Confidential Dispatch

DPDP privacy notice template

Short answer

This is a free, ready-to-fill privacy notice template for anyone collecting personal data in India under the DPDP Act. It covers every item Section 5 and the DPDP Rules require: an itemised list of what you collect and why, a link to act on it, how to withdraw consent, how to exercise rights, how to raise a grievance, and how to complain to the Data Protection Board. Fill in the bracketed fields, delete rows you don’t need, and give it to people before you collect their data — not buried in a policy after.

Educational resource only. This provides a template for the notice requirement under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and its Rules; it is not formal legal advice, and you should have it reviewed for your own specific data collection before you use it.

On this page

The situation

Starting a notice from a blank page means guessing at what the law actually requires you to say. This template starts you from the full list instead — fill in your specifics, and every mandatory item is already accounted for.

What this template is (and when you need it)

A notice is the plain-language statement you show someone at or before you collect their personal data — this template is a ready-made starting point for writing yours. It’s built directly off the itemised requirements in Section 5 of the DPDP Act and Rule 3 of the DPDP Rules. Use it anywhere you capture personal data — a signup form, a checkout page, a document-upload step, an app’s onboarding flow. It is not the same as your full privacy policy (see “What a DPDP privacy notice must contain” for that distinction) — a notice is shorter, purpose-specific, and shown at the moment of collection.

The template — copy and fill in

Copy everything below, replace the bracketed fields with your own details, and delete any row that doesn’t apply to you.

Privacy Notice — [Your Business/Product Name]

Last updated: [DATE]

[Your Business/Product Name] (“we”, “us”) collects the following personal data when you [describe the action — e.g. “create an account,” “place an order,” “submit this form”]:

What we collect, and why:

Personal data Purpose
[e.g. Name] [e.g. To personalise your account]
[e.g. Email address] [e.g. To send order confirmations and updates]
[e.g. Phone number] [e.g. To verify your identity by OTP]
[Add one row for every field you actually collect]

This data enables [the specific goods, services, or functions this depends on — e.g. “processing and delivering your order”]. You can act on this notice, or review our full policy, at [link to your website/app/privacy policy page].

How to withdraw consent: You can withdraw your consent at any time by [describe the method — e.g. “emailing [email protected]” or “using the ‘Manage consent’ setting in your account”]. Withdrawing is as easy as giving consent was, and it won’t affect anything already done lawfully before you withdrew.

Your rights: You can ask us to let you access, correct, or erase your personal data, or nominate someone to act on your behalf, by [describe the method — e.g. “emailing [email protected]”].

Grievance redressal: If you have a concern about how we’ve handled your data, contact our Grievance Officer: [Name], [email address]. We will respond within [your stated timeframe].

Complaints: If you’re not satisfied with our response, you can complain to the Data Protection Board of India.

How to fill it in

Every bracketed field maps to something Section 5 or Rule 3 actually requires — none of them are optional filler.

  1. List every data field you genuinely collect, one row at a time — not a vague “we collect data to serve you.”
  2. State the exact purpose next to each field. “To improve our services” is too vague; “to verify your identity by OTP” is specific enough to pass.
  3. Name a real person or role as your Grievance Officer — not just a generic support inbox.
  4. Set a real response timeframe and hold yourself to it — it’s the clock a complainant can rely on before escalating to the Board.
  5. Show it before you collect, not after. Adding a notice retroactively doesn’t make consent gathered earlier “informed.”

What this template doesn’t cover

This is a notice, not your whole compliance programme — and it isn’t legal advice. It doesn’t cover consent-flow design (see “DPDP consent, explained”), your broader privacy policy, data security, retention schedules, or sector-specific requirements. It also doesn’t replace a lawyer’s review of your specific data collection — treat it as a complete starting structure, not a substitute for checking it fits what you actually do.

FAQ

Is this template legally binding as-is? No. It’s a starting structure covering the items DPDP requires a notice to contain. Fill it in accurately for what you actually collect, and have it checked against your own situation before you rely on it.

Is a notice the same as a privacy policy? No. A notice is shorter and purpose-specific, shown at the point of collection. A privacy policy is your broader standing document — see “What a DPDP privacy notice must contain” for the full distinction.

Can I use one notice for my whole app, or do I need a separate one per form? You need a notice covering whatever data you’re collecting at that specific point of collection. Different forms collecting different data need their own itemised list — reuse the same template structure for each.

Related reading

  • What a DPDP privacy notice must contain — the full requirement this template is built from.
  • DPDP consent, explained — the standard the notice has to make “informed.”
  • What is a DPDP notice? — the one-line definition.
  • How to collect personal data compliantly under DPDP — where the notice fits in your overall intake process.

Reviewed by Confidential Dispatch Editorial Team

Last updated 9 July 2026

Not legal advice.