Comply DP

Privacy Notice (DPDP Act 2023)

Last updated: January 20, 2026
Applies to: https://www.complydp.com and all related services

This Privacy Notice explains how NIHONIUM LABS PRIVATE LIMITED ("ComplyDP", "we", "us") processes your personal data. Under the Digital Personal Data Protection Act, 2023, we are the Data Fiduciary and you are the Data Principal.

This notice is written in clear, plain language as required by DPDP Act to enable informed consent.

Notice Before Consent (Section 5, DPDP Act)

This notice must be provided to you before or at the time of requesting your consent for processing personal data. You will see this notice (or a summary linking to it) on:

  • Sign-up and registration forms
  • Contact and enquiry forms
  • Cookie consent banner (see Cookie Policy)
  • Account dashboard settings
  • Service request pages

By proceeding after viewing this notice, you provide free, specific, informed, unconditional, and unambiguous consent via clear affirmative action (e.g., checking boxes, clicking "I Agree").


1 Who We Are (Data Fiduciary)

Legal Entity: NIHONIUM LABS PRIVATE LIMITED

CIN: U62013KA2025PTC198022

Registered Address:
No 235, 13th Cross, Indiranagar
Bangalore North, Bangalore - 560038
Karnataka, India

2 Personal Data We Collect (Itemised)

A) Data You Provide to Us

  • Contact Information

    Full name, email address, phone number, company name, job title/role

  • Account Data

    Login credentials (email/phone), password (hashed and salted), profile settings, preferences

  • Communication Content

    Messages, enquiry text, support tickets, attachments you upload

  • Business Information

    Organization details, website URLs, industry sector, compliance requirements

  • Payment Information

    Billing address, payment method details (processed via secure payment processors)

B) Data Collected Automatically

  • Technical Data

    IP address, browser type and version, device type, operating system, screen resolution

  • Usage Data

    Pages visited, time spent, clickstream data, referrer URL, UTM parameters, session duration

  • Cookie & Identifier Data

    Cookie IDs, local storage data, consent preferences (see Cookie Policy)

  • Security & Log Data

    Access logs, error logs, security event logs, authentication attempts

Data Minimization: We limit collection to only what is necessary for the specified purposes below.

3 Why We Process Your Data (Specific Purposes)

1. Service Delivery

To provide DPDP compliance audits, readiness scans, gap analysis, and other requested services

Data used: Contact info, account data, business info

2. Communication & Support

To respond to enquiries, provide customer support, schedule demos, send transactional notifications

Data used: Contact info, communication content

3. Account Management

To create, maintain, and secure your account; manage authentication and preferences

Data used: Account data, login credentials, preferences

4. Payment Processing

To process payments, manage subscriptions, issue invoices, and handle refunds

Data used: Payment info, billing address, transaction history

5. Website Improvement

To analyze usage patterns, improve user experience, and optimize website performance (only with consent)

Data used: Usage data, technical data (anonymized where possible)

6. Security & Fraud Prevention

To detect and prevent unauthorized access, security incidents, fraudulent activities, and maintain audit logs

Data used: Security logs, IP addresses, access patterns

7. Legal Compliance

To comply with legal obligations, enforce our terms, respond to legal requests, and maintain records

Data used: All categories as needed for legal compliance

8. Marketing Communications

To send promotional content, product updates, newsletters (only with explicit consent, easy to withdraw)

Data used: Contact info, communication preferences

4 Data Retention Periods

| Data Category | Retention Period | Reason |
| --- | --- | --- |
| Account data (active users) | Duration of account + 90 days | Service provision, reactivation grace period |
| Communication records | 3 years from last interaction | Support history, legal compliance |
| Transaction/payment records | 7 years | Tax and accounting requirements |
| Marketing consent data | Until consent withdrawn + 30 days | Compliance with consent preferences |
| Security & access logs | 1 year | Security monitoring, incident response |
| Analytics data (anonymized) | 2 years | Trend analysis, service improvement |

Automatic Erasure: Upon withdrawal of consent or when the purpose is no longer served, we erase your data (and instruct processors to do the same) unless retention is required by law.

5 Your Rights as Data Principal

1. Right to Access

Request a summary of personal data we process about you, including:

  • What data we hold
  • Processing activities
  • Third parties we shared with
  • Description of shared data

2. Right to Correction

Request correction, updating, or completion of inaccurate or incomplete personal data

3. Right to Erasure

Request deletion of your personal data (unless retention is necessary for legal compliance or ongoing service)

4. Right to Nominate

Nominate another individual to exercise your rights in case of death or incapacity

5. Right to Grievance Redressal

File a complaint or grievance through readily available means (see Grievance Officer details below). We will respond within 90 days as per DPDP Act requirements.

6 How to Exercise Your Rights

Submit Your Request

What to Include in Your Request:

  • Your full name and contact information
  • Specific right you wish to exercise (access, correction, erasure, etc.)
  • Details to help us locate your data (account email, phone, approximate dates)
  • Identity verification may be required for security

Response Time: We will acknowledge your request within 72 hours and provide a complete response within 90 days (as mandated by DPDP Act).

Consent Withdrawal: You can withdraw consent at any time. Withdrawal is as easy as giving consent - just use any of the methods above or click "Manage Preferences" in our Cookie Banner.

7 Grievance Officer / Data Protection Contact

Grievance Officer

DPDP Act 2023 Designated Contact

Name: Data Protection Officer, ComplyDP

Designation: Chief Privacy Officer

Email: sanket@complydp.com (Monitored 24/7, response within 72 hours)

Phone: +91 9958445845 (Mon-Fri, 9 AM - 6 PM IST)

Address for Grievances

Grievance Officer
NIHONIUM LABS PRIVATE LIMITED
No 235, 13th Cross, Indiranagar
Bangalore North, Bangalore - 560038
Karnataka, India

Online Grievance Form

Submit a detailed grievance or complaint through our secure online portal:

File a Grievance

8 Personal Data Breach Notification

Our Commitment to Security

We implement reasonable security safeguards to prevent personal data breaches, including encryption, access controls, security monitoring, and regular audits.

If a Breach Occurs:

1. Immediate Notification to You

We will notify affected individuals without undue delay, ideally within 72 hours of becoming aware via email, in-app notification, or other appropriate means. The notification will include:

  • Description of the breach: Nature of data affected, when it occurred
  • Potential consequences: Risks to your rights and freedoms
  • Mitigation measures taken: Our immediate response actions
  • Safety steps you should take: Recommended actions (e.g., password change, monitor accounts)
  • Contact information for queries: Dedicated breach hotline and email

Example Notification: "On [date], we detected unauthorized access to [data category]. Affected: [X] users. Immediate actions: [measures]. Your steps: [recommendations]. Questions: breach-response@complydp.com"

2. Notification to Data Protection Board

We will also notify the Data Protection Board of India as required, with detailed updates within 72 hours (or as permitted by the Board).

3. Remediation & Follow-up

We will take immediate steps to contain the breach, investigate root causes, strengthen security measures, and provide ongoing updates to affected individuals.

Your Action: If you suspect unauthorized access to your account, immediately change your password and contact us at privacy@complydp.com.

9 Cross-Border Data Transfers

International Data Processing

We primarily store and process personal data within India. However, some data processors we use may process data outside India.

When Cross-Border Transfers Occur:

  • Cloud hosting services with data centers in multiple regions (e.g., AWS, GCP with India region preference)
  • Customer support platforms with global infrastructure
  • Email and communication services (e.g., transactional email providers)
  • Analytics and monitoring tools (only with your consent)

Safeguards We Implement:

  • Only use processors with strong data protection commitments and certifications (ISO 27001, SOC 2, etc.)
  • Require contractual commitments to DPDP-equivalent standards
  • Encrypt data in transit and at rest
  • Comply with any restrictions notified by the Government of India under Section 16 of DPDP Act
  • Maintain data processing agreements with all processors

Restricted Countries (Section 16)

Current Status (as of January 2026): No countries or territories have been notified as "restricted" by the Government of India for cross-border data transfers under Section 16 of DPDP Act.

We continuously monitor official notifications from the Ministry of Electronics & Information Technology (MeitY) and the Data Protection Board. Should restrictions be notified, we will immediately cease transfers to such countries and notify affected users within 48 hours.

Your Control: If you prefer your data to remain only in India, please contact us at privacy@complydp.com to discuss options and potential limitations.

10 Data Sharing & Processors

We may share your personal data with Data Processors (third-party service providers) only as necessary to provide our services. We remain responsible for their processing activities.

Categories of Processors:

Infrastructure

Cloud hosting, CDN, database services

Communication

Email, SMS, WhatsApp delivery providers

Payment

Payment gateways, billing processors

Analytics

Website analytics, usage monitoring (with consent)

Customer Support

Help desk, ticketing systems

Security

Bot protection, DDoS mitigation, security monitoring

Processor Obligations: All processors are bound by valid contracts requiring DPDP-compliant processing, security safeguards, confidentiality, and data deletion upon request.

12 Children's Data (Section 9, DPDP Act)

Age Restrictions & Parental Consent

Our services are designed for business users aged 18 years or older. We do not knowingly collect personal data from children under 18 without verifiable parental or legal guardian consent.

If You Are Under 18:

Please do not use our services or provide personal data without consent from your parent or legal guardian. If we discover that we have collected data from a child under 18 without proper consent, we will delete it promptly.

For Parents/Guardians:

If you believe your child has provided personal data to us without your consent:

  • Contact us immediately at privacy@complydp.com
  • We will verify your identity and relationship to the child
  • We will delete the child's data within 72 hours of verification
  • You can exercise all Data Principal rights on behalf of your child

Verifiable Parental Consent: If children's data processing becomes necessary for future services, we will implement verifiable parental consent mechanisms as required by Section 9 and Rule 7 of DPDP Act.

13 Data Minimization & Accuracy

Data Minimization (Section 8(3))

We collect only the minimum personal data necessary for the specified purposes. We regularly review data collection practices to ensure compliance.

How We Minimize:

  • Optional vs. required fields clearly marked
  • Purpose-limited collection
  • Regular data audits and deletion
  • No excessive profiling

Data Accuracy (Rule 3)

We ensure personal data is accurate, complete, and up-to-date. You can request corrections at any time.

Your Control:

  • Update profile data in dashboard
  • Request corrections via rights exercise
  • We verify and update within 30 days
  • Automated validation where possible

14 Automated Decision-Making & AI

No Solely Automated Decisions with Legal Effects

We do not make decisions that have legal or similarly significant effects on you based solely on automated processing (including AI/ML) without human involvement.

Examples of decisions NOT made solely by automation:

  • Denying service access
  • Contract termination
  • Price discrimination
  • Credit/financial decisions

How We Use AI/ML

We may use automated tools (including AI/machine learning) for:

✓ Compliance Audits

Analyzing website content for DPDP compliance (with human review)

✓ Risk Detection

Identifying potential security threats (monitored by humans)

✓ Recommendation

Suggesting compliance improvements (advisory only)

✓ Analytics

Aggregated insights (anonymized data)

Human Oversight: All automated outputs are reviewed by qualified professionals before any action affecting your rights or services is taken.

15 Significant Data Fiduciary (SDF) Status

SDF Classification (Section 10, Rule 10)

Under DPDP Act, certain data fiduciaries processing large volumes of personal data or posing significant risk are classified as "Significant Data Fiduciaries" with additional obligations.

Current Status: We are not currently classified as a Significant Data Fiduciary (SDF) based on the criteria notified by the Data Protection Board of India.

Classification criteria include processing volume thresholds, risk assessment, and other factors as determined by the Board. We continuously monitor our data processing activities to ensure compliance.

If We Become an SDF:

Should we meet SDF criteria in the future, we will implement additional safeguards:

Appoint Data Protection Officer (DPO)

Based in India, publicly listed

Independent Data Audits

Annual audits by certified auditors

Data Protection Impact Assessments

For high-risk processing activities

Periodic Policy Reviews

Mandatory review cycles

Note: Even without SDF classification, we voluntarily adopt many SDF-level practices (Data Protection Officer, security audits, impact assessments) to demonstrate our commitment to data protection excellence.

16 Language Options

As required by DPDP Act, this Privacy Notice is available in English and all languages specified in the Eighth Schedule to the Constitution of India (22 scheduled languages).

Available Languages:

Assamese
Bengali
Gujarati
Hindi
Kannada
Kashmiri
Konkani
Malayalam
Manipuri
Marathi
Nepali
Odia
Punjabi
Sanskrit
Santali
Sindhi
Tamil
Telugu
Urdu
Bodo
Dogri
Maithili

To view this notice in your preferred language, please use the language selector at the top of the page or contact us at privacy@complydp.com.

Translation Note: Machine translations may be used for initial accessibility. For official legal versions in any language, please contact us.

17 Policy Updates & Version History

How We Update This Policy

We may update this Privacy Notice from time to time to reflect changes in:

  • Our data practices or services
  • Legal or regulatory requirements
  • Security or technology improvements
  • User feedback or best practices

Notice of Material Changes

For significant changes that affect your rights or how we process your data, we will:

📧 Email Notification

Sent to registered users 30 days before changes take effect

🔔 Dashboard Alert

Prominent banner requiring acknowledgment

📄 Website Notice

Homepage banner for 30 days

📜 Version Archive

Previous versions available on request

Current Version Information

Version: v2.0.0

Last Updated: January 20, 2026

Effective Date: January 21, 2026

Continued Use: Your continued use of our services after policy updates constitutes acceptance of the revised notice. If you do not agree with changes, you may withdraw consent and discontinue use.

18 Contact Us for Privacy Queries

If you have any questions about this Privacy Notice, our data practices, or your rights, please reach out to us:

Email: privacy@complydp.com

Phone: +91 9958445845

Address:
No 235, 13th Cross
Indiranagar, Bangalore
Karnataka - 560038

This Privacy Notice complies with the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025.

We may update this notice from time to time. Significant changes will be communicated via email or prominent website notice. Continued use of our services after updates constitutes acceptance of the revised notice.