DPDP compliance, minus the legalese.
Practical guides to the DPDP Act for Indian founders and engineers, plus teardowns of real Indian brand privacy policies against the exact sections they meet and miss.
18 articles7 teardowns11 guides
We read their privacy policies so you don't have to.
Real Indian brands, read against the exact sections of the DPDP Act they meet and miss. Brands we work with never become teardowns.
Flipkart's Privacy Policy vs the DPDP Act: 500 Million Users, Zero Mentions
- Prescription data with no health-specific safeguard (§8, Rule 6)
- KYC and financial data under blanket consent (§6)
- Retention with no schedule (Rule 8)
Zepto's Privacy Policy vs the DPDP Act: A Section-by-Section Teardown
- Retention with no number (Rule 8)
- Consent by usage (§6)
- The Act is never named
Swiggy's Privacy Policy vs the DPDP Act: One Clause That Won't Survive November
- Prescription data, general-purpose safeguards (§8, Rule 6)
- AI data sharing without separate consent (§6)
- No retention periods (Rule 8)
Zomato, Blinkit, and the DPDP Act: When a Household Profile Becomes a Liability
- Blinkit and Zomato: two datasets, one household
- Three gaps the 2021 breach made visible
CRED and the DPDP Act: What Happens When Your Business Model Is a Consent Transaction
- Itemised or bundled: the §6 question
- Withdrawal without detriment
MobiKwik's 8.2TB Breach and the DPDP Act's 72-Hour Clock
- When does the 72-hour clock start? (Rule 7)
- KYC data at the top of the harm scale (§8, Rule 6)
boAt's Privacy Policy vs the DPDP Act: The Best Policy We've Read Still Has Two Gaps
- No retention period (Rule 8)
- English only (§5(3))
Start here
New to the DPDP Act? Read these in order and you will know what applies to you, and what you have to do about it.
Templates
The documents the Act expects you to actually have.
Record of Processing Activities (RoPA) Template for the DPDP Act
The DPDP Act never uses the phrase RoPA. It just expects you to be able to answer, for any data category, every question a RoPA is designed to answer.
DPIA Under the DPDP Act: Data Protection Impact Assessment Template
DPIAs are only legally mandatory for Significant Data Fiduciaries. Here is the template anyway, and why running one voluntarily is worth doing before you are told to.
Vendor Management Under the DPDP Act: What Your Data Processing Agreements Need
Your analytics tool, your support platform, your AI vendor: under the DPDP Act, their security gap is your liability, not theirs. Here is what the contract needs to say.
Retention by sector
How long you may keep data, where the rules bite hardest.
Data Retention Periods for Fintech Companies in India Under DPDP
The DPDP Act says "as long as necessary" is not a retention policy. For fintech, "necessary" is actually defined, just by three different regulators at once.
Data Retention Periods for Healthtech Companies in India Under DPDP
The DPDP Act treats health data like any other personal data, with safeguards scaled to harm. Clinical and medical council rules are where the specific retention numbers actually come from.
Compliance Score
Reading about gaps is one thing. Knowing yours is another.
Run the same scan we use in these teardowns on your own website: privacy policy, cookie consent, and retention posture, scored against the DPDP Act in 60 seconds. No signup.
Run a free Compliance Score