DPDP Comply← Back to Home

Privacy Policy

Effective date: April 4, 2026

1. Introduction

DPDP Comply ("we", "us", "our") operates the dpdpcomply.in platform, a software-as-a-service solution that helps businesses comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act). This Privacy Policy explains how we collect, use, store, and protect personal data when you use our platform.

We are committed to transparency and to handling personal data responsibly. This policy applies to all users of the DPDP Comply platform, including account holders, team members, and visitors to our website.

2. Data We Collect

Account Data

When you register for an account, we collect your name, email address, and a password (which is stored in hashed form using bcrypt). If you create or join an organization, we also collect the organization name and related details.

Usage Data

We automatically collect certain information when you use the Service, including pages visited, features used, timestamps of actions, IP address, browser type and version, and device information. This data helps us understand how the platform is used and where we can improve.

Billing Data

Payment processing is handled by Razorpay. We do not store credit card numbers, debit card numbers, or bank account details on our servers. We receive and store transaction identifiers, plan details, and billing history from Razorpay for record-keeping and support purposes.

Customer Data

When you use DPDP Comply to manage compliance for your business, you may process personal data of your end users through our platform. This includes consent records, rights requests, privacy document content, and related audit events. This data is processed by us on your behalf (see Section 6 below).

3. How We Use Data

We use the data we collect for the following purposes:

  • Provide and maintain the Service: To operate DPDP Comply, authenticate users, manage organizations and projects, and deliver the features you use
  • Process billing and subscriptions: To manage your subscription plan, process payments through Razorpay, and maintain billing records
  • Send transactional emails: To deliver account-related notifications (registration confirmation, password reset, team invitations), billing notifications, and security alerts
  • Improve the Service: To analyze aggregated and anonymized usage patterns, identify issues, and develop new features. We do not use your Customer Data for this purpose.
  • Comply with legal obligations: To meet requirements under applicable laws, respond to lawful requests from authorities, and maintain records as required by tax and business regulations

4. Data Storage & Security

We take the security of your data seriously and implement industry-standard measures to protect it:

  • All data is stored on servers located in India (AWS ap-south-1 region or equivalent infrastructure), ensuring compliance with data localization preferences
  • Data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption
  • Passwords are hashed using bcrypt with appropriate salt rounds
  • API keys are hashed using SHA-256 before storage; the original key is never stored
  • Access to production systems is restricted to authorized personnel and protected by multi-factor authentication
  • We perform regular backups and have disaster recovery procedures in place

While we implement robust security measures, no system is completely immune to threats. We encourage users to keep their credentials secure and report any suspected vulnerabilities to our security team.

5. Data Sharing

We do not sell, rent, or trade your personal data or Customer Data to third parties. We share data only with the following categories of service providers, all of whom operate under data processing agreements (DPAs):

  • Razorpay: For payment processing and subscription management
  • Resend / AWS SES: For sending transactional emails (account notifications, billing emails, security alerts)
  • Hosting providers: For infrastructure and server hosting within India

We may also disclose data if required by law, court order, or governmental regulation, or if necessary to protect our rights, safety, or property, or those of our users.

6. Customer Data (Data Processor Role)

When you use DPDP Comply to collect and manage consent, process rights requests, or host privacy documents for your end users, you act as the Data Fiduciary under the DPDP Act, and we act as the Data Processor.

  • We process your end users' personal data only in accordance with your instructions and for the purpose of providing the Service
  • We do not use Customer Data for our own purposes, including marketing, analytics, or training models
  • We implement appropriate technical and organizational measures to protect Customer Data
  • Upon termination of your account, Customer Data is available for export for 30 days and is then permanently deleted
  • You are responsible for ensuring that you have a valid legal basis for collecting and processing your end users' data through our platform

7. Data Retention

  • Account data: Retained for as long as your account is active, plus 30 days after account deletion to allow for reactivation or data export
  • Customer Data: Retained according to your configured settings within the platform. Upon account termination, Customer Data is retained for 30 days and then permanently deleted
  • Billing records: Retained for a minimum of 7 years in accordance with Indian tax and accounting regulations
  • Usage data: Aggregated and anonymized usage data may be retained indefinitely for analytical purposes. Identifiable usage logs are deleted after 90 days
  • Audit logs: Consent audit events and compliance action logs are retained for the duration of your account and for 30 days thereafter, unless a longer retention period is required by law

8. Your Rights (under the DPDP Act)

As a Data Principal under the DPDP Act, you have the following rights regarding your personal data:

  • Right to Access: You may request a summary of the personal data we hold about you and how it is being processed
  • Right to Correction: You may request correction of inaccurate or incomplete personal data. You can also update most account information directly through the platform
  • Right to Erasure: You may request deletion of your personal data, subject to our legal obligations to retain certain records
  • Right to Grievance Redressal: You may raise concerns about how we process your data, and we will address them promptly

To exercise any of these rights, please contact us at privacy@dpdpcomply.in or through our contact page. We will respond to your request within 30 days.

9. Cookies

DPDP Comply uses cookies in a minimal and privacy-respecting manner:

  • Session cookies: Essential cookies used to maintain your authenticated session and ensure security. These are strictly necessary for the Service to function
  • No third-party tracking cookies: We do not use third-party advertising, analytics, or social media tracking cookies
  • Consent banner widget: The consent banner widget we provide to our customers uses localStorage (not cookies) to store consent preferences on end users' devices

10. Children's Data

DPDP Comply is a business-to-business service intended for use by organizations and professionals. The Service is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a child under 18 has provided personal data to us, we will take steps to delete such data promptly. If you are a parent or guardian and believe your child has provided data to us, please contact us at privacy@dpdpcomply.in.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or legal requirements. When we make material changes:

  • We will provide at least 30 days' notice via email to the address associated with your account
  • The updated policy will be posted on this page with a revised effective date
  • Continued use of the Service after the effective date constitutes acceptance of the updated policy

We encourage you to review this policy periodically.

12. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please reach out to us:

We aim to respond to all privacy-related inquiries within 30 days.