Privacy Policy

DPDP Comply (“we,” “us,” or “our”) operates the DPDP Comply platform (“Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service, in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and applicable Indian law.

We collect the following categories of personal data:

• Account data: Name, email address, organization name, and password (hashed) when you create an account.
• Consent records: Data principal identifiers, consent decisions, timestamps, and metadata submitted through your consent widgets.
• Usage data: Pages visited, features used, browser type, IP address, and device information collected automatically.
• Communication data: Messages and support requests you send to us.
• Payment data: Billing information processed by our third-party payment provider. We do not store full payment card details.

We process your personal data for the following purposes:

• Providing, maintaining, and improving the Service
• Processing consent records on your behalf as a data processor
• Generating privacy notices and compliance reports
• Sending transactional emails (account verification, security alerts, service updates)
• Analyzing usage patterns to improve the platform
• Complying with legal obligations under the DPDP Act and other applicable laws

We process your personal data based on the following legal grounds under the DPDP Act:

• Consent: Where you have given explicit consent for specific processing activities.
• Contractual necessity: Processing necessary to provide the Service you have subscribed to.
• Legal obligation: Processing required to comply with applicable laws and regulations.
• Legitimate uses: As specified under Section 7 of the DPDP Act.

We do not sell your personal data. We may share data with the following categories of recipients:

• Service providers: Cloud hosting (infrastructure), payment processing, email delivery, and analytics services that process data on our behalf under strict contractual obligations.
• Legal authorities: When required by law, court order, or government request.
• Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users.

We retain your personal data only as long as necessary for the purposes described in this policy:

• Account data: Retained while your account is active and for 90 days after deletion.
• Consent records: Retained as required by the DPDP Act for audit and compliance purposes, typically 5 years from collection.
• Usage data: Retained in anonymized/aggregated form for up to 24 months.

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, regular security audits, and secure development practices. While no system is completely secure, we strive to maintain industry-standard protections.

As a data principal, you have the following rights under the DPDP Act:

• Right to access: Request information about what personal data we hold about you.
• Right to correction: Request correction of inaccurate or incomplete personal data.
• Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
• Right to withdraw consent: Withdraw previously given consent at any time.
• Right to grievance redressal: Lodge a complaint with our Data Protection Officer or the Data Protection Board of India.
• Right to nominate: Nominate a person to exercise your rights in case of death or incapacity.

To exercise any of these rights, contact us at privacy@dpdpcomply.com.

Our Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without verifiable parental consent, we will take steps to delete it promptly, as required under Section 9 of the DPDP Act.

Your data is primarily stored and processed in India. If any data is transferred outside India, we ensure that such transfers comply with Section 16 of the DPDP Act and any rules notified by the Central Government regarding permissible jurisdictions. We use standard contractual clauses and other appropriate safeguards where required.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and, where appropriate, sending you an email notification. The “Last updated” date at the top indicates when the policy was most recently revised.

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

• Email: privacy@dpdpcomply.com
• Data Protection Officer: dpo@dpdpcomply.com