Legal · Effective 13 June 2026

Privacy Policy

This Privacy Policy explains how Memorylane Digital LLP ("DPDPAReady", "we", "us") collects, uses, shares and protects personal data of visitors to dpdparready.in. We act as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDPA) and treat this notice as our own Section 5 disclosure. Reading this tells you exactly what data leaves your browser, why we process it, which processors touch it, how long we keep it, and how to exercise your rights as a Data Principal.

Who we are

This website, dpdparready.in, is owned and operated by Memorylane Digital LLP, a limited liability partnership registered in India with its registered office in New Delhi. Memorylane Digital LLP is the Data Fiduciary for personal data processed through this website within the meaning of Section 2(i) of the Digital Personal Data Protection Act, 2023 (DPDPA).

DPDPAReady is our product offering — a compliance platform that helps Indian organisations operationalise DPDPA obligations. This Privacy Policy covers only the personal data we collect from visitors to this website and prospective customers. When we process personal data on behalf of our enterprise customers under a service contract, we act as a Data Processor under Section 8(3), and the customer's own privacy notice governs that processing.

You can reach us at contact@dpdpaforschools.in for any question about this notice.

What personal data we collect

We aim to collect the minimum personal data needed for each purpose, in line with Section 4 and Section 8(3) of the DPDPA. The categories we collect are:

  • Information you submit through forms — name, work email address, phone number, organisation name, role, country, and any free-text message you send via our contact, demo-request, newsletter or download forms.
  • Account data — if you create an account on our platform: login email, hashed password, organisation identifiers, and audit logs of actions you take.
  • Technical and device data — IP address, browser type and version, operating system, device type, referring URL, pages visited, time on page, and approximate location derived from IP.
  • Cookie and analytics data — first-party cookies for session continuity and consent state, and analytics identifiers (see Cookies section below).
  • Communication records — emails, support tickets, and call notes when you contact us.

We do not intentionally collect any special categories of data through this website, and we do not knowingly collect data from children (see Children section).

Why and how we process your data

We process the personal data described above only for the specific, lawful purposes listed below. Where consent is the basis, we rely on your free, specific, informed, unconditional and unambiguous consent under Section 6 of the DPDPA, given by a clear affirmative action (such as ticking a consent box or submitting a form after reading this notice).

  • Respond to enquiries and demo requests — to contact you about the product, schedule demos, and answer questions.
  • Provide and secure the platform — authenticate users, prevent abuse, detect fraud, and maintain audit logs.
  • Send service communications — transactional emails about your account, security alerts, and policy updates.
  • Send marketing communications — newsletters and product updates, only where you have opted in, with a one-click unsubscribe in every message.
  • Improve the website — aggregate analytics on which pages are useful, with consent for non-essential analytics.
  • Comply with law — respond to lawful requests from courts, regulators or the Data Protection Board of India.

You can withdraw consent at any time under Section 6(4) by writing to our Data Protection Officer at the address below. Withdrawal does not affect processing already carried out.

Legitimate uses under Section 7

For a narrow set of processing activities we rely on the "certain legitimate uses" grounds in Section 7 of the DPDPA instead of consent:

  • Section 7(a) — voluntarily provided data: where you have voluntarily given us personal data for a specified purpose (for example, submitting a contact form to request information) and have not indicated that you do not consent to that use.
  • Section 7(i) — compliance with law: to comply with any judgment, decree or order issued under any law in India, including responding to lawful demands by regulators.
  • Section 7(j) — security and prevention: to prevent, detect, investigate or address fraud, security breaches, or unauthorised access to our systems.

We do not use Section 7 grounds to send marketing communications — those always require opt-in consent.

Data we receive from third parties

Some personal data reaches us indirectly:

  • Hosting and edge infrastructure (Netlify) — our hosting provider automatically captures your IP address and request metadata to deliver pages, block attacks, and produce server logs.
  • Analytics providers — when you consent to analytics, our analytics provider sets identifiers and reports aggregate usage to us.
  • Form and email tooling — if you reach us via a partner integration (for example a calendar booking tool), that tool shares the booking details with us.
  • Public business sources — for B2B prospects who have submitted enquiries, we may verify role and organisation against publicly available business sources before responding.

We do not buy contact lists or scrape personal data from social networks.

Sharing with Data Processors

We share personal data with carefully selected Data Processors who process it only on our documented instructions under a valid contract, as required by Section 8(2) of the DPDPA. Current categories of processors are:

  • Netlify, Inc. — website hosting, edge delivery, form submission storage.
  • Email service provider — transactional and marketing email delivery, bounce handling.
  • Analytics provider — first-party website analytics, only when you have consented.
  • Anthropic, PBC — large-language-model inference for AI-assisted content generation features inside the product. Inputs are not used to train Anthropic's models under our enterprise terms.
  • Customer support and CRM tooling — to manage your enquiry and account history.
  • Payment processor — for paid subscriptions, the payment processor handles card data directly; we receive only a tokenised reference.

We remain accountable as the Data Fiduciary for any breach by these processors and conduct due diligence before onboarding any new processor.

International transfers

Some of our processors are located outside India. The DPDPA, under Section 16, permits cross-border transfer to any country except those specifically notified by the Central Government on a negative list. We monitor that notified list and will stop transfers to any country added to it.

Where personal data is transferred outside India, we put in place additional safeguards:

  • Contractual commitments requiring the processor to meet DPDPA-equivalent standards of confidentiality, security, and breach notification.
  • Data minimisation — we send only the personal data strictly required for the service.
  • Encryption in transit (TLS 1.2+) and at rest where supported by the processor.

If you would like a list of countries to which your data may be transferred, write to our Data Protection Officer.

How long we keep your data

In line with Section 8(7) of the DPDPA, we keep personal data only as long as necessary for the purpose for which it was collected, or for as long as the law requires. After that, we erase it or irreversibly anonymise it.

  • Contact and demo enquiries — 24 months from your last interaction, then erased.
  • Newsletter subscribers — until you unsubscribe, then erased within 30 days.
  • Customer account data — for the life of the account plus 3 years after termination, to handle disputes and meet tax/contract record-keeping obligations.
  • Server and security logs — 12 months, then erased or anonymised.
  • Analytics data — 14 months in identifiable form, aggregated thereafter.
  • Support tickets and email correspondence — 3 years from closure.
  • Statutory tax and accounting records — 8 years, as required by Indian tax law.

We will also erase your personal data sooner if you withdraw consent and we have no other lawful basis to retain it.

Your rights as a Data Principal

Under Sections 11 to 14 of the DPDPA, you have the following rights in respect of the personal data we hold about you:

  • Right to access (Section 11) — a summary of your personal data, the processing activities, and the identities of Data Fiduciaries and processors with whom it has been shared.
  • Right to correction and erasure (Section 12) — to correct inaccurate or misleading data, complete incomplete data, update outdated data, and erase data no longer needed for the purpose for which it was collected.
  • Right to grievance redressal (Section 13) — to a readily available means of grievance redressal from us before approaching the Data Protection Board.
  • Right to nominate (Section 14) — to nominate any other individual to exercise these rights in the event of your death or incapacity.
  • Right to withdraw consent (Section 6(4)) — at any time, as easily as you gave it.

You also have duties as a Data Principal under Section 15, including not impersonating another person and not filing false or frivolous grievances.

How to exercise your rights and grievance officer

To exercise any right above, or to raise a grievance about how we handle your personal data, contact our designated Grievance Officer / Data Protection Officer:

  • Name of office: Grievance Officer, Memorylane Digital LLP
  • Email: contact@dpdpaforschools.in
  • Postal address: Memorylane Digital LLP, New Delhi, India (full address provided on request)

We will acknowledge your request within 3 working days and resolve it within 30 days, in line with the timelines expected under the DPDPA Rules. We may need to verify your identity before acting on a request. If you are not satisfied with our response, you may escalate the matter to the Data Protection Board of India established under Section 18 of the DPDPA.

Children's data (Section 9)

This website and the DPDPAReady platform are intended for use by adult professionals representing organisations. We do not knowingly collect personal data of individuals under the age of 18, and we do not undertake behavioural monitoring or targeted advertising directed at children, as required by Section 9 of the DPDPA.

If we learn that we have inadvertently collected personal data of a child without verifiable consent of the parent or lawful guardian, we will erase it without undue delay. If you believe a child has provided us personal data, please contact our Grievance Officer immediately.

Note: when DPDPAReady is deployed by a school customer to manage student data, the school is the Data Fiduciary for that student data and is responsible for obtaining parental consent. We act only as a Data Processor in that context.

Cookies and tracking

We use a small number of cookies and similar technologies on this website:

  • Strictly necessary cookies — required to load the site, remember your consent choices and protect against fraud. These are set without consent because the site cannot function without them.
  • Analytics cookies — first-party analytics to measure aggregate usage. Loaded only after you accept via the consent banner.
  • Preference cookies — to remember language or theme choices.

We do not use third-party advertising cookies, cross-site tracking pixels, or social media tracking on this website. You can withdraw cookie consent at any time using the "Cookie settings" link in the site footer, and you can also block cookies in your browser settings.

Updates to this policy

We may update this Privacy Policy from time to time to reflect changes in our processing, in the DPDPA, or in guidance from the Data Protection Board of India. The "Effective" date at the top of this page shows when it was last updated.

When we make material changes — for example, adding a new category of processor, a new purpose, or a new category of personal data — we will notify registered users by email and display a prominent notice on the website for at least 30 days before the change takes effect. We encourage you to review this page periodically.

Earlier versions of this policy are available on request from our Grievance Officer.

Contact for privacy questions

For any question about this Privacy Policy, our DPDPA compliance, or how we handle your personal data, contact:

If you believe we have not addressed your concern satisfactorily, you have the right to lodge a complaint with the Data Protection Board of India. Details of the Board's complaints process will be published by the Central Government under Section 27 of the DPDPA.

Questions about this page?

Write to contact@dpdpaforschools.in — every email is read.

Verified · DPDPAReady Editorial Desk · 20 June 2026

Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.