Confidential Dispatch

How to draft a DPDP privacy policy

At a glance

Writing a DPDP-compliant privacy policy starts before you touch the template: know exactly what you collect, your legal basis for each purpose, how long you keep it, and who you share it with. Once you’ve worked that out, filling in the actual policy text takes minutes — figuring out what belongs in it is the part that takes thought. This is your broad, standing document; it doesn’t replace the shorter, purpose-specific notice you still owe someone at the actual point of collection.

Educational resource only. This explains how to work out what belongs in a DPDP privacy policy under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and its Rules; it is not formal legal advice — have your finished policy reviewed against what your business actually does before you publish it.

On this page

The situation

You’ve got a privacy policy — every site has one — but it was probably copied from a template years ago, written for a different law, or drafted by someone who’s never read the DPDP Act. Rewriting it properly means knowing exactly what has to be in there, not just adding an “India” mention to what you already had.

Why your policy still isn’t your DPDP notice

A privacy policy and a DPDP notice do two different jobs — writing a good policy doesn’t let you skip the notice. Your policy is the broad, standing document that explains how your business handles personal data generally; the notice is shorter, purpose-specific, and shown at or before the actual point of collection. See “What a DPDP privacy notice must contain” for the full distinction — the short version here is that you need both, and one can’t substitute for the other.

What a compliant policy actually has to cover

Miss one of these and the policy has a real gap, not just a stylistic one. At minimum, a DPDP-compliant privacy policy needs to state:

  • Who you are — the entity responsible, and how to reach your grievance contact.
  • What you collect, and why — itemised, not lumped into “we may collect information you provide.”
  • Your legal basis — consent for each purpose, or which defined legitimate use (Section 7) you’re relying on instead.
  • How long you keep it — a retention period tied to purpose, not “as long as necessary” left undefined.
  • Who you share it with — your processors (hosting, analytics, email, payment providers), and whether any of them are outside India.
  • The rights people have — access, correction, erasure, and nomination — and how to exercise them.
  • How to raise a grievance, and how to escalate to the Data Protection Board of India if you don’t resolve it.
  • Whether the policy covers children’s data, and if so, how you handle verifiable parental consent.

A policy that’s missing the retention period, doesn’t name a grievance contact, or is silent on where data actually goes has a real gap a regulator or a careful reader will find.

Step by step: from what you do to a finished policy

Work through your actual practices before you work through the template.

  1. List everything you actually collect, and why — feature by feature, not from memory. Walk your real signup, checkout, and account flows; don’t rely on what you think you collect.
  2. For each field, state the specific purpose in plain language. “To improve our services” isn’t a purpose; “to verify your identity by OTP” is.
  3. Decide your legal basis for each purpose — consent, or a defined legitimate use under Section 7 — and how someone can withdraw consent where that’s the basis.
  4. Set a real retention period per data type, and what happens when it ends: deletion, and whether backups are excluded from restoration.
  5. List every processor you share data with, including hosting, analytics, email, and payments — and flag plainly if any of them sit outside India.
Use the template

DPDP privacy policy template — a free, ready-to-fill policy covering every section Section 8 and Rule 3 require. Once you’ve worked out your fields, purposes, retention, and processors above, this is where you drop them in.

  1. Wire in the mandatory actions, not just the mandatory text: a working way to exercise rights, a named Grievance Officer, a real response timeframe, and a route to the Data Protection Board of India. A policy that states these but doesn’t actually connect to a working process isn’t complete.
  2. Get it reviewed against what you actually built, not what you planned to build — the two drift apart more often than teams expect.

Mistakes that quietly break an otherwise good policy

These are the gaps that slip through even a policy that looks thorough at a glance:

  • Vague purpose language — “to improve our services” or “for business purposes” doesn’t meet the itemised-purpose bar. Name the actual purpose.
  • No stated retention period — “as long as necessary” is not a period; state a duration or a clear end-of-purpose trigger.
  • Burying the grievance contact, or naming only a generic support inbox instead of a real Grievance Officer.
  • Treating the policy as the notice — publishing a thorough policy but never showing anything at the actual point of collection.
  • Leaving out cross-border processing — if any processor sits outside India, or processes data on servers outside India, that has to be disclosed, not assumed obvious.

Keeping it accurate as your business changes

A privacy policy is a living document — it’s wrong the moment it stops matching what you actually do. Revisit it whenever you add a new data field, a new processor, or a feature that changes retention or sharing. A policy that was accurate at launch but never updated is arguably worse than one that was always a little thin — it actively misrepresents your current practice.

FAQ

Is a privacy policy the same thing as a DPDP notice? No. The policy is your broad, standing document; the notice is shorter and shown at the specific point of collection. You need both — the policy doesn’t discharge the notice duty.

Do I need a lawyer to write my privacy policy? Not to draft a first version using a process like this one, but have the finished policy reviewed against what your business actually collects and does before you publish it — especially if you handle sensitive data or operate in a regulated sector.

What’s the most commonly missed section? Retention periods and the grievance-escalation path to the Data Protection Board. Both are frequently vague or missing entirely in older policies.

Does my privacy policy need to mention children specifically? Only if your service is directed at, or knowingly used by, anyone under 18. If it isn’t, a plain statement that the service isn’t directed at children is enough; if it is, you need to cover verifiable parental consent.

How often should I update my privacy policy? Whenever something it describes changes — a new data field, a new processor, a new retention period. Don’t treat it as a one-time document.

Reviewed by Confidential Dispatch Editorial Team

Last updated 15 July 2026

Not legal advice.