formready
Compress now
DPDP Act 2023

DPDP Compliance

A focused note on how the Digital Personal Data Protection Act, 2023 applies to FormReady — and how our architecture lets us comply by collecting almost nothing in the first place.

Last updated: 1 April 2026

⚠ This is a v0 draft. Final version pending review by Indian privacy counsel before public launch.

1. About this notice

India's Digital Personal Data Protection Act, 2023 ("DPDP Act") regulates the processing of digital personal data of residents of India. This notice describes how FormReady complies with the DPDP Act. It is supplemental to our broader Privacy Policy; where there is any conflict between the two on DPDP-specific matters, this notice prevails for Indian residents.

2. The architecture-first approach

The cleanest way to comply with a data protection law is to never collect personal data in the first place. FormReady is built around that principle. Single-file compression (PDF, image, photo, signature) runs entirely in your browser via WebAssembly. The file content never reaches FormReady servers, which means no personal data within those files ever becomes our responsibility under the DPDP Act.

You can verify this yourself at /privacy/verify: open DevTools, run a sample compression, watch the Network tab show zero outbound file requests.

3. Personal data we do process

For Indian residents, we process the following personal data, all of which falls under the DPDP Act:

  • Pro account holders: email address (from Google OAuth), display name, profile photo URL, subscription state, billing address (Indian state for GST purposes), Razorpay payment ID.
  • All visitors: IP address (in short-term hosting logs only, not associated with any account), anonymous usage event timestamps.

4. Data Fiduciary identity

For the purposes of the DPDP Act:

Data Fiduciary: [LEGAL ENTITY NAME — e.g., FormReady Technologies Pvt Ltd]
CIN: [CORPORATE IDENTIFICATION NUMBER]
Registered office: [REGISTERED ADDRESS, INDIA]
Email: hello@formready.in

5. Grievance Officer

Per §10 of the DPDP Act, our designated Grievance Officer:

Name: [GRIEVANCE OFFICER NAME]
Email: grievance@formready.in
Address: [REGISTERED ADDRESS, INDIA]
Hours: Monday–Friday, 10:00–18:00 IST
Response time: we acknowledge grievances within 7 working days and resolve them within 30 days where reasonable.

6. Your rights under the DPDP Act

If you are a resident of India, the DPDP Act grants you the following rights:

6.1 Right to access (§11)

You may request a summary of the personal data we hold about you, the processing activities undertaken with it, and the identities of any Data Processors with whom it has been shared. Email grievance@formready.in; Pro users can self-serve this from /account/profile.

6.2 Right to correction and erasure (§12)

You may request correction of inaccurate data or erasure of your data. Erasure is subject to legal retention requirements — for example, GST invoices must be retained for 8 years per Indian tax law, but we anonymise them after account closure.

6.3 Right to grievance redressal (§13)

You may submit a grievance to our Grievance Officer using the contact above. If unsatisfied with our response, you may approach the Data Protection Board of India.

6.4 Right of nomination (§14)

You may nominate another individual to exercise your rights in case of your death or incapacity. Email this nomination to grievance@formready.in with the nominee's name and contact details.

7. Lawful basis for processing

We process personal data on the following lawful bases under §7 of the DPDP Act:

  • Consent (§7(a)) — for marketing communications and product updates. You can withdraw consent at any time by adjusting notification preferences in your Pro profile.
  • Performance of a contract (§7(b)) — for processing payments, providing Pro features, and sending transactional emails (welcome, password reset, receipts).
  • Compliance with legal obligation (§7(d)) — for retaining GST invoices for 8 years per Indian tax law, and for reporting personal data breaches to the Data Protection Board within 72 hours.
  • Legitimate use (§7(g)) — anonymous usage counters and abuse detection are processed under legitimate business interest.

8. Data localisation

Pro account data is stored in PostgreSQL on infrastructure located in [REGION — typically AWS Mumbai (ap-south-1) for Indian users]. Some operational data (anonymous error reports via Sentry, cookieless analytics via Plausible) is processed on infrastructure outside India under standard contractual safeguards.

9. Children

Per §9 of the DPDP Act, processing of personal data of children (under 18 in India) requires parental consent and additional protections. Our Pro tier is intended for users 18 and over; the free tier requires no personal data and is suitable for users 13 and over.

10. Personal data breaches

In the unlikely event of a personal data breach affecting Pro account data, per §8(6) of the DPDP Act we will:

  • Notify the Data Protection Board of India within 72 hours.
  • Notify affected Data Principals (you) without undue delay, with the nature of the breach, what was affected, and recommended steps.
  • Provide a remediation report within a reasonable timeframe.

11. Significant Data Fiduciary status

Based on our current scale of operations, FormReady is not classified as a Significant Data Fiduciary under §10 of the DPDP Act. If our processing volumes change such that this classification applies, we will appoint a Data Protection Officer, conduct annual data audits, and update this notice accordingly.

12. Updates to this notice

We may update this notice as the DPDP Act's rules and adjudicative orders evolve. The "Last updated" date at the top reflects the most recent change.

13. Contact