Do I need to disclose Razorpay in my privacy policy?

Yes. Razorpay processes sensitive payment data on your behalf, making it a third-party data processor under GDPR, CCPA, and Indian data protection frameworks. You must explicitly name Razorpay in your privacy policy and explain what customer data you share with them during payment processing.

What specific data does Razorpay collect?

Razorpay collects and processes payment card details (tokenized for security), UPI identifiers, transaction amounts, customer names, email addresses, phone numbers, and bank account details used for merchant settlements. All card data is handled in compliance with PCI-DSS Level 1 standards.

Does Razorpay require a cookie consent banner?

No documented cookies are used by Razorpay's core payment processing. However, you should verify your implementation, as analytics or marketing tools integrated alongside Razorpay may use cookies. Review Razorpay's technical documentation for your specific integration.

Where is my payment data transferred and who processes it?

Razorpay Software Pvt. Ltd., based in India, is your payment processor. Payment data is transferred to and stored in India, subject to RBI (Reserve Bank of India) payment regulations. If you have EU customers, cross-border data transfer clauses (Standard Contractual Clauses) should be in place to comply with GDPR.

Fintech

Privacy policy clauses for Razorpay

Razorpay is a payment gateway that processes online transactions for merchants in India and emerging markets. Websites integrate Razorpay to accept credit cards, debit cards, UPI, and bank transfers from customers, handling payment processing and settlement.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Razorpay collects

Your privacy policy must disclose each of the following data types when you use Razorpay.

Payment card and UPI details (tokenized)

Transaction data and amounts

Customer name, email, and phone

Bank account details for settlements

When does Razorpay trigger privacy obligations?

Razorpay integration triggers privacy obligations the moment payment processing begins—specifically when customer payment card details, UPI identifiers, bank account information, and personally identifiable data (name, email, phone) flow through Razorpay's infrastructure.

Immediate triggers:

–PCI-DSS compliance: Razorpay holds PCI-DSS Level 1 certification, but your business becomes a PCI-DSS merchant the instant you accept card payments through it. You must conduct a Self-Assessment Questionnaire (SAQ) and maintain compliance scope documentation.

Privacy policy clauses for Razorpay

What data Razorpay collects

When does Razorpay trigger privacy obligations?

Where data goes

Common compliance pitfalls

Missing or incomplete Data Processing Agreement

Omitting Razorpay from privacy policy disclosures

Misunderstanding PCI-DSS tokenization as full data handling exemption

Legal note

Sample privacy policy clause

What regulators look for

Frequently asked questions

Do I need to disclose Razorpay in my privacy policy?

What specific data does Razorpay collect?

Does Razorpay require a cookie consent banner?

Where is my payment data transferred and who processes it?

Don't ship without Bandit.