Use cases

Your industry, your duties, your plan

The DPDP Act reads the same for everyone, but it lands differently on a clinic than on a D2C brand. Find your industry - what the Act asks of you specifically, and exactly what we do about it.

Ecommerce and D2C brands

Names, phones, addresses, payments - on every single order, plus pixels on every page.

Every order collects a name, phone, address, and payment - the Act applies from order one

A D2C founder runs the free check at 11pm and watches the Meta pixel fire before consent on all forty pages of her store. One deploy later, it waits - and she has the report to prove it.

Where it usually goes wrong

Meta and Google pixels firing before consent, checkout forms without notices, courier and gateway vendors with no agreements, marketing lists built before consent records existed.

What PrivacyReady does about it

  • The check catches pixel-before-consent on your store automatically - the most common ecommerce gap
  • One tag serves the consent banner on Shopify, Wix, or WordPress; the WordPress plugin is free
  • Processor register closes the courier and gateway agreement gap; the re-permission kit cleans old lists

Clinics, hospitals, diagnostics

Health data is as sensitive as it gets - and likely Significant Data Fiduciary territory at scale.

Health data carries the Act's heaviest expectations - and clinics run on WhatsApp

A two-doctor clinic books appointments on WhatsApp, emails lab reports, and keeps patient history in Excel. Nobody ever decided how long any of it is kept - until the checklist asked.

Where it usually goes wrong

Appointment forms and WhatsApp bookings with no notice, lab reports over email, HR-run patient spreadsheets, CCTV in waiting rooms, retention nobody ever decided.

What PrivacyReady does about it

  • The applicability checklist marks your heavier duties (and possible SDF obligations) honestly
  • Schema check flags patient identifiers for encryption and retention rules - column by column
  • Kits cover the offline reality: QR notices on paper forms, CCTV signage, WhatsApp opt-in lines

Fintech, lending, insurance

PAN, Aadhaar, income data - the highest-value data with RBI obligations layered on top.

PAN, Aadhaar, income data - the ₹250 crore penalty tier is written for this industry

An NBFC's telecallers read a script written in 2019. The verifier found it never actually asks for consent - it assumes staying on the line is a yes. The Act disagrees.

Where it usually goes wrong

KYC flows collecting more than the notice admits, call-centre consent that would not survive scrutiny, data shared with collection agencies without agreements.

What PrivacyReady does about it

  • Store-listing check catches where your app's public claims contradict your policy
  • IVR script verifier checks your call scripts speak the consent elements - with evidence stored
  • Enterprise tier works alongside your existing consent manager rather than fighting it

Schools, coaching, edtech

Users under 18 mean verifiable parental consent and a ban on tracking and targeted ads at children.

Users under 18 trigger Section 9: verifiable parental consent, zero tracking, zero targeted ads

A coaching app's signup never asks who is a minor, while its ad pixel profiles every student. Two gaps, one afternoon of fixes - once someone names them.

Where it usually goes wrong

Signup flows that never ask who is a minor, ad pixels running on pages children use, parent WhatsApp groups as an unofficial CRM.

What PrivacyReady does about it

  • The checklist surfaces Section 9 duties the moment you answer that minors use your product
  • The check flags trackers on your public pages; the banner holds them until consent
  • Guided kits make parental-consent and communication flows concrete, not theoretical

SaaS and IT services

You are often the PROCESSOR - your customers will send you DPA paperwork before May 2027.

You are the processor - your customers' DPA paperwork lands on your desk before May 2027

An enterprise deal stalls on a security questionnaire's DPDP section. The readiness report answers it in one attachment instead of three weeks of email.

Where it usually goes wrong

Enterprise deals stalling on security questionnaires, your own marketing site failing the checks you would pass in the product, no processor agreement to hand to YOUR vendors.

What PrivacyReady does about it

  • Be ready before your customers ask: a readiness report answers the questionnaire's DPDP section
  • MCP server lets your developers run checks from Claude Code or Cursor in CI-adjacent workflows
  • The DPA checklist works both directions - what you sign as a processor and what your vendors sign for you

Local shops and services

A salon's booking register and a gym's member list are digital personal data the moment they hit Excel.

A walk-in register typed into Excel is digital personal data under Section 3

A salon's birthday-SMS list, feedback forms, and CCTV were all invisible until the two-minute checklist marked exactly which duties apply - and which never will.

Where it usually goes wrong

Walk-in registers, birthday SMS lists, CCTV, one Google Form doing everything - no notice anywhere.

What PrivacyReady does about it

  • Micro at ₹999 covers the essentials: banner, notice, monthly re-check, all the kits
  • QR-notice slips make paper forms proper in an afternoon
  • The two-minute checklist tells you which duties you can safely ignore - as valuable as the rest

Hotels, restaurants, travel

ID scans at check-in, booking engines, guest Wi-Fi logs, loyalty lists - hospitality touches it all.

ID scans at check-in, OTA data flows, guest Wi-Fi - hospitality touches every duty at once

A twelve-room hotel photocopies Aadhaar at the desk and keeps the copies forever. The kit replaced 'forever' with a retention rule and a sign that says so.

Where it usually goes wrong

Passport and Aadhaar photocopies with no retention rule, OTA data flowing both ways, CCTV everywhere.

What PrivacyReady does about it

  • Schema check flags ID-document fields for encryption and retention
  • Processor register covers OTAs, booking engines, and the Wi-Fi provider
  • CCTV signage and front-desk QR notices come straight from the kits

Real estate

Site-visit registers, purchased lead lists, and aggressive calling - the exact pattern the Act targets.

Bought lead lists and cold calls are the exact pattern the Act was written against

A broker inherited a database of eight thousand numbers with no consent trail. The re-permission campaign turned it into nine hundred people who actually said yes - a smaller list that stopped being a liability.

Where it usually goes wrong

Bought databases, telecallers with no consent script, WhatsApp blasts to strangers.

What PrivacyReady does about it

  • The re-permission kit is the honest path out of a purchased list
  • IVR script verifier makes every telecaller's opening line compliant
  • Consultancy handles the judgement calls a template cannot

Manufacturing and B2B

Fewer consumers, but employee data, plant CCTV, and dealer records are all in scope.

Fewer consumers, but employees, plant CCTV, and dealer records are all in scope

A components maker assumed B2B meant exempt - until the checklist flagged the HRMS vendor with no agreement and biometric attendance with no notice.

Where it usually goes wrong

HRMS vendors with no agreements, biometric attendance, decades-old retention habits.

What PrivacyReady does about it

  • Employee pack covers Section 7 properly - what needs consent and what does not
  • Processor register for the HRMS, payroll, and attendance vendors
  • The checklist keeps it proportionate: B2B firms often have fewer mandatory duties - know which

Agencies and CA firms

Every client you serve has DPDP duties - which makes you either liable or valuable.

Every client you serve has DPDP duties - they will ask you before they ask anyone

A CA's client forwards a DPDP scare-mail and asks 'are we covered?'. With white-label reports, the answer became a billable service instead of an awkward maybe.

Where it usually goes wrong

Clients will ask you first; saying 'not my job' loses the account, guessing loses worse.

What PrivacyReady does about it

  • White-label readiness reports carry your letterhead - you stay the trusted expert
  • One login for every client workspace; the free WordPress plugin starts the conversation
  • Founding partner terms before public launch

NGOs and nonprofits

Donor lists and beneficiary data - often the most sensitive data with the least infrastructure.

Beneficiary data is often the most sensitive data held with the least infrastructure

A three-person NGO tracks beneficiaries in spreadsheets and donors in a free CRM abroad. The checklist right-sized their duties instead of drowning them.

Where it usually goes wrong

Beneficiary records in spreadsheets, donor CRMs abroad, volunteer churn with shared logins.

What PrivacyReady does about it

  • Free and Micro tiers keep the essentials affordable for mission budgets
  • The checklist right-sizes duties instead of drowning a three-person team
  • Kits give printable, practical fixes for field data collection

Not sure where you fit?

One minute against your live website answers more than any category page.

Free. No card, no signup, about a minute.