VOLTAIR TECH
Start a project →
← Back to voltairtech.com

DPDP Act 2023 — Our Compliance Framework

Last updated: May 2026 · Voltaire Tech · Andheri West, Mumbai · India

India's Digital Personal Data Protection (DPDP) Act 2023 is a landmark law that governs how organisations collect, process, and store personal data of Indian citizens. Voltaire Tech takes compliance seriously. This page explains how we implement our obligations as a Data Fiduciary and how you can exercise your rights as a Data Principal.

What is the DPDP Act 2023?

The DPDP Act 2023 (Digital Personal Data Protection Act, 2023) establishes a rights-based framework for personal data protection in India. It defines the responsibilities of Data Fiduciaries (organisations that process data) and grants Data Principals (individuals) specific rights over their personal data.

The Act requires lawful, purpose-limited processing; valid consent or legitimate use; data minimisation; security safeguards; and mechanisms for grievance redressal.

Our Role as Data Fiduciary

When you share personal data with Voltaire Tech — via our website, email, WhatsApp, or phone — we act as a Data Fiduciary. We determine the purpose and means of processing your data and are accountable for its protection.

Where we process personal data on behalf of our clients (e.g., user data within an app we build), we act as a Data Processor. In those cases, the client is the Data Fiduciary and we process data only on their documented instructions.

Consent Framework

We collect consent at the point of data collection. Our consent notices are:

  • Clear — written in plain English (and available in Hindi on request), not legalese.
  • Specific — we state exactly what data we collect and why.
  • Granular — consent for marketing is separate from consent required for service delivery.
  • Revocable — you can withdraw consent at any time with the same ease as it was given.

We do not use pre-ticked boxes, dark patterns, or bundled consent. Where we rely on "legitimate interests" rather than consent, we document this and ensure it does not override your fundamental rights.

Your Rights as a Data Principal

Under Section 11–14 of the DPDP Act 2023, you have the right to:

  • Right to access (Section 11) — Request a summary of personal data we hold about you and the purposes for which it is processed.
  • Right to correction and erasure (Section 12) — Request that we correct inaccurate or incomplete data, and request erasure of data processed on the basis of consent (subject to legal retention obligations).
  • Right to grievance redressal (Section 13) — Lodge a grievance with our Grievance Officer and receive a response within 30 days.
  • Right to nominate (Section 14) — Nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.

Significant Data Fiduciary

Voltaire Tech does not currently meet the thresholds to be designated a Significant Data Fiduciary by the Central Government. We will update this page and our compliance programme if we are designated in the future.

Cross-Border Data Transfers

Some of our service providers (e.g., Vercel for hosting, OpenAI/Anthropic for LLM inference) process data outside India. We ensure such transfers are to countries notified by the Central Government as providing adequate data protection, or are covered by appropriate contractual safeguards. We will update this section as the government's notification list evolves.

Data Localisation

For client projects involving sensitive personal data, we can configure infrastructure to store data within India (e.g., AWS ap-south-1, Supabase India region) on request. Discuss this requirement during your scoping call.

Security Measures

We implement reasonable security safeguards as required by Section 8(5) of the Act, including:

  • TLS 1.2+ encryption for all data in transit.
  • Encryption at rest for databases holding personal data.
  • Role-based access controls and least-privilege principles.
  • Regular security reviews and dependency audits.
  • Incident response procedures with breach notification obligations.

Data Breach Notification

In the event of a personal data breach, we will notify the Data Protection Board of India and affected data principals in accordance with the timelines prescribed by the Act and associated rules. We maintain an incident log and conduct post-incident reviews.

Grievance Redressal

To exercise any of your rights or raise a data protection concern, contact our Grievance Officer:

Grievance Officer — Voltaire Tech
Andheri West, Mumbai, Maharashtra 400053, India
Email: business@voltairtech.com
Phone: +91 70210 00764
Response time: within 30 days of receipt.

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India once the Board is constituted under the DPDP Act 2023.