Privacy Policy

This Privacy Policy describes how the Company collects, uses, shares, and erases digital personal data connected to India. The corporate data architecture reflects the unified integration of the Information Technology Act, 2000, the SPDI Rules of 2011, and the Digital Personal Data Protection Act, 2023 (DPDPA). This policy applies comprehensively to all personal data processing activities in relation to individuals located within the territory of India. Individuals can review this technical document to understand their fundamental data principal rights, statutory grievance redressal channels, and explicit submission workflows for personal data requests.

India Privacy Policy Basics

This structural overview outlines the fundamental lifecycle, legal boundaries, and scope of data protection rules configured for the India region. Review the structural pillars of the localized data architecture across these key operational dimensions.

Operational DimensionTechnical Detail and Compliance Baseline
Scope of applicationIndia-linked personal data processing networks
Entities coveredData Fiduciaries, Data Processors, and Body Corporates
Data focusRestricted strictly to automated or digitized personal data
Linkage to IndiaDigital platforms and services targeting users in the India region
Data lifecycle stagesSystematic collection, authorized utilization, and absolute erasure
SPDI inclusionHigh-risk sensitive personal data or information categories included
Applicable lawsCoordinated framework under the IT Act, 2000 and DPDPA, 2023
Rights overviewEnforceable individual summary access, correction, and permanent deletion
Grievance contactDirect connection to the published Resident Grievance Officer channel
Cross-border handlingContract-backed international data transfers explicitly addressed

Personal Data Categories Collected in India

The Company documents each distinct type of information gathered from users to maintain complete processing transparency. Stored datasets are filtered into independent functional classifications based on their risk severity and processing criteria.

The specific parameters gathered or automatically tracked are itemized below:

  • Contact details: Active regional mobile phone numbers and verified personal email addresses;
  • Identity attributes: Full legal names, verified genders, and physical residential address records;
  • Financial information: Local bank account numbers, UPI credentials, and transaction balances where collection is necessary;
  • Device identifiers: Hardware device models, operating system types, network IP addresses, and online usage logs;
  • Location data: Generalized geographic telemetry parameters derived from network connection nodes;
  • Voluntary information: Supplementary personal parameters supplied freely by users during communications;
  • Service usage data: Real-time software interaction metrics, historical timestamps, and account activity logs;
  • Third-party records: Profile parameters collected through authorized external verification vendors or social networks;
  • Anonymised datasets: Aggregated system telemetry data used strictly for performance optimization and engineering analysis.

Treatment of SPDI Under India Rules

Sensitive Personal Data or Information (SPDI) requires independent classification and advanced administrative protections under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Review the concrete security practices and purpose limits applied to each sensitive category in the table below.

SPDI TypeTechnical Handling ApproachStatutory Purpose Limit
PasswordsHigh-grade cryptographic hashing and localized encryptionRestricted strictly to automated session authentication and account validation
Financial InformationIsolated ledger databases and tokenized processing systemsExplicit purpose explanation tied directly to settling real-money transaction requests
Health DataEnhanced role-based access controls and perimeter firewallsAdvanced user protection checks with zero secondary marketing utilization allowed
Biometric IdentifiersImmediate cryptographic verification with zero raw-file storageShorter retention lifecycles backed strictly by user-initiated affirmative consent

Notice Before Collecting Personal Information

Data Fiduciaries must deliver a clear, understandable textual notification to every individual prior to gathering any digitized attributes. The system deploys the following mandatory disclosure steps at every data entry gateway:

  1. Present the notice: Display a standalone, scannable Privacy Notice directly at the entry screen before the user inputs information.
  2. List data categories: Itemize every explicit type of personal data the platform intends to collect and define its exact purpose.
  3. Explain individual rights: Describe the native rights of the Data Principal, including the right to execute immediate consent withdrawal.
  4. Name the grievance contact: Publish the precise name, designation, and contact details of the appointed Resident Grievance Officer.
  5. Identify cross-border recipients: Disclose the categories of any overseas processors or corporate affiliates that receive the data.
  6. Store evidence of notice: RetainDated, automated server logs confirming that the text notice was displayed and accepted.

Consent Standards Under DPDPA 2023

Consent serves as the foundational legal ground for processing digitized personal attributes within the region. The platform configures its user authorization workflows according to the following strict statutory attributes:

  • Specific consent scope: Authorizations apply strictly to itemized data items linked directly to explicit business executions.
  • Clear affirmative action: Registrations require a deliberate, voluntary user choice, completely banning pre-checked boxes or silent opt-ins.
  • Linked to prior notice: The collection of consent must occur only after the comprehensive pre-collection notice is displayed.
  • Lawful and defined purposes: Processing networks block data manipulation if the underlying activity deviates from permissible statutory actions.
  • Data minimisation limits: System architecture restricts data ingestion strictly to the bare minimum parameters needed for service delivery.
  • Unconditional withdrawal: The platform explicitly grants individuals the legal right to revoke previously granted authorizations at any chosen time.
  • Simple withdrawal mechanism: The profile dashboard features a direct, single-click command to execute consent revocation commands instantly.
  • Immediate processing stoppage: Server operations cease tracking or processing relevant datasets immediately upon consent withdrawal.
  • Accountability records: Dated logs of all consent approvals and subsequent revocations are stored safely to satisfy independent audits.

Children and Minors Personal Information

Processing records linked to individuals under eighteen years of age requires implementing enhanced platform safeguards. Review the strict rules governing minor data protection under current statutory guidelines in the table below.

AspectChildren and Minors Requirement
Age thresholdRestricted strictly to individuals under 18 years of age
Parental consent needVerifiable authorization from a parent or legal guardian is mandatory before processing
Verification method referenceAge matching verified via official government documents or specialized digital tokens
Ban on targeted messagingFully restricted; behavioral tracking and personalized commercial ads are blocked automatically
Restriction on trackingProfiling and predictive behavioral monitoring are prohibited under DPDPA mandates
Retention limitationPersonal attributes are limited to immediate operational necessity and deleted promptly
Guardian-led complaintsLegal guardians maintain full authority to submit data requests on behalf of the minor
Separate treatment from adultsDistinct system rules and decoupled storage architectures applied to minor datasets

Retention and Erasure of India Personal Data

The lifespan of stored datasets is governed strictly by the duration of the authorized processing purpose. The core retention and disposal mechanisms implemented across the region are itemized below:

  • Purpose-based retention schedules apply independently to each collected information segment;
  • Shorter retention lifecycles are enforced for sensitive SPDI categories to minimize exposure risks;
  • Active real-time database nodes stay physically distinct from compressed archival backup environments;
  • Automated erasure criteria initiate immediately following a user-submitted consent withdrawal command;
  • Data correction, profile completion, and automated update rights are supported through user menus;
  • Comprehensive deletion logs and cryptographic shredding records are maintained throughout the process;
  • Archived backup components are addressed through decoupled schedules and cleared inside a rolling window;
  • Strict data accuracy standards are sustained over time to protect the integrity of financial logs.

Sharing and Disclosure of Personal Information

Data transmissions to external entities require strict compliance validation and contract-backed protection agreements. Transmitting high-risk sensitive data (SPDI) requires collecting prior explicit approval from the information provider before any cross-border or third-party transfer can initiate. Review the recipient categories and mandatory transfer conditions in the disclosure table below.

Recipient CategoryTechnical Sharing ConditionDesignated Example Use Case
Service ProvidersContractual data protection safeguards and rigid data processing limitations in placeCore system hosting and technical infrastructure support
Business PartnersStated lawful business purpose verified by the legal divisionCoordinated regional service delivery and platform optimization
Group EntitiesCompliance with the unified corporate privacy policy rules required across all branchesShared global server infrastructure access and system tuning
Government BodiesOfficial, lawful written request received from an authorized national agencyRegulatory compliance obligations and financial reporting requirements
Courts or RegulatorsValid legal order or judicial subpoena present in the compliance fileCourt-directed data submission during dispute adjudication
Overseas RecipientsApplicable geographic restrictions and data localization laws strictly followedSecured international database cross-border transfers
Anonymised RecipientsComplete erasure of identifying attributes ensuring no individual matching is possibleAggregated analytics sharing and system optimization research

Individual Rights in India Privacy Policy

The applicable legislative framework empowers local citizens with strong administrative tools to manage their digital profiles. Data fiduciaries carry rigid duties toward Data Principals at every stage of the data lifecycle. Review the core individual privileges and associated user obligations in the list below:

  • Access summary right: Players can request a clear text summary of all personal records and processing histories held by the Company;
  • Right to know recipients: Individual data principals can identify all third-party fiduciaries and processors with whom data is shared;
  • Seek correction or completion: Inaccurate or incomplete data fields can be updated or completed instantly via support channels;
  • Request erasure: Users can demand absolute data deletion once the underlying processing purpose concludes or consent is revoked;
  • Withdraw consent easily: The platform provides straightforward and non-punitive consent revocation mechanisms inside settings;
  • Request grievance handling: Individuals can demand immediate administrative reviews regarding data-handling failures;
  • Nominate another person: Users can designate a specific individual to manage their data principal rights in the event of death or incapacity;
  • Avoid frivolous complaints: Data principals carry the strict duty to provide authentic information and avoid submitting malicious or fraudulent claims.

Grievance and Complaint Handling Processes

Users can initiate formal inquiries to resolve data-handling issues directly with the corporate administration. Follow these sequential steps to initiate and track an official data complaint:

  • [Locate Contact Details] -> [Submit Written Complaint] -> [Receive Acknowledgement]
  •                                                                    |
  • [Escalate to DPBI Board] <- [Evaluate Final Outcome]   <- [Allow Investigation]
  1. Locate the designated contact details: Find the Data Protection Officer’s name, email address, and physical postal address published within the platform footer.
  2. Submit the complaint: Send a comprehensive written grievance via email detailing the exact data concern, date of occurrence, and supporting documentation.
  3. Receive acknowledgement: Await a formal written confirmation of receipt delivered to your inbox by the Company’s data protection unit.
  4. Allow investigation: The corporate compliance team reviews the ticket, logs the incident, and audits relevant server records.
  5. Receive the outcome: Read the written communication of the final decision and review any technical remedies or corrections offered by the site.
  6. Escalate unresolved matters: File the complaint directly before the Data Protection Board of India (DPBI) at its official portal if unresolved within 30 days.
  7. Retain records: Preserve all data correspondence, system acknowledgment letters, and official decision notices safely for future reference.

Cross-Border Handling of India Personal Data

International data transmissions must respect explicit user instructions and contract-backed protection agreements regardless of where the physical hardware storage occurs. Review the core cross-border data transfer scenarios in the reference table below.

Transfer ScenarioTechnical Policy Explanation and Protective Framework
India users served abroadStatutory national rules and DPDPA data protection standards apply fully to the service
Storage on foreign serversLocal Indian legislation governs the digital data assets across all international nodes
Processors located overseasDirect contractual data safeguards and data security clauses are mandatory under the contract
SPDI transferred internationallyAdditional compliance protocols and prior explicit user approvals apply before takeoff
Government destination directionsStrict central government directions override corporate transfer choices or proxy routes

Organisational Duties for India Personal Data Handling

Accountability requirements demand that processing platforms ensure absolute accuracy and operational security across all operational networks. Every data fiduciary operating under this framework must adhere to the following unified responsibilities:

  • Publishing the updated Privacy Policy clearly on the prominent corporate website;
  • Implementing explicit opt-in consent workflows prior to initiating any data collection loop;
  • Appointing a qualified Data Protection Officer (DPO) located physically within India;
  • Handling data breaches through mandatory notification steps to the Board and affected individuals within 72 hours;
  • Operating rapid, transparent grievance redressal mechanisms for all registered individuals;
  • Obtaining verifiable parental or legal guardian approval before processing minors’ datasets.

Conclusion on India Privacy Policy Application

In summary, India’s Privacy Policy framework connects data categories, SPDI handling, consent standards, individual rights, and grievance processes into one structured approach to transparent personal data handling. Each element addresses a distinct compliance requirement under the IT Act, SPDI Rules, and DPDPA 2023. Data fiduciaries hold defined duties toward Data Principals at every stage of the data lifecycle.

Key takeaways from this framework include:

  • Clarity of notices: Individual data entry points deploy scannable pre-collection notices;
  • Defined consent standards: Absolute requirement for free, specific, and informed affirmative actions under the DPDPA;
  • Children’s protection focus: Proactive exclusion of minor behavioral tracking and mandatory guardian verification;
  • Accessible rights mechanisms: Enforceable summary access, text corrections, and permanent erasure tools;
  • Structured grievance processes: Straightforward multi-stage escalation path leading directly to the Data Protection Board of India.