Razorpay is an Indian payment gateway and full stack financial platform founded in 2014, headquartered in Bangalore. It enables online merchants to accept payments via cards, UPI, net banking, wallets and EMI. For European merchants serving Indian customers, Razorpay involves a cross border transfer of payment data to India, a country without a GDPR adequacy decision.
Razorpay is an Indian payment gateway and full stack financial services platform founded in 2014 by Harshil Mathur and Shashank Kumar. Headquartered in Bangalore, it serves more than 10 million businesses in India and provides solutions for card payments, UPI, net banking, wallets, EMI, subscriptions, payouts and lending. It is registered with the Reserve Bank of India as a Payment Aggregator and is PCI DSS Level 1 certified.
Razorpay processes payment instrument data (card number, expiry, CVV when entered, UPI VPA, bank account), buyer name, email, phone, billing address, IP address, device fingerprint and transaction amount. The checkout iframe served from checkout.razorpay.com sets first party cookies on its own domain for session continuity, CSRF protection and fraud detection. When integrated as a redirect or hosted page, Razorpay may also set cookies for partner attribution.
For European merchants serving Indian customers or operating in India, Razorpay acts as a data processor for the transaction and as an independent controller for its own fraud and regulatory obligations. The ePrivacy Directive applies to cookies the merchant's own page would set, but the Razorpay checkout iframe is on a third party domain, so consent for non essential cookies should be obtained before the iframe loads. Strictly necessary cookies for completing the payment are exempt.
No consent is required for the strictly necessary checkout cookies that fraud prevention and session continuity depend on. Consent is required for any analytics or marketing cookies Razorpay loads inside the checkout overlay, and merchants must inform users that their data will be transferred to India. The privacy notice should disclose Razorpay as a sub processor and reference the Standard Contractual Clauses.
All Razorpay processing happens in India, which has no Art. 45 GDPR adequacy decision. Transfers from EU controllers therefore require Standard Contractual Clauses with supplementary measures, a Transfer Impact Assessment, and a notice to data subjects. Card data is further shared with international card networks. The Indian DPDPA 2023, the Telegraph Act and the IT Act allow lawful access by Indian authorities, which must be analysed in the TIA.
Sign Razorpay's Data Processing Agreement and Standard Contractual Clauses, complete a Transfer Impact Assessment that accounts for Indian government access powers, list Razorpay and its sub processors in your Record of Processing Activities, configure the checkout to load only after consent for non essential cookies, disclose the India transfer in your privacy notice and at checkout, restrict the amount of customer data passed to Razorpay to the minimum required and rely on tokenisation where possible.
Websites using Razorpay must obtain user consent under GDPR regulations.
DPIA considerations
Razorpay processes payment card and personal data in India. Key DPIA considerations: (1) India has no GDPR adequacy decision, so transfers require SCCs and a Transfer Impact Assessment; (2) RBI rules force payment data to be stored in India, limiting alternative locations; (3) Razorpay holds PCI DSS Level 1 certification and is registered with RBI as a Payment Aggregator; (4) the checkout iframe sets cookies for fraud prevention that may be classified as strictly necessary, while analytics cookies require consent; (5) Razorpay shares data with card networks (Visa, Mastercard, RuPay) and acquiring banks; (6) the Digital Personal Data Protection Act 2023 changes the Indian legal landscape and should be referenced in the Transfer Impact Assessment.
Sample consent text
We use Razorpay, an Indian payment gateway, to process your card, UPI and bank payments. Razorpay places strictly necessary cookies on its checkout window for fraud prevention and shares transaction data with card networks and acquiring banks. Your payment data is transferred to and stored in India under Standard Contractual Clauses.
Third-party domains contacted
- razorpay.com
- checkout.razorpay.com
- api.razorpay.com
- cdn.razorpay.com
- lumberjack.razorpay.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| rzp_checkout_anonymous_token | Functional | Session | Anonymous session identifier set by the Razorpay checkout iframe to maintain context during the payment flow. |
| rzp_device_id | Functional | 1 year | Persistent device identifier used by Razorpay for fraud detection across payment sessions. |
| rzp_stored_user_id | Functional | 1 year | Stores a customer identifier when the buyer uses Razorpay saved instruments to speed up future checkouts. |
| csrf_token | Functional | Session | CSRF protection token used by the Razorpay checkout API to validate requests during a payment session. |
Razorpay uses cookies for user preferences — inform visitors with a consent banner.
Razorpay sets first party cookies on its checkout.razorpay.com domain (rzp_checkout_*, rzp_device_id, rzp_stored_user_id, csrf_token) for session continuity, device fingerprinting and fraud detection. These are strictly necessary for the checkout iframe. Any analytics cookies inside the overlay would require consent.
You do not need consent for the strictly necessary cookies the checkout iframe sets to process a payment. You do need to inform users that data is transferred to India and that Razorpay is a sub processor. If you embed the checkout before consent, only the necessary cookies should be loaded.
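To check the claim that only the documented necessary cookies appear before consent, the Set-Cookie headers captured from a checkout session can be audited against the cookie table. The following is an added example, not code from Razorpay or from this page; the function names and the sample headers are constructed for illustration.

```javascript
// Cookies documented in the table above: name pattern -> documented lifetime
// in days (0 = session cookie). The rzp_checkout_ prefix follows "rzp_checkout_*".
const DOCUMENTED = [
  { match: /^rzp_checkout_/, days: 0 },
  { match: /^rzp_device_id$/, days: 365 },
  { match: /^rzp_stored_user_id$/, days: 365 },
  { match: /^csrf_token$/, days: 0 },
];

// Parse one Set-Cookie header value into { name, days }.
// Max-Age takes precedence over Expires (RFC 6265); neither means session.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair : pair.slice(0, eq);
  let seconds = 0;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'max-age') { seconds = Number(val) || 0; break; }
    if (key === 'expires') seconds = (Date.parse(val) - now) / 1000 || 0;
  }
  return { name, days: Math.max(0, seconds) / 86400 };
}

// Return a finding for every cookie that is not in the documented set or that
// outlives its documented duration (one day of tolerance).
function auditCookies(headers, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const { name, days } = parseSetCookie(header, now);
    const rule = DOCUMENTED.find((r) => r.match.test(name));
    if (!rule) findings.push({ name, issue: 'undocumented' });
    else if (days > rule.days + 1) findings.push({ name, issue: 'lifetime exceeds documented' });
  }
  return findings;
}

// Constructed sample: Set-Cookie values as they might appear in a HAR export.
const SAMPLE_HEADERS = [
  'rzp_checkout_anonymous_token=abc; Path=/; Secure; HttpOnly',
  'rzp_device_id=dev123; Max-Age=31536000; Secure',
  'csrf_token=t0k; Max-Age=2592000; Secure',
  '_example_analytics=1; Max-Age=63072000',
];
console.log(auditCookies(SAMPLE_HEADERS));
```

Any finding is a prompt to re-check the cookie inventory and the consent classification before the checkout is loaded ahead of consent.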
Contract performance (Art. 6(1)(b) GDPR) covers processing the transaction the customer requested. Legitimate interest (Art. 6(1)(f) GDPR) covers fraud prevention, anti money laundering and audit obligations. Any marketing cookies inside the checkout require consent (Art. 6(1)(a) GDPR).
All Razorpay processing happens in India, primarily in Mumbai data centres, with disaster recovery in other Indian regions. India has no GDPR adequacy decision, so EU controllers must use Standard Contractual Clauses, document a Transfer Impact Assessment that considers Indian government access powers, and inform data subjects of the transfer.
A DPIA is recommended for any merchant processing personal data through Razorpay because of the third country transfer to India and the volume of payment data. The DPIA should cover the transfer to India, sharing with card networks, the DPDPA 2023 and RBI rules, retention of payment data and tokenisation strategies.
Sign the Razorpay Data Processing Agreement and SCCs, complete a Transfer Impact Assessment, restrict the data passed to Razorpay to what is needed for the payment, prefer tokenisation over storing raw card data, disclose Razorpay in your privacy notice and at checkout, and ensure your cookie banner does not load any non essential script before consent.
For EU centric flows, consider Stripe, Adyen, Mollie, Klarna or Worldline, all of which process primarily inside the EEA and have established SCC frameworks. Razorpay remains relevant when you specifically need to accept payments from Indian customers (UPI, RuPay, Indian net banking).
List Razorpay as a sub processor in your privacy notice, name the categories of payment data shared, disclose the transfer to India, reference the SCCs and your Transfer Impact Assessment, mention the cookies the checkout iframe sets and their fraud prevention purpose, and link Razorpay's own privacy policy and DPA.