Data Protection (DPDP Act 2023)

Last updated: April 26, 2026

Overview

BizPulse AI is committed to compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), India's comprehensive data protection law. We also comply with the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).

This page explains your rights as a Data Principal, our obligations as a Data Fiduciary, and how we handle personal data in accordance with Indian law.

Our role under the DPDP Act

Data Fiduciary

BizPulse AI is the Data Fiduciary — we determine the purpose and means of processing your personal data and are responsible for safeguarding it.

Data Principal

You are the Data Principal — the individual to whom the personal data relates. You have rights over your data as described below.

Data Processors

We engage third-party Data Processors (Supabase, Vercel, Razorpay, Resend, Anthropic) to assist in providing the service. All processors operate under contractual obligations to protect your data.

Lawful basis for processing

Under the DPDP Act 2023, personal data may be processed on the following bases:

  • Consent: We obtain your free, informed, specific, and unambiguous consent at account creation for processing your personal data. You may withdraw consent at any time.
  • Legitimate uses: Fraud prevention, compliance with legal obligations, provision of services to the state, and processing for research or statistical purposes using anonymised data.
  • Legal obligation: Retaining financial and tax records as required under Indian law (GST Act, Income Tax Act) for up to 7 years.

Your rights under the DPDP Act 2023

Right to access information (Section 11)

Request a summary of your personal data being processed by us and the identities of all Data Processors we share it with.

Right to correction and erasure (Section 12)

Request correction of inaccurate or misleading personal data. Request erasure of personal data that is no longer necessary for the purpose for which it was collected.

Right to grievance redressal (Section 13)

Raise a complaint with our Grievance Officer. We will respond within 30 days. If unsatisfied, you may escalate to the Data Protection Board of India.

Right to nominate (Section 14)

Nominate another individual to exercise your data rights in the event of your death or incapacity.

Right to withdraw consent (Section 6)

Withdraw consent for processing at any time. We will stop processing within a reasonable period. Note: withdrawal does not affect the lawfulness of processing prior to withdrawal.

To exercise any right, email support@bizpulseanalytics.com with subject line: Data Rights Request – [your request type]. We will respond within 30 days.

Obligations as Data Fiduciary

Under the DPDP Act 2023, we fulfil the following obligations:

  • Purpose limitation: We process personal data only for the purposes disclosed in our Privacy Policy and for which consent was obtained.
  • Data minimisation: We collect only the data necessary to provide the service.
  • Accuracy: We take reasonable steps to ensure personal data is accurate and up to date.
  • Storage limitation: Personal data is deleted once it is no longer necessary for the stated purpose (within 30 days of account deletion, subject to legal retention obligations).
  • Security safeguards: We implement reasonable security measures as prescribed under the SPDI Rules 2011 — including AES-256 encryption, TLS 1.3, and bcrypt password hashing.
  • Breach notification: In the event of a personal data breach, we will notify affected Data Principals and the Data Protection Board of India as required by law.

Cross-border data transfers

Our infrastructure involves processors located outside India. We ensure all cross-border transfers comply with the DPDP Act 2023 and applicable government notifications:

  • Vercel (USA) — Application hosting; transfers under applicable safeguards
  • Anthropic (USA) — AI analysis; only anonymised signal values are sent, never personal identifiers
  • Supabase (USA/EU) — Database hosting; EU region available on request
  • Resend (USA) — Email delivery

All processors operate under binding contractual obligations consistent with the DPDP Act 2023 and SPDI Rules 2011.

Sensitive personal data (SPDI Rules 2011)

Financial data you share with us (bank account information synced via Plaid, accounting data via QuickBooks, revenue data via Stripe) constitutes Sensitive Personal Data or Information (SPDI) under the IT Rules 2011. We handle SPDI with enhanced protections:

  • Explicit consent is obtained before collecting any SPDI
  • SPDI is processed only to provide the health monitoring service
  • SPDI is not transferred to third parties except as required to provide the service
  • Read-only OAuth scopes are used — we cannot modify or transact on your financial accounts

Grievance Officer

As required under the IT Act 2000, SPDI Rules 2011, and DPDP Act 2023, we have designated a Grievance Officer:

Grievance Officer: BizPulse AI Team
Email: support@bizpulseanalytics.com
Subject: Data Grievance – [brief description]
Response time: Within 30 days of receipt

Data Protection Board of India

If you believe we have not handled your data in accordance with the DPDP Act 2023 and are unsatisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India once it is constituted under the Act. Information on the Board will be published at the Ministry of Electronics and Information Technology (MeitY) website.

Contact

Email: support@bizpulseanalytics.com
Subject line: DPDP Request – [your request type]

For full details on data collection and processing, see our Privacy Policy.