Legal — Indian Data Protection
DPDP Act 2023 Compliance
LAST UPDATED: May 4, 2026
This page explains how Prospecx implements compliance with India's Digital Personal Data Protection Act 2023 (DPDP Act). The DPDP Act establishes the framework for how organisations collect, process, and protect the personal data of Indian residents. We take this obligation seriously — not as a checkbox, but as a structural commitment to the founders who trust us with their business data.
1. What Is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 is India's landmark data protection legislation, which received Presidential assent on 11 August 2023. It establishes rights for "Data Principals" (individuals whose data is processed) and obligations for "Data Fiduciaries" (organisations that determine the purpose and means of processing). Key principles include:
- Lawful processing based on consent or a legitimate use
- Collection of only the data necessary for the stated purpose
- Accuracy and completeness of data
- Storage limitation — data retained only as long as necessary
- Security safeguards to prevent breaches
- Accountability of Data Fiduciaries for third-party processors
2. How Prospecx Complies
Data residency in India. All personal data — account information, prospect contacts, usage logs — is stored exclusively on servers located in India. We do not transfer personal data to servers outside India. Our infrastructure is hosted in an Indian data centre, ensuring that your data remains subject to Indian jurisdiction at all times.
Consent-first data collection. We collect personal data only with your explicit consent at registration or at the point of each data collection event. Our consent notices are written in plain English, state the specific purpose of collection, and are presented before any data is taken. Consent is not bundled — you can consent to transactional communications without consenting to marketing.
Purpose limitation. Data collected for one purpose is not used for another purpose without fresh consent. Prospect data you enter is used solely to power your outreach workflows. It is not used for Prospecx's own marketing, not shared with other customers, and not processed by AI models trained on customer data.
Data minimisation. We collect only the fields necessary to operate the Service. We do not require government ID, Aadhaar, or PAN at any stage. Optional fields are clearly marked.
Breach notification. In the event of a personal data breach, we will notify affected users and the Data Protection Board of India within the timeframes prescribed by the DPDP Act and any rules notified thereunder. Our incident response process is documented and rehearsed quarterly.
Audit trail. We maintain logs of data access, processing activities, and consent records. These logs are immutable and retained for the period required by the Act. Our Data Protection Officer reviews access logs monthly.
3. Your Rights Under the DPDP Act
As a Data Principal, you have the following rights, all exercisable by emailing privacy@prospecx.in:
- Right to Access (Section 11). Request a summary of your personal data being processed and the purposes for which it is being processed. We will respond within 30 days.
- Right to Correction and Erasure (Section 12). Request correction of inaccurate data or erasure of data that is no longer necessary. Erasure requests are completed within 30 days (see our SLA below).
- Right to Grievance Redressal (Section 13). Lodge a complaint with our Data Protection Officer if you believe your rights have been violated. We will acknowledge within 48 hours and resolve within 30 days.
- Right to Nominate (Section 14). Nominate an individual to exercise your rights on your behalf in the event of your death or incapacity.
4. Data Protection Officer
Prospecx has appointed a Data Protection Officer (DPO) responsible for overseeing DPDP Act compliance, handling data subject requests, and liaising with the Data Protection Board of India.
- Contact: privacy@prospecx.in
- Organisation: Prospecx
- Location: Bengaluru, Karnataka, India
- Response SLA: 48-hour acknowledgement, 30-day resolution
5. Erasure SLA — 30 Days
When you request erasure of your personal data (whether through account cancellation, an explicit erasure request, or withdrawal of consent), we commit to completing permanent deletion within 30 calendar days. This applies to:
- Account profile data (name, email, phone number)
- Prospect and lead data you have entered into the Service
- Usage logs and session data linked to your identity
- Backups — we run a 30-day backup cycle; erasure from live systems is immediate, and your data will age out of backups within the 30-day window
Exceptions: we are required by law to retain billing records (including GST invoices) for 7 years under the Income Tax Act 1961 and GST Act. These financial records will be retained in a segregated, access-restricted store and will not be used for any other purpose.
On completion of erasure, we will send you a confirmation email. If we are unable to complete erasure within 30 days for any reason, we will notify you with an explanation and an updated timeline.
6. Sub-Processor Obligations
We bind all sub-processors to data processing agreements that require them to: process data only on our documented instructions; implement security measures equivalent to or exceeding our own; notify us immediately of any breach; permit audits; and delete or return data at the end of their engagement. We review sub-processor compliance annually.
7. Contact
For any questions about our DPDP Act compliance, email privacy@prospecx.in. For general support, email hello@prospecx.in.