Free for Indian SMBs · 5-minute generation · DPDP Act 2023 + Rules 2025

Free DPDP Act 2023 Privacy Policy Generator — for Indian SMBs

Answer 8 quick questions about your business, data flows, retention and whether your audience includes children. We draft a structured ~2,000-word privacy policy covering DPDP §5/6/7/8/9/13/16, grievance officer, DPO triggers, the 72-hour breach rule and cross-border transfers. Edit, paste into your site, ask your lawyer to bless it.

DPDP §5/6/7/8/9/13/16 covered

Notice, consent, legitimate use, fiduciary obligations, children, withdrawal, cross-border transfers.

5-minute generation

8 guided steps. The generator drafts ~2,000 words of structured policy mapped to your sector.

Lawyer-reviewed template

Structure modelled on DPDP Act 2023 + DPDP Rules 2025. Have your counsel review before publishing.

India-2026 ready

Includes 72-hour breach rule, grievance officer SLA, DPO §10 trigger and §16 cross-border guidance.

Question 1 of 8

Business name and website

Used to populate § 1 (Introduction) of the policy.

Frequently asked questions

Do small Indian businesses really need a DPDP-compliant privacy policy?

Yes. The Digital Personal Data Protection Act 2023 was notified and the DPDP Rules 2025 are in force. The Data Protection Board of India is operational from 2026. The Act does not exempt small businesses — any entity that determines the purpose and means of processing personal data is a Data Fiduciary and must publish a notice (§5), obtain valid consent (§6), honour data principal rights (§11-13), and notify breaches to the Board within 72 hours. Penalties go up to ₹250 crore per breach. A published privacy policy is the most basic public-facing compliance artefact.

What does the DPDP Act 2023 require a privacy policy to contain?

Section 5 requires a notice in clear and plain language stating the personal data being processed, the specified purpose, the manner of exercising rights under §11 (access, correction, erasure, grievance redressal) and §13 (consent withdrawal), and how to complain to the Data Protection Board. The DPDP Rules 2025 add granular consent capture, ease of withdrawal equal to ease of giving, and a published grievance officer contact with a 7-day response SLA.

When does my SMB need to appoint a Data Protection Officer (DPO)?

The Central Government may notify a class of Data Fiduciaries as "Significant Data Fiduciaries" under §10 of the DPDP Act, based on volume and sensitivity of personal data processed, risk to data principals, and impact on sovereignty. Significant Data Fiduciaries must appoint a DPO based in India who reports to the board, conduct DPIAs, and undergo audits. Companies processing data of more than 50 lakh data principals OR with revenue above ₹5 crore handling sensitive data routinely should plan for DPO appointment.

What is the 72-hour breach notification requirement?

Rule 6 of the DPDP Rules 2025 requires every Data Fiduciary to notify the Data Protection Board of India without delay when it becomes aware of a personal data breach, and in any case within 72 hours unless an extension is granted. Affected data principals must also be informed individually with a description of the breach, likely consequences, mitigation measures and a point of contact. Your privacy policy must publish the breach notification process and the contact channel.

Can I store Indian user data outside India?

Section 16 of the DPDP Act allows cross-border transfer of personal data to any country except those notified by the Central Government as restricted. Sectoral regulators (RBI for payment data, IRDAI for insurance, SEBI for securities) may impose stricter India-only data residency. Your policy must disclose where data is stored and what safeguards apply. Conservative SMB guidance is to host on India-region cloud (AWS Mumbai/Hyderabad, Azure Central India, GCP Mumbai/Delhi) and disclose the country list of any sub-processors.

Is the generated policy legal advice I can publish as-is?

No. This is a template that captures the structural requirements of the DPDP Act 2023 and Rules 2025. It is not legal advice. Have a qualified Indian lawyer or your compliance officer review and customise the draft to your specific data flows, sectoral regulators (RBI/IRDAI/SEBI/MeitY) and contractual obligations before publishing. RichAutomate does not assume legal liability for use of this template.