DPDP Compliance Checklist for India SaaS (2026)

India's Digital Personal Data Protection Act (DPDP) is enforceable — and most Indian SaaS founders haven't read it. Here's what your app needs before you accept your first paying Indian user.

What is the DPDP Act?

The Digital Personal Data Protection Act, 2023 is India's national data protection law — comparable to GDPR for the EU. It governs how "data fiduciaries" (that's you, the SaaS founder) collect, process, and store personal data of Indian citizens.

Key facts for founders:

  • Applies to any app that processes personal data of people in India — regardless of where the company is incorporated
  • Penalties up to ₹250 crore (~$30M USD) for significant data breaches
  • Data principals (your users) have the right to correction, erasure, and grievance redressal
  • Explicit, informed consent is required before collecting personal data

DPDP compliance checklist

✅ Consent Management (Section 6 & 7)

  • Obtain explicit, informed consent before collecting any personal data — not buried in terms of service
  • Consent must be specific to each purpose — a blanket "I agree" is not valid
  • Users must be able to withdraw consent at any time, as easily as they gave it
  • Consent must be in simple language; if you serve Hindi-speaking users, provide a Hindi option
  • Do not collect data you don't need — purpose limitation is a core principle

✅ Data Principal Rights (Section 11–14)

  • Users can request a copy of their data — you must be able to export it within a reasonable timeframe
  • Users can request correction of inaccurate data — you must have a mechanism to action this
  • Users can request erasure (right to be forgotten) — implement a working "Delete my account" feature that removes all PII
  • Users can nominate a representative to exercise rights on their behalf

✅ Grievance Redressal Officer (Section 13)

  • Appoint a Data Protection Officer (DPO) or designate a grievance redressal contact
  • Publish the contact details on your privacy policy page — this is mandatory
  • Respond to grievances within a timeframe that will be specified in rules (expected: 30 days)
  • For small SaaS: your founder email is acceptable as the DPO contact initially

✅ Data Security (Section 8)

  • Implement "reasonable security safeguards" — encryption in transit (HTTPS/TLS) and at rest
  • Report data breaches to the Data Protection Board of India promptly (exact timeframe TBD in rules)
  • Delete personal data when the purpose for which it was collected is complete and consent is withdrawn
  • Ensure your data processors (Supabase, Razorpay, AWS) have their own DPDP-compatible policies

✅ Children's Data (Section 9)

  • Do not process data of children (under 18) without verifiable parental consent
  • Do not serve targeted advertising to children
  • If your app isn't for children: add an age gate or clearly state "18+ only" in your terms

✅ Privacy Policy Updates

  • Describe what personal data you collect and why — in plain language
  • Name all third parties you share data with (analytics, payments, email)
  • Specify data retention periods for each category of data
  • Include grievance redressal contact details
  • Describe how users can exercise their rights (access, correction, deletion)

DPDP vs GDPR: what's different?

If you're already GDPR-compliant, you're mostly covered for DPDP. The key differences:

  • DPDP currently has no mandatory data localisation requirement (unlike earlier drafts) — Indian user data can be stored abroad unless the government notifies specific categories
  • DPDP penalties are set by the government; current draft: ₹250 crore for breach notification failures
  • DPDP does not have the same level of "legitimate interests" basis that GDPR allows — consent is more central
  • DPDP explicitly covers "digital personal data" — physical records are out of scope

Quick wins for India-first apps

If you accept INR payments through Razorpay and serve Indian founders (which is Vezraa's exact market), these are the three things to do this week:

  1. Add a DPO/grievance email to your privacy policy — takes 5 minutes
  2. Implement a working "Delete my account" flow that removes all PII from your database
  3. Review your Supabase RLS policies — data you can't isolate by user is a DPDP liability
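The schema below is an added example, not Vezraa's code, showing how quick wins 2 and 3 and the per-purpose consent requirement can be implemented in Postgres on Supabase. It assumes Supabase's built-in auth.users table and auth.uid() helper; the table names, the consent purposes and the grievance-related columns are constructed for illustration.

```sql
-- Added example (not Vezraa's code): Postgres/Supabase schema that makes
-- per-user isolation, per-purpose consent, data export and full erasure
-- a property of the database rather than of each client code path.
-- Assumed: Supabase's auth.users table and auth.uid(); everything else is constructed.

-- 1. Every table that holds personal data keys off the auth user and cascades
--    on delete, so removing one auth.users row removes all PII in one transaction.
create table public.profiles (
  user_id    uuid primary key references auth.users (id) on delete cascade,
  full_name  text,
  phone      text,
  created_at timestamptz not null default now()
);

-- Per-purpose consent ledger: one row per purpose, never a blanket "I agree".
-- withdrawn_at stays null while consent stands; withdrawal is a single update.
create table public.consents (
  id           bigint generated always as identity primary key,
  user_id      uuid not null references auth.users (id) on delete cascade,
  purpose      text not null
               check (purpose in ('service_delivery', 'marketing_email', 'analytics')),
  granted_at   timestamptz not null default now(),
  withdrawn_at timestamptz,
  notice_lang  text not null default 'en'   -- language the notice was shown in, e.g. 'hi'
);

-- 2. Row Level Security: a user can read and change only their own rows, so a
--    leaked anon key or a client-side bug cannot reach other users' PII.
alter table public.profiles enable row level security;
alter table public.consents enable row level security;

create policy "profiles: own rows only"
  on public.profiles for all
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "consents: own rows only"
  on public.consents for all
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Withdrawal must be as easy as granting: one call, guarded by the same policy.
create or replace function public.withdraw_consent(p_purpose text)
returns void
language sql
security invoker
as $$
  update public.consents
     set withdrawn_at = now()
   where user_id = auth.uid()
     and purpose = p_purpose
     and withdrawn_at is null;
$$;

-- Right of access: export everything held about the calling user as JSON.
create or replace function public.export_my_data()
returns jsonb
language sql
security invoker
as $$
  select jsonb_build_object(
    'profile',  (select to_jsonb(p) from public.profiles p where p.user_id = auth.uid()),
    'consents', (select coalesce(jsonb_agg(to_jsonb(c)), '[]'::jsonb)
                   from public.consents c where c.user_id = auth.uid())
  );
$$;

-- Right of erasure: deleting the auth user cascades through every PII table.
-- Definer rights are needed because ordinary clients cannot write to auth.users;
-- the empty search_path forces every reference above to be schema-qualified.
create or replace function public.delete_my_account()
returns void
language sql
security definer
set search_path = ''
as $$
  delete from auth.users where id = auth.uid();
$$;
revoke execute on function public.delete_my_account() from public;
grant execute on function public.delete_my_account() to authenticated;
```

Apply this as a migration, then have the "Delete my account" button call delete_my_account() and the data-download button call export_my_data(). The cascade only covers tables that carry the foreign key to auth.users; any personal data already handed to a processor named in your privacy policy (payments, email, analytics) needs its own deletion step, which is why the checklist asks you to confirm those processors' DPDP-compatible policies.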
