Privacy Notice
What Saral Privacy collects, why, who we share it with, and where it is stored.
Last updated: July 2026 | Version 2.0
We practice what we preach. We sell DPDPA readiness, so this notice names every processor we use, tells you where your data physically sits, and avoids the vague “we may share with selected partners” language we tell our own customers to delete.
1. Who We Are
Saral Privacy (saralprivacy.com) is a DPDPA readiness platform for Indian businesses. We publish daily briefings, industry assessments, and practical compliance tools.
For everything described in this notice, Saral Privacy is the Data Fiduciary — we decide why and how your personal data is processed.
Data Protection Officer: Dilip Sahu
Contact: dpo@saralprivacy.com
2. What We Collect
Only what the thing you asked for actually needs:
| Data | Why | Legal basis |
|---|---|---|
| Name and email address | To send the briefings, guide, or report you asked for | Your consent |
| Mobile number (optional) | To reach you about a consultation you requested | Your consent |
| Company, industry, company size | To make the content and assessment results relevant to your business | Your consent |
| Assessment and discovery answers | To generate your readiness score and report | Contractual necessity — it is the service you asked for |
| IP address and approximate location | Recorded with your consent record, to evidence when and where consent was given | Legitimate use — Section 7 |
| Pages visited (aggregated) | Website analytics — understanding which pages are useful | Not personal data — no cookie, no cross-day identifier |
On high-impact data: our assessments ask how your business handles categories like health or financial data. Those answers describe your practices — we never ask for, and you should never send us, the underlying customer records themselves. We do not collect Aadhaar, PAN, financial account details, health records, or biometrics through this platform.
3. Why We Collect It
Briefings and guides — to deliver what you subscribed to or downloaded, and to send follow-up content where you separately consented to that.
Assessments and discovery — to score your answers, generate your report, and email it to you.
Consultations — to schedule the session you requested and follow up afterwards.
Analytics — to understand which pages are useful so we can improve them. Our analytics are cookieless and aggregated: we can see that a page was read, not who read it.
We do not:
- Sell your personal data
- Share it with third parties for their own marketing
- Send you marketing you did not consent to
- Use your assessment answers for anything except producing your report
- Use analytics cookies, or track you across sessions or other websites
4. Our Legal Basis
Under the DPDPA we rely on:
Your consent — for briefings, marketing, and optional contact permissions. You opted in, and you can opt out just as easily.
Contractual necessity — to deliver a report, guide, or consultation you specifically asked for.
Certain legitimate uses (Section 7) — narrowly, to keep the consent record that evidences your own opt-in.
We do not use "legitimate uses" as a backdoor for marketing. If you did not consent to it, we do not send it.
5. Who We Share It With
These are every third party that touches your personal data. Each acts as a Data Processor on our instructions — none may use your data for their own purposes.
Our database and file storage — where your records actually live
Receives: Name, email, phone, company, and your assessment and discovery answers
Website hosting and the serverless functions behind our tools
Receives: IP address, access logs, and form submissions in transit
Storage for generated PDFs — reports, guides, and checklists
Receives: Report files, which may contain the details you entered
Sending our briefings and transactional email
Receives: Name, email address, and delivery events (sent, opened, bounced)
Website analytics — understanding which pages are useful
Receives: Page views, aggregated. No cookies. Visitors are counted with a hash that resets every day, so you cannot be tracked between days or across sites
We do not sell your personal data, and we do not share it with anyone for their own marketing. If we add a processor, this list changes in the same release.
A note on AI: we use AI tools (Anthropic's Claude) to help write our briefings and blog posts. Only our own editorial content is sent to them — never your personal data, and never your assessment answers. That is why AI does not appear in the list above: it is not a processor of your data.
6. Where Your Data Is Stored
Your records are stored in Singapore, not the United States. The substantive personal data we hold — your contact details and your assessment answers — lives in our database's Singapore region.
Supporting services process data in the United States: our hosting, email delivery, and analytics. The exact split is in the table above.
Section 16 of the DPDPA permits transferring personal data outside India, except to countries the Central Government has specifically restricted. Neither Singapore nor the United States is restricted.
To be precise: this is lawful cross-border processing — it is not data localisation, and we do not claim it is. If your own business is subject to sectoral localisation rules (for example RBI directions on payment data), those are separate obligations that the DPDPA does not displace.
7. How Long We Keep It
| Record | Retention |
|---|---|
| Briefing subscribers | Until you unsubscribe. We then keep a minimal suppression record (your email + the date) so we never email you again — full deletion on request via Your Rights |
| Assessment and discovery reports | 24 months from completion |
| Guide and template downloads | 24 months from download |
| Consultation records | 12 months from the consultation |
| Analytics | Aggregated only; the daily visitor hash is discarded after 24 hours |
You can ask us to delete your data sooner — see your right to erasure. We review these periods annually.
8. How We Protect It
Your data is encrypted in transit (HTTPS everywhere) and at rest by our storage providers. Access to production data is limited to those who need it and protected by authentication.
No system is perfectly secure, and we will not pretend otherwise. If a breach affects your personal data, we will notify you and the Data Protection Board of India as the DPDPA requires.
9. Your Rights
Under the DPDPA you can ask us to show you your data, correct it, delete it, nominate someone to act for you, or hear your complaint. You can withdraw consent at any time. All of it is free, and we respond within 30 days.
- Access — a summary of what we hold (Section 11)
- Correction and erasure — fix it or delete it (Section 12)
- Withdraw consent — as easily as you gave it (Section 6)
- Nomination — appoint someone to act for you (Section 14)
- Grievance redressal — complain to us first (Section 13)
10. Children's Data
Our platform is built for businesses and is not directed at children. We do not knowingly collect personal data from anyone under 18.
Under Section 9 of the DPDPA, processing a child's data requires verifiable parental consent, and behavioural advertising to children is prohibited. We do not do either.
If you believe a child has given us personal data, email dpo@saralprivacy.com and we will delete it.
11. Changes to This Notice
We may update this notice as our platform changes. The version and date are shown at the top of this page and in our footer.
If a change is material — a new processor, a new purpose, a new category of data — we will email subscribed users rather than quietly editing the page.
12. Contact and Grievances
For any privacy question, request, or complaint, our Data Protection Officer is Dilip Sahu.
Email: dpo@saralprivacy.com
We respond within: 30 days
If you are not satisfied with our response, you may escalate to the Data Protection Board of India.
Data Protection Officer — Dilip Sahu
For access, correction, erasure, or any privacy question: dpo@saralprivacy.com