DPDPOne
Effective date: 2 May 2026 · Last updated: 2 May 2026

Privacy Policy

DPDPOne is a DPDP Act compliance platform. We take our own privacy obligations seriously and are committed to processing your personal data in accordance with the Digital Personal Data Protection Act, 2023.

This policy applies to all users of DPDPOne, including visitors to the free notice generator and registered account holders.

1. Who We Are (Data Fiduciary)

Mahadev Consultancy

Bengaluru, Karnataka, India

Email: hello@dpdpone.com

We are the Data Fiduciary for personal data collected through the DPDPOne platform. If you use DPDPOne as part of your own organisation's compliance work, you remain the Data Fiduciary for your own end-users' personal data.

2. What Data We Collect

Account Data

Full name, organisation name, email address, and password (hashed — never stored in plain text). During account setup we also collect industry sector, organisation size, DPDP processing role (Data Fiduciary or Data Processor), and geographic operation location — used solely to personalise your compliance assessment.

Assessment Data

Answers to DPDP compliance questions — these reflect your organisation's self-declared compliance status. This is the core data used to generate your readiness score and action plan.

Payment Data

Subscription plan and transaction references. All card and payment details are processed and stored exclusively by Razorpay. We do not receive, store, or process card numbers or CVV details.

Usage Data

Assessment history, generated notices, report download dates, and feature usage patterns — used to provide and improve the Service.

Technical Data

IP address, browser type, session identifiers. Collected for security audit trails, fraud prevention, and debugging. We do not use this data for advertising or profiling.

Free Tool Visitors

If you use the free notice generator without creating an account, we store only a rate-limiting counter in your browser's localStorage — no personal data is collected from unauthenticated visitors.

3. Why We Collect It (Purpose and Lawful Basis)

Purpose | Lawful Basis (DPDP Act)
Provide the DPDPOne service (assessment, reports, notices) | Consent (at account creation) — Section 6
Calculate compliance scores and generate action plans | Consent / Contract performance — Section 6 & 7
Process subscription payments | Contract performance — Section 7
Maintain security audit trails | Certain legitimate uses — Section 7 of the DPDP Act
Send transactional service emails | Consent / Contract performance — Section 6 & 7
Improve platform features using anonymised analytics | Consent — Section 6 (fully anonymised data falls outside Act scope)

4. How Long We Keep It (Retention)

Data Category | Retention Period
Account data (name, email) | While account is active + 1 year after deletion request
Assessment responses and reports | While account is active; deleted within 30 days of account deletion request
Generated notices and privacy notices | While account is active; deleted within 30 days of account deletion request
Evidence Library uploads | While account is active; deleted within 30 days of account deletion request
RoPA (processing activity records) | While account is active; deleted within 30 days of account deletion request
Data Principal rights request records | 3 years from date of request (grievance audit trail — Section 13)
Breach incident records | 5 years (to satisfy potential DPBI inquiry requirements)
Security audit logs | 3 years (legal obligation for business records)
Payment records | 7 years (GST and accounting compliance)
Technical logs (IP, sessions) | 90 days rolling

5. Where Your Data is Stored and Cross-Border Transfers

🇮🇳 Primary storage: India only

All database records, compliance data, uploaded files, and application data are stored on AWS infrastructure in the ap-south-1 (Mumbai) region.

  • Database: Supabase (Mumbai region instance)
  • File storage: AWS S3 (ap-south-1)
  • Application hosting: AWS EC2 (ap-south-1, Mumbai)
  • Payment processing: Razorpay (India-based, RBI data localisation compliant)

✅ Email Delivery — India Only

Transactional emails (account confirmations, rights request notifications, subscription alerts) are delivered via ZeptoMail, a service of Zoho Corporation Pvt Ltd — an Indian company headquartered in Chennai, Tamil Nadu, India.

Email data is processed entirely within India. No cross-border transfer of email data occurs.

Zoho privacy policy: zoho.com/privacy.html

6. Your Rights Under the DPDP Act, 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights. To exercise any right, write to hello@dpdpone.com.

Right to Access (Section 11)

You may request a summary of the personal data we hold about you and the processing activities undertaken. We will respond within 7 business days.

Right to Correction (Section 12)

You may request correction of inaccurate, incomplete, or misleading personal data. You can also update your profile directly in Settings.

Right to Erasure (Section 12)

You may request deletion of your personal data when the purpose of collection is fulfilled or you withdraw consent. We will process erasure requests within 7 days where no lawful basis to retain exists (subject to the retention periods in Section 4).

Right to Withdraw Consent (Section 6(4))

You may withdraw consent at any time. To withdraw: cancel your subscription from the Billing page (self-service), or write to hello@dpdpone.com with subject "Withdraw Consent". Withdrawal will not affect the lawfulness of processing before withdrawal. As required by law, withdrawing consent is as easy as giving it.

Right to Grievance Redressal (Section 13)

You may file a complaint with our Grievance Officer at any time. See Section 11 below. We aim to resolve all grievances within 30 days.

Right to Nominate (Section 14)

You may nominate another person to exercise your data rights on your behalf in the event of your death or incapacity. Write to hello@dpdpone.com to register a nomination.

7. Data Security

  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for all data in transit
  • Role-based access controls — staff access is need-to-know only
  • Row-level security on all database tables
  • Regular automated security assessments
  • No production data used in development or testing environments

In the event of a personal data breach that is likely to cause harm, we will notify affected users and the Data Protection Board of India within the timeframes required by the DPDP Act.

8. Third-Party Services (Data Processors)

Processor | Purpose | Data Shared | Location
Razorpay | Payment processing | Transaction reference, billing contact | India
AWS | Cloud infrastructure and file storage | All data categories | Mumbai (ap-south-1)
Supabase | Database and authentication | All data categories | Mumbai region
ZeptoMail (Zoho Corporation Pvt Ltd) | Transactional email delivery | Email address, email content | India (Chennai)

We do not sell your data. We do not share your data with advertising networks, data brokers, or any third party for commercial purposes.

9. Cookies and Local Storage

  • Session cookies: Used for authentication — essential to the Service
  • No tracking cookies: We do not use advertising or cross-site tracking cookies
  • localStorage: Used for rate-limiting counters on the free notice generator and to remember dismissed disclaimer messages. No personal data is stored here.

You can clear localStorage and cookies at any time through your browser settings.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated to registered users by email at least 14 days before they take effect. The latest version is always available at dpdpone.com/privacy-policy.

11. Grievance Officer

Grievance Officer — DPDPOne

Mahadev Thukaram

Mahadev Consultancy, Bengaluru, Karnataka, India

Email: hello@dpdpone.com

Response: Acknowledgement within 48 hours · Resolution within 30 days

How to file a grievance

  1. Write to hello@dpdpone.com with the subject "Grievance — [your name]"
  2. Describe your complaint clearly, including what happened and what outcome you seek
  3. Include your registered email address so we can identify your account
  4. You will receive an acknowledgement within 48 hours
  5. We aim to resolve all grievances within 30 days of receipt

12. Escalation to the Data Protection Board of India

If your grievance is not resolved to your satisfaction within 30 days of submission to our Grievance Officer, you have the right to escalate your complaint to the Data Protection Board of India (DPBI).

The DPBI is the statutory regulatory authority established under Section 18 of the Digital Personal Data Protection Act, 2023. It has the power to investigate complaints, issue directions, and impose penalties on Data Fiduciaries found to be in breach of the Act.

Website: www.dpboard.gov.in

You may file a complaint directly with the DPBI if you believe your data protection rights under the DPDP Act, 2023 have been violated.

13. Language Availability

This Privacy Policy is available in Hindi and other languages listed in the Eighth Schedule of the Constitution of India upon request, as required under Section 5(2) of the Digital Personal Data Protection Act, 2023.

To request a translated version, write to hello@dpdpone.com with the subject "Privacy Policy — [Language] Version". We will provide the translation within 7 business days at no charge.

© 2026 Mahadev Consultancy. All rights reserved.
