Advanced enterprise-grade compliance workflow platform for Digital Personal Data Protection Act (DPDPA) implementation across multiple industries. Check off tasks to track your compliance in real time.
Core compliance controls mandatory for every organisation that collects, processes, or stores personal data of Indian citizens — the baseline before any sector-specific layer applies.
Enterprise-wide data classification and inventory.
Granular, purpose-specific and revocable consent framework.
Rights handling, DPO and grievance workflows.
Advanced security architecture and breach management.
DPIA, audit framework and board-level oversight.
Enhanced duties for entities designated SDF by the Central Government.
Absolute obligations applicable to every sector before any industry-specific layer.
Section 11 & 12 — portable format delivery and posthumous rights.
72-hour DPBI pipeline — detection, classification, notification and post-incident report.
Document and review legal basis for every processing activity in the DPR.
Collect only what is necessary; process only for stated purpose.
SCCs, whitelist countries and transfer impact assessments.
DPA execution, sub-processor oversight and vendor audits.
Embed privacy into product architecture and engineering.
High-risk financial data governance aligned with RBI, SEBI, PCI-DSS, UIDAI, and DPDPA. Entities with large user bases are likely Significant Data Fiduciaries with enhanced obligations including a mandatory DPO.
Critical financial and transaction data governance.
Profiling, cross-sell, and Account Aggregator alignment.
SWIFT, card networks, and offshore processor governance.
Algorithmic fairness, explainability and audit controls.
PMLA obligations and DPDPA dual-compliance for financial crime data.
RBI Digital Lending Guidelines 2022 + DPDPA compliance for credit apps.
Policyholder and claims data aligned with IRDAI guidelines and DPDPA.
VDA tax, DeFi and co-branded fintech product data controls.
Dual reporting to DPBI + RBI/SEBI/IRDAI within mandated timelines.
API gateway controls for fintech partner data flows.
Health data is sensitive personal data under DPDPA. Hospitals, diagnostic labs, telemedicine platforms, and health-tech apps face the strictest obligations, overlapping with DISHA (pending) and NHA/ABDM guidelines.
EHR, ABHA, diagnostics and wearable data protection.
Condition-specific and purpose-limited consent design.
Statutory medical obligations vs DPDPA rights.
Pharma, CRO and international health data flows.
Lab reports, radiology images and reference lab data governance.
Prescription data, e-pharmacy and pharmacovigilance controls.
Third-party administrator data flows and underwriting controls.
AYUSH records, wellness apps and MoAYUSH portal data compliance.
Deceased patient data governance and nominee disclosure controls.
Video consultations, AI diagnostics and remote monitoring data.
Highest-sensitivity data categories requiring maximum protection.
Large platforms are likely Significant Data Fiduciaries. Dual compliance required with Consumer Protection (E-Commerce) Rules 2020. Personalisation dark patterns and children's data are under active regulatory scrutiny.
Browsing, purchase and recommendation engine tracking.
Tokenisation, PCI-DSS and UPI data controls.
No profiling or targeting of users under 18.
Logistics, affiliate and seller data governance.
Content creator data, UGC in live commerce and ONDC network flows.
Foreign platform obligations and international buyer/seller data controls.
Recurring billing consent, cancellation ease and payment-on-file controls.
Consumer Protection Rules + DPDPA anti-manipulation controls.
Reward points, refund history and user-generated content governance.
EdTech platforms with student users under 18 face the most stringent children's data obligations. No profiling or behavioural targeting of students is permitted — even with parental consent. Overlaps with NEP 2020 data governance norms.
Mandatory before onboarding any minor user.
No AI targeting or behavioural profiling of students.
Purpose-limited use of academic and performance data.
Exam recording consent, AI behaviour analysis and biometric verification.
JEE, NEET, UPSC and state PSC data — critical national data governance.
Education finance data, NSP and family income data governance.
Passport, visa, foreign partner data and study-abroad controls.
Staff data governance and school partnership controls.
TSPs and ISPs will almost certainly be designated Significant Data Fiduciaries. Overlaps with TRAI Customer Data Regulations and the Telecom Act 2023. CDR and real-time location data carry the highest processing risk in this sector.
CDR, location intelligence and IPDR governance.
DoT and UIDAI dual-compliance framework.
OTT, analytics and third-party API controls.
Network slicing, edge node data and subscriber analytics controls.
DPDPA-mandated portal for CDR access, consent management and grievances.
Three-regulator breach matrix — reconciled playbook for telecom incidents.
LI data separation, surveillance governance and security log controls.
Cross-border subscriber data and mobile financial flows.
Government entities processing for sovereign functions are largely exempt. However, PSEs, digitalisation projects (DigiLocker, e-RUPI) and outsourced e-gov vendors are fully subject to DPDPA. Scoping the exemption boundary is the first critical step.
Exempt sovereign functions vs commercial operations.
Purpose limitation and inter-departmental sharing controls.
Critical data storage and MeitY cybersecurity alignment.
Law enforcement disclosures, research exemptions and exemption register.
Formal designation of security exemptions and boundary documentation.
IT vendor due diligence, DPAs and MeitY-empanelled cloud selection.
DBT, welfare scheme data controls and statistical publication standards.
UIDAI compliance in government digital service delivery.
Cloud-native SaaS companies act as Data Processors for client fiduciaries. Indian customer data triggers DPDPA even if the platform is hosted abroad. Strong sub-processor agreements, tenant isolation and cross-border governance are non-negotiable.
Multi-tenant isolation and API gateway monitoring.
Sub-processor chain and SCC governance.
72-hour DPBI reporting and customer alert pipeline.
Verifiable data destruction across all environments and sub-processors.
Customer data use in AI training, inference logging and automated decisions.
PETs, synthetic data, differential privacy and re-identification risk.
P1/P2/P3 severity tiers, customer notification SLAs and breach drills.
Privacy engineering gates and secure development lifecycle.
Industrial organisations handle workforce biometrics, IoT telemetry and plant data. OT/SCADA security intersects directly with employee personal data. Biometric attendance systems require careful consent governance under DPDPA.
Fingerprint, face recognition and access control data.
SCADA, machine telemetry and sensor data controls.
GPS tracking and shop-floor worker monitoring.
Consumer IoT, connected product telemetry and firmware update controls.
Service records, authorised service centres and customer survey governance.
Industrial accident records, safety monitoring and near-miss anonymisation.
Joint controller obligations and agency staff biometric consent.
Supplier, distributor and channel partner data governance.
HR platforms process payroll, interview recordings, PAN, bank details and biometrics — among the most sensitive personal data categories. Lifecycle governance from hire to secure offboarding deletion is mandatory under DPDPA.
Hire-to-retire governance and secure deletion.
Resume, video interview and candidate assessment governance.
Payroll outsourcing, ESOP and benefits platform governance.
Wellness programme, mental health and occupational health data controls.
Itinerary, expense claims and international travel personal data controls.
Platform workers, gig economy data and freelancer tax record governance.
Sensitive union membership, grievance records and whistleblower protection.
Post-separation retention, reference requests and alumni programme controls.
Sensitive HR categories requiring enhanced governance.
188 mandatory DPDPA policies across 10 sectors. Each entry shows purpose, scope, key requirements and a sample clause. Click any row to expand. Check the box to mark as Approved.
"We collect your name, email and transaction history solely to provide and improve our services. We do not sell your personal data. You may withdraw consent, request access or deletion at any time by writing to dpo@company.com. This Notice is effective from [DATE] and supersedes all prior versions."
"The DPR shall be maintained by the DPO and updated within 14 days of any new or changed processing activity. Each record shall include: (a) data category; (b) legal basis; (c) processor and sub-processor details; (d) retention schedule; (e) cross-border transfer safeguards."
"Consent shall be obtained for each distinct processing purpose separately. A data principal may withdraw consent at any time through the privacy dashboard or by writing to the DPO. Withdrawal shall take effect within 24 hours and shall not affect the lawfulness of processing carried out before withdrawal."
"Personal data shall be retained only as long as necessary for the stated purpose. Upon expiry of the retention period, data shall be securely deleted or irreversibly anonymised within 30 days. Where a data principal requests erasure and no legal hold applies, deletion shall be completed within 30 days and confirmed in writing."
"Upon confirmation of a P1 breach, the DPO shall notify the Data Protection Board of India within 72 hours. The notification shall state: (i) nature of the breach; (ii) categories and approximate number of data principals affected; (iii) likely consequences; (iv) measures taken. Affected data principals shall be notified without undue delay."
"Any data principal may submit rights requests through the privacy portal or by writing to the DPO. The organisation shall respond to access requests within 72 hours, correction requests within 7 working days and erasure requests within 30 days of verified identity. Unresolved grievances may be escalated to the Data Protection Board of India."
"As an SDF designated under Section 10 of DPDPA 2023, the organisation shall appoint a qualified Data Protection Officer reporting directly to the Board. The DPO shall conduct DPIAs for all high-risk processing and submit an annual compliance report to the DPBI. The DPO's contact details shall be published on the organisation's website."
"No personal data of any person below 18 shall be processed without verifiable parental consent. Irrespective of consent, the organisation shall not engage in behavioural profiling, targeted advertising or monitoring of any user who is, or is reasonably believed to be, below 18 years of age."
"The organisation shall not process any personal data without identifying and documenting the applicable legal basis. Where processing relies on a legal obligation, the specific provision of law shall be cited in the DPR. Processing activities without a documented basis shall be suspended immediately pending DPO review."
"On confirmation of a P1 breach: (1) CISO notifies DPO within 2 hours; (2) DPO and Legal prepare DPBI notification within 48 hours; (3) DPO submits notification within 72 hours; (4) Affected data principals notified without undue delay; (5) Post-incident report submitted to DPBI within 30 days."
"Before commencing any high-risk processing, the business unit shall complete a DPIA using the approved template and submit it to the DPO. The DPO shall provide written opinion within 15 working days. Processing shall not commence until the DPO confirms residual risks are acceptable."
"No personal data shall be shared with any third-party processor without a signed Data Processing Agreement. Processors shall notify the organisation of any personal data breach within 6 hours of discovery. The processor register shall be updated within 7 days of any change."
"Personal data shall be transferred outside India only to countries on the MeitY-approved whitelist or under Standard Contractual Clauses approved by the DPO and Legal. A Transfer Impact Assessment shall be completed for every country where data is processed by a sub-processor."
"All new products processing personal data shall undergo a Privacy Impact Assessment before development commences. Default settings shall collect and process the minimum personal data necessary. No personal data from production shall be used in development or testing without prior DPO approval and mandatory anonymisation."
"All employees with access to personal data shall complete mandatory DPDPA awareness training within 30 days of joining and annually thereafter. Completion shall be recorded in the Learning Management System. Non-completion within the stipulated period shall be escalated to the relevant department head."
"The organisation shall collect only such personal data as is strictly necessary for the stated purpose. No personal data shall be used for any purpose other than the purpose for which it was collected without obtaining fresh consent. Processing exceeding its stated purpose shall be immediately suspended pending DPO review."
"Any data principal may request a portable copy of their personal data through the privacy portal. The organisation shall provide a machine-readable copy within 72 hours of the verified request. Data principals may register a nominee who may exercise all data protection rights on their behalf upon verified proof of death or incapacity."
"Prior to granting access to personal data, the Information Security team shall conduct a security assessment proportionate to the vendor's risk level. Vendors accessing sensitive personal data of more than 10,000 principals shall provide SOC 2 Type II or ISO 27001 evidence. Assessments shall be repeated annually."
"The organisation shall conduct a comprehensive DPDPA compliance audit at least once every calendar year. The audit report shall be presented to the Board within 30 days of conclusion. All critical findings shall be remediated within 30 days. Audit records shall be maintained for a minimum of 5 years."
"All privacy notices shall be written in clear, plain language comprehensible by the average user without legal expertise. Privacy communications shall avoid technical legal terminology and passive voice constructions. All notices shall be reviewed jointly by Legal and the Data Protection team before publication."
"KYC data including PAN number, Aadhaar Virtual ID and bank account details shall be classified as sensitive personal data and shall be processed only for the purposes of identity verification and statutory regulatory compliance. No KYC data shall be used for marketing, profiling or cross-sell purposes without fresh explicit consent."
"AML/CFT data processed for compliance with the Prevention of Money Laundering Act 2002 shall be retained for the period mandated by PMLA, notwithstanding any erasure request under DPDPA. Where a data principal requests erasure, the organisation shall communicate in writing the statutory basis for retaining the data and the expected retention end date."
"The organisation's digital lending application shall not request access to the borrower's device contacts, photographs, call logs, location data or any other device data not strictly necessary for the credit assessment process. Loan data shall not be used for any commercial purpose other than loan processing and recovery."
"The organisation shall not store, process or transmit full payment card numbers in unencrypted form. All card data shall be tokenised in accordance with the RBI Tokenisation Guidelines and PCI-DSS requirements. The CVV shall not be stored after completion of the authorisation transaction under any circumstance."
"Data received through the Account Aggregator framework shall be used solely for the specific financial product purpose for which consent was granted. Consent for different financial products (lending, insurance, investment) shall be obtained separately. Consent revocation shall be implemented within 2 hours of the data principal's request."
"Where a credit or lending decision is made wholly or partially through automated means, the data principal shall be informed of this and shall have the right to request a review by a human officer. The organisation shall maintain documentation explaining the key factors that influenced any automated credit decision."
"Health data shall be classified into three tiers based on sensitivity. Tier 1 data including genetic information, biometric identifiers, mental health records, HIV status and addiction treatment records shall be processed only with explicit consent and shall be stored with the highest available encryption standard. Every access to Tier 1 data shall be logged and reported to the Data Protection Officer."
"Consent for the use of patient health data for research purposes shall be obtained separately from consent for clinical treatment. A patient's refusal to consent to research data use shall not affect the quality of clinical care provided. Insurance data sharing shall require a separately signed consent form distinct from the treatment consent."
"Where a patient requests erasure of their health records and such records are subject to a statutory retention obligation under NMC or NABH guidelines, the organisation shall communicate in writing the specific legal basis for retaining the data, the expected retention end date, and confirm that all non-statutory data has been deleted immediately."
"Mental health records, genetic data, HIV status, addiction treatment records and reproductive health data shall be stored in a segregated environment with access restricted to the treating clinical team. These records shall not be disclosed to any insurer, employer or third party without the patient's explicit, written and separately obtained consent."
"Data shared with Third-Party Administrators for claims processing shall be limited to the minimum necessary for claim settlement: the patient's name, policy number, diagnosis code (ICD-10), treatment code and billed amount. Full clinical notes, investigation reports and detailed medical history shall not be shared with TPAs without specific patient consent."
"Access to a patient's health records through the ABHA system shall require the patient's consent through the ABDM-certified consent manager for each health record accessed. The organisation shall not access, aggregate or store ABHA-linked records beyond the scope authorised by the patient's consent artefact."
"The organisation shall obtain separate, explicit consent before using a customer's browsing history, purchase data or wishlist information for the purpose of personalising product recommendations or targeted advertising. A customer who withdraws consent for personalisation shall continue to receive full access to the platform's core services."
"No account shall be created for a user below 18 years without verifiable consent from a parent or guardian. The organisation shall not display personalised advertisements to users identified or reasonably believed to be below 18 years of age, irrespective of parental consent."
"The organisation's user interfaces shall not employ any dark patterns, deceptive designs or interface elements that manipulate users into consenting to data collection beyond what they would freely choose. Account deletion and subscription cancellation shall be accessible through a clearly labelled path requiring no more than three steps from the user's account settings page."
"The organisation shall deploy tracking cookies, web beacons, pixels or similar technologies for analytics, marketing or personalisation purposes only after obtaining the user's explicit consent. The consent interface shall not pre-select any non-essential cookies and shall provide a 'Reject All' option as prominent as the 'Accept All' option."
"Student personal data including learning progress, assessment scores, attendance records and class interactions shall be used solely for the purpose of delivering educational services and improving learning outcomes. Student data shall not be sold, licensed or transferred to any third party for marketing, advertising, profiling or any commercial purpose."
"Before a student installs proctoring software, the organisation shall obtain explicit, informed consent that details every category of data collected, how it is analysed and the retention period. Where AI behaviour analysis flags potential malpractice, the student shall have the right to request review by a human invigilator before any formal action is taken."
"The organisation shall not engage in behavioural profiling, monitoring, targeting or personalised advertising directed at any student below 18 years of age. This prohibition applies irrespective of parental consent. AI-driven personalisation systems shall be disabled for all accounts identified as belonging to users below 18."
"Call Detail Records shall be used solely for network management, billing and statutory compliance purposes. CDR data shall not be shared with any third party for analytics, marketing or commercial purposes without the subscriber's explicit consent. All CDR access by internal teams shall be logged and reviewed monthly by the DPO."
"On confirmation of a breach affecting subscriber personal data, the organisation shall simultaneously initiate: (1) CERT-In notification within 6 hours in the prescribed format; (2) DPBI notification within 72 hours per DPDPA; (3) DoT notification per the Telecom Act 2023 timeline. The DPO shall co-ordinate all three notifications and maintain a unified breach log."
"The organisation shall operate a self-service privacy portal accessible to all subscribers through the mobile app and website. Through this portal, subscribers shall be able to: (a) request a copy of their CDR; (b) view and manage all active service consents; (c) file and track privacy grievances; and (d) exercise their right to access, correction or erasure without requiring a call centre interaction."
"The organisation shall obtain and maintain a legal opinion identifying each processing activity as either (a) sovereign function exempt from DPDPA under Section 17, or (b) fully subject to the DPDPA. Commercial activities and citizen services conducted by PSEs and autonomous bodies shall be treated as DPDPA-applicable irrespective of government ownership."
"Data disclosed to law enforcement or intelligence agencies shall be logged in the Exemption Register with the specific statutory authority, date, case reference and category of data disclosed. This log shall be reviewed by the DPO monthly. No data disclosed under a Section 17 exemption shall be repurposed for any commercial, marketing or non-exempt activity."
"Personal data collected from citizens in the course of delivering government services and welfare schemes shall be used solely for the purpose of delivering those specific services. Citizens may exercise their rights of access, correction and grievance through the designated citizen rights portal. Inter-departmental sharing of citizen data shall require documented authorisation citing the specific legal basis."
"The organisation shall maintain strict logical and cryptographic separation between the data of each customer tenant. Tenant identifiers shall be enforced at the application, database and API layers. Any cross-tenant data access detected by the security monitoring system shall trigger an immediate alert and be treated as a P1 security incident."
"The organisation as Data Processor shall process personal data only on the documented instructions of the customer as Data Fiduciary. The organisation shall notify the customer of any personal data breach within 24 hours (Enterprise tier) or 48 hours (SMB tier) of discovery. The organisation shall not engage any new sub-processor without providing 30 days' advance notice to the customer."
"Upon termination or expiry of the customer contract, the organisation shall securely delete all customer personal data from all systems and environments within 30 days. The organisation shall issue a signed deletion certificate to the customer confirming the scope and completion of deletion. Sub-processor deletion confirmations shall be obtained and provided to the customer on request."
"Employee biometric data shall be collected only with the employee's informed written consent and shall be used solely for the purposes of attendance recording and physical access control. Employees who do not consent to biometric enrolment shall be provided with an alternative attendance mechanism. Biometric templates shall be permanently deleted within 30 days of the employee's last working day."
"The organisation shall maintain strict network segmentation between operational technology (OT/SCADA) systems and information technology (IT) systems. Personal data processed in IT systems shall not flow into OT environments. Machine telemetry data that can identify individual worker behaviour or performance shall be anonymised before use in plant-level analytics."
"Employee personal data shall be collected only for the purposes of employment management and statutory compliance. Access to payroll data, PAN numbers, Aadhaar details and health insurance records shall be restricted to authorised HR and Finance personnel. Upon an employee's separation, all non-statutory personal data shall be automatically deleted within the applicable retention window."
"Union membership data shall be classified as sensitive personal data and stored in a segregated, access-controlled environment. Management personnel shall not have access to union membership records unless specifically authorised by court order. Whistleblower reports shall be accessible only to the members of the designated investigation committee and the identity of the whistleblower shall not be disclosed without their express written consent."
"Candidates who are not offered employment shall have their interview recordings, psychometric assessment results and AI-generated evaluation reports deleted within 90 days of the final recruitment decision. Where an AI tool is used to evaluate a candidate, the candidate shall be informed and shall have the right to request review of the automated assessment by a human recruiter."
"Data from employee wellness programmes, Employee Assistance Programmes and mental health support services shall be collected with separate explicit consent and shall be held in a confidential record entirely distinct from the employee's general HR file. This data shall not be accessible to the employee's manager, used in performance evaluations or considered in any employment decision."
Comprehensive tracking of all consent design requirements, notice obligations, withdrawal mechanisms, children's consent, and audit trail controls mandated by Section 5–7 of DPDPA 2023.
Six-phase DPDPA implementation roadmap with universal and industry-specific milestones. Click any phase to expand milestones. Check off each milestone as it is completed.
Month 1–2 | Foundation for all compliance activities
Month 2–4 | CMP, notices and consent workflows
Month 4–5 | Self-service rights portal and DPO office
Month 5–7 | Encryption, SIEM, DLP and breach pipeline
Month 7–9 | Sector regulatory overlays and SDF obligations
Month 9–12 | Annual audit, training and board reporting
Complete enterprise-wide data inventory, DPR creation and third-party processor mapping across all business units.
Deploy enterprise consent management platform — granular, purpose-specific, revocable consent with immutable audit logs.
Build self-service rights portal — access, correction, erasure and DPO-led grievance escalation workflows.
SIEM, DLP, MFA rollout, encryption enforcement and 72-hour breach detection pipeline commissioning.
Sector-specific overlays — RBI/TRAI/NMC compliance alignment, children's data controls, cross-border transfer SCCs.
Annual DPDPA audit, DPIA for high-risk processing, DPO appointment, employee training and board reporting.
AI-powered DPDPA compliance recommendations, risk prioritisation, DPIA generation, audit preparation and automated governance insights — tailored to your industry and real-time task completion status.
Complete lifecycle-mapped compliance controls for 10 sectors. Every control — from data discovery through governance — organised by DPDPA implementation stage. Includes consent & notice controls and required policy tracker per industry.
These controls are mandatory for every organisation that collects, processes or stores personal data of Indian citizens — regardless of sector. Complete all stages before applying any industry-specific layer.
Enterprise-wide personal data identification and classification.
End-to-end mapping of all processors, sub-processors and cross-border flows.
Plain-language, accessible notice before or at the point of consent.
Multi-channel notice delivery — web, app, offline, IVR, physical.
Free, specific, informed and unambiguous consent architecture.
Withdrawal as easy as consent; 24-hour SLA; downstream propagation.
Verifiable parental consent and absolute profiling prohibition.
Document deemed-consent grounds; no undocumented processing.
Collect only what is necessary; process only for stated purpose.
Encryption, access control, SIEM, DLP and penetration testing.
DPAs, sub-processor oversight and vendor security assessments.
SCCs, whitelist monitoring and Transfer Impact Assessments.
Access, correction, erasure, portability, nomination and grievance SLAs.
72-hour DPBI notification; P1/P2/P3 severity matrix; post-incident report.
Scheduled deletion, statutory holds and deletion certificates.
DPIA, annual audit, training and board-level oversight.
DPDPA compliance mapped to RBI, SEBI, IRDAI, and PCI-DSS requirements. Covers KYC data, credit decisioning, payment tokenisation, and cross-border SWIFT flows.
Map all personal & sensitive financial data collected for KYC, credit and transactions.
Map personal data used for anti-money laundering and transaction monitoring.
Clear, layered privacy notice at account opening covering all KYC purposes.
AA framework (NBFC-AA) consent artefact standards for financial data sharing.
Separate consent for payment processing vs. cross-sell/upsell marketing.
Govern personal data use in automated credit scoring and loan underwriting.
Card data security, tokenisation, and network-level encryption controls.
Ensure payment system data is stored only in India as per RBI circular.
Govern personal data in cross-border wire transfers under DPDPA and FEMA.
Statutory rights fulfilment within DPDPA timelines for banking customers.
Coordinate breach notification to DPB and RBI CIRT within parallel timelines.
Balance PMLA 5-yr, IT Act 7-yr, RBI 10-yr mandates against DPDPA deletion rights.
Structured compliance reporting to RBI, SEBI, IRDAI and DPB accountability.
DPDPA compliance for hospitals, clinics, telemedicine, diagnostics, and pharma. Sensitive personal data obligations for health records, genetic data, and mental health information under Section 2(t).
Catalogue all sensitive personal data in EMR/EHR systems and lab integrations.
Plain-language health data notice at point of care registration.
Explicit consent for health SPD before collection, processing, and sharing.
Heightened purpose restriction for highest-sensitivity health data categories.
Technical safeguards for electronic health records and clinical network.
Govern health data shared with third-party administrators and insurance companies.
Patient rights to access, correct, and port health records under DPDPA + DISHA.
Rapid response for health SPD breaches with clinical and regulatory notifications.
Balance NMC/MCI mandates with DPDPA necessity and deletion obligations.
Governance structure for health data fiduciary obligations and DPIA process.
DPDPA compliance for marketplaces, D2C brands, payment aggregators, and quick-commerce. Focus on behavioural profiling, dark patterns, children's data, and payment data minimisation.
Map all customer behavioural data: browsing, purchase history, wish lists, recommendations.
Layered notice at checkout covering payment, profiling, and delivery data uses.
Eliminate consent dark patterns and ensure free, unambiguous marketing opt-in.
Limit customer data flowing to third-party sellers to fulfilment purposes only.
PCI-DSS compliance and payment tokenisation for e-commerce checkout.
Control customer data shared with last-mile delivery and returns partners.
In-app rights portal for access, correction, deletion, and data export.
Rapid notification for payment or account credential breaches.
Balance GST/tax records with DPDPA necessity and customer deletion requests.
DPDPA governance for marketplace operators and their seller ecosystem.
DPDPA compliance for online learning platforms, competitive exam prep, LMS providers, and schools. Strong focus on children's data, parental consent, anti-profiling, and proctoring data governance.
Catalogue all student personal data across LMS, assessments, and payment systems.
Age-appropriate notice to students and parallel notice to parents for under-18 learners.
Robust parental consent mechanism for children under 18 before data collection.
Prohibit behavioural profiling of students for commercial targeting and external sale.
Secure handling of biometric and behavioural proctoring data during assessments.
Govern student data shared with schools, universities, and employer partners.
Rights fulfilment for students and parents covering access, correction, and deletion.
Heightened response for breaches involving minors' data.
Academic record retention vs. DPDPA deletion rights for inactive students.
Governance structure with child safety officer and DPDPA compliance programme.
DPDPA compliance for TSPs, ISPs, and VAS providers. Covers CDR/subscriber data, SIM KYC, 5G/Edge data flows, lawful interception boundaries, and dual DPDPA + TRAI breach reporting.
Catalogue all call detail records, location data, and subscriber profile data.
TRAI-compliant privacy notice for mobile and broadband subscribers.
Subscriber-facing consent management for location, marketing, and VAS data uses.
Restrict CDR and location data use to network operations and disclosed purposes.
Telecom-grade security for CDR, subscriber systems, and 5G network elements.
Control personal data shared with VAS providers and international roaming partners.
Access, correction, and erasure rights for telecom subscribers.
Coordinate CDR and subscriber data breach notifications to DPB and TRAI/DoT.
Balance DoT 2-year CDR mandate with DPDPA purpose limitation and deletion.
Governance for TSPs with dual compliance to TRAI regulations and DPDPA.
DPDPA compliance for central and state government bodies, public sector undertakings, and e-governance platforms. Covers Section 17 exemptions, Aadhaar-linked services, citizen data sovereignty, and e-Gov vendor controls.
Map all citizen personal data in government databases, beneficiary systems, and portals.
Plain-language notice to citizens about government data collection and processing.
Document lawful basis for each processing activity: law, consent, or legitimate state function.
Limit citizen data sharing between agencies to declared lawful purposes only.
CERT-In compliant security for citizen data and e-governance infrastructure.
Govern private vendors who operate or maintain government citizen data systems.
Government data access, correction, and grievance mechanisms for citizens.
Coordinate citizen data breach between CERT-In, DPB, and ministry notification chains.
Balance Public Records Act, Right to Information, and DPDPA deletion obligations.
Institutional governance framework for DPDPA compliance across government bodies.
DPDPA compliance for cloud SaaS providers, IT outsourcing, and managed service providers. Focus on multi-tenant data isolation, processor agreements, DevSecOps, and customer offboarding data deletion.
Catalogue all personal data stored across tenants, environments, and cloud regions.
Layered notice to enterprise customers (B2B) and their end-users processed through the SaaS.
Robust DPAs with enterprise customers covering DPDPA processor obligations.
Embed privacy by design in development lifecycle to prevent purpose creep.
Tenant isolation, encryption, and access controls for shared SaaS infrastructure.
Control personal data sharing with sub-processors and third-party integrations.
Complete customer data deletion and export on contract termination.
Tiered breach response covering processor notification and customer communication.
Contractual retention periods, backup lifecycle, and automated deletion pipelines.
Privacy-as-a-product governance framework for SaaS and IT service organisations.
DPDPA compliance for factories, industrial enterprises, and smart-product manufacturers. Covers employee biometrics, IoT/OT data, workforce surveillance, product telemetry, and supply chain data sharing.
Catalogue employee biometric, attendance, IoT sensor, and product telemetry data.
Notice to factory workers and smart-product consumers about personal data collection.
Explicit, free consent for biometric enrolment and workforce surveillance systems.
Restrict CCTV and monitoring data to safety and security — not productivity surveillance.
Cybersecurity for operational technology and biometric systems storing personal data.
Control personal data shared with dealers, distributors, and service partners.
Rights fulfilment for factory workers (biometrics) and product consumers (telemetry).
Response protocol for biometric system compromise and OT/IoT cyber incidents.
Retention schedule for biometric, CCTV, product telemetry, and HR data.
DPDPA governance for industrial organisations with worker and consumer data obligations.
DPDPA compliance for HR management systems, payroll processors, and workforce platforms. Covers full employee lifecycle — recruitment through alumni — including health/EAP data, gig workers, and third-party HR vendors.
Catalogue all personal data across hire-to-retire and contractor lifecycle stages.
Comprehensive workforce privacy notice covering all HR processing activities.
Map each HR processing activity to correct DPDPA legal basis — contract, legal obligation, or consent.
Strict purpose limitation for employee health, insurance, and assistance programme data.
Access controls, encryption, and audit logging for HR system security.
DPAs with payroll, benefits, background check, and learning platform vendors.
Rights fulfilment for current employees, ex-employees, and gig workers.
Employee notification and regulator reporting for HR and payroll data breaches.
Balance labour law mandates, PF/ESI requirements, and DPDPA deletion rights.
DPDPA governance framework for HR data fiduciary with union and works council alignment.
188 mandatory policies across 10 sectors · Each policy includes Purpose, Scope, Key Requirements and a Sample Clause · Click any policy to expand
"We collect your name, email address, mobile number and usage data solely to provide and continuously improve our services. We do not sell your personal data to third parties. You may withdraw consent, request access to your data or ask for its deletion at any time by writing to our Data Protection Officer at dpo@company.com. This Privacy Notice is effective from [DATE] and supersedes all prior versions."
"The Data Processing Register shall be maintained by the DPO and updated within 14 days of any new or changed processing activity. Each record shall include: (a) nature and category of personal data; (b) the legal basis; (c) processor and sub-processor details; (d) the retention schedule; (e) cross-border transfer safeguards. The DPR shall be made available to the DPBI within 72 hours of any request."
"Consent shall be obtained for each distinct processing purpose separately. No single consent form shall cover multiple processing purposes. A data principal who wishes to withdraw consent may do so at any time through the designated privacy dashboard or by email to the DPO. Withdrawal shall take effect within 24 hours of the request and shall not affect the lawfulness of processing carried out before withdrawal."
"Personal data shall be retained only for as long as necessary to fulfil the purpose for which it was collected, or for such longer period as may be required by applicable law. Upon expiry of the retention period, personal data shall be securely deleted or irreversibly anonymised within 30 days. Where a data principal requests erasure and no legal hold applies, deletion shall be completed within 30 days and confirmed in writing."
"Upon confirmation of a P1 breach, the DPO shall notify the Data Protection Board of India within 72 hours. The notification shall state: (i) nature of the breach; (ii) categories and approximate number of data principals affected; (iii) likely consequences; (iv) measures taken or proposed. Affected data principals shall be notified without undue delay in plain language."
"Any data principal may submit rights requests through the privacy portal or by writing to the DPO. The organisation shall respond to access requests within 72 hours, correction requests within 7 working days and erasure requests within 30 days of verified identity. Unresolved grievances may be escalated to the Data Protection Board of India at dpbi.gov.in."
"As a Significant Data Fiduciary designated under Section 10 of DPDPA 2023, the organisation shall appoint a qualified Data Protection Officer who shall report directly to the Board. The DPO shall conduct Data Protection Impact Assessments for all high-risk processing activities and shall submit an annual compliance report to the Data Protection Board of India. The DPO's identity and contact shall be prominently published on the organisation's website."
"No personal data of any person below the age of 18 shall be processed without verifiable parental or guardian consent. Irrespective of parental consent, the organisation shall not engage in behavioural profiling, targeted advertising, tracking or monitoring of any user who is or is reasonably believed to be below 18 years of age."
"The organisation shall not process any personal data without identifying and documenting the applicable legal basis under DPDPA 2023. Where processing relies on a legal obligation, the specific provision of law shall be cited in the DPR entry. Processing activities without a documented legal basis shall be suspended immediately pending DPO review."
"On confirmation of a P1 breach: (1) CISO notifies DPO within 2 hours; (2) DPO and Legal prepare DPBI notification within 48 hours; (3) DPO submits notification to DPBI portal within 72 hours of breach confirmation; (4) Affected data principals notified without undue delay using the pre-approved communication template; (5) Post-incident report submitted to DPBI within 30 days."
"Before commencing any high-risk processing activity, the business unit shall complete a DPIA using the approved template and submit it to the DPO. The DPO shall provide written opinion within 15 working days. Processing shall not commence until the DPO confirms in writing that the residual risks are acceptable."
"No personal data shall be shared with any third-party processor without a signed DPA that complies with DPDPA 2023. Processors shall notify the organisation of any personal data breach within 6 hours of discovery. The processor register shall be updated within 7 days of any change."
"Personal data of Indian data principals shall be transferred outside India only to countries on the MeitY-approved whitelist, or under Standard Contractual Clauses approved by the DPO and Legal, or under such other safeguards as may be prescribed. A Transfer Impact Assessment shall be completed for every country where data is processed by a sub-processor."
"All new products processing personal data shall undergo a Privacy Impact Assessment before development commences. Default settings shall collect and process the minimum personal data necessary. No personal data from production environments shall be used in development or testing without prior DPO approval and mandatory anonymisation."
"All employees with access to personal data shall complete mandatory DPDPA awareness training within 30 days of joining and annually thereafter. Completion shall be recorded in the LMS. Non-completion within the stipulated period shall be escalated to the relevant department head."
"The organisation shall collect only personal data strictly necessary for the stated purpose. No personal data shall be used beyond the purpose for which it was collected without fresh consent or a new lawful basis. Processing that exceeds its stated purpose shall be immediately suspended pending DPO review."
"Any data principal may request a portable copy of their personal data through the privacy portal. The organisation shall provide a machine-readable copy within 72 hours of the verified request. Data principals may register a nominee to exercise all data protection rights on their behalf upon verified proof of death or incapacity."
"Prior to granting any vendor access to personal data, the Information Security team shall conduct a security assessment proportionate to the vendor's risk level. Vendors accessing sensitive personal data of more than 10,000 principals shall provide SOC 2 Type II or ISO 27001 evidence. Assessments shall be repeated annually."
"The organisation shall conduct a comprehensive DPDPA compliance audit at least once every calendar year. The audit report shall be presented to the Board within 30 days of conclusion. All critical findings shall be remediated within 30 days. Audit records shall be maintained for a minimum of 5 years."
"All privacy notices shall be written in clear, plain language comprehensible by the average user without legal expertise. Privacy communications shall avoid technical legal terminology and passive voice constructions. All notices shall be reviewed jointly by the Legal and Data Protection teams before publication."
"KYC data including PAN number, Aadhaar Virtual ID and bank account details shall be classified as sensitive personal data and processed only for identity verification and statutory regulatory compliance. No KYC data shall be used for marketing, profiling or cross-sell purposes without fresh explicit consent."
"The organisation shall not store the full 12-digit Aadhaar number of any individual. Only the Masked Aadhaar or UIDAI-generated Virtual ID shall be retained post-verification. PAN data shall be used exclusively for statutory tax reporting and identity verification purposes and shall not be used for any commercial profiling, marketing or analytics."
"The organisation shall not store, process or transmit full payment card numbers in unencrypted form. All card data shall be tokenised in accordance with RBI Tokenisation Guidelines and PCI-DSS requirements. CVV shall not be stored after completion of the authorisation transaction under any circumstance."
"In compliance with the Reserve Bank of India's data localisation mandate, all data related to payment systems shall be stored only within India. Where payment transactions require processing by overseas entities such as card networks, end-to-end transaction data shall be brought back to India within 24 hours and retained only in India thereafter."
"AML/CFT data processed for compliance with PMLA 2002 shall be retained for the period mandated by PMLA, notwithstanding any erasure request under DPDPA. Where a data principal requests erasure, the organisation shall communicate in writing the statutory basis for retaining the data and the expected retention end date."
"The organisation's digital lending application shall not request access to the borrower's device contacts, photographs, call logs, location data or any other device data not strictly necessary for the credit assessment process. Loan data shall not be used for any commercial purpose other than loan processing and recovery."
"On confirmation of a breach affecting customer financial data: (1) RBI notified within 6 hours per RBI Cyber Security Framework; (2) DPBI notified within 72 hours per DPDPA; (3) SEBI notified within 24 hours for capital market entities; (4) Affected customers notified in plain language without undue delay. The DPO shall coordinate all notifications."
"Data shared with recovery agents shall be strictly limited to: the borrower's name, outstanding loan amount, EMI schedule, the date of last payment and the borrower's registered contact number. KYC documents, Aadhaar, PAN, bank account details and family contacts shall not be disclosed to recovery agents under any circumstance."
"Credit score data and credit bureau reports shall be used solely for the purposes of credit assessment and risk management. Where a lending decision adverse to the applicant is made based wholly or partly on credit score data, the applicant shall be informed of this and provided the right to seek an explanation and request human review."
"Data received through the Account Aggregator framework shall be used solely for the specific financial product purpose for which consent was granted. Consent for different financial products shall be obtained separately. Consent revocation through the AA framework shall be implemented within 2 hours of the data principal's request."
"Where a credit or lending decision is made wholly or partly through automated means, the data principal shall be informed of this and shall have the right to request review by a human officer. The organisation shall maintain documentation explaining the key factors that influenced any automated credit decision."
"Investor personal data including portfolio holdings, transaction history and KYC information shall be used solely for providing investment services and for statutory reporting to SEBI and other regulatory bodies. Portfolio data shall not be used to market financial products to the investor without their explicit consent."
"Policyholder health data used for underwriting shall be collected under separate explicit consent and used solely for the purposes of insurance underwriting and claims management. This data shall not be shared with any non-insurance entity or used for marketing, profiling or any purpose beyond the insurance relationship."
"API responses to fintech partner applications shall be restricted to the minimum data fields required for the specific purpose authorised under the Data Processing Agreement. Consent revocation by a data principal shall be propagated to all connected API partners within 2 hours through the consent revocation webhook."
"Financial personal data transferred to overseas processors for payment processing or correspondent banking shall be covered by Standard Contractual Clauses unless the destination country is on the MeitY-approved whitelist. All such transfers shall comply with RBI data localisation requirements in addition to DPDPA Section 16."
"Payment gateway vendors shall be required to provide an annual PCI-DSS QSA assessment report confirming their compliance status. Gateways shall not store raw card numbers and shall notify the organisation of any security incident affecting payment data within 4 hours of discovery."
"Upon request, the organisation shall provide the customer with a portable copy of their financial data including account statements, transaction history for the preceding 3 years, and loan account summaries in a machine-readable format within 72 hours. The portable data shall be delivered through a secure, time-limited download link."
"Virtual Digital Asset transaction data, wallet addresses and associated personal data shall be classified as financial personal data under DPDPA 2023 and shall be subject to the same security and access controls as other financial data. VDA tax reporting data shall be retained only for the statutory period under the Income Tax Act."
"Before sharing any customer repayment data with a credit bureau, the organisation shall obtain the customer's explicit consent. BNPL transaction and repayment data shall be used solely for credit risk management. Late payment information shall not be shared with merchants, advertisers or any third party other than licensed credit bureaus."
"No third-party API integration shall be authorised to access customer personal data without a signed Data Processing Agreement and a satisfactory security assessment. API responses shall be filtered at the gateway to return only the minimum data fields required for the stated purpose. All API integrations shall be registered in the Data Processing Register."
The 6 priority Healthcare policies are shown expanded in the main dashboard Policy Register tab. All 20 are listed here — click to expand each for full content.
"Health data shall be classified into three tiers based on sensitivity. Tier 1 data including genetic information, biometric identifiers, mental health records and HIV status shall be processed only with explicit consent and stored with the highest available encryption standard. Every access to Tier 1 data shall be logged and reported to the DPO."
"Where a patient requests erasure and records are subject to NMC or NABH statutory retention, the organisation shall communicate the specific legal basis for retaining the data, the expected retention end date, and confirm that all non-statutory data has been deleted immediately."
"Consent for use of patient health data for research shall be obtained separately from treatment consent. A patient's refusal to consent to research shall not affect the quality of clinical care. Insurance sharing requires a separately signed consent form distinct from all other consents."
"Where health data is processed for emergency medical treatment without prior consent, the treating clinician shall document the emergency within 4 hours. Processing under this exemption shall cease when the emergency resolves. The patient shall be informed of what data was processed at the earliest practicable opportunity."
"Laboratory test reports shall be accessible only to the ordering physician and the patient through a secure portal. Reference laboratories receiving patient samples shall be bound by DPAs prohibiting secondary analytics use of patient data. NABL accreditation reports shall contain only anonymised quality data."
"Data shared with Third-Party Administrators shall be limited to: patient name, policy number, diagnosis code (ICD-10), treatment code and billed amount. Full clinical notes, investigation reports and medical history shall not be shared with TPAs without specific patient consent."
"Mental health records, genetic data, HIV status and addiction treatment records shall be stored in a segregated environment with access restricted to the treating clinical team. These records shall not be disclosed to any insurer, employer or third party without the patient's explicit, written and separately obtained consent."
"Before any telemedicine session is recorded or AI-transcribed, the patient shall be informed and their explicit consent obtained. Session recordings shall be end-to-end encrypted, stored in India and deleted 90 days after the session unless the clinician certifies they are required for ongoing care."
"Patient data shared with clinical research organisations for research purposes shall be anonymised or pseudonymised before sharing. All research involving identifiable patient data shall require prior approval from the ICMR Ethics Committee and separate research consent from the patient."
"Access to a patient's health records through ABHA requires consent through the ABDM-certified consent manager for each health record accessed. The organisation shall not access, aggregate or store ABHA-linked records beyond the scope authorised by the patient's consent artefact."
"Prescription data shall not be used for pharmaceutical marketing or shared with drug manufacturers without the patient's explicit consent. Pharmacovigilance and adverse event reports submitted to CDSCO shall contain no identifiable patient information."
"All research using identifiable patient data shall obtain prior approval from the ICMR Ethics Committee. Patient data used in published research shall be anonymised to at least k=5 anonymity. Re-identification risk assessment shall be conducted before any dataset is released to external researchers."
"AI-generated diagnostic outputs shall not be acted upon without review and confirmation by a qualified clinician. Patients shall be informed when AI systems contribute to their diagnosis and shall have the right to request that their case be reviewed without AI assistance."
"Patient health data shall not be transferred to any country outside India without the patient's explicit consent and compliance with DPDPA Section 16. Where the destination country is not on the MeitY whitelist, Standard Contractual Clauses covering health data shall be executed before any transfer."
"Data collected from wearable health devices shall be owned by the patient and shall be used only for the clinical purpose for which the monitoring was initiated. This data shall not be shared with employers, insurers or pharmaceutical companies without the patient's separate explicit written consent."
"Treatment records for Ayurveda, Yoga, Naturopathy, Unani, Siddha and Homeopathy shall be classified as health data under DPDPA 2023 and shall be subject to the same consent, access and deletion controls as allopathic medical records."
"Following a patient's death, the patient's personal health data shall be accessible only to the registered nominee or legal heir. Cause of death and post-mortem records shall be disclosed to third parties only upon presentation of a court order or verified proof of legal heirship."
"No third-party vendor shall access patient personal data without a signed Data Processing Agreement. All vendor personnel with access to patient data shall complete mandatory DPDPA and health data privacy training before access is granted. Access shall be revoked within 24 hours of contract termination."
"Patients may exercise their data protection rights by submitting a request through the hospital's patient rights portal, at the patient relations desk, or by writing to the DPO. The hospital shall acknowledge grievances within 48 hours and resolve them within 30 days. Unresolved grievances may be escalated to the Data Protection Board of India."
"The organisation shall monitor the progress of the Digital Information Security in Healthcare Act (DISHA) and shall conduct an internal gap analysis within 90 days of enactment. All DPDPA-compliant health data controls shall be reviewed for DISHA alignment and updated as required."
All 20 E-Commerce policies with full content (purpose, scope, requirements, sample clauses) are available in the main dashboard → Policy Register → E-Commerce tab. The 20 policies cover: Behavioural Profiling, Cookie & Tracking, Children's Data, Payment Tokenisation, Dark Patterns, Marketplace Seller, Consumer Protection Rules, Cross-Border Commerce, Subscription Billing, Anti-Fraud, ONDC Network, Social Commerce, Loyalty/Referral, BNPL, Returns/Refunds, UGC/Reviews, Delivery Partner, Recommendation Algorithm, Account Deletion, Abandoned Cart Retention.
All 20 EdTech policies cover: Student Data Protection, Parental Consent, Anti-Profiling (Minors), Online Proctoring, Competitive Exam Data, EdTech Vendor/Ad-Tech, Breach Response, Learning Analytics, Video Recording, School Partnerships, AI Learning Tools, Student Loans, International Students, Assessment/Certification, Teacher/Faculty Data, Account Deletion, NEP 2020 Alignment, Parental Transparency, Disability Data, Student Grievance.
All 20 Telecom policies cover: CDR & Network Data, Location Tracking, SIM KYC, Lawful Interception, Dual Breach Reporting (DoT+DPBI+CERT-In), TRAI Compliance, Telecom Act 2023, Subscriber Rights Portal, IPDR Retention, VAS/OTT Consent, Subscriber Consent, International Roaming, Mobile Money/UPI, Emergency Services, 5G/Edge Computing, Network Security Logs, Anti-SPAM, Subscriber Portability, SIM Swap Fraud, Tower/Infrastructure Data.
All 20 Government policies cover: Sovereign Function Exemption, Section 17 Exemptions Governance, Citizen Data Governance, Inter-Departmental Sharing, Aadhaar Integration, National Security Boundaries, Sovereign Cloud, Law Enforcement Disclosure, e-Gov Vendor Onboarding, Citizen Rights & Grievance, Welfare Scheme Minimisation, MeitY CSCRF, Public Procurement, DigiLocker/UMANG, DBT Data, Census/Population, e-Gov Portal Notice, Citizen Biometric Data, Government AI Policy, CERT-In Compliance.
All 20 SaaS policies cover: Multi-Tenant Isolation, Sub-Processor Management, Customer DPA Template, Cross-Border Transfer Assessment, Breach Detection & Notification, Incident Classification Matrix, Customer Offboarding & Deletion Certificate, Employee Access to Customer Data, DevSecOps/Secure SDLC, API Security, SOC 2/ISO 27001 Maintenance, Privacy by Design, AI-SaaS Model Training, Privacy Engineering Controls, Tenant Data Portability, Vulnerability Management, Data Residency, Third-Party SDK Governance, Synthetic Test Data, Logging & Audit Trail Retention.
All 20 Manufacturing policies cover: Employee Biometric Data, Biometric Offboarding Deletion, OT/SCADA Network Security, Contract Worker/Agency Staff, CCTV & Surveillance, Workforce Monitoring/GPS, IoT Device Governance, Smart Product/Connected Device, Third-Party IoT Vendor, Factory Access Control Data, Employee Health & Safety, Migrant/Contractual Labour, Supply Chain/Supplier Data, Customer/Dealer Data, Warranty/After-Sales, Industrial Safety/Incident, Environmental Monitoring, Product Registration, B2B Contact Data, Plant/OT System Governance.
All 20 HRMS policies cover: Employee Data Lifecycle, Payroll & Financial Data, Employee Health/Wellness/EAP, Employee Biometric Data, Union/Grievance/Collective Bargaining, Whistleblower Confidentiality, Recruitment & Candidate Data, BGV Vendor Policy, Performance Management/PIP, AI Hiring Tools, Diversity/Equity/Inclusion, Third-Party HR Vendors, Employee Monitoring/Surveillance, Gig/Freelancer/Contract Worker, Employee Data Portability, DPDPA Rights & Training, Employee Benefits & Insurance, Travel/Expense/Corporate Card, Alumni/Former Employee, Contractor/Alumni Retention.
CyberSigma delivers end-to-end DPDP Act compliance — gap assessment, DPIA, consent architecture, policy drafting and DPO-as-a-service — with CERT-In empanelled senior auditors.
© CyberSigma Consulting Services LLP · Privacy Policy