See exactly where your business stands on DPDPA
Pick your business type for an instant read on what applies, where you're exposed, and what to do next — in plain English, no legal degree required.
Significant gaps — start a focused fix plan now.
Top gap: reports shared over WhatsApp with no consent or retention limit.
First fix: add a consent line and a 6-month retention rule.
Pick your business on the left to see your own read.
Educational, not alarmist
We explain what DPDPA actually requires in language that founders and operations teams can act on, not fear-mongering.
Practical and actionable
Every briefing ends with a checklist. Every assessment ends with a roadmap. We focus on what to do, not just what the law says.
Built for Indian businesses
Not a GDPR guide repurposed for India. Every piece of content is written specifically for Indian business contexts and data practices.
Not legal advice
We are an intelligence and education platform. For formal legal opinions, engage a qualified data protection lawyer. We tell you what to prepare.
As seen in
SaralPrivacy's DPDPA readiness assessment has been featured in ANI, Business Standard, The Tribune, Lokmat Times, and Latestly.
What is DPDPA?
DPDPA is India's framework for handling digital personal data, and the DPDP Rules, 2025 have now been notified. For Indian businesses, the real work is operational: fix your notices, consent flows, rights handling, retention logic, and vendor controls. SaralPrivacy helps you understand what matters, assess your risk, and prioritise the next 30 to 90 days.
Follow the data. The risk becomes visible.
Most Indian businesses don't lack a privacy policy. They lack visibility into where personal data actually lives.
- WhatsAppConsent gap
- Google DriveAccess gap
- Excel / SheetsRetention gap
- CRM / softwareVendor gap
- Email inboxesAccess gap
- CCTV / footageEvidence gap
- Old archivesRetention gap
- Third-party vendorsVendor gap
DPDPA risk usually hides in ordinary workflows — not in legal documents.
See what your verdict looks like
Every assessment ends in a scored, sector-specific report. Here is a live preview — pick a sector to see its shape.
Top gap: Reports shared over WhatsApp with no consent line or retention limit.
Start anywhere. It's all free to try.
Four steps to DPDPA-ready — follow them in order, or jump straight to what you need.
Same law. Different data. Different fixes.
A clinic, a CA firm and a D2C brand all hold personal data — but the risks, obligations and fixes are completely different. Pick yours.
Recruitment Agencies
Candidate ID & CV risk- CV databases & candidate data
- Client profile sharing
- Background check documents
- Cross-border data flows
Find out whether your recruitment workflows create DPDPA exposure in 3–5 minutes.
CA Firms
PAN / Aadhaar / ITR risk- PAN / Aadhaar / bank data
- Client payroll records
- Cloud drives & shared folders
- Sensitive financial documents
Understand your DPDPA obligations for client records, payroll data, and firm operations.
Training Institutes
Student & parent data risk- Student & parent data
- Admissions & lead forms
- Digital marketing consent
- Placement data retention
Check whether your admissions, marketing, and student data workflows are DPDPA-ready.
D2C Brands
Marketing & pixel-data risk- Email / SMS / WhatsApp marketing
- Third-party analytics & pixels
- Customer loyalty data
- Retention of inactive customers
See whether your customer acquisition and retention stack creates DPDPA risk.
Clinics & Diagnostic Labs
Health-data risk- Prescriptions & lab reports
- WhatsApp report sharing
- Reception & lab staff access
- Old patient-record retention
Check whether your patient-data and report-sharing workflows are DPDPA-ready.
Schools & Colleges
Children's-data risk- Children's data & parent consent
- School apps, ERP & LMS
- CCTV, biometric & transport GPS
- Student photos & old records
Check whether your student-data, parent-consent and monitoring workflows are DPDPA-ready.
Law Firms & Legal Consultants
Sensitive case-file risk- Client KYC & evidence files
- Junior / intern / ex-staff access
- WhatsApp & email document sharing
- Closed matter-file retention
Check whether your matter intake, sensitive-file access and sharing workflows are DPDPA-ready.
Real Estate & Property Firms
KYC & broker-sharing risk- Buyer/tenant KYC & PAN/Aadhaar
- WhatsApp lead & document sharing
- Broker networks & loan partners
- Old lead-database retention
Check whether your KYC handling, broker sharing and lead retention workflows are DPDPA-ready.
Hotels, Hospitality & Travel
Guest-ID retention risk- Guest IDs & passport copies
- OTA & travel-vendor sharing
- WhatsApp confirmations & CCTV
- Old guest-record retention
See whether your guest IDs, OTA sharing, travel documents and record retention are DPDPA-ready.
Pharmacies & Online Pharmacies
Prescription-data risk- Prescriptions & medicine history
- WhatsApp orders & health indicators
- Delivery-partner data sharing
- Old prescription retention
Check whether your prescriptions, medicine-history handling and vendor sharing are DPDPA-ready.
Fintech, NBFC & Digital Payments
KYC & profiling risk- KYC, PAN/Aadhaar & bank data
- Bureau checks & credit profiling
- DSAs & collection-agent access
- Old application & KYC retention
See whether your KYC, profiling, partner sharing and agent access are DPDPA-ready.
Gyms, Salons & Spas
Photo & health-data risk- Health & body measurements
- Customer & before-after photos
- WhatsApp campaigns & staff phones
- Old member-record retention
Check whether your photo consent, health-data handling and staff access are DPDPA-ready.
Stay ahead of DPDPA developments
Clear, actionable briefings on DPDPA updates, enforcement signals, and compliance guidance, written for business owners, not lawyers.
Latest Updates
assessIs your clinic sharing reports the wrong way?
Your clinic's WhatsApp could break privacy law
Who else is reading your patient's report?
Your clinic collects data all day. Are you ready?
The complete DPDPA guidefor Indian businesses
A practitioner-grade guide, now in 7 Indian languages, that covers everything your business needs to know about DPDPA, from applicability to enforcement, without the legalese.
- What DPDPA is and who it applies to, in plain English
- Obligations for Data Fiduciaries: consent, notice, security, breach
- Risk snapshots for all 12 sectors, plus the OPERATE framework
- Rights of individuals and how businesses must respond
- Enforcement timeline and penalty structure
- Your 90-day privacy readiness action plan
Requires name, work email, and industry. Separate consent options for follow-up.
Download all 7 languages · Free · with consent
Frequently asked questions
Quick answers to the questions Indian business owners ask most about DPDPA.
The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection legislation. It governs how personal data of Indian citizens can be collected, stored, processed, and used by businesses and organisations. The Act was passed by Parliament in August 2023. The DPDP Rules, 2025 have been notified, with phased commencement, making this implementation time for businesses. It establishes rights for individuals over their personal data and obligations for businesses that process that data.
DPDPA briefings, delivered to your inbox
Get practical DPDPA updates, compliance tips, and regulatory developments: a short daily briefing, written for business owners, not lawyers.