VOLTAIR TECH
Booking · 1 slot this weekStart a project

DPDP Act 2023 and AI: what Indian builders must do right now

Guide · Compliance · Voltair Tech, Mumbai

The Digital Personal Data Protection Act 2023 is India’s first comprehensive data protection law. It applies to every organisation that processes the personal data of Indian users — including every AI product, chatbot, and automation pipeline.

What counts as personal data under DPDP?

Any data that can identify an individual: name, phone number, email, Aadhaar number, location data, IP address, financial data, health records, and any combination that makes identification possible. Anonymised data that cannot be re-identified is exempt.

Sensitive personal data (higher obligations)

  • Financial data (bank account, credit card, transaction history)
  • Health and medical data (patient records, prescription history)
  • Biometric data (fingerprints, facial recognition)
  • Caste or religious data
  • Sexual orientation

7 DPDP obligations for AI products

  • 1. Consent — explicit, informed, granular consent before collecting any personal data. No bundled consent forms.
  • 2. Purpose limitation — data collected for a specific purpose may only be used for that purpose. A chatbot collecting phone numbers for appointments cannot use them for marketing without separate consent.
  • 3. Data minimisation — collect only what you actually need. A delivery tracking bot doesn’t need the user’s date of birth.
  • 4. Storage limitation — don’t keep data longer than necessary. Implement automated deletion schedules.
  • 5. Data localisation — sensitive personal data must be stored on Indian servers. Check your cloud provider’s region settings.
  • 6. Right to erasure — users can request deletion of their data. Your AI system must have a verifiable, documented deletion mechanism.
  • 7. Breach notification — notify affected users and the Data Protection Board within 72 hours of discovering a breach.

DPDP compliance checklist for AI builders

  • Consent UI is explicit and granular
  • Privacy policy references the DPDP Act 2023
  • Vector database and AI model APIs use Indian or approved data centres
  • Deletion endpoint is tested and documented
  • Third-party APIs (OpenAI, Anthropic, etc.) have data processing agreements
  • Breach notification SLA is defined internally

How Voltair Tech handles DPDP by default

Every product we ship includes: DPDP-compliant consent capture, a tested deletion mechanism, pgvector on ap-south-1 (Mumbai) as the default vector store, and a privacy policy that explicitly references the DPDP Act 2023. We include DPDP documentation in the handover package.

FAQs — DPDP and AI

Does DPDP apply to B2B AI products?

Yes. If your B2B AI product processes the personal data of individuals (even employees of your clients), DPDP applies. The B2B exemption under DPDP is narrow and does not cover processing of individual personal data.

Do US-hosted AI APIs (OpenAI, Anthropic) comply with DPDP?

Both OpenAI and Anthropic offer data processing agreements and data residency options, but the default API endpoint sends data to US servers. For sensitive personal data, use a regional deployment in India or implement a data-scrubbing layer before sending to any foreign API.

Build a DPDP-compliant AI product — compliance on day one, not as an afterthought.

WhatsApp +91 70210 00764 · email business@voltairtech.com · start a project →