Data Protection Policy
Effective Date: 25 March 2026
India's Digital Personal Data Protection Act, 2023 (DPDP Act)
This policy describes the obligations of Inovitrix Technologies as a Data Fiduciary under the DPDP Act and your rights as a Data Principal. The DPDP Act governs the processing of digital personal data within India.
1. Overview & Applicability
The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is India's primary legislation governing personal data. Inovitrix Technologies is a “Data Fiduciary” — an entity that determines the purpose and means of processing personal data. You, the user or your contacts whose data is stored in the Service, are “Data Principals.” This policy applies to all digital personal data collected or processed by the Company in India or relating to Data Principals located in India.
2. Personal Data We Process
As a Data Fiduciary, we process the following categories of personal data:
| Category | Examples | Role |
|---|---|---|
| Account holder data | Name, email, phone, password hash | Data Fiduciary |
| Contact data (uploaded by you) | Recipient names, phone numbers | Data Processor acting on your instructions |
| Usage & log data | IP addresses, access logs, audit logs | Data Fiduciary |
| Message content | Campaign text, templates, media | Data Processor acting on your instructions |
| Payment data | Transaction IDs, billing details | Data Fiduciary |
Important: Inovitrix Technologies acts as a Data Processor with respect to your contacts' data. You, as the Account holder, are the Data Fiduciary for that data and are responsible for obtaining valid consent from your contacts before messaging them.
3. Grounds for Processing
Under the DPDP Act, personal data may be processed on one of the following grounds:
- Consent — You provide explicit consent at account registration. You can withdraw consent at any time; however, withdrawal may limit your ability to use the Service.
- Legitimate uses — Processing necessary for the performance of a contract (your subscription), compliance with a legal obligation (tax, audit), or to protect vital interests.
We maintain records of the lawful basis for each processing activity.
4. Notice & Consent Obligations
In compliance with the DPDP Act's notice requirements:
- We provide a clear notice before collecting personal data describing what data is collected, its purpose, and how it will be used.
- Consent is obtained through an affirmative, free, specific, informed, and unambiguous action (e.g., the checkbox during account registration).
- Consent requests are presented separately from other terms — not bundled with acceptance of the Terms of Service.
- You may withdraw consent at any time by contacting us. Withdrawal will not affect the lawfulness of processing before withdrawal.
5. Your Rights as a Data Principal
Under the DPDP Act, you have the following rights:
Right to Access
Obtain a summary of personal data processed, the processing activities undertaken, and the identities of Data Processors and third parties with whom data has been shared.
Right to Correction & Erasure
Request correction of inaccurate or incomplete data, and erasure of data no longer necessary for the purpose it was collected (subject to legal retention requirements).
Right to Grievance Redressal
Have your grievances redressed promptly. If we fail to resolve your grievance within 30 days, you may escalate to the Data Protection Board of India.
Right to Nominate
Nominate an individual to exercise your rights in the event of your death or incapacity.
Right to Withdraw Consent
Withdraw consent at any time. We will cease processing within 30 days of receiving a valid withdrawal request.
To exercise any right, submit a request to dpo@inovitrix.com. We will acknowledge your request within 72 hours and resolve it within 30 days.
6. Obligations as Data Fiduciary
Inovitrix Technologies commits to the following obligations under the DPDP Act:
- Purpose limitation: Collect only data necessary for the stated purpose; do not use it for incompatible purposes.
- Data minimisation: Process only the minimum data required.
- Storage limitation: Retain data only as long as necessary, per the retention schedule in our Privacy Policy.
- Accuracy: Take reasonable steps to ensure data is accurate and up to date.
- Security safeguards: Implement appropriate technical and organisational measures to prevent unauthorised access, loss, or destruction.
- Breach notification: Notify the Data Protection Board of India and affected users of any personal data breach in the manner and timeline prescribed by the DPDP Act.
7. Data Processors & Sub-processors
We engage the following Data Processors to support our Service:
| Processor | Purpose | Location |
|---|---|---|
| Meta Platforms, Inc. | WhatsApp message delivery | USA |
| Amazon Web Services | Cloud infrastructure | Global |
| Razorpay | Payment processing | India |
| Email delivery provider | Transactional emails | India / Global |
All processors are bound by data processing agreements requiring them to protect personal data to standards equivalent to this policy.
8. Cross-Border Data Transfers
The DPDP Act restricts transfer of personal data to countries not approved by the Indian government. Where we transfer data to Meta (USA) or AWS (outside India), we rely on: (a) Meta's and AWS's compliance with applicable data transfer mechanisms; (b) Standard Contractual Clauses where applicable; and (c) our assessment that adequate protections are in place. We will update this policy to reflect any government-notified restrictions on specific countries.
9. Data Breach Response
In the event of a personal data breach:
- We will assess the scope and impact within 24 hours of discovery.
- We will notify the Data Protection Board of India as required by the DPDP Act (timeline to be prescribed by rules).
- Affected Data Principals will be notified promptly with details of the breach and remedial measures.
- We will take immediate steps to contain and mitigate the breach.
10. Children's Data
The Service is not intended for children under 18. Per the DPDP Act, we do not process data of children without verifiable parental consent, and we take reasonable steps to identify and address access by minors. If we become aware that a minor has registered, we will delete their data promptly.
11. Grievance Redressal
We have designated a Data Protection Officer (DPO) to handle privacy-related complaints:
Our grievance redressal process:
- Submit your grievance to the DPO via email.
- We will acknowledge receipt within 72 hours.
- Resolution will be provided within 30 days.
- If unsatisfied, you may escalate to the Data Protection Board of India once operational under the DPDP Act.
12. Updates to This Policy
This policy will be updated to reflect changes to the DPDP Act's rules and regulations as they are notified by the Indian government. Material changes will be communicated by email to all registered users at least 14 days prior to taking effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
© 2026 Inovitrix Technologies. All rights reserved.