertising networks, analytics providers, and other third parties." That phrase "other third parties" is doing a lot of work in that sentence. Amazon India's policy is similarly broad. The practical effect is that your data doesn't stay within the platform where you generated it — it flows outward to an ecosystem of companies you've never interacted with and whose names you wouldn't recognize. Ad networks like Google Ads and Meta's advertising platform receive behavioral signals from e-commerce apps through embedded SDKs. When you search for running shoes on Flipkart and then see running shoe ads on Instagram thirty minutes later, that's not a coincidence. It's a data pipeline functioning as designed.

What E-commerce Platforms Actually Collect

Meesho presents an interesting case because its user base skews toward smaller towns and less digitally literate users. The platform's social commerce model encourages resellers to share product links via WhatsApp, which means the data collection extends beyond the app itself into messaging patterns. When a reseller shares a Meesho product link, the platform can track how that link propagates — who clicks it, from which city, on what device. This social graph data, layered on top of standard e-commerce tracking, gives Meesho a uniquely detailed picture of purchasing influence networks in tier-2 and tier-3 India.

The behavioral manipulation enabled by all this data collection deserves attention. Dynamic pricing — adjusting the price a specific user sees based on their browsing history, device type, and purchase likelihood — remains controversial and difficult to prove conclusively. But experiments by Indian consumer rights organizations have documented price variations of 5-15% for identical products shown to different user profiles on the same platform at the same time. Whether you call that "personalized pricing" or "discrimination" depends on your perspective, but it's enabled entirely by the data these platforms collect about you. Someone browsing on an iPhone in south Mumbai might see a higher price than someone on a Redmi phone in Bhopal, for the same product with the same seller.

The Digital Personal Data Protection Act of 2023 gives Indian users some theoretical rights here. Under Section 12, you can request erasure of your personal data from any data fiduciary once the purpose for collection has been served. Sections 5 and 6 require informed consent before data processing and limit collection to what's necessary for the stated purpose. In practice, enforcement is still thin. The Data Protection Board of India was only fully constituted in early 2026, and as of February, no significant enforcement actions have been taken against e-commerce platforms. The platforms' consent mechanisms — those long privacy policies you tap "Accept" on without reading — are technically compliant with the law while being practically incomprehensible to most users.

The Third-Party Data Sharing Ecosystem

There are things you can do to reduce your data exposure, and I'll list them, though I should be honest that none of them eliminate the problem entirely. Using a dedicated email address for e-commerce — one that isn't linked to your banking or professional identity — limits cross-platform profiling. Denying location permissions and camera access to shopping apps removes two major data streams without affecting basic functionality. Paying through UPI or cash-on-delivery instead of saving cards reduces stored financial data. Periodically clearing your search and browsing history on each platform removes some behavioral data, though what's already been processed and shared with third parties won't be affected. Using a browser-based version of the platform instead of the app gives the platform significantly less access to your device data — no contacts, no installed app list, no sensor data. The app versions are more aggressive in their data collection, which is precisely why every e-commerce platform pushes you so hard to "use the app for the best experience."

App permissions deserve their own paragraph because the overreach is striking. I went through the permission requests of five major Indian e-commerce apps in January 2026. Flipkart requested access to: location, camera, microphone, contacts, phone state, storage, and the ability to run at startup. Amazon India's list was nearly identical. Meesho added SMS permissions. A shopping app has no legitimate reason to access your microphone, your contacts list, or your SMS messages. The justifications offered — "to enable voice search," "to help you share deals with friends," "to auto-read OTPs" — are thin covers for data collection that benefits the platform, not the user. Deny all non-obvious permissions and see if the app still works for your purposes. It almost always does.

Legal Protections Under DPDPA

The review and rating system is another data collection mechanism that people don't think about. When you write a product review on Amazon or Flipkart, you're providing free content that the platform monetizes while simultaneously revealing information about your preferences, expectations, and communication style. Review text gets analyzed by natural language processing systems to extract sentiment, feature preferences, and even socioeconomic indicators. A review that says "Good quality for the price, my daughter loved the design" tells the platform your approximate family composition, your price sensitivity, and the age range and gender of someone you buy for. That's a lot of signal in one sentence.

How to Reduce Your Data Exposure

Return behavior is tracked meticulously. If you have a high return rate, your account gets flagged — not just for potential fraud detection, but for pricing and promotion decisions. Platforms are less likely to offer deep discounts to users who frequently return items, because the cost of processing returns erodes the value of the sale. Your return reasons ("didn't match description," "too small," "changed my mind") are categorized and stored as part of your profile.

Voice assistant integration adds yet another layer. Alexa on Amazon, and increasingly Google Assistant integration on other platforms, captures voice queries and stores them. If you've ever asked Alexa to "add rice to my shopping list" or "find deals on headphones," those voice recordings exist on Amazon's servers and are linked to your account. Amazon's Alexa privacy settings let you delete recordings, but the metadata about what you asked and when remains.

Where does all this lead? The Indian e-commerce data collection machinery is vast, growing, and largely invisible to the people feeding it. The DPDPA provides a legal framework, but enforcement hasn't caught up to the scale of the problem. Platform self-regulation hasn't materialized in any meaningful way — the incentives point in the wrong direction. Consumer awareness remains low, particularly in the demographics growing fastest as e-commerce users: rural and semi-urban India, older adults coming online for the first time, and young users who've never known shopping without data tracking.

Quick commerce apps — Blinkit, Zepto, Instamart — deserve special attention because their data collection is even more granular than traditional e-commerce. These apps know what you eat, drink, and clean your house with. They know your consumption frequency for specific products, which tells them things about your health, habits, and lifestyle that even your closest friends might not know. If you order condoms, pregnancy tests, alcohol, or specific medications through quick commerce (some platforms now deliver OTC medicines), that information exists in a database somewhere. The intimate nature of grocery and essentials data is qualitatively different from knowing you browsed for headphones. And because quick commerce orders are tied to your home address with 10-minute delivery precision, the platform has a very accurate picture of when you're at home. When you pair that with order contents, the profile becomes uncomfortably personal.

Voice commerce through smart speakers adds yet another data stream. Alexa Shopping on Amazon Echo devices lets you add items to your cart and place orders through voice commands. Every voice interaction is recorded, processed, and stored by Amazon. The recordings are analyzed by AI systems and, in some cases, reviewed by human workers for quality assurance. If you've got an Echo in your kitchen and you occasionally ask Alexa to order groceries, Amazon has audio recordings of your home environment linked to your purchasing account. The audio might capture background conversations, children's voices, or other ambient sounds. Amazon's Alexa privacy settings let you delete recordings, but most users never access those settings, and the data that's already been processed and extracted doesn't disappear just because the recording does.

Quick Commerce and Intimate Data Collection

Delivery data is a category people rarely consider. When you order something online, the delivery partner — Delhivery, Ecom Express, Blue Dart, or the platform's in-house logistics — receives your name, phone number, full address, and sometimes the contents of the package. They know when you're typically home to receive deliveries (weekday versus weekend patterns), what kinds of products you order (the weight and dimensions tell a story), and how often you order. Logistics companies have their own data retention practices, which are almost never communicated to the end consumer. You didn't choose to share your data with Delhivery — Flipkart shared it on your behalf as part of the fulfillment process. The DPDPA's consent framework doesn't cleanly address this triangular data sharing, where the entity collecting your consent (the e-commerce platform) passes your data to a third party (the logistics provider) that you have no direct relationship with.

Loyalty programs and reward systems add another wrinkle. Amazon Prime, Flipkart Plus, Myntra Insider — these programs offer perks in exchange for deeper engagement, which means deeper data collection. Prime members give Amazon data not just about their shopping but about their video watching habits, their music preferences, their reading choices through Kindle, and their smart home usage through Alexa devices. The data integration across these services creates a profile that's arguably more detailed than what any single platform should hold about an individual. Whether you consider that a fair trade for free delivery and streaming content is a personal decision, but most people make it without fully understanding what they're giving up.

The children's data angle is worth raising as well. Indian e-commerce platforms don't meaningfully distinguish between adult and child users in most cases. A teenager shopping on Meesho or adding items to a parent's Flipkart cart generates behavioral data that gets folded into the same profiling machinery as adult data. The DPDPA has specific provisions about processing children's data — requiring verifiable parental consent and prohibiting tracking and behavioral advertising directed at minors — but the implementing rules haven't been finalized yet. In the meantime, platforms continue to collect data from users of all ages without age-gated consent mechanisms.

Delivery Data and Loyalty Programs

The subscription economy layered on top of e-commerce creates additional data exposure. Amazon Prime, Flipkart Plus, Myntra Insider, and similar programs track not just your shopping but your engagement patterns — how often you log in, which promotional emails you open, which sale events you participate in, whether you watch Prime Video before or after shopping. This multi-dimensional behavioral tracking feeds prediction models that determine which discounts you see, which products appear on your homepage, and even which delivery slots are offered to you. Premium members, ironically, may face more granular tracking than free-tier users because the platform invests more in understanding and retaining them.

Cross-border data transfers complicate the picture further. Amazon India's data is processed using Amazon Web Services infrastructure that spans multiple countries. When you upload a photo for a product review or share your Aadhaar for seller verification, that data may be processed on servers outside India. The DPDPA permits cross-border transfers except to countries specifically blacklisted by the government (no blacklist has been published as of early 2026), which means your data can legally travel to jurisdictions with weaker privacy protections than India's. The EU-India data adequacy talks that resumed in February 2026 highlight how this issue cuts in both directions — India wants to be recognized as having adequate protections, while simultaneously allowing relatively free outbound data flows.

The question worth sitting with isn't whether Indian e-commerce platforms collect too much data — they clearly do, by any reasonable standard. The question is whether Indian consumers, regulators, and courts will eventually decide that the trade-off of convenience for surveillance is one they're willing to keep making. That answer isn't obvious, and it hasn't been settled yet.

Cross-Border Data Transfers