Why Your Website or App Needs a Proper Privacy Policy
Many businesses in India still operate with a privacy policy that was either copied from a foreign website, generated by a free online tool, or last updated before India's data privacy landscape changed significantly. Here is why that is a problem:
- It may not describe what you actually do. If your policy says you collect only name and email, but you actually also track location, device information, and browsing behaviour, you are misrepresenting your practices — which is a more serious legal problem than having no policy at all.
- It may reference laws that do not apply to you (GDPR, CCPA) while ignoring Indian law (DPDP Act, IT Act) that does.
- It will not protect you in a dispute. Courts and regulators look at whether your stated policy matches your actual practices. A generic policy gives you no protection.
- App stores may reject your app. Both Google Play and Apple App Store review privacy policies for accuracy. A clearly generic policy for an app that collects location data, for example, can cause rejection or removal.
- Investors and enterprise customers check your policies. Any serious B2B contract or due diligence process will include a review of your privacy documentation.
What the DPDP Act 2023 Requires Your Privacy Policy to Say
The Digital Personal Data Protection Act 2023 requires Data Fiduciaries to provide a notice to Data Principals (the individuals whose data you collect) before or at the time of collecting their data. This notice must include:
- The categories of personal data being collected
- The purpose for which the personal data will be processed
- The manner in which the Data Principal can exercise their rights — including the right to access, correct, update, and erase their data
- The manner in which the Data Principal can withdraw consent
- The procedure to make a complaint to the Grievance Officer
- How to make a complaint to the Data Protection Board if the grievance is not resolved
This information must be provided in a clear and plain language notice. The Act also requires that the notice be made available in scheduled languages if the Data Principal requests it — a requirement that many foreign-drafted templates ignore entirely.
What We Cover in Your Custom Privacy Policy
We draft your Privacy Policy after understanding your actual business — not based on assumptions. Here is what a complete, custom privacy policy from us covers:
We list exactly what personal data you collect — from website contact forms, sign-up processes, app permissions, payment processing, customer support interactions, cookies, analytics tools, and any other source. We distinguish between data you collect directly and data collected by third-party tools you embed on your site or app.
For each category of data, we specify the precise purpose — service delivery, marketing, analytics, fraud prevention, legal compliance, customer support, etc. The DPDP Act requires that purpose be specific and documented.
We specify how long each category of data is retained and the criteria for determining retention periods. Data must be erased once the purpose is fulfilled — your policy must state this clearly.
We identify all third parties with whom data is shared — payment gateways (Razorpay, PayU, etc.), cloud hosting providers, analytics platforms (Google Analytics), marketing tools (Mailchimp, etc.), CRM systems, and delivery partners. Each is listed with the purpose of sharing.
We include a clear section on the rights of users under the DPDP Act: right to access information about their data, right to correction, right to erasure (right to be forgotten), right to withdraw consent, right to nominate, and right to grievance redressal. Each right includes a practical mechanism for exercising it.
We include the Grievance Officer's name, designation, and contact details as required under DPDP Act and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021.
If your service is used by or directed at children (under 18 under DPDP Act), we include the mandatory clauses on verifiable parental consent and the prohibition on tracking, behavioural monitoring, or targeted advertising directed at children.
We describe the technical and organisational security measures you have in place to protect personal data, as required by the Act's security safeguard obligations.
Generic Template vs. DPDP-Compliant Custom Policy
| Aspect | Generic Template | Custom Policy (Our Service) |
|---|---|---|
| Reflects your actual data practices | No | Yes |
| Covers Indian law (DPDP Act, IT Act) | Rarely | Yes |
| Names your actual third-party tools | No | Yes |
| Includes your Grievance Officer details | No | Yes |
| Specifies data retention periods | No | Yes |
| Legally defensible in Indian courts | Questionable | Yes |
Sub-Policies We Also Draft
Cookie Policy
If your website uses cookies — including Google Analytics, Facebook Pixel, Hotjar, or any third-party script — you need a Cookie Policy that discloses what cookies are set, their purpose, their duration, and how users can manage or disable them. This is required both under the IT Act framework and good data governance practice.
Terms of Use / Terms and Conditions
A Terms of Use document governs the relationship between your website or app and its users. It covers acceptable use, intellectual property rights (who owns content on your site), disclaimers, limitation of liability, dispute resolution, and governing law (which should reference Indian jurisdiction for Indian businesses). For e-commerce businesses, it also includes refund, cancellation, and delivery terms as required under the Consumer Protection (E-Commerce) Rules, 2020.
Our Privacy Policy Drafting Process
Send us your website or app URL. We will also send you a short data questionnaire asking about the data you collect, third-party tools you use, and your business processes. Alternatively, a 30-minute briefing call works equally well.
We review your site/app, understand your data flows, and draft a customised Privacy Policy (and Cookie Policy / Terms of Use if required). We ensure it is aligned with the DPDP Act 2023, IT Act, and applicable industry-specific regulations.
We share the draft with you for review. One round of revisions is included — you can request changes to wording, add new information, or ask questions about specific clauses.
We deliver the final policy in an editable format. We also advise you on where to publish it on your website (footer link is standard), how to link it from your contact forms, and how to reference it in your consent notices.
Frequently Asked Questions
Free templates are generic and written for a hypothetical business — they do not reflect your actual data collection practices, your specific third-party tools (like payment gateways, analytics, or CRM software), or your industry-specific obligations. Under the DPDP Act 2023, your privacy notice must accurately describe what data you collect and why. A mismatch between your stated policy and actual practices is itself a compliance violation. A template that describes data you do not collect, or fails to mention data you do collect, creates legal exposure rather than protection. Most free templates are also written for foreign jurisdictions (US or EU) and do not address Indian law at all.
A Privacy Policy is the comprehensive document that covers all personal data your business collects, processes, stores, and shares — whether through your website, app, in-person processes, or third parties. A Cookie Policy is a more focused document that specifically explains what cookies and tracking technologies your website uses, why, and how users can manage them. Websites using analytics tools (like Google Analytics), advertising pixels (Facebook Pixel), or session cookies should have a Cookie Policy in addition to a Privacy Policy. We draft both as part of our website compliance package.
Apps typically collect different types of data than websites — location data, device permissions (camera, microphone, contacts), push notification tokens, and in-app behaviour. Both Google Play Store and Apple App Store require that your app have a privacy policy that accurately describes what data the app collects. If your app collects materially different data from your website, you should have a separate or app-specific privacy policy. We review your app's data collection carefully before drafting, and our app privacy policy will comply with both Play Store and App Store requirements as well as the DPDP Act.
Once we receive your completed data questionnaire or hold a briefing call to understand your business, we typically deliver a first draft within 3 to 5 working days. Simple website privacy policies for small businesses can be turned around faster. The review round and final delivery usually adds another 2 to 3 days. Urgent requirements can be accommodated at a priority fee. We do not rush the process at the cost of quality — a proper policy requires understanding your actual data flows.
Yes. We routinely draft Terms of Use (Terms and Conditions), Privacy Policy, and Cookie Policy as a bundled website legal package. Terms of Use govern the relationship between your website and its users — covering intellectual property, prohibited uses, disclaimers, liability limitations, and dispute resolution. For e-commerce websites, additional clauses relating to refund and cancellation policies, delivery terms, and consumer rights under the Consumer Protection Act 2019 and the Consumer Protection (E-Commerce) Rules 2020 are included. Getting all three documents from a single lawyer ensures they are consistent with each other — which is important when disputes arise.
Get a Custom Privacy Policy That Actually Protects You
Share your website URL or app details with us. We will review, draft, and deliver a privacy policy that reflects your actual data practices and meets DPDP Act 2023 requirements.