Eshopbox Privacy Policy

ESHOPBOX E-COMMERCE PRIVATE LIMITED (“Eshopbox”) owns and manages the website www.eshopbox.com (“Website”). Eshopbox values your privacy and takes responsibility for your data seriously.

This Privacy Policy (“Privacy Policy”) is published in compliance with inter alia:

  • The Digital Personal Data Protection Act, 2023 (“DPDP Act”)

  • Digital Personal Data Protection Rules, 2025 (“Rules”)

  • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

This Privacy Policy deals with information Eshopbox collects in relation to our Websites and explains:

  • What information is collected by Eshopbox?

  • How does Eshopbox collect and use that information?

  • How can you provide information selectively?

  • How can you access and update this information?

  • How does Eshopbox process, share, and protect your information?

By using the Website, you confirm that you accept the terms of this Privacy Policy and that you agree to abide by them. This Privacy Policy is incorporated into and subject to the terms of use available on the Website. This policy may be amended from time to time.

Eshopbox values the trust you place in us. That is why Eshopbox insists upon the highest standards for secure transactions and customer information privacy. This Privacy Policy applies to the personal information Eshopbox collects on the Website. This Privacy Policy inter alia describes the types of personal information Eshopbox collects on the Website, how Eshopbox may use that information, and with whom Eshopbox may share it. Eshopbox also tells you how you can reach Eshopbox to ask it to update your preferences regarding how Eshopbox communicates with you or answer any questions you may have about Eshopbox's privacy practices. Please read the following statement to learn about our information gathering and dissemination practices.

Eshopbox's privacy policy is subject to change at any time, provided notice is given. To stay aware of any changes, please review this policy periodically.

When you access the Website, you accept, without limitation or qualification, the Privacy Policy set forth below and any additional terms of use set forth in the Website. This Privacy Policy constitutes a binding legal agreement between you and Eshopbox. If you do not agree with the Privacy Policy, please discontinue use of the Website. Eshopbox has provided this Privacy Policy to familiarise you with the type of data or information that you share with or provide to Eshopbox and that Eshopbox collects from you, the purpose for the collection of such data or information from you, Eshopbox's information security practices and policies and Eshopbox's Privacy policy on controlling or processing your data or information with third parties. This Privacy Policy may be amended or updated from time to time. We will update the 'Last Updated' date at the beginning of this policy accordingly. Eshopbox suggests that you regularly check this Privacy Policy to apprise yourself of any updates. Your continued use of the Website or provision of data or information thereafter will imply your unconditional acceptance of such updates to this Privacy Policy. The information (which shall also include data) provided by you to Eshopbox or collected from you by Eshopbox may consist of Personal Information and Non-Personal Information. “Personal Information” refers to any information that can be used to uniquely identify or contact you, such as your name, email address, phone number, etc. and “Non-Personal Information” is the de-identified and non-personally identifiable information collected from the Website.

Definitions

For the purposes of this Privacy Policy, the following definitions apply:

  • “Sensitive Personal Data” means data related to financial information, health records, biometric data, genetic data, caste, religious beliefs, or other categories defined under applicable law.

  • “Data Fiduciary” refers to Eshopbox, which determines the purpose and means of processing personal data.

  • “Data Processor” refers to any third-party service provider processing data on behalf of Eshopbox.

  • “Data Subject” refers to any individual whose personal data is collected, processed, or stored.

  • “Processing” means any operation performed on personal data, including collection, storage, usage, and sharing.

  • “Consent” refers to freely given, informed, and unambiguous agreement by a data subject to the processing of their personal data.

  • “Cookies” are small data files placed on a user’s device to track and enhance user experience.

  • “Security Breach” refers to unauthorized access, disclosure, alteration, or destruction of personal data.

  • “Third-Party Service Provider” refers to external entities engaged by Eshopbox to process personal data, including cloud storage providers, payment processors, and analytics platforms.

1. Pledge on privacy

The term “Personal Data” as used in this Privacy Policy refers to information such as your name, e-mail address, telephone/mobile number that can be used to identify you and any other information that is directly or indirectly linked to you. Generally, Eshopbox will only process your Personal Data as described in this Privacy Policy. We may also process your Personal Data as permitted or required by applicable laws or in response to lawful requests from government authorities, including to meet national security or law enforcement requirements. We are committed to processing your Personal Data lawfully and fairly, ensuring it is used only for specified, explicit, and legitimate purposes.

2. Information we collect

2.1 Eshopbox may collect information from:

  • Service providers that make user-generated content from their services available to others, such as local business reviews or public social media posts;

  • Communication service providers, including email providers and social networks, when you permit Eshopbox to access your data on such third-party services or networks. If you choose to register to use the Website using your social network or any such other account details (e.g., Facebook, Website ID, Google), you will provide Eshopbox or allow your social network to provide Eshopbox with your username and public profile;

2.2 Information Eshopbox collects by automated means

If you use the Website, Eshopbox may collect the following information by automated means:

  • Internet Protocol (“IP”) address;

  • Information about your use of the Website;

2.3 Non-Personal Information

Eshopbox may de-identify personal information that Eshopbox has collected from you through the Website and combine it with de-identified information about other users, information from third parties, and/or publicly available information. Eshopbox may also collect information other than Personal Information from you through the Website when you visit and/or use the Website. Such information may be stored in server logs. This Non-Personal Information would not assist Eshopbox to identify you personally. The duration of your stay on the Website is also stored in the session along with the date and time of your access. Non-Personal Information is collected through various ways such as the use of cookies with consent. Eshopbox may store temporary or permanent ‘cookies’ on your device.

We ensure that de-identified data cannot be re-associated with you, maintaining your privacy in compliance with applicable laws.

2.4 Website visitorship information

Eshopbox gathers information from the Website activity, such as data on the number of people who visit the Website, the pages they visit, the duration of their stay, etc. Website visitorship information is, inter alia:

  • Collected on an aggregate, anonymous basis, which means no personally identifiable information is associated with this data;

  • Gathered through the use of web server logs and cookies;

2.5 Personal Information

You may choose to provide Eshopbox with Personal Information through the Website, like:

  • Contact information, such as your telephone/mobile number and email address;

  • Your profile searches conducted by you and the reviews submitted by you;

  • Information obtained from the account you use to login to the Website such as your username, date of birth (wherever applicable), the information you disclose in your user profile, and your photograph or profile video;

  • Information about services received/rendered on the Website;

  • Your location, collected with your consent.

  • Any other information you choose to provide.

2.6 Indirect Information

  • Your use of certain third-party services on the Website also requires Eshopbox to collect such information as is considered necessary for that purpose (“Indirect Information”);

  • While Eshopbox may collect Indirect Information when You access or use Eshopbox Website, Eshopbox collects User Information only from You with Your prior consent unless there are other legal grounds for doing so, as further specified in this Privacy Policy. Where You provide Eshopbox with User Information of third parties, Eshopbox understands that You have obtained the consent of such third parties, and have sufficient rights, approvals, and licenses to provide such information to Eshopbox. You agree to indemnify and hold Eshopbox harmless from any claims arising from the provision of third-party information without proper consent.

  • We comply with applicable data protection laws in India, including the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023 ("DPDP Act").

Sensitive Personal Data

  • Under the DPDP Act, "Sensitive Personal Data" includes personal data revealing or relating to financial information, health data, official identifiers, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation.

  • Eshopbox does not intentionally collect any of the aforesaid SPDI of any of the users of the Website.

3. Use of information collected

Most Eshopbox services do not require any form of registration, allowing you to visit the Eshopbox Website without telling Eshopbox who you are. However, some services may require you to provide Eshopbox with Personal Information. In these situations, if you choose to withhold any Personal Information requested by Eshopbox, it may not be possible for you to gain access to certain parts of the Website and for Eshopbox to respond to your query.

Eshopbox may collect and use Personal Information to provide you with services that Eshopbox thinks may be of interest to you or to communicate with you for other purposes which are evident from the circumstances or about which Eshopbox informs you when Eshopbox collects Personal Information from you.

Eshopbox is the Data Fiduciary of your Personal Information and processes it as required to fulfill the purposes outlined in this Privacy Policy, in compliance with applicable laws. Eshopbox stores the information collected from the Website, which is used to:

  • Improve Eshopbox product;

  • Enhance the end-user experience;

  • Provide, maintain and protect services, Website and Eshopbox Business;

  • Communicate with the customers in relation to technical and other administrative matters via emails and other modes of communication;

  • Personalization of the product and the services;

  • Product development;

  • Relevant offers;

  • Reporting and Business operations;

  • Conduct and undertake research in order to develop and provide search, learning and productivity tools and additional features to provide a better experience;

  • Consulting services;

  • Ensure that you are old enough to use our Website (as required by law); and

  • Research wherein Eshopbox investigates and helps prevent security issues and abuse.

The information is processed and analysed by automated means to offer a variety of features that you get from using the Website. The information will be used for advanced analytics to offer additional insightful features in the future. Eshopbox may also anonymize (de-personalise) your information that Eshopbox collects and combine it with other information sources for the purpose of advanced analytics and future use cases.

If you access third-party services, such as Facebook or Google, to login to the Website or to share information about your usage on the Website with others, these third-party services may be able to collect information about you, including information about your activity on the Website, and they may notify your connections on the third-party services about your use of the Website, in accordance with their privacy policies. We encourage you to review the privacy policies of any third-party services you use, as we are not responsible for their data practices.

We process your Personal Information based on the following legal grounds:

  • Consent: When you have provided your explicit consent for specific purposes.

  • Contractual Necessity: To perform a contract with you or to take steps at your request prior to entering into a contract.

  • Legal Obligations: To comply with legal requirements and regulations.

  • Legitimate Interests: To pursue our legitimate interests in improving our services, provided these do not override your rights.

We retain your Personal Information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

You have certain rights regarding your Personal Information, including the right to access, correct, or delete your data, and to withdraw consent where applicable. Please refer to the "Your Rights" section below for more information.

4. Storage and maintenance of information collected

Eshopbox accesses and controls the Personal Data provided by you. Accordingly, Eshopbox may store or track information about you as necessary for the purposes outlined in this Privacy Policy; however, Eshopbox shall not be obligated to do so and may delete any information and records, in whole or in part, solely at Eshopbox's discretion. Eshopbox may retain other information pertaining to you for as long as necessary for the purposes detailed within this Privacy Policy. Such other information provided by you shall be retained by Eshopbox, on Eshopbox servers located in Mumbai, for the period of time needed for Eshopbox to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce Eshopbox agreements.

  • Your Communication Preferences: To help Eshopbox make e-mails more useful and informative, Eshopbox often receives a confirmation when you open an e-mail from Eshopbox if your device supports such capabilities. If you do not want to receive e-mail or other mail from Eshopbox, you may adjust your customer communication preferences in your account settings on the Website.

  • Information from Other Sources: Eshopbox might receive information about you from other sources and add it to Eshopbox account information as may be required to serve you better and for Eshopbox business enhancement. If we collect sensitive personal data, we will do so only with your explicit consent and use it in accordance with this Privacy Policy. By using or continuing to use Eshopbox Website, you agree to Eshopbox's use of your information in accordance with this Privacy Policy, as may be amended from time to time by Eshopbox at Eshopbox's discretion. You also agree and consent to Eshopbox collecting, storing, processing, transferring, and sharing information related to you with third parties or service providers for the purposes as set out in this Privacy Policy. If we need to share your sensitive personal data with third parties, we will do so only with your explicit consent and ensure appropriate safeguards are in place.

  • Eshopbox may be required to share the aforesaid information with government authorities and agencies for verification of identity or for prevention, detection, or investigation, including cyber incidents, prosecution and punishment of offences.

5. Disclosure of information

Eshopbox values the privacy of its customers and ensures that personal data is processed in accordance with applicable laws. However, Eshopbox may disclose certain information as follows:

  • To Eshopbox employees: For diagnosing and resolving technical issues, providing customer support, or fulfilling contractual obligations. Access is granted on a need-to-know basis.

  • To service providers: Eshopbox may engage third-party vendors or partners to perform services such as billing, cashback, survey administration, reconciliation, complaint management, technical or customer support, data analytics, and cloud storage. Such disclosures will be governed by contractual obligations ensuring data security and compliance with the DPDP Act.

  • To business partners for service alerts: Eshopbox may share limited information with business partners to notify you about new services, provided that such communication complies with notice and consent requirements under the DPDP Act. Customers may withdraw consent at any time by opting out or unsubscribing from alerts.

  • In corporate transactions: In the event of a merger, acquisition, insolvency, restructuring, asset sale, financing, or other business transition, personal data may be transferred to relevant parties under legally binding confidentiality agreements, ensuring continued data protection.

  • To third-party service providers: Eshopbox may engage third-party companies or individuals to process personal data on its behalf for business operations, subject to compliance with purpose limitation, data minimization, and security safeguards mandated by law. Third-party transfers will be carried out only with explicit consent, unless otherwise exempted under the DPDP Act.

  • To Eshopbox affiliates: Personal data may be shared with corporate affiliates, parent entities, and subsidiaries, subject to intra-group data-sharing agreements ensuring data protection measures.

  • For legal and security purposes: Eshopbox may disclose personal data when necessary to comply with applicable laws, legal processes, or government requests, including responding to law enforcement or regulatory inquiries, court orders, or statutory obligations under the DPDP Act.

  • For fraud prevention and protection: Data may be disclosed to detect, investigate, and prevent fraud, unauthorized transactions, cybersecurity risks, or potential threats to the safety of individuals or Eshopbox’s business interests.

Eshopbox ensures that all disclosures adhere to data protection principles under the DPDP Act, 2023, and that personal data is shared only for legitimate purposes, with adequate safeguards in place.

6. Use of cookies

Eshopbox, along with its vendors and service providers, uses cookies and similar technologies ("Cookies") to automatically collect information, measure and analyze website usage, enhance user experience, and improve Eshopbox services in compliance with the Digital Personal Data Protection (DPDP) Act, 2023.

Cookies are small files placed on your device that enable the Website to provide certain features and functionality. By continuing to use our Website, you consent to the use of Cookies, unless you choose to manage your preferences.

Additionally, Eshopbox allows business partners, advertising networks, and third-party analytics providers to collect information about your online activities using Cookies. These third parties may:

  • Use collected data to display advertisements tailored to your interests and preferences across different platforms.

  • Link your contact or subscriber information with your website activity across devices using email, log-in credentials, or device identifiers.

Eshopbox ensures that such third-party data processing aligns with purpose limitation, security safeguards, and consent requirements mandated under the DPDP Act. However, Eshopbox is not responsible for the privacy practices of these third parties, and their data handling is governed by their respective policies.

Managing Cookies & Your Rights

You have the right to refuse, disable, or delete Cookies through your browser settings or Cookie preference tools available on the Website.

Your opt-out selection is device and website-specific—you may need to adjust your settings separately for each device or website session.

Disabling Cookies may limit certain functionalities of the Website, potentially affecting your user experience.

7. Security of data

Eshopbox takes the security of your data seriously and implements industry-standard measures to protect it from loss, misuse, unauthorized access, or disclosure.

To enhance its Website and services, Eshopbox may use multiple sources of data. However, in compliance with the DPDP Act, 2023, Eshopbox does not use any of your Personal Information for development purposes without explicit consent, unless permitted by applicable law.

Eshopbox maintains strict security measures, including encryption, access controls, and periodic security audits, to safeguard your data. While Eshopbox follows industry best practices to protect personal data, no security system is completely foolproof. In the event of a personal data breach that is likely to cause harm, Eshopbox will notify you at your registered email address, as required under the DPDP Act.

By accessing the Website, you acknowledge that you have read and agreed to abide by these terms. Eshopbox may include links to websites of partner networks, advertisers, and affiliates. These third-party websites have their own privacy policies, and Eshopbox is not responsible for their practices. Users are advised to review the privacy policies of these third-party sites before providing any personal information.

8. Data to third party websites

Eshopbox does not provide your Personal Information to advertisers or any third party without a lawful basis and necessary safeguards, in accordance with the DPDP Act, 2023.

However, Eshopbox engages third-party service providers, including Amazon Web Services (AWS), to host and process data for the Website. These service providers operate under strict contractual obligations to ensure data security and confidentiality.

9. Force majeure

Notwithstanding anything contained in this Privacy Policy or elsewhere, Eshopbox shall not be held responsible for any loss, damage or misuse of your user information, if such loss, damage or misuse is attributable to a Force Majeure Event.

"Force Majeure Event" shall mean any event that is beyond Eshopbox's reasonable control and shall include without limitation, sabotage, fire, flood, explosion, acts of God, epidemic or pandemic, civil commotion, strikes or industrial action of any kind, riots, insurrection, war, acts of government, network errors, computer hacking, technical snags, unauthorized access to computer data and storage device, breach of security and encryption and any other like event beyond Eshopbox's control.

10. Your rights

Eshopbox is committed to ensuring that individuals have control over their Personal Information in compliance with applicable data protection laws, including the Digital Personal Data Protection (DPDP) Act, 2023, and the General Data Protection Regulation (GDPR) where applicable.

Rights of Individuals Under the DPDP Act, 2023 (For Indian Residents)

If you are a resident of India, you have the following rights under the DPDP Act, 2023:

  • Right to Access: You can request confirmation on whether Eshopbox is processing your personal data and obtain access to such data.

  • Right to Correction and Erasure: You can request correction, completion, or deletion of your personal data if it is inaccurate, outdated, or no longer required for the stated purpose.

  • Right to Grievance Redressal: If you have any concerns regarding the processing of your personal data, you have the right to file a grievance with Eshopbox. If unsatisfied with the resolution, you may escalate it to the Data Protection Board of India.

  • Right to Consent Management: Where data processing is based on consent, you can withdraw your consent at any time, subject to legal and contractual limitations. However, withdrawal does not affect processing carried out before such withdrawal.

  • Right to Nominate: You can nominate another person to exercise your data rights in case of incapacity or death.

Rights of Individuals in the European Economic Area (EEA) under GDPR

If you are a resident or citizen of the European Union (EU) or the European Economic Area (EEA), Eshopbox will collect, store, process, and control your personal data in accordance with our Data Protection Policy (DPA) under GDPR (Annexure A). Subject to legal exemptions, you may have the following rights:

  • Right to Access and Data Portability: You may request confirmation of whether Eshopbox processes your personal data and request a copy of it in a structured, machine-readable format.

  • Right to Rectification and Erasure: You can request correction, deletion, or restriction of processing where data is inaccurate or unlawfully processed.

  • Right to Withdraw Consent: If processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing.

  • Right to Object to Processing: You may object to processing based on legitimate interest unless Eshopbox demonstrates compelling legitimate grounds. You also have the right to object to processing for direct marketing purposes.

  • Right to Lodge Complaints: You can file complaints with the relevant data protection authority in the EEA if you believe your rights have been violated.

Identity Verification and Response Time

Before responding to requests for data rights, Eshopbox may require verification of your identity or account details. Requests will be processed within one month of receiving a valid request, subject to applicable legal provisions.

11. Children information

Eshopbox prioritizes the protection of children’s personal data while they use the internet. Eshopbox encourages parents and guardians to monitor, guide, and participate in their child’s online activities to ensure a safe browsing experience.

In compliance with the Digital Personal Data Protection (DPDP) Act, 2023, Eshopbox does not knowingly collect, process, or store personal data from children under the age of 18 without verifiable parental consent.

If you believe that your child has provided personal information on the Website without parental consent, we strongly encourage you to contact us immediately.

Upon verification, Eshopbox will take prompt steps to delete such information from its records in accordance with applicable legal obligations.

12. Change in privacy policy

Eshopbox reserves the right to update, modify, or amend any terms of this Privacy Policy at any time, in compliance with the Digital Personal Data Protection (DPDP) Act, 2023. Any updates will be reflected on this page, and Eshopbox encourages you to periodically review the Privacy Policy. Your continued use of the Website after any changes constitutes your acceptance of the revised Privacy Policy.

Eshopbox understands that all Personal Information provided by you is voluntary. The collection, use, and disclosure of Personal Information require your express consent, except where processing is permitted under the DPDP Act or other applicable legal grounds. By accessing or using the Website, or otherwise providing Eshopbox with your Personal Information, you consent to its collection, use, storage, transfer, and disclosure as per this Privacy Policy.

If there is a change in applicable data protection laws in India, your explicit consent to Eshopbox's continued processing of your Personal Information will be assumed to the extent permitted under such law. However, Eshopbox may contact you to obtain additional consents or approvals where legally required. If you choose not to provide such consent, Eshopbox may be unable to continue providing access to the Website or related services.

You may choose to withdraw consent or request deletion of your Personal Information. However, in such cases, Eshopbox may be unable to provide you with certain services or Website functionalities that require the processing of such data.

13. Retention of information

Eshopbox ensures that your Personal Information is retained only for as long as necessary in compliance with the Digital Personal Data Protection (DPDP) Act, 2023 and other applicable laws.

Eshopbox will implement measures to ensure that your Personal Information is securely deleted or anonymized within five (5) years from the date it is reasonable to assume that:

  • The purpose for which it was collected is no longer being served, and

  • Retention is no longer necessary for legal, regulatory, or business purposes.

If you wish for Eshopbox to stop processing your Personal Information in accordance with this Privacy Policy, you may contact Eshopbox to withdraw consent or request deletion of your data.

However, Eshopbox reserves the right to retain, store, and use anonymized or aggregated data for legitimate business purposes, including improving its services. Once anonymized, data may be retained indefinitely, as it no longer identifies you personally.

Please note that withdrawing consent for the use of your Personal Information may result in restricted access to the Website or termination of any existing relationship with Eshopbox if the data is essential for service provision.

14. Disclaimer

Eshopbox implements reasonable security measures to protect your Personal Information. However, despite best efforts, no security system is completely foolproof, and Eshopbox cannot guarantee absolute protection against unauthorized disclosures or breaches beyond its control.

While Eshopbox is committed to safeguarding your privacy, it does not warrant or guarantee that your Personal Information or private communications will always remain confidential. Any transmission of data over the internet carries inherent risks, and you acknowledge and accept this risk when using the Website.

As a user, you assume full responsibility and risk for:

  • Your use of the Website and any associated services,

  • The information you post, share, or access, and

  • Your conduct on and off the Website, including interactions with third parties.

Eshopbox disclaims liability for unintentional disclosures due to security vulnerabilities, cyberattacks, or other unforeseen circumstances. Users are encouraged to take necessary precautions to protect their personal information while using the internet.

15. Indemnity

You agree to indemnify, defend, and hold harmless Eshopbox, its affiliates, officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising out of:

  • Your disclosure of information to third parties, whether through Eshopbox’s Website or any other means.

  • Your use and access of third-party websites, services, or resources.

  • Any breach of this Privacy Policy or violation of applicable laws related to data protection.

Eshopbox assumes no liability for any actions, misuse, or breaches by third parties concerning your Information or Personal Information that you have voluntarily disclosed to such third parties. Users are responsible for ensuring the security and confidentiality of their data when engaging with external platforms or entities.

16. Grievance officer and contact information

In accordance with the IT Act and rules made thereunder, the name and contact details of the Grievance Officer are provided below. If you have any concerns or questions in relation to the Eshopbox Website or this Privacy Policy, you may address them to the Eshopbox grievance officer.

Name: Mayur Karwa

Data Processing Agreement (DPA)

1. Introduction

This Data Protection Policy ("DPA") has been developed to comply with the General Data Protection Regulation (GDPR) and the Digital Personal Data Protection (DPDP) Act, 2023 of India. It applies to all entities that collect or process personal data of individuals within the European Economic Area (EEA) under GDPR and within India under the DPDP Act.

This DPA is an integral part of all agreements currently in place between you and ESHOPBOX E-COMMERCE PRIVATE LIMITED, a company incorporated under the Companies Act, 2013, with its registered office at [ ]. By entering into any agreement with the Company, you agree, without limitation or qualification, to adhere to this DPA. You also confirm that you have the authority to legally bind yourself and any personnel, representatives, or affiliates operating under such an agreement.

The Company reserves the right to modify or update this DPA at any time, and any changes will take effect immediately upon posting. We encourage you to periodically review the DPA for any updates.

2. Definitions

For the purposes of this DPA, the following definitions apply:

  • "Affiliate" refers to any entity that owns, controls, is owned or controlled by, or is under common ownership with a party.

  • "Data Protection Laws" encompass all applicable privacy and data protection laws and regulations, including GDPR and the DPDP Act, 2023.

  • "Data Subject" refers to an individual whose Personal Data is being processed.

  • "DPBI" is the Data Protection Board of India, responsible for enforcing the DPDP Act, 2023.

  • "Personal Data" includes any information related to an identifiable individual as defined by applicable Data Protection Laws.

  • "Processing" refers to actions such as collecting, using, storing, sharing, or deleting Personal Data.

  • "Security Breach" means any unauthorized access, disclosure, or loss of Personal Data.

3. Processing of Personal Data

Both parties acknowledge that they act as independent Controllers when processing Personal Data. Each party agrees to:

  • Ensure compliance with GDPR for EEA data and the DPDP Act for Indian data.

  • Maintain proper records of Processing activities as required under applicable laws.

  • Collect and process personal data in a lawful, fair, and transparent manner.

  • Provide mechanisms to enable Data Subjects to exercise their rights under applicable laws.

4. Data Subject Rights

Each party is responsible for handling Data Subject requests, which include:

  • Right to Access, Correction, and Deletion (GDPR & DPDP Act)

  • Right to Withdraw Consent at Any Time (DPDP Act)

  • Right to File Complaints with the Data Protection Board of India (DPBI) (DPDP Act)

  • Right to Object to Automated Processing (GDPR)

Each party shall provide reasonable and timely assistance to facilitate compliance with these rights.

5. Parental Consent for Minors

  • Under the DPDP Act, 2023, organizations must obtain parental consent before processing the personal data of individuals under 18 years of age.

  • Platforms must verify parental consent using official identification methods such as government-issued IDs or virtual authentication tools.

  • Failure to comply with this requirement may result in penalties under the DPDP Act.

6. Security Breach Notification

  • If a Security Breach occurs, the affected party must report it to the DPBI within 72 hours.

  • If the breach impacts EU residents, it must also be reported to the relevant Supervisory Authority under GDPR.

  • The notification should include details of the breach, its impact, and the remedial measures taken.

  • Companies may also be required to notify affected individuals if instructed by the DPBI or GDPR authorities.

7. Data Transfers

  • For EU data transfers, GDPR Standard Contractual Clauses (SCCs) apply.

  • For Indian data transfers, DPDP Act restrictions apply, meaning data can only be transferred to jurisdictions approved by the Government of India.

  • No cross-border data transfers shall occur without adequate legal safeguards in place.

8. Sub-Processing

  • Data Controllers must approve any sub-processors before they handle Personal Data.

  • Sub-processors must implement the same level of data protection as required under GDPR and the DPDP Act.

9. Return and Deletion of Personal Data

  • Upon termination of the Agreement, both parties must delete all Personal Data within 60 days.

  • Backup copies must also be securely deleted unless retention is required by law.

10. Governing Law & Jurisdiction

  • For Data Subjects in the EU, GDPR applies, and disputes will be subject to the jurisdiction of relevant EU courts.

  • For Data Subjects in India, the DPDP Act, 2023 applies, and disputes will be resolved under Indian laws and courts.

11. Liability & Penalties

  • Both parties agree that liability for non-compliance shall be shared based on the level of responsibility.

  • Organizations violating the DPDP Act may face fines up to ₹250 crore.

  • GDPR penalties can be up to €20 million or 4% of the company's global turnover.

12. Miscellaneous

  • This DPA supersedes previous agreements related to data protection.

  • Nothing in this DPA affects either party’s intellectual property rights.

  • This DPA becomes effective from the date of execution of the Agreement and remains valid until all data is deleted.