Privacy Notice (English - source of truth)(हिन्दी)

Effective 2026-05-08. Bilingual notice published under DPDP Act 2023 Section 5(3) and Rule 3(2). The English version is the source of truth; the Hindi summary is provided for the convenience of Data Principals as one of the Eighth-Schedule languages.प्रभावी 2026-05-08। डीपीडीपी अधिनियम 2023 की धारा 5(3) और नियम 3(2) के तहत द्विभाषी सूचना। अंग्रेजी संस्करण ही आधिकारिक है; हिन्दी सारांश आठवीं अनुसूची की भाषाओं में से एक के रूप में डेटा प्रिंसिपल की सुविधा हेतु प्रकाशित।

Plain summary. DPDP Bridge processes (a) tenant account data — we are the Data Fiduciary, and (b) Data Principal personal data routed through customer integrations — we are the Data Processor on documented instructions of the customer Data Fiduciary. We do not sell personal data, do not train AI models on tenant or Data Principal data, and do not transfer data to a country notified as restricted under Section 16 of the Act.
संक्षेप में। डीपीडीपी ब्रिज (क) टेनेंट खाता डेटा को संसाधित करता है — हम डेटा फिड्यूशियरी हैं, और (ख) ग्राहक एकीकरण के माध्यम से रूट किए गए डेटा प्रिंसिपल डेटा को — हम ग्राहक डेटा फिड्यूशियरी के लिखित निर्देश पर डेटा प्रोसेसर हैं। हम व्यक्तिगत डेटा न बेचते हैं, न उस पर AI मॉडल प्रशिक्षित करते हैं, न ही धारा 16 के तहत प्रतिबंधित अधिसूचित देशों को डेटा भेजते हैं।

Contents

विषय-सूची

  1. Who we are / हम कौन हैं
  2. Roles under DPDP / डीपीडीपी भूमिकाएँ
  3. Section 5 itemised notice / धारा 5 सूचना
  4. Section 6 consent / धारा 6 सहमति
  5. Section 8 obligations / धारा 8 दायित्व
  6. Section 9 children / धारा 9 बच्चे
  7. Sections 11–14 rights / धारा 11–14 अधिकार
  8. Section 16 cross-border / धारा 16 सीमा-पार
  9. Retention & ledger / प्रतिधारण
  10. Sub-processors / उप-प्रोसेसर
  11. DPB complaint / डीपीबी शिकायत
  12. Grievance officer / शिकायत अधिकारी

1. Who we are

DPDP Bridge ("we", "us", "the Company") operates the dpdp-bridge.com website and the DPDP Bridge SaaS product, an India-DPDP-Act-2023 self-serve compliance middleware for global SaaS. Registered support email: hi@dpdp-bridge.com. Postal correspondence: c/o the Indian grievance officer at the address printed on every individual notice (see §12).

2. Roles under the DPDP Act 2023

The DPDP Act recognises three roles. We hold two of them simultaneously, and the boundary is non-trivial:

Where this notice describes our processing of tenant data we act as Data Fiduciary. Where it describes processing of Data Principal data routed by a customer we act as Data Processor — the Data Principal must direct rights requests to that customer, who is the Data Fiduciary for that data.

3. Itemised notice (Section 5 + Rule 3)

Section 5(1) requires that, before or at the time of consent collection, the Data Principal receives an itemised notice describing the personal data, the purpose, and the means of exercising rights. Rule 3 further specifies that the notice be in the English language or one of the languages set out in the Eighth Schedule to the Constitution of India, presented separately from any other information, and clear, plain and understandable.

For tenant account data the items collected, the purposes, and the consequences of refusal are:

Personal dataPurposeLawful basisConsequence of refusal
Email, hashed password, organisation nameAccount creation, authentication, billingSection 4 — consent & contract performanceCannot create or maintain a tenant
Stripe customer ID, subscription metadataSubscription billing, invoices, tax complianceContract performance, statutory record keepingCannot complete payment
API keys, JWTs (hashed)Authenticating SDK and admin requestsContract performanceCannot use the API
Server logs (IP, user agent, request path) retained 30 daysSecurity, abuse prevention, debuggingSection 7 legitimate uses (lit. (a) self-serve; lit. (b) employment necessity for our staff)Service unavailable

For Data Principal data routed by a customer the customer Data Fiduciary issues its own Section 5 notice via the DPDP Bridge consent SDK; we are the Data Processor for that data and do not issue an independent notice.

4. Consent (Section 6) and grant via dpToken

Section 6(1) defines consent as free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action. Section 6(4)–(5) requires that withdrawal be as easy as the granting was. We collect consent for tenant account data through the standard sign-up flow with explicit per-purpose checkboxes (no pre-ticked options, no bundled consent). For analytics or non-essential cookies, see the cookie banner described in §9.

Data Principals exercise rights against the Data Fiduciary (the customer) via the customer's user interface; that interface mints a short-lived dpToken on the Data Principal's behalf and submits the request to DPDP Bridge with a server-to-server API key plus the dpToken. The dpToken binds the request to the currently logged-in Data Principal so a stolen API key alone cannot forge a request.

5. Data Fiduciary obligations (Section 8)

For tenant account data we comply with the obligations of Section 8:

6. Children (Section 9 + Rule 10)

Section 9(1) requires verifiable parental consent before processing the personal data of children (under 18). Section 9(3) prohibits behavioural tracking and targeted advertising directed at children. Rule 10 details the methods for verifying parental consent (government ID, virtual ID via DigiLocker, or an alternative published by the Board).

DPDP Bridge is a B2B SaaS not intended for use by children. We do not knowingly collect personal data of children. If a tenant administrator confirms they are under 18, we will refuse the registration and erase any data already submitted. Customer Data Fiduciaries that process children's data must use the children-specific configuration of the consent SDK, which enforces a parental-consent gate and disables targeted advertising purposes.

7. Data Principal rights (Sections 11 to 14)

We facilitate the following rights for tenants (Data Fiduciary mode) and provide processor-side tooling for our customers to honour the same rights for their Data Principals:

8. Cross-border transfer (Section 16)

Section 16 permits cross-border transfer of personal data outside India unless the Central Government, by notification, restricts transfer to a particular country or territory. As of the effective date of this notice, no country has been restricted; we will update this section within 5 business days of any restriction notification.

Storage region: cloud customers' data is stored in our default cloud region (currently AWS Mumbai — ap-south-1). Self-hosted customers control their own region entirely. We will give 30 days' notice of any material change in storage region.

9. Retention & compliance ledger (Rule 13)

Rule 13 ties retention to defined retention periods, and the Third Schedule of the Rules sets specific retention rules for e-commerce, social-media intermediary and online-gaming Data Fiduciaries with more than 2 crore users. Our retention is:

The audit ledger is append-only, signed at row level, and surfaces in /tenant/audit-log. Cookie banner consent tokens are written to the audit ledger on grant and on withdrawal so an investigation can reconstruct user choice without leaving the platform.

10. Sub-processors and breach notification

The current list of sub-processors is published in our DPA (/dpa.html) and reproduced here for convenience: AWS Mumbai (compute and storage, ap-south-1), Stripe (billing), Resend (email delivery), Sentry (error monitoring). We notify customers of any new sub-processor at least 30 days before engagement, with a right to terminate in lieu of consent.

If a personal data breach occurs we notify affected customer Data Fiduciaries without undue delay so they can satisfy Section 8(6) and Rule 7 within the 72-hour window. Where DPDP Bridge itself is the breached Data Fiduciary (tenant account data) we notify the Data Protection Board within 72 hours and the affected Data Principals as soon as is practicable.

11. Right to complain to the Data Protection Board

Section 27 establishes the Data Protection Board of India ("DPB") as the adjudicatory body. After exhausting our grievance mechanism (§12) you may file a complaint with the Board at dpb.gov.in. The DPB acknowledges receipt and is required to resolve the matter within the timelines set by Rule 15.

12. Grievance officer (Section 8(9))

Email hi@dpdp-bridge.com with the subject line "Grievance". Response within 30 days as required by Rule 14. If you do not receive a satisfactory response you may escalate to the Data Protection Board (§11).

13. Changes

We post material changes at this URL with a revised effective date and email tenant administrators 30 days before the new version takes effect.

1. हम कौन हैं

डीपीडीपी ब्रिज ("हम", "कंपनी") dpdp-bridge.com वेबसाइट और डीपीडीपी ब्रिज SaaS उत्पाद का संचालन करता है — वैश्विक SaaS के लिए भारतीय डीपीडीपी अधिनियम 2023 अनुपालन मिडलवेयर। संपर्क: hi@dpdp-bridge.com

2. डीपीडीपी अधिनियम 2023 के अंतर्गत भूमिकाएँ

3. धारा 5 सूचना

धारा 5(1) के तहत सहमति लेने से पूर्व या उसी समय डेटा प्रिंसिपल को व्यक्तिगत डेटा, उद्देश्य और अधिकारों के प्रयोग की प्रक्रिया का विस्तृत विवरण देना आवश्यक है। नियम 3 के अनुसार सूचना अंग्रेजी या आठवीं अनुसूची की किसी भाषा में अलग, सरल और स्पष्ट होगी।

4. सहमति (धारा 6) और dpToken

धारा 6(1) सहमति को स्वतंत्र, विशिष्ट, सूचित, बिना शर्त और स्पष्ट सकारात्मक कार्रवाई द्वारा दी गई बताती है। धारा 6(4)–(5) के अनुसार सहमति वापस लेना देने जितना ही आसान होगा। डेटा प्रिंसिपल अधिकार ग्राहक के UI से प्रयोग करते हैं; वह UI एक अल्पकालीन dpToken जारी कर अनुरोध को प्रमाणित करता है।

5. धारा 8 दायित्व

6. बच्चे (धारा 9 + नियम 10)

धारा 9(1) बच्चों के डेटा प्रसंस्करण से पहले सत्यापन योग्य माता-पिता की सहमति अनिवार्य करती है। धारा 9(3) बच्चों पर लक्षित विज्ञापन और व्यवहार ट्रैकिंग पर रोक लगाती है। नियम 10 सरकारी ID, DigiLocker के माध्यम से वर्चुअल ID, या बोर्ड द्वारा प्रकाशित अन्य विधियाँ निर्धारित करता है। डीपीडीपी ब्रिज B2B SaaS है — बच्चों के उपयोग हेतु अभिप्रेत नहीं।

7. डेटा प्रिंसिपल अधिकार (धारा 11–14)

8. धारा 16 सीमा-पार स्थानांतरण

धारा 16 तब तक भारत के बाहर डेटा स्थानांतरण की अनुमति देती है जब तक केंद्र सरकार किसी देश को प्रतिबंधित अधिसूचित न करे। प्रभावी तिथि तक कोई देश प्रतिबंधित नहीं है।

9. प्रतिधारण (नियम 13)

11. डेटा संरक्षण बोर्ड में शिकायत

धारा 27 के अंतर्गत डेटा संरक्षण बोर्ड (DPB) में शिकायत: dpb.gov.in

12. शिकायत अधिकारी

ईमेल hi@dpdp-bridge.com, विषय "Grievance"। नियम 14 के तहत 30 दिन में उत्तर।