Privacy Notice
Stratops Solutions Private Limited · DPDPOne Platform · Mahadev Consultancy
This Privacy Notice explains how Stratops Solutions Private Limited (also operating as Mahadev Consultancy and DPDPOne) collects, uses, stores, and protects your personal data. It applies to all individuals whose data we process — including visitors to dpdpone.com, users of the DPDPOne compliance platform, clients and contacts of our consulting practice, and participants in our training programmes.
We are committed to processing personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA). We built DPDPOne specifically to help Indian organisations achieve DPDPA compliance — and this notice is how we hold ourselves to the same standard.
1. Who We Are
Data Fiduciary (legal entity):
Stratops Solutions Private Limited
Trading as: Mahadev Consultancy and DPDPOne
4th Floor, No. 33, 1st Main, CBI Main Road, Ganganagar,
Bengaluru, Karnataka, India
Email: hello@dpdpone.com
Website: https://dpdpone.com
Our dual role under the DPDPA:
Data Fiduciary — we determine the purpose and means of processing for: (a) all personal data collected through dpdpone.com and the DPDPOne platform, and (b) all personal data processed in the course of our consulting, training, and business development activities.
Data Processor —when subscriber organisations use DPDPOne to manage rights requests, RoPA records, or breach workflows that contain personal data of their own data principals (their employees, customers, or other individuals), Stratops processes that data solely on the subscriber's instructions. In that capacity, subscribers are the Data Fiduciaries and Stratops is the Data Processor. A Data Processing Agreement (DPA) governs this processing — available at dpdpone.com/legal/dpa.
2. Who This Notice Applies To
This notice applies to the following categories of individuals:
- DPDPOne platform users — individuals who register for a DPDPOne account (org admins, compliance officers, CA firm staff, GRC consultants, HR leads)
- Free tool visitors — individuals who use the free penalty calculator or free notice generator at dpdpone.com without creating an account
- Consulting clients — decision-makers, project contacts, and stakeholders at organisations that engage Stratops for information security, GRC, or DPDPA consulting services
- Prospects and business contacts — professionals approached or who have approached us regarding consulting services or DPDPOne, including via LinkedIn
- Training participants — employees of organisations that have contracted Stratops to deliver DPDPA or information security training
- Partners and associates — GRC consultants, CA firms, lawyers, and AIDAI members engaged as referral partners, subcontractors, or associates
- Website visitors — individuals who visit dpdpone.com
3. What Personal Data We Collect
3.1 DPDPOne Platform Users (Registered Accounts)
- Account data: full name, organisation name, email address, and hashed password
- Organisational context: industry sector, organisation size, DPDPA processing role, and geographic operation — used to personalise your compliance assessment
- Assessment and compliance data: your responses to DPDPA gap assessment questions, RoPA entries, generated notices, breach workflow records, rights request records, and Evidence Library uploads — this is the core data used to deliver the DPDPOne service
- Payment data: subscription plan and transaction references. Card numbers, CVV, and bank details are processed exclusively by Razorpay. We do not receive or store raw payment credentials
- Usage data: assessment history, report download dates, and feature usage patterns — used to provide and improve the service
- Technical data: IP address, browser type, and session identifiers — collected for security audit trails and debugging, not for advertising or profiling
3.2 Free Tool Visitors (Unauthenticated)
If you use the free notice generator or penalty calculator at dpdpone.com without creating an account:
- The free notice generator operates entirely within your browser using template substitution. No data entered in the free tools is transmitted to any external AI service
- If you provide an email address for follow-up, we store it for lead generation purposes with your consent
- We use a rate-limiting counter in your browser's localStorage — this contains no personal data
If AI-assisted generation is introduced in future, this policy will be updated and users will be notified at the point of use.
3.3 Consulting Clients
- Name, designation, business email address, and phone number of client-side contacts
- Company name and project-related correspondence
- Invoicing details including GST number and billing address
3.4 Prospects and Business Contacts
- Name, firm name, designation, and business email address
- LinkedIn profile URL where you have made this publicly available on LinkedIn
- Notes from networking events, referral context, or inbound enquiries
3.5 Training Participants
- Name, designation, and organisation (provided by your employer as the contracting organisation)
- Business email address and attendance records
- Participation certificate details
3.6 Partners and Associates
- Name, firm, email, phone, and LinkedIn profile
- Bank details and PAN number — only where we pay fees to you as a contractor or associate
3.7 Website Visitors
We collect your IP address in server logs for security purposes only. No analytics tools are currently used to track website visitor behaviour.
4. Why We Collect It — Purpose and Legal Basis
| Data Category | Purpose | Detail | Legal Basis (DPDPA) |
|---|---|---|---|
| Platform user account data | Service delivery | Creating and managing your account, delivering DPDPOne features, processing payments, sending transactional emails | Consent — Section 6 |
| Platform usage and assessment data | Service improvement | Improving platform features using anonymised analytics; generating aggregate compliance insights | Consent — Section 6 |
| Free tool visitor data | Tool delivery and lead generation | Template-based notice generation within your browser — no data transmitted externally; following up with information about DPDPOne if you provide email consent | Consent — Section 6 |
| Consulting client contact data | Contract performance | Delivering contracted consulting services, project communication, and invoicing | Contract — Section 7(a) |
| Prospect and LinkedIn contact data | Business development | Initial outreach and sales conversations regarding consulting or DPDPOne. LinkedIn-sourced data processed on basis of professional information voluntarily made public. All outreach includes opt-out. Suppression list maintained. | Legitimate use — Section 7 |
| Training participant data | Training delivery | Administering training sessions contracted by employer organisations — registration, attendance, certificates, and follow-up | Contract — Section 7(a) (B2B contract with employer) |
| Partner and associate data | Business collaboration | Collaboration on client engagements, referral arrangements, and DPDPOne channel partnerships | Legitimate use — Section 7 |
| Financial and tax records | Legal compliance | Issuing GST-compliant invoices, processing payments, collecting PAN for TDS, and maintaining records required under Indian tax law | Legal obligation — Section 7(b) |
We do not use your personal data for any purpose incompatible with the purpose for which it was collected. We do not sell your data. We do not share your data with advertising networks or data brokers.
5. How Long We Keep It
| Data Category | Retention Period | Basis |
|---|---|---|
| Platform account data | Active subscription + 3 years after closure | Dispute resolution; financial audit trail |
| Assessment, RoPA, notices, breach records | Active subscription; deleted within 30 days of account deletion request | Service delivery; deleted on request unless statutory obligation applies |
| Rights request records | 3 years from date of request | Section 13 DPDPA — grievance audit trail |
| Breach incident records | 5 years | Potential DPBI inquiry requirements |
| Payment records (platform subscriptions) | 7 years | GST Act Section 36; Income Tax Act Section 128 |
| Security and technical audit logs | 90 days rolling (technical logs); 3 years (security events) | Security operations; legal obligation for business records |
| Free tool visitor data | 12 months from submission, or 30 days from opt-out request | Lead generation window; immediate deletion on opt-out |
| Consulting client records | 7 years post-engagement | GST Act; Income Tax Act; dispute resolution |
| Prospect and business contact data | 2 years from last meaningful interaction, or on opt-out | B2B sales cycle; opt-out = immediate suppression |
| Training participant records | 3 years post-engagement | Certificate reissuance; employer queries |
| Partner/associate contact data | Duration of relationship + 2 years | Business continuity; financial records where applicable |
| Partner/associate financial data (PAN, bank) | 7 years | Income Tax Act — TDS records |
When a retention period expires, personal data is securely deleted or anonymised. Deletion is logged in our compliance records. Where data is under an active legal dispute or regulatory inquiry, we retain it until resolution regardless of the above periods.
6. Where Your Data is Stored
🇮🇳 Primary storage: India
All DPDPOne platform data — database records, compliance data, uploaded files, and application data — is stored on AWS infrastructure in the ap-south-1 (Mumbai) region.
- Database: Supabase (hosted on AWS Mumbai ap-south-1)
- File storage: AWS S3 (ap-south-1, Mumbai)
- Application hosting: AWS EC2 (ap-south-1, Mumbai)
- Payment processing: Razorpay — India-based, RBI data localisation compliant
- Transactional email: ZeptoMail by Zoho Corporation Pvt Ltd — India-based, Chennai
Cross-border transfers
Some of our operational tools involve transfer of data outside India. Where this occurs, we document it here:
| Service | Purpose | Data Transferred | Safeguard |
|---|---|---|---|
| Anthropic Claude API (US) | AI-assisted action plan generation (platform) | User-submitted inputs (org name, sector, assessment context) | Anthropic API Data Processing Agreement; processing limited to generating output — no training on customer data per API terms |
| LinkedIn (Ireland / US) | Prospect identification and outreach | Publicly available professional profile data | Data limited to publicly listed professional contact information. LinkedIn platform terms govern original data. |
7. Third-Party Services and Data Processors
We use the following third-party services to operate DPDPOne and our consulting practice. Each processor is contractually bound to process data only on our instructions and to maintain appropriate security standards.
| Processor | Purpose | Data Categories | Location | Applies To |
|---|---|---|---|---|
| Supabase Inc | Database and authentication | All platform data categories | Mumbai (AWS) | Platform |
| Amazon Web Services | Cloud hosting and file storage | All platform data categories | Mumbai | Platform |
| Razorpay Software Pvt Ltd | Payment processing | Transaction reference, billing contact | India | Platform |
| ZeptoMail (Zoho Corp Pvt Ltd) | Transactional email delivery | Email address, email content | India (Chennai) | Platform |
| Anthropic PBC | AI-powered action plan generation | User-submitted inputs for AI features | USA | Platform |
| Google LLC (Gmail / Workspace) | Business email | Email content | USA / India | Consulting |
| LinkedIn (Microsoft) | Prospect research and outreach | Publicly available professional data | Ireland / USA | Consulting |
We do not sell your personal data. We do not share your data with advertising networks, data brokers, or any third party for commercial purposes outside the above.
8. Your Rights Under the DPDPA, 2023
As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights. To exercise any right, write to hello@dpdpone.com with the subject line "Data Rights Request — [Your Name]". We will acknowledge within 48 hours and respond within 7 business days.
You may request a summary of the personal data we hold about you and the processing activities applicable to it. Platform users can also view their data directly in Account Settings.
You may request correction of inaccurate, incomplete, or misleading personal data we hold about you. Platform users can update profile data directly in Settings. For consulting or training records, write to us.
You may request deletion of your personal data where the purpose of collection is fulfilled or where you withdraw consent. Platform users can initiate account deletion from the Billing page. We will process erasure within 30 days where no statutory retention obligation applies. Where a retention obligation exists (such as financial records under the GST Act), we will inform you of the specific period and delete at expiry.
Where we process your data on the basis of consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawal is as easy as giving consent:
- Platform users: cancel subscription from Billing page (self-service) or write to hello@dpdpone.com with subject "Withdraw Consent"
- Free tool users: write to hello@dpdpone.com with subject "Opt Out — Free Tools"
- Marketing and prospect outreach: use the unsubscribe link in any email, or write to hello@dpdpone.com with subject "Opt Out"
You may file a complaint with our Grievance Officer at any time. See Section 11 of this notice. We aim to resolve all grievances within 30 days.
You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. Write to hello@dpdpone.com to register a nomination.
9. How We Protect Your Data
- AES-256 encryption for data at rest on AWS infrastructure
- TLS 1.2+ encryption for all data in transit
- Row-level security (RLS) on all Supabase database tables — complete isolation between subscriber organisations
- Multi-factor authentication (MFA) on all administrative accounts
- Access controls limiting data access to the minimum necessary
- Regular web application security assessments (most recent: June 2026)
- No production data used in development or testing environments
In the event of a personal data breach that is likely to cause harm to data principals, we will notify affected individuals and the Data Protection Board of India within the timeframes required under Section 8(6) of the DPDPA.
10. Cookies and Local Storage
We use only essential cookies required for platform functionality — session authentication cookies that keep you logged in. No analytics or tracking cookies are currently used on dpdpone.com. We do not use advertising or cross-site tracking cookies of any kind.
localStorage is used only for rate-limiting counters on the free tools and to remember dismissed messages. No personal data is stored here.
You can clear cookies and localStorage at any time through your browser settings.
11. Grievance Officer
Grievance Officer — DPDPOne
Mahadev Thukaram
Stratops Solutions Private Limited, Bengaluru, Karnataka, India
Email: hello@dpdpone.com
Response: Acknowledgement within 48 hours · Resolution within 30 days
How to file a grievance
- Write to hello@dpdpone.com with subject: "Grievance — [Your Name]"
- Describe your complaint clearly — what happened, what data is involved, and what outcome you seek
- Include your registered email address or phone number so we can identify your records
- You will receive an acknowledgement within 48 hours
- We aim to resolve all grievances within 30 days of receipt
12. Escalation to the Data Protection Board of India
If your grievance is not resolved to your satisfaction within 30 days of submission to our Grievance Officer, you have the right to escalate your complaint to the Data Protection Board of India (DPBI) — the statutory regulatory authority established under Section 18 of the DPDPA, 2023.
The DPBI's formal complaint mechanism will be available once notified by the Central Government under the DPDPA.
13. Changes to This Notice
We may update this Privacy Notice to reflect changes in our practices, services, or legal requirements. Material changes will be communicated to registered platform users by email at least 14 days before they take effect. The latest version is always available at dpdpone.com/privacy-policy. The effective date at the top of this notice indicates when the current version took effect.
14. Language Availability
This Privacy Notice is available in Hindi and other languages listed in the Eighth Schedule of the Constitution of India upon request, as required under Section 5(2) of the DPDPA, 2023. To request a translated version, write to hello@dpdpone.com with the subject "Privacy Notice — [Language] Version". We will provide the translation within 7 business days at no charge.
© 2026 Stratops Solutions Private Limited. All rights reserved.