Legal Information

1. Privacy Policy

This Privacy Policy explains how DPDP Readiness Scanner ("we", "our", "the Service") collects, uses, and protects personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and applicable Indian law.

1.1 Data We Collect

• Work email address — collected at sign-up to verify your organisation identity and send the magic-link login. We accept only professional/work email addresses; personal email providers (Gmail, Yahoo, Hotmail, etc.) are not permitted.
• Organisation name and scan domain — provided by you during onboarding to configure your account.
• Scan URLs and results — the URLs you submit for scanning and the compliance reports we generate are stored and associated with your account.
• Payment information — we do not store card or bank details. Payments are processed by Razorpay; we only retain the Razorpay order ID and payment ID for transaction records.
• Technical logs — IP address, timestamp, and HTTP metadata collected automatically for security and rate-limiting purposes.

1.2 How We Use Your Data

• To authenticate you via magic-link email and maintain your session.
• To run compliance scans and deliver reports linked to your account.
• To process payments and unlock full reports.
• To enforce usage limits (3 scans per domain per account on the free plan).
• To prevent abuse and enforce our rate limits.
• To send transactional emails (magic links, payment receipts). We do not send marketing emails without your explicit consent.

1.3 Legal Basis for Processing

We process your personal data on the basis of your consent, which you provide when you sign up for the Service. You may withdraw consent at any time by requesting account deletion (see Section 1.6). Processing of payment data is also necessary for performance of the contract between us.

1.4 Data Sharing

We do not sell or share your personal data with third parties for advertising or marketing. We share data only with:

• Razorpay — for payment processing (governed by Razorpay's Privacy Policy).
• Email delivery provider — for sending magic-link and transactional emails.
• Infrastructure providers — our hosting and database providers (bound by data processing agreements).

We may disclose data if required by law or a competent government authority under the DPDP Act or other applicable legislation.

1.5 Data Retention

• Scan results are retained for 12 months from the date of the scan.
• Account and authentication data are retained for the lifetime of the account.
• Expired session tokens are deleted within 7 days of expiry.
• Payment records are retained for 7 years as required by Indian financial regulations.

1.6 Your Rights Under the DPDP Act

As a Data Principal, you have the following rights:

• Right to access — request a summary of personal data we hold about you.
• Right to correction — request correction of inaccurate personal data.
• Right to erasure — request deletion of your account and associated personal data.
• Right to grievance redressal — contact our Grievance Officer (see Section 4).
• Right to nominate — nominate an individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, email our Grievance Officer at the address in Section 4. We will respond within 7 business days.

1.7 Security

We implement reasonable technical and organisational security measures including HTTPS, server-side session storage, hashed authentication tokens, and access controls. In the event of a personal data breach, we will notify affected users and the Data Protection Board of India within 72 hours as required by the DPDP Act.

1.8 Cookies

We use a single session cookie to maintain your logged-in state. This cookie is strictly necessary for the Service to function and does not track you across other websites. We do not use advertising or analytics cookies.

2. Terms of Service

By accessing or using DPDP Readiness Scanner ("the Service", "we", "us", "our"), you ("User", "you") agree to be legally bound by these Terms of Service ("Terms"). These Terms constitute a binding contract between you and the operators of DPDP Readiness Scanner. If you do not agree to all of these Terms, you must immediately cease all use of the Service.

These Terms are governed by the Indian Contract Act, 1872, the Information Technology Act, 2000, the Indian Copyright Act, 1957, and all applicable Indian law. By using the Service, you confirm that you have read, understood, and agree to be bound by these Terms in their entirety.

2.1 Eligibility

The Service is intended exclusively for businesses, organisations, and professionals acting in their professional capacity. You must provide a valid professional or work email address (personal email providers such as Gmail, Yahoo, and Hotmail are not accepted). By registering, you represent and warrant that:

• You are at least 18 years of age and have the legal capacity to enter into a binding contract;
• You have the authority to agree to these Terms on behalf of your organisation; and
• Your use of the Service complies with all applicable laws and regulations.

2.2 Permitted Use

Subject to these Terms, we grant you a limited, non-exclusive, non-transferable, revocable licence to access and use the Service solely for the purpose of assessing the DPDPA compliance posture of websites and Android applications that you own or are expressly authorised to test. You may:

• Scan domains that you own or for which you have written authorisation from the domain owner;
• Download, store, and share the compliance reports generated for your own use and internal compliance purposes;
• Share individual report findings with your legal counsel, compliance team, or external auditors for the purpose of your own compliance programme.

2.3 Prohibited Uses

You agree that you will not, and will not permit or facilitate any third party to:

1. Use the Service to scan any domain, website, or application that you do not own or are not expressly authorised to test;
2. Use the Service to perform competitive intelligence or benchmarking on competitors' websites, or to assess third-party organisations' compliance posture without their knowledge and consent;
3. Automate, script, or bot any interaction with the Service beyond what is expressly permitted by our API documentation, including automated submission of scan requests, scraping of scan results, or systematic extraction of output data;
4. Attempt to circumvent, bypass, or defeat any rate limit, scan limit, authentication control, payment gate, or access restriction implemented by the Service;
5. Use the Service for any illegal purpose, including submitting URLs for the purpose of gathering information to facilitate a cyberattack or unlawful intrusion;
6. Resell, sublicense, or commercially redistribute the Service or any report generated by the Service as a standalone product or as part of a managed compliance service, without our prior written consent;
7. Use the Service in any manner that imposes an unreasonable or disproportionately large load on our infrastructure;
8. Attempt to probe, test, or compromise the security of our infrastructure, APIs, or databases;
9. Introduce any virus, trojan, worm, or other malicious code into the Service or our systems.

2.4 Intellectual Property and Proprietary Technology

The Service, including but not limited to its scan engine, compliance mapping algorithms, findings classification system, scoring methodology, legal citation framework, remediation guidance architecture, report templates, user interface design, and all underlying software code, constitute valuable proprietary intellectual property of DPDP Readiness Scanner and are protected under the Indian Copyright Act, 1957, applicable trade secret law, and international intellectual property conventions.

You acknowledge and agree that you will not, directly or indirectly:

1. Reverse engineer the Service — you will not reverse engineer, decompile, disassemble, decode, decrypt, translate, adapt, or otherwise attempt to derive the source code, object code, algorithms, data structures, database schema, or internal logic of any part of the Service, whether through technical means, systematic observation of inputs and outputs, or any other method;
2. Study and replicate the methodology — you will not systematically study, analyse, map, or document the scan output, findings categories and subcategories, scoring weights and calculations, legal citation patterns, penalty exposure methodology, or remediation step structure of the Service for the purpose of replicating, reverse-engineering, or understanding the underlying methodology;
3. Extract proprietary data — you will not scrape, extract, harvest, or systematically collect the structured output, findings schema, section-to-penalty mappings, or report format of the Service using automated tools, browser automation, API enumeration, or manual systematic extraction;
4. Create derivative works — you will not create derivative works based on the Service's output structure, report format, findings taxonomy, scoring logic, or any other proprietary element of the Service;
5. File competing intellectual property — you will not apply for patent or design protection on any invention, process, or interface that is substantially derived from or inspired by your observation or use of the Service's methodology, output format, technical approach, or user experience; and
6. Circumvent technical protection — you will not circumvent, remove, deactivate, or otherwise impair any technical protection measure, digital rights management system, or access control implemented in the Service.

A breach of this clause will cause us irreparable harm for which monetary damages may be an inadequate remedy. In addition to all other remedies available in law or equity, we shall be entitled to seek injunctive or other equitable relief from a competent court without the requirement of posting a bond or proving actual damages.

2.5 Prohibition on Competitive Use

Without limiting the generality of the foregoing, you specifically agree that you will not:

1. Use the findings format, compliance categories, penalty mapping, legal citation structure, or remediation guidance generated by the Service as a reference specification, functional blueprint, feature checklist, or competitive benchmark for designing, building, training, or improving any DPDPA compliance scanning tool, privacy compliance audit tool, or regulatory gap analysis tool;
2. Use knowledge gained from using the Service — including but not limited to which compliance checks the Service performs, how it structures findings, how it maps findings to legal provisions, how it calculates scores, or how it generates remediation steps — to inform the product design or technical architecture of any competing product;
3. Share, disclose, or transmit detailed knowledge of the Service's methodology, output structure, findings taxonomy, or technical approach to any developer, investor, co-founder, employee, contractor, or third party for the purpose of building a competing product;
4. Use the Service to generate scan reports and then use those reports as training data, reference data, or ground-truth labels for any machine learning model, large language model, artificial intelligence system, or automated compliance tool that performs functions similar to the Service;
5. Use a scan report generated by this Service to demonstrate to potential clients or investors the features or output format of a competing tool that you are building or plan to build.

This restriction applies during your use of the Service and for a period of two (2) years following the termination or expiry of your access to the Service. If any court of competent jurisdiction finds this period to be unenforceable, it shall be reduced to the maximum period that is enforceable under applicable law.

You acknowledge that the above restrictions are reasonable given the substantial investment of time, expertise, and resources that went into developing the Service's proprietary methodology, and that a breach would cause irreparable commercial harm.

2.6 Disclaimer of Warranties

To the fullest extent permitted under applicable Indian law, we expressly disclaim all warranties, whether express, implied, statutory, or otherwise, including but not limited to:

1. Any implied warranty of merchantability, satisfactory quality, or fitness for a particular purpose;
2. Any warranty that the Service will identify every DPDPA compliance violation, gap, risk, or deficiency present on your website or application — the Service has known limitations and expressly does not audit internal data flows, vendor agreements, organisational policies, or back-end data processing systems;
3. Any warranty that the findings, compliance scores, penalty exposure estimates, or legal citations in any report are legally accurate, complete, up-to-date, or applicable to your specific situation;
4. Any warranty that a report generated by the Service, or any remediation steps taken in reliance on such report, will protect you from regulatory investigation, inquiry, enforcement action, direction, penalty, or prosecution by the Data Protection Board of India, any other regulatory authority, or any court;
5. Any warranty of uninterrupted, timely, error-free, or secure access to the Service;
6. Any warranty that the Service is free from technical errors, false positives, or false negatives in its findings.

You assume all risk arising from your use of the Service and from reliance on any report, finding, recommendation, score, or other output of the Service.

2.7 Limitation of Liability

To the maximum extent permitted under applicable Indian law, DPDP Readiness Scanner and its founders, directors, officers, employees, agents, licensors, and service providers shall not be liable to you or any third party, under any legal theory (including contract, tort, strict liability, negligence, or otherwise), for:

1. Any regulatory fine, penalty, direction, enforcement order, or action issued or threatened by the Data Protection Board of India, any Central or State Government authority, or any court, in connection with your organisation's DPDPA compliance status — regardless of whether the relevant compliance gap was identified, not identified, incorrectly characterised, or given an incorrect severity level in any scan report;
2. Any personal data breach, data loss, unauthorised access, or privacy violation occurring at your organisation, whether or not the scan identified the relevant technical gap;
3. Any decision made, action taken, or action not taken by you or your organisation in reliance on any finding, score, recommendation, legal citation, penalty estimate, or remediation step in any scan report;
4. Any indirect, incidental, special, consequential, exemplary, or punitive damages of any nature, including loss of profits, loss of revenue, loss of business opportunity, loss of goodwill, loss of data, business interruption, or reputational damage, even if we have been advised of the possibility of such damages;
5. Any third-party claims against you arising from your organisation's compliance status or data practices;
6. Any loss or damage arising from service interruption, technical failure, data corruption, or inability to access the Service;
7. Any loss or damage arising from your reliance on the Service as a substitute for qualified legal or compliance advice.

Aggregate liability cap: Our total aggregate liability to you for all claims, losses, and damages of any kind arising under or in connection with these Terms or the Service — whether in contract, tort, strict liability, or otherwise — shall not exceed the lesser of: (i) the total fees actually paid by you to us for the specific report giving rise to the claim; or (ii) ₹4,499 (Indian Rupees Four Thousand Four Hundred and Ninety-Nine).

Some jurisdictions do not permit the exclusion of certain warranties or the limitation of liability for certain types of damages. If you are in such a jurisdiction, our liability will be limited to the fullest extent permitted by applicable law in that jurisdiction.

2.8 Indemnification

You agree to indemnify, defend, and hold harmless DPDP Readiness Scanner and its founders, directors, officers, employees, agents, and service providers from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable legal fees) arising out of or in connection with:

1. Your use of the Service or any report generated by the Service, including any decision made or action taken in reliance on scan results;
2. Your violation of any provision of these Terms;
3. Your violation of any applicable law, regulation, or third-party right, including any DPDPA obligation;
4. Any regulatory action, investigation, or penalty related to your organisation's data protection practices;
5. Any claim by a third party that your use of the Service infringes their intellectual property rights or causes them harm; or
6. Any content, data, or URLs submitted by you to the Service.

We reserve the right, at our own expense, to assume exclusive defence and control of any matter subject to indemnification by you, and you agree to cooperate with our defence of such claims.

2.9 Report Accuracy and Scope Limitations

You acknowledge that:

• The Service scans only the externally observable technical surface of your website — it does not audit internal data flows, backend systems, vendor contracts, employee training records, Records of Processing Activities (RoPA), Data Processing Agreements (DPAs), Data Protection Impact Assessments (DPIAs), or organisational governance policies;
• A high compliance score does not represent full DPDPA compliance, and a low score does not represent the full extent of your compliance risk;
• Scan results represent a snapshot of the scanned URL at the time of scanning and may not reflect subsequent changes to the website, to the DPDPA framework, or to regulatory enforcement guidance;
• The penalty exposure amounts shown in reports are statutory maxima under the DPDP Act's penalty schedule and do not predict, estimate, or represent the likely actual penalty for any specific violation;
• Some compliance checks produce false positives or false negatives due to technical limitations of automated scanning.

2.10 Account Responsibility

You are responsible for maintaining the confidentiality of your account and for all activity that occurs under it. Magic-link login emails are single-use and expire after 15 minutes. You agree to notify us immediately at the contact details in Section 4 if you suspect any unauthorised access to your account. We will not be liable for any loss or damage arising from your failure to comply with this obligation.

2.11 Governing Law and Dispute Resolution

These Terms and any dispute, claim, or controversy arising out of or in connection with them or the Service — whether in contract, tort, or otherwise — shall be governed by and construed in accordance with the laws of India, without regard to conflict of law principles.

Dispute resolution: In the event of any dispute, the parties shall first attempt to resolve the matter through good-faith negotiation for a period of thirty (30) days from written notice of the dispute. If the dispute is not resolved within that period, it shall be referred to binding arbitration under the Arbitration and Conciliation Act, 1996, conducted by a sole arbitrator mutually appointed by the parties, with the seat of arbitration in Bengaluru, Karnataka, and proceedings conducted in English.

Nothing in this clause shall prevent either party from seeking urgent interim or injunctive relief from a court of competent jurisdiction in Bengaluru, Karnataka, India, in relation to breaches of Sections 2.4 or 2.5 (intellectual property and competitive use).

2.12 Changes to Terms

We may update these Terms from time to time to reflect changes in the Service, applicable law, or our business practices. We will notify registered users of material changes by email at least 14 days before the changes take effect. Continued use of the Service after changes take effect constitutes your acceptance of the revised Terms. If you do not agree to the revised Terms, you must stop using the Service before the effective date of the changes.

2.13 Severability

If any provision of these Terms is found by a court of competent jurisdiction to be invalid, illegal, or unenforceable, that provision shall be modified to the minimum extent necessary to make it enforceable, or severed if modification is not possible, and the remaining provisions shall continue in full force and effect.

2.14 Entire Agreement

These Terms, together with our Privacy Policy and Refund Policy, constitute the entire agreement between you and DPDP Readiness Scanner with respect to the Service and supersede all prior agreements, representations, and understandings, whether oral or written, relating to the subject matter hereof.

3. Refund & Cancellation Policy

This policy applies to payments made for unlocking full DPDP compliance reports and monitoring subscriptions through the Service.

3.1 What You're Paying For

A one-time payment of ₹4,499 + GST unlocks the full DPDP compliance report for your scanned URL, including all findings, remediation steps, penalty exposure analysis, legal citations, and PDF export. The report is delivered immediately upon successful payment verification.

3.2 Refund Eligibility

• Technical failure — if your payment is processed but the full report is not unlocked within 30 minutes due to a technical error on our side, you are entitled to a full refund or immediate resolution at our discretion.
• Duplicate charge — if you are charged more than once for the same report, the duplicate charge will be fully refunded within 5–7 business days.
• Report not delivered — if the scan fails and a report cannot be generated, you will not be charged (scans are queued and completed before payment is requested; payment unlocks an already-completed scan).

3.3 Non-Refundable Cases

• Once you have accessed the full report, the payment is non-refundable, as the digital product has been fully delivered and cannot be "returned".
• Dissatisfaction with report findings, compliance scores, or remediation recommendations is not grounds for a refund — scan results are an accurate reflection of the technical state of your website at the time of scanning, subject to the limitations described in these Terms.
• Payments are non-transferable between accounts or scan domains.
• Refunds will not be issued for scans of websites that were subsequently modified after scanning — the report reflects the website at the time of the scan.

3.4 How to Request a Refund

Email our Grievance Officer (see Section 4) with your Razorpay payment ID (available in your payment confirmation email) and a description of the issue. We will investigate and respond within 3 business days. Approved refunds are processed within 5–7 business days to the original payment method.

3.5 GST

Prices are displayed exclusive of Goods and Services Tax (GST) at 18%. GST is added at checkout and included in your payment receipt. GST-registered businesses may claim input tax credit on this purchase under applicable GST law. A GST invoice is available on request to our Grievance Officer.

4. Contact & Grievance Officer

For privacy-related requests (access, correction, erasure), refund claims, intellectual property concerns, or any other concerns about the Service, contact our Grievance Officer:

We are committed to resolving all complaints promptly and in good faith. If you are not satisfied with our response to a privacy complaint, you may escalate to the Data Protection Board of India through such mechanism as it establishes for public complaints.

For reports of intellectual property infringement or suspected competitive misuse of the Service under Section 2.4 or 2.5, please email us with the subject line "IP Concern — [Your Organisation]". We investigate all such reports and reserve all legal remedies.