How it worksPlatformPricingLog inSign up

Privacy Policy

Privra — Digital Personal Data Protection Policy

Last Updated: June 12, 2026

Effective Date: June 12, 2026

This Privacy Policy is published in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act" or "Act") and the Digital Personal Data Protection Rules, 2025 ("Rules"). It describes how Privra collects, uses, stores, and protects your personal data when you use our platform.

You may access this policy in English or any language specified in the Eighth Schedule to the Constitution of India. To request a translated version, please write to us at the contact details provided at the end of this policy.

1. Who We Are

Privra is a DPDP compliance automation platform operated by Shreyas Jain (Sole Proprietor), based in Jaipur, Rajasthan, India.

For the purposes of the DPDP Act, 2023, Privra is the Data Fiduciary — we determine the purpose and means of processing your personal data when you use our platform.

When Privra scans your organisation's infrastructure or websites on your behalf, we act as a Data Processor processing data under your instructions as the Data Fiduciary of your own users.

Contact for data protection queries:

Shreyas Jain Email: shreyas@privra.in Website: https://privra.in

This contact information is published in accordance with Section 8(9) of the Act.

2. What Personal Data We Collect and Why

We collect different categories of personal data depending on how you interact with Privra. Below, we explain each category, the specific data collected, and the purpose for which it is processed, as required by Section 5(1)(i) of the Act.

2.1 Account Data (collected at signup)

What we collect:

  • Email address
  • Password (stored only in hashed form; we never have access to your plaintext password)
  • Company name (organisational data, not personal data unless it contains an individual's name)

Why we collect it:

  • To create and authenticate your Privra account
  • To communicate with you about your compliance status, scan results, and platform updates
  • To associate your compliance data with your organisation

Lawful basis: Your consent, given when you sign up (Section 6(1) of the Act).

2.2 Onboarding and Compliance Configuration Data

What we collect:

  • Industry vertical
  • Types of personal data your organisation processes (checkboxes)
  • Whether your organisation processes children's data
  • Whether your organisation transfers data outside India
  • Whether your organisation has an existing privacy policy or designated data protection officer
  • Approximate user base size

Why we collect it:

  • To configure your DPDP compliance assessment correctly
  • To determine which compliance checks are applicable to your organisation
  • To generate accurate, customised policy documents and compliance reports

Nature of this data: This is organisational data about your company's practices, not personal data about you as an individual. We collect it to provide our service accurately.

2.3 Policy Contact Information

What we collect (when you use the policy generator or configure your Trust Center):

  • Contact person name
  • Contact person email
  • Contact person designation
  • Contact address (for Trust Center display)

Why we collect it:

  • To include accurate contact details in your generated privacy policies, consent notices, and Trust Center page as required by the DPDP Act
  • To display your organisation's data protection contact on your public Trust Center

Important note: This data may relate to you or to another individual in your organisation whom you designate. If you provide personal data of another individual, you confirm that you have the authority to do so.

Lawful basis: Your consent and the legitimate purpose of providing the compliance service you have requested (Sections 6(1) and 7(a) of the Act).

2.4 Integration Credentials

What we collect (when you connect cloud infrastructure or payment integrations):

  • AWS IAM Role ARN (Amazon Resource Name for cross-account read-only access)
  • Razorpay API Key ID and Key Secret

Why we collect it:

  • To perform automated security scans of your cloud infrastructure
  • To assess your payment integration's compliance with DPDP security safeguard requirements

How we protect it:

  • AWS Role ARN is stored in our database. No AWS access keys are stored; we use temporary session credentials via STS AssumeRole.
  • Razorpay Key Secret is encrypted using AES-256-GCM before storage. The Key ID is stored in plaintext.
  • When you disconnect an integration, credentials are immediately removed from our database.

Lawful basis: Your consent, given when you connect each integration (Section 6(1) of the Act). You may disconnect integrations at any time, which immediately removes stored credentials.

2.5 Consent Audit Data (Browser Agent)

When you initiate a consent and privacy scan of your website, our automated browser agent visits your publicly accessible web pages and collects:

What we collect:

  • Screenshots of your website pages (signup flows, consent notices, privacy policies, contact pages)
  • Extracted text from your web pages (limited to visible content relevant to compliance analysis)
  • AI-generated analysis of your consent flows and privacy notices

Why we collect it:

  • To assess your website's compliance with DPDP consent requirements (Sections 5 and 6 of the Act)
  • To provide visual evidence of compliance gaps with timestamped screenshots
  • To generate your DPDP Readiness Report with supporting evidence

Important note about third-party data: Your website pages may display personal data of third parties (such as grievance officer names or contact details published on your site). We collect this incidentally as part of the compliance scan. Our agent does not log into your systems, submit forms, or access any non-public content.

Lawful basis: Your consent, given when you initiate a scan (Section 6(1) of the Act).

2.6 Scan Results and Compliance Data

What we generate and store:

  • Infrastructure scan findings (pass/fail/partial results for each security check)
  • Compliance scores (overall and per DPDP section)
  • AI-generated gap analysis and remediation recommendations
  • AI-generated policy documents (privacy policies, consent notices, breach notification templates, data retention policies, grievance redressal SOPs, data processing agreements)
  • DPDP Readiness Reports

Why we store it:

  • To display your compliance dashboard
  • To track your compliance posture over time
  • To generate your Trust Center and Readiness Reports
  • To detect compliance drift through continuous monitoring

Lawful basis: Necessary for providing the service you have subscribed to (Section 7(a) of the Act).

2.7 Trust Center Rights Requests

If a Data Principal (an end user of your product) submits a rights request through your Privra-hosted Trust Center, we collect:

What we collect:

  • Requestor's name
  • Requestor's email
  • Description of the request

Why we collect it:

  • To route the rights request to your organisation for action
  • To track the status and response timeline of rights requests

Nature of processing: We collect this data on your behalf as a Data Processor. Your organisation is the Data Fiduciary for these individuals, and you are responsible for responding to their requests within the timelines required by the Act.

2.8 Cookies and Technical Data

Cookies we set:

  • Authentication session cookies (prefixed sb-): Essential cookies required for you to log in and use the platform. These are set by our authentication provider (Supabase) and are strictly necessary for the service to function. They are not used for tracking, advertising, or analytics.

We do not set any:

  • Analytics or tracking cookies
  • Advertising cookies
  • Third-party tracking pixels
  • Social media cookies

Third-party requests:

  • Our website loads fonts from Google Fonts, which involves your browser making a request to Google's servers. This transmits your IP address and browser information to Google. Google's privacy policy governs their processing of this data.

Since we only use cookies that are strictly necessary for the functioning of our service, and do not engage in any tracking or profiling, we rely on the legitimate use provision under Section 7(a) of the Act for session cookies.

3. How We Use Your Data

We use your personal data only for the specific purposes described in Section 2 above. We do not use your data for:

  • Advertising or marketing to third parties
  • Profiling or automated decision-making that produces legal effects concerning you
  • Selling, renting, or trading your personal data to any third party
  • Any purpose not disclosed in this policy

If we ever need to process your data for a new purpose not covered by this policy, we will seek your specific consent before doing so, as required by Section 6(1) of the Act.

4. Who We Share Your Data With

We share your personal data with the following categories of Data Processors, who process data on our behalf under valid contracts as required by Section 8(2) of the Act. We do not share your personal data with any party for their own independent purposes.

4.1 Infrastructure and Hosting

Supabase (Supabase Inc.)

  • What they process: Account data (email, hashed password), organisational data, scan results, compliance scores, generated policies, consent audit screenshots, integration credentials
  • Why: Database hosting, user authentication, and file storage
  • Data location: Asia-Pacific (Tokyo, Japan)

Vercel (Vercel Inc.)

  • What they process: Account data and form submissions pass through Vercel's serverless functions during authentication, onboarding, and integration setup
  • Why: Web application hosting and server-side rendering
  • Data location: Global edge network with serverless functions

4.2 AI Processing

Google (Google LLC) — Gemini API

  • What they process: Website screenshots and extracted page text (for consent analysis), organisational profile data (for policy generation), scan findings (for gap analysis and report generation), policy contact details (for document generation)
  • Why: AI-powered compliance analysis, policy generation, and report generation
  • Data location: Google Cloud infrastructure (global)

Anthropic (Anthropic PBC) — Claude API

  • What they process: Same categories as Google Gemini, used as an alternative AI provider
  • Why: AI-powered text generation for policies, analysis, and reports
  • Data location: United States

4.3 Communications

Resend (Resend Inc.)

  • What they process: Email addresses, organisation names, scan result summaries (included in notification emails)
  • Why: Sending scan completion alerts, compliance drift notifications, and weekly digest emails
  • Data location: United States

4.4 Background Processing

Trigger.dev (Trigger.dev Inc.)

  • What they process: Organisational data, integration credentials (temporarily decrypted in worker memory during scans), scan results, AI processing inputs and outputs
  • Why: Running scheduled and on-demand scanning jobs, AI analysis tasks, and email delivery tasks
  • Data location: Cloud workers (region determined by deployment configuration)

4.5 Client Infrastructure Access

Amazon Web Services (when you connect AWS)

  • What happens: Privra assumes a read-only role in your AWS account to scan infrastructure configuration. We read metadata about your cloud resources (encryption settings, access controls, logging configuration). We do not read, copy, or access the actual data stored in your infrastructure.

Razorpay (when you connect Razorpay for scanning)

  • What happens: Privra reads structural information about your Razorpay integration (what customer data fields exist, webhook configuration, API key metadata). We store only field names and configuration flags, not actual customer payment data or personal information.

5. Cross-Border Data Transfers

Some of our Data Processors are located outside India. As of the date of this policy, the Central Government has not notified any country as restricted under Section 16(1) of the Act. We transfer personal data to the following jurisdictions:

  • Japan (Supabase database hosting)
  • United States (Resend, Anthropic Claude API, and certain Vercel and Trigger.dev infrastructure)
  • Global (Google Gemini API, Vercel edge network, Google Fonts)

We ensure that all Data Processors, regardless of location, are bound by contracts that require them to protect your personal data with security safeguards equivalent to those required by the DPDP Act.

Should the Central Government restrict transfers to any of these jurisdictions in the future, we will migrate the affected data processing to compliant locations and notify you of any changes.

We are actively working to migrate our primary data storage to India (Mumbai, ap-south-1) to minimise cross-border data transfers.

6. How Long We Keep Your Data

We retain your personal data only for as long as it is necessary for the purposes described in this policy, or as required by law, as mandated by Section 8(7) of the Act.

Account data (email, authentication): Retained while your account is active. Deleted within 90 days of account deletion.

Onboarding and compliance configuration: Retained while your account is active. Deleted when your account is deleted.

Policy contact information: Retained while your account is active and you have active policies or a published Trust Center. Deleted when your account is deleted or when you remove the contact from your settings.

Integration credentials: AWS Role ARN and Razorpay API keys are deleted immediately when you disconnect an integration. Scan findings generated before disconnection are retained.

Consent audit screenshots and page text: Retained while your account is active for compliance evidence and historical comparison. Deleted within 90 days of account deletion.

Scan results, compliance scores, and generated documents: Retained while your account is active. Available for export for 30 days after account deletion, then permanently deleted.

Trust Center rights requests: Retained for 3 years from the date of resolution to maintain a compliance record, then deleted.

Transactional emails: Sent via Resend; we do not control Resend's retention of delivery metadata after emails are sent. Email content is generated on demand and not stored separately by Privra after dispatch.

AI provider processing: Data sent to Google Gemini or Anthropic Claude for processing is transient. We do not control these providers' data retention policies. Their respective privacy policies govern retention of data processed through their APIs. We select API configurations that minimise data retention where available.

When the purpose for which we collected your data has been fulfilled and no legal obligation requires further retention, we erase your personal data and instruct our Data Processors to do the same, as required by Section 8(7) of the Act.

7. How We Protect Your Data

We take reasonable security safeguards to prevent personal data breach, as required by Section 8(5) of the Act. These include:

Technical safeguards:

  • All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
  • Passwords are hashed using industry-standard algorithms; we never store or have access to plaintext passwords
  • Razorpay API secrets are encrypted at rest using AES-256-GCM
  • Database access is controlled through Row-Level Security (RLS) policies, ensuring each organisation can only access its own data
  • Consent audit screenshots are stored in private storage buckets with time-limited signed URLs (1-hour expiry) for viewing access
  • Integration scans use temporary, read-only credentials that cannot modify your infrastructure

Organisational safeguards:

  • Access to production systems is restricted and logged
  • We regularly review and update our security practices
  • Third-party Data Processors are selected based on their security posture and are bound by contractual obligations

8. Personal Data Breach Notification

In the event of a personal data breach affecting your data, we will notify the Data Protection Board of India and you, as required by Section 8(6) of the Act. Our notification will:

  • Be in clear and plain language
  • Describe the nature of the breach
  • Explain the likely impact on you
  • Describe the measures we have taken and are taking to address the breach and mitigate its effects
  • Provide contact details for obtaining further information

9. Your Rights as a Data Principal

Under the DPDP Act, you have the following rights in relation to your personal data:

9.1 Right to Access Information (Section 11)

You have the right to obtain from us:

  • A summary of the personal data we hold about you and how we process it
  • The identities of all Data Processors and other Data Fiduciaries with whom we have shared your personal data
  • Any other information about your personal data and its processing as prescribed under the Act

9.2 Right to Correction and Erasure (Section 12)

You have the right to request:

  • Correction of any personal data that is inaccurate or misleading
  • Completion of any personal data that is incomplete
  • Updating of any personal data that is no longer current
  • Erasure of your personal data, unless retention is necessary for a specified purpose or required by law

9.3 Right to Grievance Redressal (Section 13)

You have the right to raise a grievance with us about any aspect of how we handle your personal data or exercise of your rights. See Section 11 of this policy for our grievance redressal process.

9.4 Right to Nominate (Section 14)

You have the right to nominate another individual to exercise your data protection rights on your behalf in the event of your death or incapacity. To register a nomination, please contact us using the details in Section 12 of this policy.

How to exercise your rights:

To exercise any of the rights described above, send an email to shreyas@privra.in with:

  • Your registered email address (so we can verify your identity)
  • The specific right you wish to exercise
  • Any relevant details about your request

We will respond to your request within 90 days of receipt, as required by the Rules.

10. Consent and Withdrawal

10.1 How We Obtain Your Consent

We obtain your consent in accordance with Section 6(1) of the Act. Your consent is:

  • Free — you are not compelled to use Privra; using our service is your choice
  • Specific — we obtain consent for each distinct processing purpose as described in Section 2
  • Informed — this policy provides full transparency about how your data is processed
  • Unconditional — we do not bundle consent for unrelated purposes
  • Unambiguous — consent is given through clear affirmative actions (creating an account, connecting an integration, initiating a scan)

10.2 Your Right to Withdraw Consent (Section 6(4))

You may withdraw your consent at any time. Withdrawal is as easy as giving consent:

To withdraw consent for the entire service:

  • Delete your account from your dashboard settings, or email us at shreyas@privra.in requesting account deletion
  • We will cease processing your personal data and erase it within the timeframes specified in Section 6 of this policy

To withdraw consent for specific processing:

  • Disconnect an integration (AWS or Razorpay) from your dashboard to stop infrastructure scanning. Credentials are deleted immediately.
  • Remove policy contact details from your settings to stop including them in generated documents
  • Unpublish your Trust Center to stop displaying your compliance status publicly

Consequences of withdrawal (Section 6(5)):

  • If you withdraw consent entirely (account deletion), you will no longer have access to Privra's platform, your compliance dashboard, scan history, generated policies, or Trust Center
  • The legality of processing that occurred before withdrawal is not affected
  • We may retain certain data where required by law, even after withdrawal

11. Grievance Redressal

In accordance with Section 13 of the Act, we have established a grievance redressal mechanism.

Grievance Officer: Shreyas Jain Email: shreyas@privra.in

Process:

  1. Send your grievance to the email address above, describing the issue and your registered email address
  2. We will acknowledge receipt of your grievance within 7 days
  3. We will investigate and resolve your grievance within 90 days of receipt, as required by the Rules
  4. If we need additional information to resolve your grievance, we will contact you at your registered email address

12. Complaint to the Data Protection Board

If you are not satisfied with our resolution of your grievance, you have the right to file a complaint with the Data Protection Board of India, as provided under Section 5(1)(iii) of the Act.

You must exhaust the grievance redressal process described in Section 11 above before approaching the Board, as required by Section 13(3) of the Act.

Information about how to file a complaint with the Data Protection Board will be made available on the Board's official website once the Board is fully operational. You may also contact us for current information about the complaint process.

13. Children's Data

Privra's platform is designed for use by businesses and their employees. It is not directed at individuals under the age of 18.

We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent as required by Section 9(1) of the Act, we will take immediate steps to erase that data.

If you believe we may have inadvertently collected personal data from a child, please contact us immediately at shreyas@privra.in.

14. Privra as a Data Processor

When you use Privra to scan your organisation's infrastructure or websites, Privra acts as a Data Processor under Section 8(2) of the Act. In this capacity:

  • We process data strictly on your behalf and under your instructions
  • You remain the Data Fiduciary responsible for your end users' personal data
  • Our processing is limited to what is necessary to provide the compliance assessment service
  • We do not use data obtained from your infrastructure or website scans for any purpose other than providing your compliance analysis
  • Our consent audit agent accesses only publicly available web pages; it does not log in, submit forms, or access authenticated content
  • When your organisation's users submit rights requests via your Trust Center, we route those requests to you; you are responsible for fulfilling them

15. Changes to This Policy

We may update this policy from time to time to reflect changes in our data processing practices, legal requirements, or platform features.

When we make material changes, we will notify you by email at your registered address and update the "Last Updated" date at the top of this policy. Your continued use of Privra after such notification constitutes your acceptance of the updated policy.

If a change materially expands how we use your personal data, we will seek your specific consent before applying the change to your data, as required by the Act.

16. Contact Us

For any questions about this Privacy Policy, your personal data, or to exercise any of your rights under the DPDP Act, please contact:

Shreyas Jain Privra — DPDP Compliance Platform

Email: shreyas@privra.in Website: https://privra.in

This Privacy Policy is governed by the Digital Personal Data Protection Act, 2023 (No. 22 of 2023) and the Digital Personal Data Protection Rules, 2025, as notified by the Government of India.

This policy was generated and validated using Privra's own DPDP compliance platform.