DPDP Act 2023 Compliance

Digital Personal Data Protection Act, 2023

How Vakalat Diary complies with India's landmark data protection law — and what it means for you.

What is the DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 is India's comprehensive data protection law enacted by Parliament. It governs how organisations collect, process, store, and delete personal data of Indian citizens. It grants individuals (Data Principals) clear rights over their personal data and imposes obligations on organisations (Data Fiduciaries) that process it.

As a platform used by legal professionals who handle highly sensitive client information, full DPDP compliance is not optional for us — it is a professional and ethical obligation.

Our Compliance Commitments

Lawful Purpose

We collect and process personal data only for the explicit purpose of providing legal practice management services. No secondary use without fresh consent.

Explicit Consent

Users provide free, informed, specific consent at registration. Consent can be withdrawn at any time. Consent records are maintained.

Data Minimisation

We collect only data that is necessary. We do not collect audio recordings, biometrics, sensitive financial data, or health data.

Data Accuracy

Users can update their personal information at any time via profile settings. We do not retain outdated personal data.

Storage Limitation

Personal data is retained only for as long as necessary. Upon account deletion, all personal data is erased within 30 days.

Right to Erasure

Users may request complete deletion of their account and all associated data at any time. Requests are fulfilled within 30 days.

Right to Access

Users may request a full export of their personal data at any time. We provide this in machine-readable JSON/CSV format within 7 days.

Grievance Redressal

A designated Grievance Officer is reachable at privacy@vakalat.in. 72-hour acknowledgement, 30-day resolution.

No Cross-Border Transfer

All personal data and case data is stored exclusively on India-based servers. No transfer to foreign jurisdictions.

Security Safeguards

TLS 1.3 in transit, AES-256 at rest, bcrypt password hashing, rate limiting, session expiry, and regular security audits.

No Profiling / No Ads

We do not profile users, display advertisements, or share data with marketing platforms. No tracking pixels. No Google Analytics on authenticated pages.

Breach Notification

In the event of a data breach, affected users will be notified within 72 hours as per DPDP Act requirements. CERT-In will be notified per IT Rules.

Your Rights as a Data Principal

Right to Access — Know what data we hold about you

Right to Correction — Fix any inaccurate information

Right to Erasure — Delete your account and all data

Right to Withdraw Consent — Stop processing at any time

Right to Grievance Redressal — Raise complaints within the platform

Right to Nominate — Assign someone to exercise rights on your behalf

To exercise any right: email privacy@vakalat.in from your registered email address.