How we handle your data

Privacy Policy

Last updated · 20 June 2026

DPDPA Workflow ("DPDPA Workflow", "we", "us", or "our") provides a web-based software application that helps organisations run a structured gap assessment and manage their compliance programme under India's Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Digital Personal Data Protection Rules, 2025 (the "DPDP Rules").

This Privacy Policy explains what personal data we collect about you, why we process it, the lawful basis for that processing, how long we keep it, and the rights available to you. We have written this notice to comply with Section 5 of the DPDP Act and to model the disclosure practices we help our customers build.

In this Policy we use the terms defined in the DPDP Act. You are a "Data Principal" — the individual to whom the personal data relates. In respect of the personal data described below, DPDPA Workflow is the "Data Fiduciary" — the entity that determines the purpose and means of processing.

A note on dates. The DPDP Rules, 2025 were notified in November 2025. Procedural provisions (including the establishment of the Data Protection Board of India) took effect from 14 November 2025, and the substantive obligations of Data Fiduciaries become enforceable from 13 May 2027. We have chosen to apply these standards now.

1. The personal data we collect and why we process it

The table below itemises the personal data we collect and the specific purpose for which each item is processed, as required by Section 5(1)(i) of the DPDP Act. We collect only such personal data as is necessary for the stated purpose.

Category | What it includes | Purpose of processing | Lawful basis
Google account identity | Your name, email address and profile photograph, received from Google when you sign in via Google OAuth | To create and authenticate your account, identify you within your organisation’s workspace, and communicate with you about the service | Your consent (Section 6)
Compliance-assessment content | The information you enter — answers to gap-assessment questions, notes, evidence references, task and remediation records, and other workspace data | To provide the core service: generating, storing and presenting your DPDP compliance assessment and programme | Your consent (Section 6); performance of our contract with your organisation
Technical and usage logs | IP address, browser and device type, timestamps, pages and features accessed, and error/diagnostic logs | To operate, secure and troubleshoot the service, prevent abuse, and maintain an audit trail | Our legitimate need to provide a secure, functioning service; your consent
Cookies and session data | Strictly necessary session and authentication cookies | To keep you signed in and maintain session security | Your consent; strictly necessary for the service you request

We do not sell your personal data, and we do not use your compliance-assessment content for advertising or for training machine-learning models.

2. Lawful basis and your consent (Section 6)

Where we rely on consent, that consent is — consistent with Section 6(1) of the DPDP Act — free, specific, informed, unconditional and unambiguous, given by a clear affirmative action (your act of signing in and accepting this Policy), and limited to the personal data necessary for the purposes stated above.

Withdrawing consent. Under Section 6(4), you may withdraw your consent at any time, and we will make it as easy to withdraw as it was to give. You can withdraw consent by writing to us at hello@deepdivelabs.tech or by deleting your account from within the application. When you withdraw consent, we will, within a reasonable time, stop processing the affected personal data and direct any of our data processors to do the same, unless continued processing is required or authorised under the DPDP Act, the DPDP Rules, or any other law in force in India.

Withdrawing consent does not make any processing carried out before the withdrawal unlawful, and may mean we can no longer provide some or all of the service.

3. Where your data is shared

We share personal data only as necessary to run the service:

  • Service providers (Data Processors). We use vetted infrastructure, hosting and email providers who process personal data on our behalf, under contract, and only on our instructions.
  • Google. Sign-in is handled by Google's OAuth service. Google's handling of your data is governed by Google's own privacy policy.
  • Within your organisation. If you use DPDPA Workflow as part of an organisational workspace, your assessment content may be visible to authorised administrators of that workspace.
  • Legal and regulatory. We may disclose personal data where required to comply with applicable law, a lawful request, or to protect our rights, users or the public.

4. Data retention and erasure (Section 8(7))

In line with Section 8(7) of the DPDP Act, we erase personal data when you withdraw your consent, or as soon as it is reasonable to assume that the purpose for which it was collected is no longer being served — whichever is earlier — unless retention is required for the specified purpose or to comply with any law in force.

  • Account identity and assessment content are retained for as long as your account is active.
  • On account deletion or consent withdrawal, we delete or irreversibly anonymise your personal data within a reasonable period, save for limited records we are legally required to keep.
  • Technical logs are retained only for as long as needed for security and operational purposes, then deleted or anonymised.

5. How we protect your data (Section 8(5))

As required by Section 8(5) of the DPDP Act and Rule 6 of the DPDP Rules, we take reasonable security safeguards to prevent a personal data breach. These include:

  • Encryption of personal data in transit and at rest;
  • Role-based access controls and the principle of least privilege;
  • Logging and monitoring of access to personal data;
  • Secure, access-controlled backups and business-continuity measures; and
  • Contractual security obligations imposed on our data processors.

No system can be guaranteed perfectly secure, but we work to maintain safeguards appropriate to the sensitivity of the data we hold.

6. Personal data breach notification (Section 8(6) and Rule 7)

If a personal data breach occurs, we will act in accordance with Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules. Specifically:

  • We will, without delay, intimate each affected Data Principal in a concise, clear and plain manner, describing the breach and the steps you can take to protect your interests;
  • We will give the Data Protection Board of India an initial intimation of the breach without delay; and
  • We will provide the Board a detailed report within 72 hours of becoming aware of the breach (or such longer period as the Board may allow), covering the circumstances and causes, the mitigation measures taken, and a summary of the notifications issued to affected Data Principals.

7. Children's data (Section 9)

DPDPA Workflow is a business-to-business tool intended for use by employees and professionals aged 18 and over. It is not directed at children, and we do not knowingly collect the personal data of a child.

Consistent with Section 9 of the DPDP Act, we do not undertake tracking, behavioural monitoring of children, or targeted advertising directed at children. If we become aware that we have collected the personal data of a child without verifiable parental or lawful-guardian consent, we will delete it promptly.

8. Cross-border transfer (Section 16)

We primarily process and store personal data on infrastructure located in India. Where any processing involves a transfer of personal data to a country or territory outside India (for example, where a sub-processor operates abroad), we do so consistent with Section 16 of the DPDP Act, and we will not transfer personal data to any country or territory that the Central Government has restricted by notification. Our data-processing arrangements require equivalent protection for your personal data wherever it is processed.

9. Your rights as a Data Principal (Sections 11–14)

The DPDP Act gives you the following rights, which you can exercise by contacting us at hello@deepdivelabs.tech. Many of these can also be exercised directly within the application.

  • Right to access information (Section 11). You may request a summary of the personal data we are processing about you and the processing activities we undertake, along with the identities of any other Data Fiduciaries or Data Processors with whom it has been shared.
  • Right to correction and erasure (Section 12). You may request that we correct, complete, update or erase your personal data. We will erase it on request unless retention is necessary for the specified purpose or required by law.
  • Right of grievance redressal (Section 13). You have the right to a readily available means of raising grievances about how we handle your personal data. See section 10 below.
  • Right to nominate (Section 14). You may nominate another individual to exercise your rights under the Act in the event of your death or incapacity. Contact us to record a nomination.

We will respond to a rights request within the period we publish for this purpose, which will not exceed ninety (90) days as contemplated by Rule 14(3) of the DPDP Rules. We may need to verify your identity before acting on a request.

10. Grievance redressal and contact

We have a readily available grievance-redressal mechanism, as required by Section 13 of the DPDP Act.

Grievance / Data Protection Contact — DPDPA Workflow · Email: hello@deepdivelabs.tech

Please include enough detail for us to identify your account and understand your concern. We will acknowledge and respond to your grievance within the period we publish for this purpose, which will not exceed ninety (90) days (consistent with Rule 14(3) of the DPDP Rules).

Escalation to the Data Protection Board of India. If you are not satisfied with our response, or if we fail to respond within the prescribed period, you have the right to make a complaint to the Data Protection Board of India (the regulator established under the DPDP Act), in the manner prescribed under the DPDP Rules. We will provide details of how to reach the Board on request.

11. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our service, the law, or regulatory guidance. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you within the application or by email. Your continued use of the service after an update constitutes acknowledgement of the revised Policy.


This Privacy Policy is provided by DPDPA Workflow for transparency about our own data practices. It is not legal advice and does not create any compliance position for your organisation under the DPDP Act.