Last updated: 1 March 2026
Privacy Policy
This policy explains how DPDPA Shield collects, uses, and protects your personal data, and your rights under the Digital Personal Data Protection Act 2023.
1. Who We Are
DPDPA Shield is a SaaS compliance platform operated by [Company Name], registered in India. We are a Data Fiduciary under the DPDPA 2023 for the personal data of our customers and website visitors, and a Data Processor for personal data that our customers process through the platform.
Contact: hello@dpdpashield.in
2. What Personal Data We Collect
Account data: Name, work email address, company name, and designation — collected when you register or request a demo.
Usage data: Feature usage logs, session data, IP address, browser type, and device type — collected automatically when you use the platform.
Communication data: Content of emails sent to us, demo request forms, contact forms, and support tickets.
Payment data: Payment processing is handled by a third-party payment processor (Razorpay/Stripe). We do not store card numbers or payment credentials.
Tenant customer data: DPDPA Shield processes consent records, rights requests, and breach incident data on behalf of our tenant customers. This data belongs to the tenant and is processed under their instructions. We act as Data Processor for this data and do not access it for our own purposes.
3. Why We Collect It (Purposes and Legal Basis)
| Purpose | Data | Legal Basis (DPDPA) |
|---|---|---|
| Providing the platform | Account + usage data | Contract performance |
| Security and fraud prevention | Usage logs, IP address | Legitimate interest |
| Product improvement | Anonymised usage analytics | Legitimate interest |
| Marketing communications | Email address | Consent (opt-in only) |
| Legal compliance | All categories as required | Legal obligation |
| Customer support | Communication data | Contract performance |
4. Who We Share Data With
We share personal data with the following categories of recipients:
- Infrastructure providers: Supabase (database, Singapore), Vercel (frontend hosting), Render (API hosting), Cloudflare R2 (file storage), Upstash (cache) — all under data processing agreements.
- Email provider: Resend — used for transactional emails (account verification, rights request notifications) only.
- Analytics: We do not use third-party web analytics or advertising trackers on the DPDPA Shield platform.
We do not sell personal data. We do not share personal data with advertisers.
5. Data Retention
- Account data: Retained while your account is active, plus 30 days after a deletion request is processed.
- Usage logs: 1 year from processing date, consistent with DPDPA Rules Schedule 7.
- Consent records (tenant data): Retained per tenant configuration, with a minimum of 3 years for audit trail integrity.
- Marketing communications: Until consent is withdrawn. You may unsubscribe at any time.
6. Your Rights Under DPDPA
As a Data Principal under DPDPA 2023, you have the following rights:
- Right to Access (S.11): Request a summary of the personal data we hold about you, the purposes for processing, and the entities with whom we have shared it.
- Right to Correction and Erasure (S.12): Request correction of inaccurate or incomplete data, or erasure of data no longer necessary for the original purpose.
- Right to Grievance Redressal (S.13): Raise a complaint about how we handle your data. If unresolved, you may escalate to the Data Protection Board.
- Right to Nominate (S.14): Nominate another individual to exercise your rights in the event of death or incapacity.
To exercise any right: email hello@dpdpashield.in with subject “Data Rights Request”. We will respond within 30 days.
7. Security
We implement technical and organisational security measures in accordance with DPDPA S.8(5) and Rule 6 of the DPDPA Rules, including:
- Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+)
- Role-based access controls — no cross-tenant data access possible by design
- Immutable audit logs for all data processing actions
- 72-hour breach notification to the Data Protection Board per DPDPA S.8(6)
8. Cross-Border Transfers
Our infrastructure providers may process data outside India (Supabase in Singapore, Vercel and Render in the United States, Cloudflare R2 globally). All transfers are governed by contractual protections. We comply with Central Government notifications under DPDPA S.16 on permissible cross-border transfers as they are issued.
9. Children
DPDPA Shield is a platform for business users and is not directed at individuals under 18. We do not knowingly collect personal data of minors in our own operations. Our platform includes a Children's Data Module to help our customers comply with DPDPA S.9 in their own products.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be notified to registered users via email at least 30 days before taking effect. Continued use of the platform after 30 days constitutes acceptance of the updated policy.
11. Contact / DPO
For privacy queries or to exercise your rights: hello@dpdpashield.in
Subject line: “Data Rights Request” or “Privacy Query”