DPDP Act Compliance
First published (2026-05-24) · Version 2026-05-24-v1 · Draft — pending lawyer review
The DPDP Act, 2023 sets the data-protection bar in India. We chose to meet it from day one — even before the Government appoints us a Significant Data Fiduciary. This page lists how, in plain language.
01. Scope
The Digital Personal Data Protection Act, 2023 ("DPDP Act") sets the data-protection bar in India. This page describes how Trinetra CRM complies with the Act for every Indian user — and, by extension, for everyone, because we apply the same controls globally. It supplements (and is incorporated by reference into) our Privacy Policy.
02. Roles
Trinetra plays two distinct roles, and both are visible to you:
- For data about your account holders (you, your team) — Trinetra is the Data Fiduciary. We decide why and how this data is processed.
- For data about your end-customers (your contacts in your inbox) — Trinetra is a Data Processor. You are the Data Fiduciary, and we process this data only on your documented instructions.
A Data Processing Addendum (DPA) reflecting these roles is available on request and is automatically attached to Growth and higher plans.
03. Lawful Basis & Consent
Every act of processing on Trinetra has a lawful basis under Section 6 (consent) or Section 7 (legitimate uses) of the DPDP Act. We document each one inside the product so you can audit it.
- Account signup — consent, captured at signup with a checkbox + plain-language notice.
- Billing — performance of contract; necessary to provide the Service.
- Sending WhatsApp messages — your customers must have opted in to receive WhatsApp messages from your business. Trinetra provides opt-in capture tools (web forms, QR codes, click-to-WhatsApp links) and a per-contact consent log.
- Security & abuse prevention — legitimate use under Section 7(g).
- Compliance with Indian law (GST, KYC, court orders) — legitimate use under Section 7(c).
04. Notice to Data Principals
Under DPDP, notice must be given in plain language and in a recognised Indian language on request. Trinetra provides:
- A signup notice in English and Hindi describing what data is collected, why, and how to exercise rights.
- A first-message notice explaining how Trinetra processes your customers' data on your behalf.
- An updated notice 30 days before any material change to processing or sub-processors.
05. Rights of Data Principals
Every Data Principal under DPDP has the right to —
- Access — see a summary of personal data being processed.
- Correction — request correction of inaccurate or incomplete data.
- Erasure — request deletion of personal data when no longer needed.
- Grievance redressal — raise a complaint with our Grievance Officer.
- Nominate — appoint someone to exercise rights on their behalf in case of incapacity.
Trinetra exposes all of these rights in an in-app privacy dashboard available to every user, free of charge, with response within 30 days. Your end-customers can exercise their rights by contacting you (the Data Fiduciary), and Trinetra will assist with technical execution at no extra cost.
06. Security Safeguards
Section 8 of the DPDP Act requires reasonable security safeguards. Trinetra meets and exceeds the threshold:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Bcrypt password hashing (cost factor 12); plaintext never stored.
- HMAC-signed webhooks; rejected on signature mismatch.
- Role-based access control + audit logs (1-year retention).
- Rate limiting + brute-force protection on the auth path.
- Independent penetration test before public launch and annually.
- Quarterly internal access reviews.
- Hard-deleted data is overwritten in backups within 30 days.
07. Data Breach Notification
If we become aware of a personal-data breach affecting your data, we will — as soon as possible, and in any case promptly upon becoming aware — notify both (a) the Data Protection Board of India under DPDP Section 8(6), and (b) each affected Data Principal directly via email and in-app banner. Notification timing follows the Board's prescribed timeline once the DPDP Rules are notified; we do not wait for "scope confirmation" before first contact. The notification will include what data was affected, what we have done, what you should do, and a contact for follow-up.
08. Cross-Border Transfers
Primary data is stored in India (Neon, Mumbai region). Some sub-processors operate globally — Vercel CDN, Resend, Plausible (marketing-page analytics, no PII), PostHog EU (authenticated-dashboard product analytics — page views, approximate city, browser, OS, UTM, referrer; identifiers and OAuth tokens stripped at SDK). We rely on contractual safeguards for these and process only the minimum data necessary. Once the Central Government publishes the DPDP cross-border list, we will move processing to permitted jurisdictions if required, with notice to all customers.
09. Children's Data
Trinetra is not directed at children under 18. We do not knowingly collect data from children. If we learn that we have collected such data without verifiable parental consent, we will delete it. Where required, we will obtain verifiable parental consent before any processing. Behavioural monitoring of children and targeted advertising to children are not part of our product and never will be.
10. Significant Data Fiduciary
If notified by the Government as a Significant Data Fiduciary under Section 10, we will appoint a Data Protection Officer based in India, conduct regular Data Protection Impact Assessments, and undergo independent audits — and publish a redacted summary of audit findings on this page.
11. Grievance Officer
Per DPDP Section 8(9) and IT Rules 2021 Rule 4(1), our designated Grievance Officer is Raj Kumar Upadhyay, Founder & Grievance Officer, contactable at grievance@trinetracrm.com (also reachable at +91 83839 00820, by voice or WhatsApp, Mon–Sat, 10:00–19:00 IST). Use the subject line "Grievance" so the email is routed correctly. We acknowledge within 24 hours (an automated reply confirms receipt) and resolve within 15 days, per IT Rules 2021 Rule 3(2).
Postal escalation: our registered office (see footer for the full address). If your grievance concerns the Grievance Officer's own decision, or you are not satisfied with the resolution, you may escalate to the Data Protection Board of India under DPDP §27 once the Board has begun accepting filings.
12. Updates to This Page
This page will be updated as DPDP rules and guidance evolve, and as the product matures. Material changes are notified by in-app banner and email.