Everything you need for DPDP Act compliance
DPDP Guard is a compliance platform for India's Digital Personal Data Protection Act, 2023 and Rules, 2025. It brings consent management, an AI privacy-policy generator, data-principal rights, 72-hour breach reporting, grievance redressal, and cookie scanning into one place — so Data Fiduciaries can capture lawful consent, honour individual rights, and stay audit-ready.
Capture provable, granular consent before a single tracker fires
A drop-in consent banner presents your published notice and records each visitor's per-purpose choices with an immutable audit trail — the lawful basis the DPDP Act requires before processing personal data.
An Indian e-commerce store embeds the banner; a shopper accepts analytics but declines marketing. The choice, timestamp, and notice version are stored, so if the Data Protection Board audits, the company can produce per-user consent evidence.
- Drop-in banner script, deployed and themed per domain group
- Per-purpose consent (e.g. analytics vs. marketing) with an immutable audit trail
- Switch legislation modes — DPDP, GDPR or CCPA — from a live-preview designer
- Configurable layout, position, branding and language

Generate a DPDP-ready privacy policy in minutes, not weeks
A guided wizard collects how your organisation handles data, then an AI agent drafts a Digital Personal Data Protection Act–aligned privacy policy you can version, publish, and host at a public URL.
A seed-stage startup with no in-house counsel completes the wizard, generates a first-draft policy, edits it, and publishes it to a shareable page — instead of waiting weeks for an external law firm.
- Seven-step wizard captures company, data-handling and third-party-sharing details
- An AI agent drafts the policy and streams its progress live
- Save drafts, keep versions, and publish when ready
- Serve the active policy at a public, always-current URL (/policy/your-org)

Give people a self-service portal for their data-principal rights
Individuals get their own dashboard to view and withdraw active consents, raise rights requests, and nominate a representative — and every request is logged against your organisation with a status the principal can track.
A customer withdraws marketing consent, files an erasure request for old orders, and nominates a family member to act on their behalf if they are incapacitated — all without emailing support.
- View and withdraw any active consent
- Raise access/summary, correction and erasure requests
- Nominate a representative to exercise rights on your behalf
- Track the live status of every request you have raised

Hit the DPDP 72-hour breach report — every time
Log a data breach and the platform immediately queues intimation to the affected principals and the Data Protection Board, schedules the statutory 72-hour detailed-report reminder, and tracks each notification milestone through to the detailed report — the two-stage response the DPDP Rules, 2025 require.
A SaaS company discovers a breach and records it. The platform immediately queues intimation to the affected users and the Board and sets a 72-hour reminder to file the detailed report, and the team marks each milestone — users notified, Board notified, detailed report submitted — as it is completed.
- Central breach register with status from first intimation to detailed report
- On report, automatically queues intimation to affected principals and the Board
- Schedules the statutory 72-hour detailed-report reminder the moment a breach is logged
- Track each milestone — users notified, Board notified, detailed report submitted
- Aligned to the DPDP Rules, 2025 (Rule 7 — intimation of personal data breach)

Resolve grievances on a clock your DPO can defend
Data principals raise grievances from their dashboard; your team responds within a configurable SLA with automatic due-date tracking — satisfying the DPDP Act's mandate for an accessible grievance mechanism.
A customer submits a complaint about how their data was used. The DPO sees it in a queue with a due date, investigates, and posts a documented resolution well inside the SLA.
- Self-service grievance submission for data principals
- Configurable SLA with automatic due dates
- A response queue and resolution trail for your DPO

Find every cookie and tracker running on your sites
Scan your domains with a dedicated scanning worker, then review a categorised inventory of the trackers actually loading — so the consent categories you offer match what your site really does.
A marketing team scans their domain and discovers an undeclared ad-tech pixel a vendor added months ago. They classify it under Marketing so it is only loaded after consent.
- Domain scans dispatched to a dedicated scanning worker
- Trackers categorised as Essential, Analytics, Marketing or Preferences
- Inventory feeds the categories your consent banner presents
Run one consent setup across every brand and domain
Group your primary and alias domains under a single configuration and share consent across them — so multi-site and multi-brand organisations manage every property from one place.
A media company links brand.com and brand.in as aliases in one domain group, so a consent decision captured on one site is honoured on the other.
- Group primary and alias domains together
- Share consent across aliased domains
- Per-group banner settings for distinct brands

See your compliance posture in one dashboard
Track consent-acceptance trends, tracker-category distribution, and a single organisation-wide compliance score — the readiness metrics leadership actually asks for.
Before a board meeting, a DPO opens the dashboard, reviews the month's consent-acceptance trend, and reports the current compliance score along with the gaps behind it.
- Consent-acceptance trends over time
- Tracker-category distribution across your sites
- A single organisation compliance score with key metrics

Prove lawful processing with retention rules and audit logs
Define retention rules for each data category and review immutable processing logs and the consent audit trail — the evidence you need to demonstrate storage limitation and lawful processing.
A compliance officer sets a rule to delete inactive accounts after three years, then during an internal audit pulls the processing-activity log to show exactly what was done, when, and on what basis.
- Define retention rules per data category
- Backed by scheduled-erasure infrastructure
- Immutable processing logs and consent audit trail for reviews

Protect children's data with age-gating and parental consent
Prompt visitors for their age status, flag accounts that belong to a child, and begin a parental-consent step for minors by collecting a parent's email — the heightened protection the DPDP Act requires for the data of children.
A user self-identifies as under 18. The app records the child status and prompts for a parent's email to begin parental consent, applying the DPDP Act's heightened protection before a child's data is processed.
- Age-status prompt that self-identifies and gates minors
- Child-account flagging
- A parental-consent step that collects a parent's email for minors

Frequently asked questions
What is the DPDP Act, 2023?
The Digital Personal Data Protection Act, 2023 is India's comprehensive personal-data protection law. It establishes the Data Protection Board of India — the body that adjudicates non-compliance — and the Digital Personal Data Protection Rules, 2025 operationalise the Act's obligations for data fiduciaries.
Who is a Data Fiduciary and who is a Data Principal under the DPDP Act?
Under the DPDP Act, 2023 a Data Fiduciary is the entity that alone or with others determines the purpose and means of processing personal data (comparable to a controller under the GDPR), and a Data Principal is the individual to whom the personal data relates. DPDP Guard gives Data Fiduciaries the tooling to meet their obligations and gives Data Principals a self-service portal to exercise their rights.
Does DPDP Guard help with the DPDP Act's 72-hour breach notification?
Yes. When you report a breach, DPDP Guard immediately queues intimation to the affected data principals and to the Data Protection Board, then schedules a reminder for the detailed report due within 72 hours. This mirrors the two-stage duty in Rule 7 of the DPDP Rules, 2025 (notified 13 November 2025): an initial intimation to the Board without delay, followed by a detailed report within 72 hours.
Can I collect granular cookie consent with DPDP Guard?
Yes. The consent banner captures per-purpose consent — for example analytics versus marketing — with an audit trail, and supports DPDP, GDPR and CCPA legislation modes from a single live-preview designer.
Does DPDP Guard support data-principal rights requests?
Yes. From a self-service portal, individuals can view and withdraw consent, raise access, correction and erasure requests, and nominate a representative — and each request is logged against your organisation with a status the principal can track.
What is the penalty for not reporting a data breach under the DPDP Act?
Under Section 8(6) of the Digital Personal Data Protection Act, 2023, a Data Fiduciary that fails to notify the Data Protection Board or affected Data Principals of a personal data breach can face a financial penalty of up to ₹200 crore. DPDP Guard's Breach Management module queues both notifications automatically when you log a breach, helping you meet this obligation.
Does DPDP Guard scan for cookies and trackers?
Yes. A dedicated scanning worker crawls the domains you add and returns a categorised inventory — Essential, Analytics, Marketing or Preferences — of the cookies and trackers actually loading, so the consent categories your banner presents match what your site really does.
Which industries is DPDP Guard built for?
DPDP Guard is used across regulated, consumer-facing sectors — including BFSI and fintech, e-commerce, telemarketing, and healthcare — wherever Indian businesses process personal data and must meet DPDP Act obligations.
Is DPDP Guard free to start?
Yes. You can create an account and set up your compliance workspace — consent banner, privacy-policy generator, data-principal portal and breach register — at no cost, then scale up as your needs grow.
How does the AI privacy policy generator work?
A step-by-step wizard collects your data-processing details, then an AI agent drafts a DPDP-aligned privacy policy. You can save drafts, keep versions, publish the policy, and host it at a public URL.
Is DPDP Guard suitable for multi-site or multi-brand companies?
Yes. Domain groups let you configure a distinct banner per brand and share consent across aliased domains, so every property is managed from one place.
Ready to become DPDP compliant?
Set up your compliance engine in minutes — register, configure, and go. No lengthy onboarding required.