Terms of Service & Privacy Policy

Your Privacy Policy and Terms of Service are not legal formalities buried in a footer — they are the enforceable contracts that govern every user relationship, every enterprise deal, and every regulator interaction your product will ever have. The DPDP Act 2023 makes a compliant Privacy Policy a statutory requirement for every Data Fiduciary processing personal data of Indian users, with penalties reaching ₹250 crore per breach category and an independent Data Protection Board of India now fully operational to adjudicate complaints.

Most founders copy a competitor's policy or generate one with a free template tool. Neither survives a Data Protection Board inquiry, an app store compliance review, or the data governance section of a Series A due diligence. What you need is a policy set drafted to your actual product, your real data flows, the sub-processors you actually use, and the specific sector regulator — RBI, IRDAI, NHA, or SEBI — that governs your space.

At a Glance

• Who needs it: Every Indian website, app, marketplace, SaaS, fintech, healthtech, edtech, or platform collecting personal data of users in India — and any global product with Indian users, regardless of where the company is incorporated.
• Governing law: DPDP Act 2023; IT Act 2000 (Sections 43A, 72A, 79); IT (Reasonable Security Practices) Rules 2011; IT Intermediary Guidelines 2021; GDPR and UK GDPR where EU or UK users are served.
• Turnaround: 7–12 working days from completion of the data inventory call.
• Key thresholds: DPDP Act applies to any entity processing personal data in India or targeting Indian users; GDPR's extra-territorial scope under Article 3 covers any EU-facing product regardless of where the company sits.
• Grievance Officer: Mandatory under IT Intermediary Rules 2021 for all intermediaries; acknowledgment within 24 hours, resolution within 15 days; the officer's name and contact details must be published on your website and app.
• Penalty exposure: Up to ₹250 crore per breach under DPDP Act 2023; up to €20 million or 4% of annual global turnover under GDPR — whichever is higher.
• Children's data: Verifiable parental consent is now mandatory under DPDP Rules 2025 for any platform likely to be accessed by users under 18.

What's New for FY 2026-27

The DPDP Act's subordinate rules and several sector-specific developments in 2025 changed what a compliant Privacy Policy must say. These are the changes your documents need to reflect before you publish or renew.

• DPDP Rules 2025 in force: The Digital Personal Data Protection Rules 2025 prescribe the consent notice format, data retention obligations, 72-hour breach notification timelines to the Data Protection Board, and the Consent Manager framework — all must now appear explicitly in your Privacy Policy.
• Data Protection Board live: The DPB is operational and accepting electronic complaints; your Privacy Policy must publish the DPB's contact details and the procedure for filing a complaint, as required by the Rules.
• Significant Data Fiduciary designations: The first batch of SDFs was notified in 2025; if your platform handles large volumes of sensitive or children's data, you may be designated — triggering mandatory DPO appointment, Data Protection Impact Assessments (DPIAs), and annual independent audits.
• Children's data obligations active: Age verification and verifiable parental consent are now operational requirements for any platform likely to be accessed by users under 18; edtech, gaming, and social apps must update consent flows immediately.
• GDPR transfer mechanisms: No EU-India adequacy decision has been reached; Standard Contractual Clauses (SCCs) remain the primary transfer mechanism; DPDP Act Schedule III negative-list jurisdictions are confirmed and must be disclosed in cross-border transfer clauses.

Why Every Business Needs This Right Now

• Statutory obligation: DPDP Act 2023 makes a compliant Privacy Policy mandatory for every Data Fiduciary; the absence of a compliant policy is itself a violation, independent of any actual data breach having occurred.
• App store gating: Google Play and Apple App Store both require a valid, accurate Privacy Policy URL before publishing or updating an app; non-compliant or missing policies trigger app rejection or removal from the store.
• B2B deal-closer: Enterprise buyers now require a signed Data Processing Agreement (DPA) before any contract; without one, high-value deals cannot close regardless of how strong the product is.
• Investment due diligence: VCs and PE funds check data governance documents at Series A and beyond; missing or non-compliant policies are flagged in legal due diligence and routinely delay or kill term sheets.
• Consumer Protection Act 2019: Unfair and one-sided Terms of Service are actionable before Consumer Disputes Redressal Commissions; courts have treated standard-form contracts with unreasonable exclusion clauses as void.
• Cyber insurance eligibility: Most cyber liability policies require documented data governance; gaps in your Privacy Policy or Terms of Service affect both eligibility for coverage and payout in the event of a breach claim.

How It Actually Works

The drafting process follows a fixed six-step sequence to ensure your policies describe what your product actually does — not what a competitor's product does and not what you hope your product will do.

Step 1: Product & Data Mapping (1–2 Days)

Before a single clause is drafted, the team maps every data touchpoint in your product. What personal data is collected, from whom, for what purpose, and where does it go? Sub-processors, third-party SDKs, analytics tools, payment gateways, and cloud infrastructure are all catalogued. The DPDP Act 2023 requires your Privacy Policy to describe the actual data collected and its actual purpose — this step makes that description accurate rather than aspirational.

Step 2: Risk & Compliance Brief (1 Day)

The mapped data flows are checked against DPDP Act 2023 obligations, IT Act Section 43A (reasonable security practices), IT Intermediary Rules 2021, GDPR Article 6 legal basis where EU or UK users are present, and any sector regulator applicable to your product. Gaps in current operations — consent flows that do not meet DPDP consent standards, missing deletion workflows, unnamed Grievance Officers — are identified before drafting begins, not discovered after publication.

Step 3: Drafting (3–5 Days)

Terms of Service, Privacy Policy, Cookie Policy, Grievance Officer policy, breach response plan, and a Data Processing Agreement (DPA) template for B2B engagements are drafted as one internally consistent set. Each document cross-references the others so there are no contradictions — a common failure in copy-paste policies. Plain-language summaries accompany each document so your users, not just lawyers, understand what they are agreeing to.

Step 4: Engineering & UX Alignment (1–2 Days)

Policies only work when the product matches the text. This step designs the consent capture flow, cookie banner UX with granular opt-in categories, account deletion and data export workflows, and the grievance submission form — alongside your engineering team. The result is a product that behaves exactly as the policy describes, which is essential for DPDP compliance and GDPR Article 7 consent validity.

Step 5: Review & Sign-Off (1–2 Days)

The complete document set is walked through with the founder, legal counsel, and compliance team. Mark-ups are incorporated, final acceptance is recorded, and the policies are published on your website and submitted to app stores with version history. Publication date and version number are documented for future regulator reference.

Step 6: Annual Refresh & Regulator Watch

Data protection law does not stay still. An annual review checks your policies against new DPDP rules, sector regulator updates, and GDPR changes. Each refresh is published with a version date, and users are notified where the change is material — meeting both DPDP and GDPR user notification obligations before those changes take effect.

A Real Example: Lending SaaS, 80,000 Users

Consider a Bengaluru-based lending SaaS with 80,000 registered users. The product collects Aadhaar-linked KYC data via a bureau API, stores credit scores, uses three analytics SDKs, and has just signed enterprise contracts with two clients in Germany. Here is what a compliant policy set must cover — and what the company's current copy-paste policy misses entirely.

• Sensitive personal data: Aadhaar-linked data and credit information require explicit consent under DPDP Act 2023, limited strictly to the lending decision lifecycle, with a documented retention and deletion schedule.
• IT Act Section 43A: As a body corporate handling sensitive personal data, reasonable security practices — ISO 27001 or equivalent — must be implemented and disclosed in the Privacy Policy.
• GDPR for German clients: The two enterprise contracts trigger GDPR — Article 6 legal basis (contract performance), a Data Subject Rights section, and SCCs for data transferred from Germany to India must all appear in the policy.
• DPA requirement: Each German enterprise client requires a signed Data Processing Agreement under GDPR Article 28 before contract execution; without one, the contracts cannot legally proceed under EU law.
• Grievance Officer absent: The current policy lists no named Grievance Officer — a violation of IT Rules 2021 and DPDP Rules 2025 regardless of whether any complaint has yet been received.

The full policy set — Terms, Privacy Policy, Cookie Policy, DPA template, and breach response plan — resolves every one of these gaps and gives the company and its enterprise clients the documented compliance they need before a complaint arrives, not after.

What Backs Up Each Policy: Operational Compliance

Publishing a policy is step one. What keeps you compliant is the product behaviour that supports every commitment in the text. These are the operational elements your team must build and maintain to make each promise real.

• Consent logs: Every consent capture must be timestamped, versioned, and auditable; you must be able to produce a consent trail for any Data Principal within the statutory period on request from the Data Protection Board.
• Deletion workflow: Your Privacy Policy commits to erasure on request; the product must actually execute the deletion, confirm it to the user, and log the action with a timestamp for audit purposes.
• Data portability: Users must be able to download their personal data in a machine-readable format; this is a product engineering requirement, not a policy aspiration, under both DPDP Act and GDPR.
• Grievance response log: Every complaint received by the Grievance Officer must be logged with receipt timestamp, resolution action, and closure date — available for Data Protection Board inspection at any time.
• Breach response drill: The 72-hour DPB notification window is unforgiving; your team must have a tested runbook with clear ownership and escalation paths, not just a policy paragraph describing the process.
• Annual internal audit: For all Data Fiduciaries, documented internal audit findings demonstrate good-faith compliance; for Significant Data Fiduciaries, an independent audit report must be filed with the DPB annually.

A policy that describes a deletion workflow your product cannot execute is a DPDP violation waiting to happen — operational alignment between your documents and your engineering is not optional.

Where It Goes Wrong: Common Mistakes

• Copy-pasting from a competitor: Another company's policy describes their data flows and sub-processors, not yours; using it means your Privacy Policy is factually inaccurate — itself a DPDP Act violation that does not require a breach to trigger.
• Single combined document: Merging Terms of Service and Privacy Policy into one document creates ambiguity and weakens both; Indian regulators expect a standalone Privacy Policy meeting DPDP requirements specifically.
• Cookie banner without real consent: Publishing a Cookie Policy without a functioning cookie banner offering granular opt-in and easy withdrawal is non-compliant; users must actively consent, not merely be informed by a notice they cannot act on.
• Grievance Officer as a generic inbox: The officer must be a named individual with a job title and direct contact details; a shared support inbox does not meet IT Rules 2021 requirements and will fail a regulator inspection.
• Ignoring GDPR for EU users: DPDP compliance does not satisfy GDPR; the two regimes have distinct requirements including a named legal basis under Article 6, DPO appointment where thresholds are met, and supervisory authority breach notification within 72 hours.
• Policies not updated after product changes: Adding a new analytics SDK, a new sub-processor, or expanding data collection to a new purpose triggers a policy update obligation; most companies have no process for this, resulting in a policy that no longer describes the product.
• Children's data without age gating: Any platform accessible to users under 18 must implement age verification and verifiable parental consent under DPDP Rules 2025; this is an enforcement priority for the Data Protection Board in FY 2026-27.

What You Receive at the End

• Finalised Terms of Service (click-wrap ready; India governing law; dual-jurisdiction clause where needed)
• Finalised Privacy Policy (DPDP Act 2023 plus IT Act 2000; GDPR and UK GDPR layer where applicable)
• Cookie Policy with granular consent categories and easy withdrawal mechanism
• Data Processing Agreement (DPA) template for B2B and enterprise customers, GDPR Article 28 compliant
• Grievance Officer policy and appointment letter template with statutory acknowledgment and resolution timelines
• Breach response plan with 72-hour Data Protection Board notification checklist and user-facing communication templates
• Engineering implementation brief covering consent capture flow, cookie banner UX, data deletion workflow, portability endpoint, and grievance submission form
• Version history document and publication checklist for website and app stores
• Annual refresh schedule and regulatory watch list covering DPDP, GDPR, and sector-specific updates

How to Get Started

The process begins with a 60-minute product walkthrough and data inventory call. You share what personal data your product collects, from whom, where it goes, and which sub-processors handle it. You also bring your existing policies if any, your sectoral licences, and the name of the person who will serve as Grievance Officer. A data inventory template is shared beforehand so the call is focused and produces a complete picture on the day.

From that call, the compliance brief is ready within one working day and drafting begins within two. The full policy set — Terms of Service, Privacy Policy, Cookie Policy, DPA template, Grievance Officer policy, and breach response plan — is delivered within 7–12 working days, ready for publication on your website and submission to app stores. Contact Legal Suvidha with your product details and existing documents to begin.