Critical Red Flags
Generic Copy-Paste: Using a US template that fails to mention the Indian Digital Personal Data Protection (DPDP) Act.
No Data Protection Officer (DPO): Missing the mandatory contact point for user grievances.
Hidden Data Monetization: Clauses that allow selling your 'anonymized' data to 3rd party brokers.
Silent on Sub-Processors: Failing to disclose that you share user data with AWS, Stripe, or Google Analytics.
Must-Have Clauses
Explicit Consent Logic: How you collect and withdraw consent (Opt-out/Opt-in).
Purposes of Processing: Exactly why you need every piece of data (e.g., 'for shipping' v/s 'for marketing').
User Rights (Access/Deletion): Clear instructions on how a user can request their data be deleted permanently.
Cookie & Tracking Transparency: Detailed list of which cookies are 'necessary' versus 'marketing' trackers.
Analyze Your Privacy Policy Instantly
Upload your PDF and let our AI check for all these risks in 60 seconds.
What Is a Privacy Policy?
A Privacy Policy is a legally binding document used for informing users about what data is collected, how it is processed, stored, shared, and protected, and what rights they have regarding their personal data under Indian law. In India, this agreement is governed by the Digital Personal Data Protection (DPDP) Act, 2023; Information Technology Act, 2000; IT (Reasonable Security Practices) Rules, 2011 and related sector-specific regulations.
Without a well-drafted Privacy Policy, both parties are exposed to significant legal and financial risk. Contract Shield provides a professionally reviewed Privacy Policy template that you can download and use immediately, or upload your existing agreement to our AI analyzer for a comprehensive risk report.
5 Critical Clauses in Every Privacy Policy
Before signing or issuing a Privacy Policy, these are the five clauses that require the closest attention:
Data Collected and Purpose
Must clearly list every category of personal data collected (name, email, IP address, payment information, usage data) and the specific, lawful purpose for each category.
Legal Basis for Processing
The DPDP Act 2023 requires explicit, informed, and specific consent for each category of data processing. The policy must identify the legal basis (consent, legitimate interest, legal obligation) for each processing activity.
Data Retention Period
Data should not be retained longer than necessary for the stated purpose. Specify retention periods for each data category. Indefinite retention is non-compliant with the DPDP Act 2023.
Data Sharing with Third Parties
List all third-party processors (cloud hosting, analytics, payment gateways, marketing tools) and the purposes for which data is shared. Each third party should have a Data Processing Agreement in place.
Data Principal Rights
Under the DPDP Act 2023, users have the right to access, correct, erase, and nominate a data fiduciary. The policy must explain how to exercise these rights and provide a Data Protection Officer contact.
Legal Requirements Under Indian Law
A privacy policy is mandatory under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 for any entity collecting sensitive personal data. Under the DPDP Act 2023, data fiduciaries must publish a privacy policy accessible from the signup/login page. Violations may attract penalties up to Rs 250 crore per instance.
⚡ Analyze Before You Sign
Contract Shield's AI reads your Privacy Policy line-by-line, identifies hidden liabilities, and explains every risk in plain English — in under 60 seconds. Run a free risk scan →
Frequently Asked Questions
Is a privacy policy legally required in India?
Yes. Any website or app collecting personal data from Indian users must have a privacy policy under the IT (SPDI) Rules, 2011. The DPDP Act 2023 reinforces this requirement with significantly higher penalties for non-compliance.
What is the difference between a privacy policy and terms of service?
A privacy policy explains how personal data is handled. Terms of Service govern the contractual relationship between the user and the platform — usage rules, content policies, and dispute resolution. Both are legally distinct and both are required.
Does a mobile app need a separate privacy policy?
The same privacy policy can cover both web and mobile, provided it specifically addresses mobile-specific data collection (location, camera, microphone, contacts). App store submission requires a published privacy policy URL.
Frequently Asked Questions
Does my website need a privacy policy under the DPDP Act 2023?
Yes. Under the Digital Personal Data Protection (DPDP) Act 2023, any website collecting personal data of Indian users must serve a clear privacy policy and consent notice outlining data collection purposes.
What are the penalties for non-compliance with India's DPDP Act?
Non-compliance, including processing personal data without explicit consent or failing to report data breaches, can result in penalties up to Rs 250 crore from the DPDP Board.
Is cookie consent mandatory for Indian websites?
Yes, if cookies track personal user identifiers. Under the DPDP Act, tracking or profiling requires explicit, unambiguous, and revocable consent from the user.