DPDPOne

Last updated: March 2026

Privacy Policy

DPDPOne is a DPDP Act compliance platform. We take our own privacy obligations seriously and are committed to processing your personal data in accordance with the Digital Personal Data Protection Act, 2023.

This policy applies to all users of DPDPOne, including visitors to the free notice generator and registered account holders.

1. Who We Are (Data Fiduciary)

Mahadev Consultancy

Bengaluru, Karnataka, India

Email: hello@dpdpone.com

Grievance Officer email: privacy@dpdpone.com

We are the Data Fiduciary for personal data collected through the DPDPOne platform. If you use DPDPOne as part of your own organisation's compliance work, you remain the Data Fiduciary for your own end-users' personal data.

2. What Data We Collect

Account Data

Full name, organisation name, work email address, and password (hashed — never stored in plain text).

Assessment Data

Answers to DPDP compliance questions — these reflect your organisation's self-declared compliance status. This is the core data used to generate your readiness score and action plan.

Payment Data

Subscription plan and transaction references. All card and payment details are processed and stored exclusively by Razorpay. We do not receive, store, or process card numbers or CVV details.

Usage Data

Assessment history, generated notices, report download dates, and feature usage patterns — used to provide and improve the Service.

Technical Data

IP address, browser type, session identifiers. Collected for security audit trails, fraud prevention, and debugging. We do not use this data for advertising or profiling.

Free Tool Visitors

If you use the free notice generator without creating an account, we store only a rate-limiting counter in your browser's localStorage — no personal data is collected from unauthenticated visitors.

3. Why We Collect It (Purpose and Lawful Basis)

| Purpose | Lawful Basis (DPDP Act) |
| --- | --- |
| Provide the DPDPOne service (assessment, reports, notices) | Consent (at account creation) |
| Calculate compliance scores and generate action plans | Consent / Contract performance |
| Process subscription payments | Contract performance |
| Maintain security audit trails | Legitimate interest / Legal obligation |
| Send transactional service emails | Consent / Contract performance |
| Improve platform features using anonymised analytics | Legitimate interest |

4. How Long We Keep It (Retention)

| Data Category | Retention Period |
| --- | --- |
| Account data (name, email) | While account is active + 1 year after deletion request |
| Assessment responses and reports | While account is active; deleted within 30 days of account deletion request |
| Security audit logs | 3 years (legal obligation for business records) |
| Payment records | 7 years (GST and accounting compliance) |
| Technical logs (IP, sessions) | 90 days rolling |

5. Where Your Data is Stored

🇮🇳 All data stored exclusively in India

Every piece of data processed by DPDPOne resides on AWS infrastructure in the ap-south-1 (Mumbai) region. Your data never leaves Indian territory. There are no international data transfers.

  • Database: Supabase (Mumbai region instance)
  • File storage: AWS S3 (ap-south-1)
  • Application hosting: Vercel / AWS (Mumbai edge)
  • Payment processing: Razorpay (India-based)

6. Your Rights Under the DPDP Act, 2023

As a Data Principal, you have the following rights:

Right to Access: Request a copy of all personal data we hold about you.
Right to Correction: Request correction of inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data (subject to legal retention obligations).
Right to Grievance Redressal: Raise a grievance about how we process your data and receive a timely response.
Right to Withdraw Consent: Withdraw consent at any time; this does not affect prior processing.
Right to Nominate: Nominate another person to exercise these rights on your behalf in the event of death or incapacity.

To exercise any of these rights, email privacy@dpdpone.com. We will respond within 7 business days.

7. Data Security

  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for all data in transit
  • Role-based access controls — staff access is need-to-know only
  • Row-level security on all database tables
  • Regular automated security assessments
  • No production data used in development or testing environments

In the event of a personal data breach that is likely to cause harm, we will notify affected users and the Data Protection Board of India within the timeframes required by the DPDP Act.

8. Third-Party Services (Data Processors)

| Processor | Purpose | Data Location |
| --- | --- | --- |
| Razorpay | Payment processing | India |
| AWS | Cloud infrastructure and storage | Mumbai (ap-south-1) |
| Supabase | Database and authentication | Mumbai region instance |

We do not sell your data. We do not share your data with advertising networks, data brokers, or any third party for commercial purposes.

9. Cookies and Local Storage

  • Session cookies: Used for authentication — essential to the Service
  • No tracking cookies: We do not use advertising or cross-site tracking cookies
  • localStorage: Used for rate-limiting counters on the free notice generator and to remember dismissed disclaimer messages. No personal data is stored here.

You can clear localStorage and cookies at any time through your browser settings.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated to registered users by email at least 14 days before they take effect. The latest version is always available at dpdpone.com/privacy-policy.

11. Grievance Officer

Grievance Officer — DPDPOne

(Name to be updated upon legal counsel appointment)

Email: privacy@dpdpone.com

Address: Mahadev Consultancy, Bengaluru, Karnataka, India

Response time: Within 7 business days of receipt of grievance

© 2026 Mahadev Consultancy. All rights reserved.
