DPDP notice template
Short answer
This is a free, ready-to-fill notice template for anyone collecting personal data in India under the DPDP Act. It covers every item Section 5 and the DPDP Rules require: an itemised list of what you collect and why, a link to act on it, how to withdraw consent, how to exercise rights, how to raise a grievance, and how to complain to the Data Protection Board. Fill in the bracketed fields, delete rows you don’t need, and give it to people before you collect their data — not buried in a policy after.
Educational resource only. This provides a template for the notice requirement under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and its Rules; it is not formal legal advice, and you should have it reviewed for your own specific data collection before you use it.
On this page
- What this template is (and when you need it)
- The template — copy and fill in
- How to fill it in
- What this template doesn’t cover
- FAQ
The situation
Starting a notice from a blank page means guessing at what the law actually requires you to say. This template starts you from the full list instead — fill in your specifics, and every mandatory item is already accounted for.
What this template is (and when you need it)
A notice is the plain-language statement you show someone at or before you collect their personal data — this template is a ready-made starting point for writing yours. It’s built directly off the itemised requirements in Section 5 of the DPDP Act and Rule 3 of the DPDP Rules. Use it anywhere you capture personal data — a signup form, a checkout page, a document-upload step, an app’s onboarding flow. It is not the same as your full privacy policy (see “What a DPDP privacy notice must contain” for that distinction) — a notice is shorter, purpose-specific, and shown at the moment of collection.
The template — copy and fill in
Copy everything below, replace the bracketed fields with your own details, and delete any row that doesn’t apply to you.
Notice
Last updated: [DATE]
[Your Business/Product Name] (“we”, “us”) collects the following personal data when you [the action]:
What we collect, and why:
| Personal data | Purpose |
|---|---|
| Name | [purpose] |
| Email address | [purpose] |
| [Document Name] | [purpose] |
Add one row per additional field you collect — one data type and one purpose per row (for example, Name → “To personalise your account”; Email address → “To send confirmations and updates”). Don’t combine multiple fields into a single row.
This data enables [the purpose]. You can act on this notice, or review our full policy, at [link].
How to withdraw consent: You can withdraw your consent at any time by [method]. Withdrawing is as easy as giving consent was, and it won’t affect anything already done lawfully before you withdrew.
Your rights: You can ask us to let you access, correct, or erase your personal data, or nominate someone to act on your behalf, by [method].
Grievance redressal: If you have a concern about how we’ve handled your data, contact our Grievance Officer: [Name], [email address]. We will respond within [timeframe].
Complaints: If you’re not satisfied with our response, you can complain to the Data Protection Board of India.
How to fill it in
Every bracketed field maps to something Section 5 or Rule 3 actually requires — none of them are optional filler. Show it before you collect data, not after — adding a notice retroactively doesn’t make consent gathered earlier “informed.”
- [the action]
- What it means: The specific thing someone is doing when you collect their data.
- Examples: Creating an account, placing an order, submitting a form.
- [Document Name]
- What it means: The name of any field you collect beyond Name and Email. Pick the one field this row is for — add a separate row for each additional field instead of listing several in one row.
- Examples: Phone Number, PAN, Aadhaar, or another ID document.
- [purpose]
- What it means: The specific reason you collect that field, in plain language. Never a vague catch-all like “to improve our services.”
- Examples: “To personalise your account,” “To send order confirmations,” “To verify your identity by OTP.”
- [link]
- What it means: Wherever someone can act on this notice or read your full policy.
- Examples: Your website, your app, or a dedicated privacy policy page.
- [method]
- What it means: However someone can actually reach you to withdraw consent or exercise a right.
- Examples: Emailing [email protected], or using a “Manage consent” setting in your account.
- [Name], [email address], [timeframe] — your Grievance Officer
- What it means: A real person or role handling grievances, not a generic support inbox, plus a real response timeframe you hold yourself to — it’s the clock a complainant can rely on before escalating to the Board.
- Examples: “Data Protection Officer,” “[email protected],” “30 days.”
What this template doesn’t cover
This is a notice, not your whole compliance programme — and it isn’t legal advice. It doesn’t cover consent-flow design (see “DPDP consent, explained”), your broader privacy policy, data security, retention schedules, or sector-specific requirements. It also doesn’t replace a lawyer’s review of your specific data collection — treat it as a complete starting structure, not a substitute for checking it fits what you actually do.
FAQ
Is this template legally binding as-is? No. It’s a starting structure covering the items DPDP requires a notice to contain. Fill it in accurately for what you actually collect, and have it checked against your own situation before you rely on it.
Is a notice the same as a privacy policy? No. A notice is shorter and purpose-specific, shown at the point of collection. A privacy policy is your broader standing document — see “What a DPDP privacy notice must contain” for the full distinction.
Can I use one notice for my whole app, or do I need a separate one per form? You need a notice covering whatever data you’re collecting at that specific point of collection. Different forms collecting different data need their own itemised list — reuse the same template structure for each.
Related reading
- What a DPDP privacy notice must contain — the full requirement this template is built from.
- DPDP consent, explained — the standard the notice has to make “informed.”
- What is a DPDP notice? — the one-line definition.
- How to collect personal data compliantly under DPDP — where the notice fits in your overall intake process.
Reviewed by Confidential Dispatch Editorial Team
Last updated 9 July 2026
Not legal advice.