DPDPOne
← Back to Home
Effective date: 1 June 2026·Last updated: 3 July 2026·Version 2.0

Privacy Notice

Stratops Solutions Private Limited · DPDPOne Platform · Mahadev Consultancy

This Privacy Notice explains how Stratops Solutions Private Limited (also operating as Mahadev Consultancy and DPDPOne) collects, uses, stores, and protects your personal data. It applies to all individuals whose data we process — including visitors to dpdpone.com, users of the DPDPOne compliance platform, clients and contacts of our consulting practice, and participants in our training programmes.

We are committed to processing personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA). We built DPDPOne specifically to help Indian organisations achieve DPDPA compliance — and this notice is how we hold ourselves to the same standard.

This notice covers two distinct activities: (1) the DPDPOne SaaS platform and (2) the consulting, training, and business development activities of Stratops Solutions Pvt Ltd. Where obligations differ between these activities, we say so clearly.

1. Who We Are

Data Fiduciary (legal entity):

Stratops Solutions Private Limited

Trading as: Mahadev Consultancy and DPDPOne

4th Floor, No. 33, 1st Main, CBI Main Road, Ganganagar,

Bengaluru, Karnataka, India

Email: hello@dpdpone.com

Website: https://dpdpone.com

Our dual role under the DPDPA:

Data Fiduciary — we determine the purpose and means of processing for: (a) all personal data collected through dpdpone.com and the DPDPOne platform, and (b) all personal data processed in the course of our consulting, training, and business development activities.

Data Processor —when subscriber organisations use DPDPOne to manage rights requests, RoPA records, or breach workflows that contain personal data of their own data principals (their employees, customers, or other individuals), Stratops processes that data solely on the subscriber's instructions. In that capacity, subscribers are the Data Fiduciaries and Stratops is the Data Processor. A Data Processing Agreement (DPA) governs this processing — available at dpdpone.com/legal/dpa.

2. Who This Notice Applies To

This notice applies to the following categories of individuals:

  • DPDPOne platform users — individuals who register for a DPDPOne account (org admins, compliance officers, CA firm staff, GRC consultants, HR leads)
  • Free tool visitors — individuals who use the free penalty calculator or free notice generator at dpdpone.com without creating an account
  • Consulting clients — decision-makers, project contacts, and stakeholders at organisations that engage Stratops for information security, GRC, or DPDPA consulting services
  • Prospects and business contacts — professionals approached or who have approached us regarding consulting services or DPDPOne, including via LinkedIn
  • Training participants — employees of organisations that have contracted Stratops to deliver DPDPA or information security training
  • Partners and associates — GRC consultants, CA firms, lawyers, and AIDAI members engaged as referral partners, subcontractors, or associates
  • Website visitors — individuals who visit dpdpone.com
If you are a subscriber using DPDPOne to manage your own organisation's compliance data, the personal data of your data principals that you enter into the platform is governed by your organisation's privacy notice and our Data Processing Agreement. This notice does not cover that data.

3. What Personal Data We Collect

3.1 DPDPOne Platform Users (Registered Accounts)

  • Account data: full name, organisation name, email address, and hashed password
  • Organisational context: industry sector, organisation size, DPDPA processing role, and geographic operation — used to personalise your compliance assessment
  • Assessment and compliance data: your responses to DPDPA gap assessment questions, RoPA entries, generated notices, breach workflow records, rights request records, and Evidence Library uploads — this is the core data used to deliver the DPDPOne service
  • Payment data: subscription plan and transaction references. Card numbers, CVV, and bank details are processed exclusively by Razorpay. We do not receive or store raw payment credentials
  • Usage data: assessment history, report download dates, and feature usage patterns — used to provide and improve the service
  • Technical data: IP address, browser type, and session identifiers — collected for security audit trails and debugging, not for advertising or profiling

3.2 Free Tool Visitors (Unauthenticated)

If you use the free notice generator or penalty calculator at dpdpone.com without creating an account:

  • The free notice generator operates entirely within your browser using template substitution. No data entered in the free tools is transmitted to any external AI service
  • If you provide an email address for follow-up, we store it for lead generation purposes with your consent
  • We use a rate-limiting counter in your browser's localStorage — this contains no personal data

If AI-assisted generation is introduced in future, this policy will be updated and users will be notified at the point of use.

3.3 Consulting Clients

  • Name, designation, business email address, and phone number of client-side contacts
  • Company name and project-related correspondence
  • Invoicing details including GST number and billing address

3.4 Prospects and Business Contacts

  • Name, firm name, designation, and business email address
  • LinkedIn profile URL where you have made this publicly available on LinkedIn
  • Notes from networking events, referral context, or inbound enquiries

3.5 Training Participants

  • Name, designation, and organisation (provided by your employer as the contracting organisation)
  • Business email address and attendance records
  • Participation certificate details

3.6 Partners and Associates

  • Name, firm, email, phone, and LinkedIn profile
  • Bank details and PAN number — only where we pay fees to you as a contractor or associate

3.7 Website Visitors

We collect your IP address in server logs for security purposes only. No analytics tools are currently used to track website visitor behaviour.

4. Why We Collect It — Purpose and Legal Basis

Data CategoryPurposeDetailLegal Basis (DPDPA)
Platform user account dataService deliveryCreating and managing your account, delivering DPDPOne features, processing payments, sending transactional emailsConsent — Section 6
Platform usage and assessment dataService improvementImproving platform features using anonymised analytics; generating aggregate compliance insightsConsent — Section 6
Free tool visitor dataTool delivery and lead generationTemplate-based notice generation within your browser — no data transmitted externally; following up with information about DPDPOne if you provide email consentConsent — Section 6
Consulting client contact dataContract performanceDelivering contracted consulting services, project communication, and invoicingContract — Section 7(a)
Prospect and LinkedIn contact dataBusiness developmentInitial outreach and sales conversations regarding consulting or DPDPOne. LinkedIn-sourced data processed on basis of professional information voluntarily made public. All outreach includes opt-out. Suppression list maintained.Legitimate use — Section 7
Training participant dataTraining deliveryAdministering training sessions contracted by employer organisations — registration, attendance, certificates, and follow-upContract — Section 7(a) (B2B contract with employer)
Partner and associate dataBusiness collaborationCollaboration on client engagements, referral arrangements, and DPDPOne channel partnershipsLegitimate use — Section 7
Financial and tax recordsLegal complianceIssuing GST-compliant invoices, processing payments, collecting PAN for TDS, and maintaining records required under Indian tax lawLegal obligation — Section 7(b)

We do not use your personal data for any purpose incompatible with the purpose for which it was collected. We do not sell your data. We do not share your data with advertising networks or data brokers.

5. How Long We Keep It

Data CategoryRetention PeriodBasis
Platform account dataActive subscription + 3 years after closureDispute resolution; financial audit trail
Assessment, RoPA, notices, breach recordsActive subscription; deleted within 30 days of account deletion requestService delivery; deleted on request unless statutory obligation applies
Rights request records3 years from date of requestSection 13 DPDPA — grievance audit trail
Breach incident records5 yearsPotential DPBI inquiry requirements
Payment records (platform subscriptions)7 yearsGST Act Section 36; Income Tax Act Section 128
Security and technical audit logs90 days rolling (technical logs); 3 years (security events)Security operations; legal obligation for business records
Free tool visitor data12 months from submission, or 30 days from opt-out requestLead generation window; immediate deletion on opt-out
Consulting client records7 years post-engagementGST Act; Income Tax Act; dispute resolution
Prospect and business contact data2 years from last meaningful interaction, or on opt-outB2B sales cycle; opt-out = immediate suppression
Training participant records3 years post-engagementCertificate reissuance; employer queries
Partner/associate contact dataDuration of relationship + 2 yearsBusiness continuity; financial records where applicable
Partner/associate financial data (PAN, bank)7 yearsIncome Tax Act — TDS records

When a retention period expires, personal data is securely deleted or anonymised. Deletion is logged in our compliance records. Where data is under an active legal dispute or regulatory inquiry, we retain it until resolution regardless of the above periods.

6. Where Your Data is Stored

🇮🇳 Primary storage: India

All DPDPOne platform data — database records, compliance data, uploaded files, and application data — is stored on AWS infrastructure in the ap-south-1 (Mumbai) region.

  • Database: Supabase (hosted on AWS Mumbai ap-south-1)
  • File storage: AWS S3 (ap-south-1, Mumbai)
  • Application hosting: AWS EC2 (ap-south-1, Mumbai)
  • Payment processing: Razorpay — India-based, RBI data localisation compliant
  • Transactional email: ZeptoMail by Zoho Corporation Pvt Ltd — India-based, Chennai

Cross-border transfers

Some of our operational tools involve transfer of data outside India. Where this occurs, we document it here:

ServicePurposeData TransferredSafeguard
Anthropic Claude API (US)AI-assisted action plan generation (platform)User-submitted inputs (org name, sector, assessment context)Anthropic API Data Processing Agreement; processing limited to generating output — no training on customer data per API terms
LinkedIn (Ireland / US)Prospect identification and outreachPublicly available professional profile dataData limited to publicly listed professional contact information. LinkedIn platform terms govern original data.
Consulting client records, prospect data, training records, and financial records are stored in Gmail (Google Workspace) and mobile contacts. These involve cross-border transfer as noted above. We take reasonable steps to limit what data is shared via these channels.

7. Third-Party Services and Data Processors

We use the following third-party services to operate DPDPOne and our consulting practice. Each processor is contractually bound to process data only on our instructions and to maintain appropriate security standards.

ProcessorPurposeData CategoriesLocationApplies To
Supabase IncDatabase and authenticationAll platform data categoriesMumbai (AWS)Platform
Amazon Web ServicesCloud hosting and file storageAll platform data categoriesMumbaiPlatform
Razorpay Software Pvt LtdPayment processingTransaction reference, billing contactIndiaPlatform
ZeptoMail (Zoho Corp Pvt Ltd)Transactional email deliveryEmail address, email contentIndia (Chennai)Platform
Anthropic PBCAI-powered action plan generationUser-submitted inputs for AI featuresUSAPlatform
Google LLC (Gmail / Workspace)Business emailEmail contentUSA / IndiaConsulting
LinkedIn (Microsoft)Prospect research and outreachPublicly available professional dataIreland / USAConsulting

We do not sell your personal data. We do not share your data with advertising networks, data brokers, or any third party for commercial purposes outside the above.

8. Your Rights Under the DPDPA, 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights. To exercise any right, write to hello@dpdpone.com with the subject line "Data Rights Request — [Your Name]". We will acknowledge within 48 hours and respond within 7 business days.

Right to AccessSection 11

You may request a summary of the personal data we hold about you and the processing activities applicable to it. Platform users can also view their data directly in Account Settings.

Right to CorrectionSection 12

You may request correction of inaccurate, incomplete, or misleading personal data we hold about you. Platform users can update profile data directly in Settings. For consulting or training records, write to us.

Right to ErasureSection 12

You may request deletion of your personal data where the purpose of collection is fulfilled or where you withdraw consent. Platform users can initiate account deletion from the Billing page. We will process erasure within 30 days where no statutory retention obligation applies. Where a retention obligation exists (such as financial records under the GST Act), we will inform you of the specific period and delete at expiry.

Right to Withdraw ConsentSection 6(4)

Where we process your data on the basis of consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawal is as easy as giving consent:

  • Platform users: cancel subscription from Billing page (self-service) or write to hello@dpdpone.com with subject "Withdraw Consent"
  • Free tool users: write to hello@dpdpone.com with subject "Opt Out — Free Tools"
  • Marketing and prospect outreach: use the unsubscribe link in any email, or write to hello@dpdpone.com with subject "Opt Out"
Right to Grievance RedressalSection 13

You may file a complaint with our Grievance Officer at any time. See Section 11 of this notice. We aim to resolve all grievances within 30 days.

Right to NominateSection 14

You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. Write to hello@dpdpone.com to register a nomination.

9. How We Protect Your Data

  • AES-256 encryption for data at rest on AWS infrastructure
  • TLS 1.2+ encryption for all data in transit
  • Row-level security (RLS) on all Supabase database tables — complete isolation between subscriber organisations
  • Multi-factor authentication (MFA) on all administrative accounts
  • Access controls limiting data access to the minimum necessary
  • Regular web application security assessments (most recent: June 2026)
  • No production data used in development or testing environments

In the event of a personal data breach that is likely to cause harm to data principals, we will notify affected individuals and the Data Protection Board of India within the timeframes required under Section 8(6) of the DPDPA.

10. Cookies and Local Storage

We use only essential cookies required for platform functionality — session authentication cookies that keep you logged in. No analytics or tracking cookies are currently used on dpdpone.com. We do not use advertising or cross-site tracking cookies of any kind.

localStorage is used only for rate-limiting counters on the free tools and to remember dismissed messages. No personal data is stored here.

You can clear cookies and localStorage at any time through your browser settings.

11. Grievance Officer

Grievance Officer — DPDPOne

Mahadev Thukaram

Stratops Solutions Private Limited, Bengaluru, Karnataka, India

Email: hello@dpdpone.com

Response: Acknowledgement within 48 hours · Resolution within 30 days

How to file a grievance

  • Write to hello@dpdpone.com with subject: "Grievance — [Your Name]"
  • Describe your complaint clearly — what happened, what data is involved, and what outcome you seek
  • Include your registered email address or phone number so we can identify your records
  • You will receive an acknowledgement within 48 hours
  • We aim to resolve all grievances within 30 days of receipt

12. Escalation to the Data Protection Board of India

If your grievance is not resolved to your satisfaction within 30 days of submission to our Grievance Officer, you have the right to escalate your complaint to the Data Protection Board of India (DPBI) — the statutory regulatory authority established under Section 18 of the DPDPA, 2023.

The DPBI's formal complaint mechanism will be available once notified by the Central Government under the DPDPA.

13. Changes to This Notice

We may update this Privacy Notice to reflect changes in our practices, services, or legal requirements. Material changes will be communicated to registered platform users by email at least 14 days before they take effect. The latest version is always available at dpdpone.com/privacy-policy. The effective date at the top of this notice indicates when the current version took effect.

14. Language Availability

This Privacy Notice is available in Hindi and other languages listed in the Eighth Schedule of the Constitution of India upon request, as required under Section 5(2) of the DPDPA, 2023. To request a translated version, write to hello@dpdpone.com with the subject "Privacy Notice — [Language] Version". We will provide the translation within 7 business days at no charge.

© 2026 Stratops Solutions Private Limited. All rights reserved.

Terms of ServiceData Processing Agreement← Home