Legal Document

Privacy Policy

Last Updated: April 1, 2026 • Effective: April 1, 2026

DataMukt ("we", "us", or "our") is India's first personal data removal SaaS platform. We are committed to protecting your privacy and handling your personal data responsibly in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act), along with all other applicable Indian and international data protection laws.

This Privacy Policy explains how we collect, use, store, and share your personal information when you use our website at datamukt.in and all associated services (collectively, the "Service"). By using the Service, you consent to the practices described in this policy.

1. Information We Collect

1.1 Information You Provide Directly

Full name, email address, and phone number (for scan and removal requests)
Account credentials (email and password, or Google OAuth token)
Billing information processed securely via Razorpay (we do not store raw card data)
Communication you send us via email or support channels

1.2 Information We Collect Automatically

IP address, browser type, device identifiers, and operating system
Pages visited, features used, and time spent on the Service
Scan results: which data brokers were found to hold your information
Removal request status and screenshot proof of completed removals
Cookies and similar tracking technologies (see Section 9)

1.3 Information Collected on Your Behalf

As part of our Service, we visit third-party data broker websites on your behalf and collect only the information necessary to confirm your data is present and to submit removal requests. This includes profile URLs, exposure screenshots, and opt-out confirmation emails.

2. How We Use Your Information

To perform privacy scans and identify where your personal data is exposed
To submit opt-out and data erasure requests to data brokers on your behalf, including DPDP Act Section 12 legal notices
To create, manage, and secure your account
To process subscription payments and send billing receipts
To provide removal proof, screenshots, and status reports on your dashboard
To send you service updates, scan results, and removal confirmations
To detect fraud, prevent abuse, and enforce our Terms of Service
To improve our platform through anonymised, aggregated analytics (never tied to individual users)

We never sell your personal data. We never use your data to build advertising profiles. Your information exists solely to deliver the Service to you.

3. Legal Basis for Processing (DPDP Act 2023)

Under the Digital Personal Data Protection Act, 2023, our legal bases for processing your personal data are:

Consent: You explicitly consent when you create an account and submit your information for scanning
Contract performance: Processing is necessary to deliver the removal services you have subscribed to
Legal obligation: We may process data to comply with applicable laws, court orders, or regulatory requirements
Legitimate interests: Fraud prevention, security, and platform improvement, balanced against your rights

4. Data Sharing and Third Parties

We share your data only to the minimum extent necessary to deliver our Service:

Data Brokers: Your name, email, and phone are shared with data broker websites solely to submit your erasure and opt-out requests on your behalf
Supabase: Our database and authentication provider, hosted in Asia-Pacific, processes your account data under strict security standards
Razorpay: Payment processing. Razorpay operates under its own PCI-DSS compliant privacy policy
Resend: Email delivery service used to send you notifications, scan reports, and DPDP legal notices
Legal authorities: We may disclose data when required by law, court order, or to protect our legal rights

All third-party processors are contractually bound to process your data only on our documented instructions and in accordance with applicable data protection law.

5. Data Retention

We retain your personal data for as long as your account is active and as needed to provide you with our Service. Specifically:

Account data is retained for the duration of your subscription plus 12 months
Scan results and removal proof screenshots are retained for 24 months
Billing records are retained for 7 years as required by Indian tax law
Upon account deletion, all personal data is permanently erased within 30 days, except where retention is required by law

6. Your Rights Under the DPDP Act 2023

As a Data Principal under India's Digital Personal Data Protection Act, 2023, you have the following rights:

Right to Access: Request a summary of the personal data we hold about you
Right to Correction: Request correction of inaccurate or incomplete personal data
Right to Erasure (Section 12): Request deletion of your personal data. We will comply within 30 days.
Right to Grievance Redressal: File a complaint with our Data Protection Officer
Right to Nominate: Nominate a person to exercise your rights in the event of your death or incapacity
Right to Withdraw Consent: Withdraw consent at any time, which will result in termination of the Service

To exercise any of these rights, contact our Data Protection Officer at legal@datamukt.in. We will respond within 30 days. If you are unsatisfied with our response, you may escalate to the Data Protection Board of India.

Right to Immediate Erasure (Delete Your Data)

You are in complete control. Unlike the data brokers we police, DataMukt firmly believes your data is yours.

You can delete your DataMukt account, all scan logs, and all associated PII at any time directly from your dashboard settings. Read our Security & Trust Policy to learn exactly how we rapidly purge your data.

7. Data Security

We implement industry-standard security measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction:

All data in transit is encrypted using TLS 1.3
Data at rest is encrypted using AES-256
Row-Level Security (RLS) ensures you can only access your own data
API endpoints are protected with JWT authentication
CSP headers and input sanitisation guard against injection attacks
Regular security audits and vulnerability assessments

Despite our best efforts, no system is 100% secure. In the event of a data breach affecting your personal data, we will notify you and the relevant authorities as required under the DPDP Act, 2023.

8. International Data Transfers

Your personal data is primarily stored and processed within India or in jurisdictions approved by the Indian government under the DPDP Act. Where data is transferred internationally (for example, to our infrastructure providers), we ensure appropriate safeguards are in place, including contractual protections consistent with applicable data protection law.

9. Cookies and Tracking Technologies

We use only essential cookies required for the Service to function:

Authentication cookies: To maintain your logged-in session securely
CSRF tokens: To prevent cross-site request forgery attacks

We do not use advertising cookies, third-party tracking pixels, or behavioural analytics tools that profile your activity across other websites.

10. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided us with personal data, we will delete it promptly. If you believe a minor has used our Service, please contact us at legal@datamukt.in.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and by posting a prominent notice on our website at least 7 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

12. Contact and Grievance Officer

For any privacy-related questions, requests, or complaints, contact our Data Protection Officer:

Email: legal@datamukt.in
Subject line: "Privacy Request — [Your Name]"
Response time: Within 30 days
Escalation: Data Protection Board of India (dpboard.gov.in) if unresolved