DPDP privacy notice template
Short answer
This is a free, ready-to-fill privacy notice template for anyone collecting personal data in India under the DPDP Act. It covers every item Section 5 and the DPDP Rules require: an itemised list of what you collect and why, a link to act on it, how to withdraw consent, how to exercise rights, how to raise a grievance, and how to complain to the Data Protection Board. Fill in the bracketed fields, delete rows you don’t need, and give it to people before you collect their data — not buried in a policy after.
Educational resource only. This provides a template for the notice requirement under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and its Rules; it is not formal legal advice, and you should have it reviewed for your own specific data collection before you use it.
On this page
- What this template is (and when you need it)
- The template — copy and fill in
- How to fill it in
- What this template doesn’t cover
- FAQ
The situation
Starting a notice from a blank page means guessing at what the law actually requires you to say. This template starts you from the full list instead — fill in your specifics, and every mandatory item is already accounted for.
What this template is (and when you need it)
A notice is the plain-language statement you show someone at or before you collect their personal data — this template is a ready-made starting point for writing yours. It’s built directly off the itemised requirements in Section 5 of the DPDP Act and Rule 3 of the DPDP Rules. Use it anywhere you capture personal data — a signup form, a checkout page, a document-upload step, an app’s onboarding flow. It is not the same as your full privacy policy (see “What a DPDP privacy notice must contain” for that distinction) — a notice is shorter, purpose-specific, and shown at the moment of collection.
The template — copy and fill in
Copy everything below, replace the bracketed fields with your own details, and delete any row that doesn’t apply to you.
Privacy Notice — [Your Business/Product Name]
Last updated: [DATE]
[Your Business/Product Name] (“we”, “us”) collects the following personal data when you [describe the action — e.g. “create an account,” “place an order,” “submit this form”]:
What we collect, and why:
| Personal data | Purpose |
|---|---|
| [e.g. Name] | [e.g. To personalise your account] |
| [e.g. Email address] | [e.g. To send order confirmations and updates] |
| [e.g. Phone number] | [e.g. To verify your identity by OTP] |
| [Add one row for every field you actually collect] |
This data enables [the specific goods, services, or functions this depends on — e.g. “processing and delivering your order”]. You can act on this notice, or review our full policy, at [link to your website/app/privacy policy page].
How to withdraw consent: You can withdraw your consent at any time by [describe the method — e.g. “emailing [email protected]” or “using the ‘Manage consent’ setting in your account”]. Withdrawing is as easy as giving consent was, and it won’t affect anything already done lawfully before you withdrew.
Your rights: You can ask us to let you access, correct, or erase your personal data, or nominate someone to act on your behalf, by [describe the method — e.g. “emailing [email protected]”].
Grievance redressal: If you have a concern about how we’ve handled your data, contact our Grievance Officer: [Name], [email address]. We will respond within [your stated timeframe].
Complaints: If you’re not satisfied with our response, you can complain to the Data Protection Board of India.
How to fill it in
Every bracketed field maps to something Section 5 or Rule 3 actually requires — none of them are optional filler.
- List every data field you genuinely collect, one row at a time — not a vague “we collect data to serve you.”
- State the exact purpose next to each field. “To improve our services” is too vague; “to verify your identity by OTP” is specific enough to pass.
- Name a real person or role as your Grievance Officer — not just a generic support inbox.
- Set a real response timeframe and hold yourself to it — it’s the clock a complainant can rely on before escalating to the Board.
- Show it before you collect, not after. Adding a notice retroactively doesn’t make consent gathered earlier “informed.”
What this template doesn’t cover
This is a notice, not your whole compliance programme — and it isn’t legal advice. It doesn’t cover consent-flow design (see “DPDP consent, explained”), your broader privacy policy, data security, retention schedules, or sector-specific requirements. It also doesn’t replace a lawyer’s review of your specific data collection — treat it as a complete starting structure, not a substitute for checking it fits what you actually do.
FAQ
Is this template legally binding as-is? No. It’s a starting structure covering the items DPDP requires a notice to contain. Fill it in accurately for what you actually collect, and have it checked against your own situation before you rely on it.
Is a notice the same as a privacy policy? No. A notice is shorter and purpose-specific, shown at the point of collection. A privacy policy is your broader standing document — see “What a DPDP privacy notice must contain” for the full distinction.
Can I use one notice for my whole app, or do I need a separate one per form? You need a notice covering whatever data you’re collecting at that specific point of collection. Different forms collecting different data need their own itemised list — reuse the same template structure for each.
Related reading
- What a DPDP privacy notice must contain — the full requirement this template is built from.
- DPDP consent, explained — the standard the notice has to make “informed.”
- What is a DPDP notice? — the one-line definition.
- How to collect personal data compliantly under DPDP — where the notice fits in your overall intake process.
Reviewed by Confidential Dispatch Editorial Team
Last updated 9 July 2026
Not legal advice.