
Privacy Policy

Last updated: 27 May 2026

This Privacy Notice explains how DPDPA Suite collects, uses, shares and protects personal data under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025.

1. Who we are

DPDPA Suite ("DPDPA Suite", "we", "us", "our") is a software-as-a-service platform that helps Indian organisations comply with the DPDP Act and allied rules. The platform is operated from India by the team behind dpdpasuite.com.

In relation to website visitors, leads, demo requesters, account holders and individuals who contact us directly, we act as a Data Fiduciary. In relation to personal data that our customers (your employer or a third-party organisation) upload to their tenant and process through DPDPA Suite, we act as a Data Processor and process such data only on documented instructions from the customer.

2. Personal data we collect

We collect the categories of personal data set out below:

  • Account data: full name, work email, organisation name, designation, country, hashed password and multi-factor authentication metadata.
  • Profile and preferences: language, time zone, notification preferences, theme.
  • Usage and telemetry: pages viewed, features used, IP address (truncated where possible), browser, device fingerprint, operating system, referrer, request timestamps, error traces.
  • Communications: support tickets, emails, chat transcripts, demo requests, survey responses, marketing replies and call notes.
  • Billing data: billing contact, GSTIN, invoicing address, payment-instrument metadata (full card or bank details are handled by our payment processor, never stored by us).
  • Customer tenant data: consent records, Data Principal requests, vendor and processor inventories, incidents and breach notifications, DPIA documents, retention policies and audit trails that your organisation chooses to upload or generate. We process such data strictly as a Data Processor on your organisation's instructions.
  • Cookies and similar technologies: see our separate Cookies Policy.

We do not knowingly collect personal data of children below 18 years through this website without verifiable parental consent in accordance with Section 9 of the DPDP Act and Rule 10 of the DPDP Rules, 2025.

3. How we collect personal data

  • Directly from you when you sign up, request a demo, fill a form, raise a ticket or call us.
  • Automatically when you visit our website (cookies, server logs, product analytics).
  • From your employer, when an administrator invites you to a tenant.
  • From integrations and connectors that you or your administrator enable.
  • From publicly available sources for business-to-business outreach, in line with applicable law.

4. Purposes and lawful basis

We process personal data for the following purposes and on the following bases under Section 4 of the DPDP Act:

  • To deliver the service (performance of contract / specified legitimate use): account provisioning, authentication, hosting, support, billing, security and incident response.
  • To comply with law (legal obligation): tax records, statutory retention, lawful requests by the Data Protection Board, CERT-In, or other competent authorities.
  • To improve the platform (legitimate use within the meaning of the Act): bug fixing, performance monitoring, aggregated analytics, A/B testing of UI improvements.
  • To send product, security and policy communications related to your account (legitimate use).
  • To send marketing communications only with your prior, free, specific, informed, unconditional and unambiguous consent. You can withdraw consent at any time without affecting prior processing.

5. Your rights as a Data Principal

Under Chapter III of the DPDP Act, you have the following rights:

  • Right to information about the personal data we hold and processing activities.
  • Right to correction and erasure of inaccurate or unnecessary personal data.
  • Right of grievance redressal through our Grievance Officer.
  • Right to nominate another individual to exercise your rights in the event of death or incapacity.
  • Right to withdraw consent at any time, as easily as it was given.

To exercise any right, write to hello@dpdpasuite.com with the subject "DPDP Rights Request". We respond within the statutory window — by default 90 days under Rule 14(3), and earlier where reasonably possible. If your data is held inside a customer tenant where we act as a Processor, we will forward your request to the relevant Data Fiduciary and assist them in fulfilling it.

6. Sharing with sub-processors and third parties

We do not sell personal data and do not share it for cross-context behavioural advertising. We share personal data only with vetted sub-processors that perform functions strictly necessary to deliver the service — hosting, managed database, email delivery, error monitoring, analytics, payments and customer support. Each sub-processor is contractually bound to confidentiality, purpose limitation, security obligations and assistance with Data Principal rights, in line with Section 8 of the DPDP Act.

We may disclose personal data when required by law, by an order of a competent court, by the Data Protection Board, by CERT-In or other competent authority, and as recorded in our Government Information Request register under Section 23.

7. Cross-border transfers and data localisation

Primary production data is stored in India. Cross-border processing happens only with categories of personal data that have not been restricted by the Central Government under Section 16 of the DPDP Act and Rule 13(4) of the DPDP Rules, 2025, and only under contractual safeguards equivalent to those required by the Act.

Sub-processor               | Country / region              | Purpose                                                  | Safeguard
Supabase (managed Postgres) | AWS ap-south-1, Mumbai (IN)   | Primary database, auth, storage                          | DPA + India residency
Cloudflare                  | Global edge incl. India PoPs  | TLS termination, DDoS, CDN                               | DPA + SCC
Resend                      | United States                 | Transactional email delivery                             | DPA + SCC, no MeitY restriction
Sentry / analytics          | EU                            | Error monitoring, product telemetry (only after consent) | DPA + SCC

No category of personal data we process is currently on the MeitY restricted list under Rule 13(4). We will update this notice within 30 days of any such notification.

8. Retention and deletion

We retain personal data only as long as necessary for the purposes set out above or to meet a statutory retention requirement. Account data is erased within 30 days of account closure unless a longer period is required by law. Customer tenant data is retained per the customer's configured retention schedule and deleted or returned on termination per our Data Protection Policy.

Data category                   | Trigger         | Duration
Contact / demo form submissions | Submission date | 24 months
Account credentials             | Account closure | 30 days, then erased
Hash-chained audit logs         | Event date      | 12 months (Rule 8(3) / 7th Schedule)
Tax & invoicing records         | Issuance        | 8 years (Indian tax law)
Marketing list                  | Subscription    | Until withdrawn — Rule 8(2) 48-hour pre-erasure notice applies after 12 months of inactivity

9. Security

We implement reasonable security safeguards as required by Section 8(5) of the DPDP Act, including TLS 1.2+ in transit, AES-256 at rest, role-based access control, multi-factor authentication for administrators, multi-tenant isolation with row-level security, hash-chained audit logs, dedicated key management, continuous vulnerability scanning and periodic penetration testing. See our Data Protection Policy for the full set of technical and organisational measures.

10. Personal data breach notification

In the event of a personal data breach, we will notify the Data Protection Board and affected Data Principals in the manner and within the timelines prescribed by Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules, 2025. We also follow CERT-In's incident reporting directions where applicable.

  • CERT-In: within 6 hours of detection where the directive applies.
  • Data Protection Board: within 72 hours of becoming aware (Rule 7(2)).
  • Affected Data Principals: without undue delay, in plain language, with the information required by Rule 7(1).
  • Status page: material incidents are disclosed at /security.txt.

11. Children's data

We do not process personal data of children below 18 years except where parental consent is verified, or where the processing falls within an exemption listed in the Fourth Schedule of the DPDP Rules, 2025 (such as healthcare, educational institutions, child-safety tracking, State benefits, or legal obligations).

12. Grievance Officer and Data Protection Officer

Under Section 8(9) of the DPDP Act and Rule 9 of the DPDP Rules, 2025, our designated contact for privacy queries and grievances is:

Aarav Mehta — Data Protection Officer & Grievance Officer, DPDPA Suite
Address: DPDPA Suite, 4th Floor, Cyber Hub, DLF Phase II, Gurugram, Haryana 122002, India
Email: hello@dpdpasuite.com
Phone: +91 88513 05915
Grievance response SLA: 90 days (Rule 14(3))

If your grievance is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India and ultimately to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) in accordance with Section 29 of the DPDP Act and Rule 22 of the DPDP Rules, 2025.

Submit a request at /dsar or file a grievance at /grievance.

13. Changes to this notice

We may update this notice from time to time. The "Last updated" date at the top will change. Material changes will be communicated by email or in-app prior to taking effect, and you may be asked to renew consent where required by law.

14. Governing law

This notice is governed by the laws of India and the DPDP Act, 2023. Courts at New Delhi shall have exclusive jurisdiction over any dispute arising out of it.

15. Data Principal duties (§15)

When you exercise your rights, you must not impersonate another person, suppress material information, or file frivolous complaints. A breach of these duties may attract penalties under the Schedule to the DPDP Act.

16. Significant Data Fiduciary commitments

Although we may not currently meet the SDF threshold, we proactively operate to SDF standards under §10 and Rule 13:

  • India-resident DPO appointed in writing (see §12 above).
  • DPIA cadence: every new processing activity, every model change, and annually thereafter.
  • Algorithmic due-diligence checklist (Rule 13(3)) for every AI feature before rollout.
  • Independent data audit annually.

17. Do Not Track, Global Privacy Control, and languages

We honour browser signals: if your browser sends a DNT: 1 header or a Global Privacy Control signal, we automatically suppress all non-essential cookies and treat it as a withdrawal of optional consent.

This notice is available in any Eighth Schedule language on request — email hello@dpdpasuite.com and we will provide a translated copy within 7 days.