Last updated: 8 July 2026

Privacy Policy

Here's how we collect, use, and protect your personal data - and what rights you have under the Digital Personal Data Protection Act 2023.

1. Who We Are

DPDPA Shield is a SaaS compliance platform run by DPDPA Shield Technologies Private Limited, registered in India. We're a Data Fiduciary under the DPDPA 2023 when it comes to our customers' and visitors' personal data. For the data our customers process through the platform, we act as a Data Processor - meaning we handle it on their behalf and under their instructions.

Contact: hello@dpdpashield.in

2. What Personal Data We Collect

Account data: Your name, work email, company name, and designation - we collect these when you sign up or request a demo.

Usage data: We automatically log feature usage, session info, your IP address, browser type, and device type as you use the platform.

Communication data: Anything you send us - emails, demo request forms, contact forms, support tickets.

Payment data: A third-party processor (Razorpay/Stripe) handles all payment processing. We never store your card numbers or payment credentials.

Tenant customer data: We process consent records, rights requests, and breach incident data on behalf of our tenant customers. That data belongs to the tenant. We act as Data Processor for it, follow their instructions, and don't access it for our own purposes.

3. Why We Collect It (Purposes and Legal Basis)

PurposeDataLegal Basis (DPDPA)
Providing the platformAccount + usage dataContract performance
Security and fraud preventionUsage logs, IP addressLegitimate interest
Product improvementAnonymised usage analyticsLegitimate interest
Marketing communicationsEmail addressConsent (opt-in only)
Legal complianceAll categories as requiredLegal obligation
Customer supportCommunication dataContract performance

4. Who We Share Data With

We share personal data with these categories of recipients:

  • Infrastructure providers: Amazon Web Services (AWS) hosts everything - our database (RDS PostgreSQL), API (App Runner), frontend (Amplify), file storage (S3), and cache (ElastiCache Redis). It's all in AWS ap-south-1 (Mumbai, India) under data processing agreements.
  • Email provider: Resend handles transactional emails only - things like account verification and rights request notifications.
  • Analytics: We don't use third-party web analytics or advertising trackers on the platform. None.

We don't sell personal data. We don't share it with advertisers. Full stop.

5. Data Retention

  • Account data: We keep it while your account is active, plus 30 days after you request deletion.
  • Usage logs: Deleted after 1 year, consistent with DPDPA Rules Schedule 7.
  • Consent records (tenant data): Kept per the tenant's configuration, with a minimum of 3 years to maintain audit trail integrity.
  • Marketing communications: Until you withdraw consent. You can unsubscribe at any time.

6. Your Rights Under DPDPA

As a Data Principal under the DPDPA 2023, here's what you're entitled to:

  • Right to Access (S.11): Ask us for a summary of what personal data we hold about you, why we're processing it, and who we've shared it with.
  • Right to Correction and Erasure (S.12): If something's wrong or incomplete, you can ask us to fix it. You can also request erasure when the data is no longer needed for its original purpose.
  • Right to Grievance Redressal (S.13): Not happy with how we're handling your data? Raise a complaint with us. If we don't resolve it, you can escalate to the Data Protection Board.
  • Right to Nominate (S.14): You can nominate someone to exercise your rights if you become incapacitated or pass away.

To exercise any of these rights, email hello@dpdpashield.in with the subject line “Data Rights Request”. We'll respond within 30 days.

7. Security

We take security seriously. Here's what we've put in place to protect your data, per DPDPA S.8(5) and Rule 6:

  • All personal data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Role-based access controls ensure no cross-tenant data access is possible - by design
  • Every data processing action gets logged in an immutable audit trail
  • If there's ever a breach, we'll notify the Data Protection Board within 72 hours per DPDPA S.8(6)

8. Data Residency

We store and process all personal data within India - specifically in AWS ap-south-1 (Mumbai). That includes our database, API servers, file storage, cache, and encryption key management. Everything stays in Mumbai.

There's one exception: transactional email delivery through Resend may involve processing in the United States to actually deliver emails (account verification, rights request notifications, etc.). Resend doesn't store personal data beyond what's needed for delivery.

We'll comply with any Central Government notifications under DPDPA S.16 on permissible cross-border transfers as they're issued.

9. Children

DPDPA Shield is built for business users. It's not directed at anyone under 18, and we don't knowingly collect personal data from minors in our own operations. That said, our platform does include a Children's Data Module - but that's there to help our customers comply with DPDPA S.9 in their own products.

10. Changes to This Policy

We may update this policy from time to time. If we make material changes, we'll email registered users at least 30 days before they take effect. Continuing to use the platform after those 30 days means you've accepted the updated policy.

11. Contact / DPO

Got a privacy question or want to exercise your rights? Reach out: hello@dpdpashield.in

Subject line: “Data Rights Request” or “Privacy Query”