Introduction: Why Privacy Policy Matters Under DPDPA
A privacy policy is the foundation of DPDPA compliance. DPDPA Section 8 requires organizations to provide clear, specific, and intelligible information about data practices before collecting personal data. A well-drafted privacy policy not only meets legal requirements but also builds consumer trust and serves as internal documentation of compliance efforts.
Before & After: Common Privacy Policy Mistakes
Common Mistakes Found in Legacy Privacy Policies:
| Mistake | Before (Non-compliant) | After (DPDPA Compliant) |
|---|---|---|
| Vague Language | "We may use your data for business purposes." | "We use your name and email address to send you order confirmations and delivery updates. We store this data for 2 years after your last purchase." |
| Bundled Consent | "By registering, you agree to our ToS, privacy policy, and marketing communications." | [Separate checkboxes] ☐ I consent to order processing (required) ☐ I consent to marketing emails (optional) |
| Missing Sensitive Data Disclosure | "We protect all your information." | "We collect biometric data (fingerprint) for account authentication. This sensitive biometric data is encrypted and deleted within 90 days of account closure." |
| No Retention Timeline | "We keep your data as long as needed." | "Customer contact data: retained for 5 years post-purchase. Transaction records: retained for 7 years for tax compliance. Support tickets: deleted 2 years after resolution." |
| Hidden Data Sharing | "We may share with third parties." | "We share your address with shipping partners (UPS, FedEx) to deliver orders. We do NOT share your payment data with third parties." |
| No Rights Information | Privacy policy silent on user rights | "You can request access, correction, or deletion of your data by emailing privacy@company.com within 30 days. Email privacy@company.com to opt-out of marketing." |
| Incomprehensible to Consumers | 18th grade reading level, legal jargon | 8th grade reading level, plain English, formatted with headers and bullet points |
Section-by-Section Breakdown of DPDPA-Compliant Privacy Policy
1. Introduction & Scope
What to include:
- Identity of data controller (your company name, address, contact)
- Policy effective date and last updated date
- Scope (what types of data, what services covered, any exceptions)
- Reference to Data Protection Officer contact if applicable
Sample Language:
XYZ Company Private Limited (referred to as "we," "us," "our," or "Company") collects personal data as part of providing our e-commerce platform and related services. This privacy policy explains how we collect, use, protect, and share your personal data in compliance with the Digital Personal Data Protection Act (DPDPA), 2023.
Data Controller: XYZ Company Private Limited, located at [Address], India.
Contact: privacy@xyz.com, +91-[Phone]
Policy Last Updated: February 1, 2026
Effective Date: February 1, 2026
2. Personal Data We Collect
What to include:
- Categories of personal data collected (name, email, address, payment info, etc.)
- Sensitive personal data specifically identified
- How data is collected (directly from user, from third parties, from cookies, etc.)
- What is optional vs. required
Sample Language:
Directly Collected From You:
- Required for account creation: Full name, email address, phone number, password
- Required for purchases: Billing address, shipping address, payment method (credit card, UPI)
- Optional: Date of birth, profile picture, product preferences, customer reviews
Collected From Third Parties:
- Payment processors (Razorpay, PayU) provide payment confirmation and transaction reference
- Shipping partners (UPS, FedEx) provide delivery tracking and status updates
- Marketing platforms (Facebook, Google) provide audience insights (anonymized, aggregate level only)
Sensitive Personal Data We Collect:
- Payment card data: Card number (last 4 digits only), expiry, CVV - handled by certified payment processors, never stored by us
- Government ID data: PAN number (for orders over Rs. 1 lakh), Aadhaar number (optional for verified checkout) - encrypted, retained 7 years for tax compliance
3. Purpose of Data Processing
What to include:
- Specific purposes for which data is used
- Legal basis for each purpose (consent, contract, law, vital interest)
- Distinction between required and optional purposes
Sample Language:
Purpose 1: Fulfilling Your Purchase Order (Legal Basis: Contract)
- Process payment and prevent fraud
- Arrange shipment and delivery
- Send order confirmation and shipping updates
- Handle returns and refunds
Purpose 2: Improving Our Services (Legal Basis: Legitimate Interest)
- Analyze user behavior to improve website usability
- Identify technical issues and bugs
- Test new features before launch
Purpose 3: Marketing Communications (Legal Basis: Consent)
- Send promotional offers matching your interests
- Notify you of new product launches
- Conduct customer surveys and feedback collection
- Note: You can opt out of marketing anytime by clicking "Unsubscribe" in emails or updating preferences in your account settings.
Purpose 4: Complying with Laws (Legal Basis: Legal Obligation)
- Verify your identity for KYC/AML (Anti-Money Laundering) compliance
- Respond to government requests for data
- Maintain financial records for tax authorities
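The four legal bases above, and the "separate checkboxes" fix for bundled consent in the Before & After table, only work if the system behind the policy records each purpose on its own and gates processing by the right rule: contract and legal obligation are not consent-gated, consent is opt-in, legitimate interest is opt-out. The following is an added example (not code from the original guide); the purpose names, event sources and timestamps are constructed for illustration.

```python
# Added example (not from the original guide): a per-purpose consent ledger
# that keeps the four legal bases apart and treats "required" and "optional"
# checkboxes as separate records. Purpose names, sources and sample
# timestamps are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Legal basis for each processing purpose (mirrors Purposes 1-4 in the text).
LEGAL_BASIS = {
    "order_fulfilment": "contract",
    "service_improvement": "legitimate_interest",
    "marketing": "consent",
    "legal_compliance": "legal_obligation",
}


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool       # True = opted in, False = withdrew / objected
    at: datetime
    source: str         # where the choice was made, e.g. "signup_checkbox"


@dataclass
class ConsentLedger:
    """Append-only history of one user's choices, one purpose per event."""
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, purpose: str, granted: bool, at: datetime, source: str) -> None:
        if purpose not in LEGAL_BASIS:
            raise ValueError(f"unknown purpose: {purpose}")
        self.events.append(ConsentEvent(purpose, granted, at, source))

    def latest(self, purpose: str) -> Optional[ConsentEvent]:
        hits = [e for e in self.events if e.purpose == purpose]
        return max(hits, key=lambda e: e.at) if hits else None


def may_process(ledger: ConsentLedger, purpose: str) -> bool:
    """Decide whether processing for `purpose` is currently permitted."""
    basis = LEGAL_BASIS[purpose]
    if basis in ("contract", "legal_obligation"):
        # Not gated by a checkbox: needed to deliver the service or required by law.
        return True
    last = ledger.latest(purpose)
    if basis == "consent":
        # Opt-in: silence, or a bundled "I agree", never counts as consent.
        return last is not None and last.granted
    if basis == "legitimate_interest":
        # Opt-out: allowed until the user objects.
        return last is None or last.granted
    raise ValueError(f"unhandled legal basis: {basis}")


def record_signup(ledger: ConsentLedger, at: datetime, marketing_opt_in: bool) -> None:
    """Unbundled registration: the required terms checkbox grants nothing for
    marketing; only the separate optional checkbox can."""
    ledger.record("marketing", marketing_opt_in, at, "signup_checkbox")


def demo() -> dict:
    """Walk one user through signup, opt-in, unsubscribe and an objection,
    returning the permission decision after each step."""
    ledger = ConsentLedger()
    out = {}
    record_signup(ledger, datetime(2026, 2, 1, 10, 0), marketing_opt_in=False)
    out["after_signup"] = (may_process(ledger, "order_fulfilment"),
                           may_process(ledger, "marketing"),
                           may_process(ledger, "service_improvement"))
    ledger.record("marketing", True, datetime(2026, 2, 2, 9, 0), "account_settings")
    out["after_opt_in"] = may_process(ledger, "marketing")
    ledger.record("marketing", False, datetime(2026, 2, 3, 9, 0), "unsubscribe_link")
    out["after_unsubscribe"] = may_process(ledger, "marketing")
    ledger.record("service_improvement", False, datetime(2026, 2, 3, 9, 5), "account_settings")
    out["after_objection"] = may_process(ledger, "service_improvement")
    out["legal_compliance"] = may_process(ledger, "legal_compliance")
    out["last_marketing_source"] = ledger.latest("marketing").source
    return out


if __name__ == "__main__":
    for step, decision in demo().items():
        print(step, decision)
```

The ledger is append-only so the latest event, with its source, doubles as the audit record a regulator or the user can ask for; `may_process` is the single gate every marketing job or analytics pipeline should call, rather than each team reading the checkbox state its own way.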
4. Data Sharing & Third Parties
What to include:
- Categories of recipients (logistics, payment processors, analytics, advertisers)
- Specific data shared with each category
- Safeguards in place for shared data
- Data Processing Agreements in place
- Whether third parties process data in India or outside
Sample Language:
We Share Data With:
1. Logistics & Shipping Partners (UPS, FedEx, Local Couriers)
- Data shared: Name, phone number, delivery address
- Purpose: Delivery of your order
- Data location: India
- Data Protection Agreement: Yes, in place
- Retention: Deleted 30 days after delivery
2. Payment Processors (Razorpay, PayU, HDFC)
- Data shared: Payment method, transaction amount, transaction date (NOT card number or CVV - handled directly by processor)
- Purpose: Processing your payment
- Data location: India for payment processing, but data may also reside in servers outside India per processor's infrastructure
- Data Protection Agreement: Yes, and processor is PCI-DSS certified
3. Analytics Providers (Google Analytics, Mixpanel)
- Data shared: Anonymized usage data (pages visited, time on site, device type), NOT personal identifying information
- Purpose: Understanding website usage to improve user experience
- Data location: Data servers primarily outside India
- Retention: Automatically deleted after 14 months by provider
- Your Control: You can opt out of Google Analytics tracking at https://tools.google.com/dlpage/gaoptout
4. Customer Support Platform (Zendesk, Freshdesk)
- Data shared: Your chat messages, email, support tickets, and associated personal data
- Purpose: Responding to your customer service inquiries
- Data location: Servers primarily in India, but with replication outside India
- Retention: Deleted 2 years after ticket closure
5. Marketing Platforms (Facebook, Google, HubSpot)
- Data shared: Only your email address and purchase category (e.g., "Electronics Buyer"), NOT full purchase history
- Purpose: Showing you relevant advertisements
- Data location: Outside India (USA, EU)
- Your Control: You can adjust ad preferences in your account settings or on Facebook/Google.
We DO NOT Share With:
- Data brokers or data aggregators for commercial purposes
- Third parties for their independent marketing without your explicit consent
- Financial, health, or government ID data with any third party except as required by law
Data Processing Agreements: All third-party vendors who process your personal data have signed Data Processing Agreements (DPAs) committing to DPDPA compliance. If you request, we can provide summaries of these agreements.
5. Data Retention & Deletion
What to include:
- How long each type of data is retained
- Justification for retention periods
- Process for data deletion
- How to request data deletion
Sample Language:
How Long We Retain Your Data:
| Data Type | Retention Period | Justification |
|---|---|---|
| Account information (name, email) | Active account + 1 year | Account recovery, legal disputes |
| Purchase history | 7 years | Tax compliance, warranty claims |
| Billing records | 7 years | Government tax authority requirements |
| Customer support tickets | 2 years after resolution | Service quality review, complaint handling |
| Marketing preferences | Until you unsubscribe | Compliance with your opt-out request |
| Payment card data | None - handled by payment processor | We do not store card data |
| Website analytics | 14 months | Google Analytics default retention |
| Cookies | 1-2 years (varies by cookie) | See our Cookie Policy |
Data Deletion Process: When data reaches its retention period, we automatically delete or anonymize it through our data deletion schedule. You can request earlier deletion by contacting privacy@xyz.com. We will comply with deletion requests within 30 days, unless a legal basis requires retention.
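A retention table is only honest if something actually enforces it, including the two awkward cases the sample language mentions: a clock that has not started yet (account still active) and an early-deletion request that hits a legal-hold type. The following is an added example, not code from the original guide; the data-type names, sample records and "as of" date are constructed for illustration.

```python
# Added example (not from the original guide): applying a retention schedule
# like the table above to stored records. Type names, sample records and
# the "as of" date are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention periods in days, mirroring the table. None = no fixed period.
RETENTION_DAYS: Dict[str, Optional[int]] = {
    "account_info": 365,            # active account + 1 year (clock starts at closure)
    "purchase_history": 7 * 365,
    "billing_record": 7 * 365,
    "support_ticket": 2 * 365,      # clock starts at resolution
    "marketing_preference": None,   # kept until the user unsubscribes
    "analytics": 14 * 30,           # 14 months (provider default)
}

# Types a legal obligation makes us keep even after an early-deletion request.
LEGAL_HOLD = {"purchase_history", "billing_record"}


@dataclass
class Record:
    record_id: str
    data_type: str
    clock_start: Optional[date]     # closure / purchase / resolution date; None = not started
    deletion_requested: bool = False


def decide(rec: Record, today: date) -> str:
    """Return 'delete', 'retain' or 'retain-legal-hold' for one record."""
    if rec.data_type not in RETENTION_DAYS:
        # Data with no documented retention rule is itself a policy gap; fail loudly.
        raise ValueError(f"no retention rule for {rec.data_type}")
    if rec.deletion_requested:
        # Honour the request (inside the 30-day window) unless the law requires
        # retention, in which case the exemption is noted in the reply to the user.
        return "retain-legal-hold" if rec.data_type in LEGAL_HOLD else "delete"
    days = RETENTION_DAYS[rec.data_type]
    if days is None or rec.clock_start is None:
        return "retain"             # no fixed period, or clock not started (account still active)
    return "delete" if today >= rec.clock_start + timedelta(days=days) else "retain"


def run_schedule(records: List[Record], today: date) -> Dict[str, str]:
    """The periodic deletion job: one decision per record id."""
    return {r.record_id: decide(r, today) for r in records}


# Constructed sample data set and evaluation date.
AS_OF = date(2026, 2, 1)
SAMPLE_RECORDS = [
    Record("t-1", "support_ticket", date(2023, 1, 1)),            # resolved 3 years ago
    Record("t-2", "support_ticket", date(2025, 6, 1)),            # resolved 8 months ago
    Record("a-1", "account_info", None),                          # account still active
    Record("a-2", "account_info", date(2024, 12, 1)),             # closed over 1 year ago
    Record("b-1", "billing_record", date(2025, 1, 1), deletion_requested=True),
    Record("m-1", "marketing_preference", date(2020, 1, 1), deletion_requested=True),
    Record("x-1", "analytics", date(2025, 1, 1)),                 # 13 months old
]

if __name__ == "__main__":
    for rid, action in run_schedule(SAMPLE_RECORDS, AS_OF).items():
        print(rid, action)
```

The job's output is what the "Exempt data will be noted in our response" promise in Section 6 is built from: every `retain-legal-hold` decision should feed the reply to the user, and every `delete` should be checked against the backup and vendor copies the Data Sharing section admits to.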
6. Your Rights Under DPDPA
What to include:
- Right to access personal data
- Right to correct inaccurate data
- Right to delete (erasure)
- Right to data portability
- Right to object/opt-out of processing
- Process and timeline for exercising rights
Sample Language:
Your Data Rights: You have the following rights under DPDPA regarding your personal data:
1. Right to Access: You can request a copy of all personal data we hold about you.
- How to request: Email privacy@xyz.com with "Subject: Data Access Request"
- Timeline: We will provide data within 30 days
- Format: Data will be provided in a machine-readable format (CSV/PDF)
- Cost: Free
2. Right to Correct: If your data is inaccurate or incomplete, you can request corrections.
- Self-service correction: Most data can be updated directly in your account settings (Profile page)
- Manual correction: Email privacy@xyz.com with specific data corrections. Include your account ID and reason for correction.
- Timeline: We will confirm corrections within 30 days
3. Right to Deletion (Erasure): You can request deletion of your personal data.
- How to request: Email privacy@xyz.com with "Subject: Data Deletion Request"
- What we delete: All non-essential data (account info, purchase details, preferences). Exceptions: data we must retain by law (tax records for 7 years, transaction records).
- Timeline: Non-exempt data deleted within 30 days. Exempt data will be noted in our response.
- Account deletion: Account closure will delete associated data, except legally required retention.
4. Right to Data Portability: You can request your data in a portable format to transfer to another service.
- How to request: Email privacy@xyz.com with "Subject: Data Portability Request"
- Format provided: CSV (spreadsheet) or JSON (machine-readable) format
- Data included: Account info, purchase history, profile, preferences
- Timeline: Within 30 days
5. Right to Opt-Out of Processing (Where Applicable):
- Marketing emails: Click "Unsubscribe" in any marketing email, or email privacy@xyz.com
- Marketing SMS: Reply STOP to any marketing SMS
- Analytics tracking: Install browser extension at https://tools.google.com/dlpage/gaoptout
- Personalized ads: Manage ad preferences on Facebook (facebook.com/ads/preferences) or Google (myaccount.google.com/ads)
How to Exercise Your Rights:
- Contact method: Email privacy@xyz.com or submit form at [website]/privacy-rights
- Identification: Provide sufficient information to verify your identity (email, account ID, last 4 digits of card)
- Timeline: We aim to respond within 30 days; maximum 60 days in complex cases
- No cost: Exercising your rights is free
- No penalty: We will not charge you more or deny service for exercising your rights (except where doing so would make service impossible)
Escalation: If you believe we have not properly handled your rights request, you can escalate to the Data Protection Board of India. Contact information: [DPB contact].
7. Security Measures
What to include:
- High-level description of security measures (encryption, access controls, etc.)
- Data residency information
- No false security claims
Sample Language:
How We Protect Your Data: We implement technical, organizational, and legal measures to protect your personal data:
Technical Security:
- Encryption in Transit: All data transmitted between you and our servers is encrypted using TLS 1.3 (HTTPS)
- Encryption at Rest: Sensitive data (payment info, government IDs) is encrypted using AES-256 encryption on our servers
- Access Controls: Only authorized employees can access personal data, and only those who need it for their role
- Firewalls & Intrusion Detection: Our servers are protected by firewalls and 24/7 monitoring for suspicious activity
- Regular Security Updates: We regularly update software and security patches
Organizational Measures:
- Data Protection Officer: A dedicated officer oversees data protection compliance
- Employee Training: Staff handling data receive annual privacy and security training
- Access Logging: All access to personal data is logged and reviewed for suspicious patterns
- Vendor Security: Third-party vendors must meet security standards defined in our Data Processing Agreements
Data Residency: Your personal data is processed and stored primarily in servers located in India, in compliance with DPDPA requirements for sensitive data. Some non-sensitive data (such as analytics) may be processed on international servers per your consent.
Limitations: While we implement strong security, no system is 100% secure. We cannot guarantee absolute security against all cyber threats. We will notify you of material security breaches per our Breach Notification Policy.
8. Automated Decision-Making & Profiling
What to include (if applicable):
- Whether automated decision-making is used
- What decisions are made (credit scoring, recommendations, etc.)
- Right to human review
- Factors used in decisions
Sample Language:
Automated Decision-Making: We use automated systems for certain decisions:
1. Fraud Detection (Automated):
- Decision: Whether to approve or flag a transaction as potentially fraudulent
- Factors: Payment amount, frequency, location, device, historical pattern
- Your rights: If flagged as fraud, you will receive notification. You can request manual review by contacting our fraud team within 24 hours.
- Human review: Our team manually reviews flagged transactions before taking action
2. Product Recommendations (Automated):
- Decision: Which products we recommend to you based on browsing and purchase history
- Factors: Products you viewed, purchases, category interests, ratings you gave
- Your rights: You can opt out of personalized recommendations in your settings. All users see base recommendations regardless of opt-out.
- Not used for: These recommendations do NOT affect your access to products or pricing.
3. Customer Service Routing (Automated):
- Decision: Assigning support tickets to the most appropriate support team based on issue category
- Factors: Keywords in your message, history of similar issues, team workload
- Your rights: You can request a different team if you're not satisfied with routing. Human review is always available.
Not Automated:
- Credit limit decisions - always reviewed by human
- Account suspension/termination - always reviewed by human
- Employment decisions (if applicable) - always reviewed by human
9. Children's Data (if applicable)
What to include:
- Minimum age requirement
- Parental consent process
- What data is collected from children
- Special protections for children
Sample Language (for platforms serving children):
Children's Privacy: Our service is not intended for individuals under 13 years old. If you are under 13, please do not use our service. For users aged 13-18, we require parental consent:
- Parental Consent Process: Parent/guardian must create account and provide explicit consent before child can create profile
- Data Collected from Children: Name, email (for account verification), age, profile picture (optional)
- Data NOT Collected: We do not collect biometric data from children. We do not create behavior profiles for marketing.
- Marketing: Children will not receive targeted advertising based on their behavior
- Parental Rights: Parents can access, correct, delete child's data anytime by contacting privacy@xyz.com
10. Cookie Policy & Tracking
What to include:
- Types of cookies used
- Purposes of each cookie
- How to manage cookie preferences
- Third-party cookies
Sample Language:
Cookies & Tracking Technologies: We use cookies and similar tracking technologies to enhance your experience. Cookies are small text files stored on your device.
Types of Cookies:
| Cookie Type | Purpose | Duration | Your Control |
|---|---|---|---|
| Essential/Functional | Log you in, remember preferences, prevent fraud | Session or 1 year | Cannot disable (service won't work without these) |
| Analytics | Understand how users interact with site | 14 months | Opt out via Google Analytics consent or browser settings |
| Marketing/Advertising | Show you relevant ads based on browsing | 1 year | Opt out in cookie settings or ad preference centers |
| Social Media | Allow sharing on Facebook, Instagram | Varies | Disable in social media settings |
Your Cookie Choices:
- Cookie Banner: When you first visit, you can choose which cookies to accept (essential always required; others optional)
- Browser Settings: You can disable cookies in your browser settings (Chrome, Safari, Firefox, Edge all have cookie management)
- Opt-out Tools: Google Analytics opt-out, Facebook Ad Preferences, Do Not Track header
- Effect of Disabling: Disabling marketing cookies won't affect service functionality but may affect your browsing experience
Third-Party Cookies: Our marketing partners (Facebook, Google) may place cookies on your device. This is governed by their privacy policies, not ours. We provide links to their privacy controls on our Settings page.
11. International Data Transfers (if applicable)
What to include:
- Whether data is transferred outside India
- Why transfers occur
- Safeguards in place
- Your consent for transfers
12. Breach Notification
What to include:
- How you'll be notified of data breaches
- Timeline for notification
- What information will be provided
- What steps you should take
13. Grievance Redressal & Contact
What to include:
- Contact information for privacy inquiries
- Grievance complaint process
- Escalation to Data Protection Board
- Average response timeframe
Sample Language:
Contact Us & Grievance Resolution:
For Privacy Inquiries:
- Email: privacy@xyz.com
- Phone: +91-[Phone]
- Postal: Data Protection Officer, XYZ Company, [Address]
- Response Time: We aim to respond within 15 days
Filing a Complaint (Grievance): If you believe we have violated your data rights under DPDPA:
- Contact us at privacy@xyz.com with details of the grievance
- We will investigate and respond within 45 days
- If you're not satisfied, you can escalate to the Data Protection Board of India
- Online Portal: [DPB portal URL]
- Email: grievances@dpb.gov.in
Tailoring Your Privacy Policy: Industry-Specific Considerations
For E-Commerce Platforms:
- Payment card data handling and PCI-DSS compliance
- Shipping partner data sharing details
- Return/refund data retention
- Customer review data usage
For SaaS/Software Products:
- Customer usage data and analytics
- Log files and system activity data
- API data exchange specifications
- Data exports and backup procedures
For Financial Services (Banks, Fintech):
- KYC/AML compliance and document retention
- Credit scoring and algorithmic decision-making
- RBI data localization requirements
- Sensitive financial data security measures
For Healthcare/Medical Platforms:
- Patient medical records retention (7 years minimum)
- HIPAA/equivalent compliance
- Telemedicine data security
- Research data anonymization
For Social Media/UGC Platforms:
- User-generated content ownership and usage
- Recommendation algorithms and personalization
- Children's privacy protections
- Third-party advertiser data sharing
Plain Language & Readability: Making Policies Understandable
- Sentences under 20 words (average: 15 words per sentence)
- Short paragraphs (3-5 sentences maximum)
- Bullet points and numbered lists
- Headers and subheaders for navigation
- Plain English instead of legal jargon
- 8th-grade reading level (Flesch-Kincaid score above 60)
- Use "you" and "we" pronouns (conversational tone)
- Active voice ("we collect your email" not "email is collected")
- Avoid: "notwithstanding," "pursuant to," "heretofore," "aforementioned"
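The targets above (sentences under 20 words, a score above 60, no legalese, active voice) can be checked mechanically before a draft goes to legal review. The following is an added example, not code from the original guide: it computes the Flesch Reading Ease formula (the 0-100 scale on which 60 and above is roughly the 8th-grade band the list targets), flags the listed jargon words and a simple passive-voice pattern, and reports sentences over the word limit. The two sample passages are constructed, and the syllable counter is a vowel-group heuristic, not a dictionary.

```python
# Added example (not from the original guide): a readability gate for draft
# policy text. Sample passages are constructed; the syllable counter is a
# heuristic good enough to compare drafts, not a pronunciation dictionary.
import re
from typing import Dict, List

JARGON = {"notwithstanding", "pursuant", "heretofore", "aforementioned"}
MAX_SENTENCE_WORDS = 20
MIN_READING_EASE = 60.0

WORD_RE = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?")
# "is/are/was/were/be/been/being" followed by a word ending in -ed: a crude passive-voice detector.
PASSIVE_RE = re.compile(r"\b(?:is|are|was|were|be|been|being)\s+\w+ed\b", re.I)


def split_sentences(text: str) -> List[str]:
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return [p for p in parts if p]


def count_syllables(word: str) -> int:
    """Count vowel groups, dropping a silent trailing 'e' ("name", "use")."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)


def analyze(text: str) -> Dict[str, object]:
    """Score one passage against the plain-language targets."""
    sentences = split_sentences(text)
    words = WORD_RE.findall(text)
    syllables = sum(count_syllables(w) for w in words)
    n_s, n_w = max(len(sentences), 1), max(len(words), 1)
    # Flesch Reading Ease: higher is easier; 60-70 is roughly 8th-9th grade.
    ease = 206.835 - 1.015 * (n_w / n_s) - 84.6 * (syllables / n_w)
    long_sentences = [s for s in sentences if len(WORD_RE.findall(s)) > MAX_SENTENCE_WORDS]
    jargon = [w.lower() for w in words if w.lower() in JARGON]
    passive_hits = len(PASSIVE_RE.findall(text))
    return {
        "words": len(words),
        "sentences": len(sentences),
        "avg_sentence_length": len(words) / n_s,
        "flesch_reading_ease": ease,
        "long_sentences": long_sentences,
        "jargon": jargon,
        "passive_hits": passive_hits,
        "passes": ease >= MIN_READING_EASE and not long_sentences and not jargon,
    }


# Constructed samples: a plain-English clause and a legalese rewrite of it.
PLAIN = "We use your name and email to send order confirmations."
LEGALESE = ("Notwithstanding the aforementioned, data shall be processed "
            "pursuant to applicable regulations.")

if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("legalese", LEGALESE)):
        r = analyze(text)
        print(f"{label}: ease={r['flesch_reading_ease']:.1f} "
              f"jargon={r['jargon']} passive={r['passive_hits']} passes={r['passes']}")
```

Run it over each section of a draft rather than the whole document: a single dense "Limitations" paragraph can hide behind an easy average, and the per-section result tells the drafter exactly where to cut.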
Implementing Your Privacy Policy: Practical Steps
- Conduct Audit (Week 1-2): Document what personal data your organization actually collects and processes
- Draft Policy (Week 2-4): Use this guide's sections as template; customize to your actual practices
- Legal Review (Week 4-5): Have a data protection attorney review for DPDPA compliance and accuracy
- Readability Test (Week 5): Test with non-legal employees - they should understand without calling legal team
- Internal Alignment (Week 5-6): Ensure all departments (Product, IT, Marketing, Support) confirm policy accurately describes practices
- Publication (Week 6): Post privacy policy prominently on website, in app, at registration
- Implementation (Week 6+): Update systems to comply with everything stated in policy
- Training (Ongoing): Train all staff on privacy policy requirements and their role in compliance
- Maintenance (Quarterly): Review and update policy as business practices change
Common Mistakes to Avoid
- Promising more security than you deliver: Don't claim "military-grade encryption" unless you actually use it
- Being vague about data sharing: Specify exactly which third parties get which data
- Hiding controversial practices: If you use facial recognition, algorithmic decision-making, or cross-border transfers, disclose it clearly - don't bury in fine print
- Bundling consent: Each type of processing should have separate consent checkbox
- Outdated policies: Update whenever business practices change (new third parties, new data types, etc.)
- Not providing contact information: Make it easy for people to reach your privacy team
- Inconsistent with actual practice: If policy says you delete data after 1 year but you actually keep it for 5, that's a violation
Conclusion: Privacy Policy as Trust Foundation
A DPDPA-compliant privacy policy is more than a legal checkbox - it's a commitment to transparency and respect for individual rights. Organizations that invest time in clear, honest, practical privacy policies demonstrate serious commitment to data protection, build customer trust, and reduce regulatory risk. In the post-DPDPA landscape, a strong privacy policy is a competitive differentiator.