Use cases
Your industry, your duties, your plan
The DPDP Act reads the same for everyone, but it lands differently on a clinic than on a D2C brand. Find your industry - what the Act asks of you specifically, and exactly what we do about it.
Ecommerce and D2C brands
Names, phones, addresses, payments - on every single order, plus pixels on every page.
Every order collects a name, phone, address, and payment - the Act applies from order one
A D2C founder runs the free check at 11pm and watches the Meta pixel fire before consent on all forty pages of her store. One deploy later, it waits - and she has the report to prove it.
Where it usually goes wrong
Meta and Google pixels firing before consent, checkout forms without notices, courier and gateway vendors with no agreements, marketing lists built before consent records existed.
What PrivacyReady does about it
- The check catches pixel-before-consent on your store automatically - the most common ecommerce gap
- One tag serves the consent banner on Shopify, Wix, or WordPress; the WordPress plugin is free
- Processor register closes the courier and gateway agreement gap; the re-permission kit cleans old lists
Clinics, hospitals, diagnostics
Health data is as sensitive as it gets - and likely Significant Data Fiduciary territory at scale.
Health data carries the Act's heaviest expectations - and clinics run on WhatsApp
A two-doctor clinic books appointments on WhatsApp, emails lab reports, and keeps patient history in Excel. Nobody ever decided how long any of it is kept - until the checklist asked.
Where it usually goes wrong
Appointment forms and WhatsApp bookings with no notice, lab reports over email, HR-run patient spreadsheets, CCTV in waiting rooms, retention nobody ever decided.
What PrivacyReady does about it
- The applicability checklist marks your heavier duties (and possible SDF obligations) honestly
- Schema check flags patient identifiers for encryption and retention rules - column by column
- Kits cover the offline reality: QR notices on paper forms, CCTV signage, WhatsApp opt-in lines
Fintech, lending, insurance
PAN, Aadhaar, income data - the highest-value data with RBI obligations layered on top.
PAN, Aadhaar, income data - the ₹250 crore penalty tier is written for this industry
An NBFC's telecallers read a script written in 2019. The verifier found it never actually asks for consent - it assumes staying on the line is a yes. The Act disagrees.
Where it usually goes wrong
KYC flows collecting more than the notice admits, call-centre consent that would not survive scrutiny, data shared with collection agencies without agreements.
What PrivacyReady does about it
- Store-listing check catches where your app's public claims contradict your policy
- IVR script verifier checks your call scripts speak the consent elements - with evidence stored
- Enterprise tier works alongside your existing consent manager rather than fighting it
Schools, coaching, edtech
Users under 18 mean verifiable parental consent and a ban on tracking and targeted ads at children.
Users under 18 trigger Section 9: verifiable parental consent, zero tracking, zero targeted ads
A coaching app's signup never asks who is a minor, while its ad pixel profiles every student. Two gaps, one afternoon of fixes - once someone names them.
Where it usually goes wrong
Signup flows that never ask who is a minor, ad pixels running on pages children use, parent WhatsApp groups as an unofficial CRM.
What PrivacyReady does about it
- The checklist surfaces Section 9 duties the moment you answer that minors use your product
- The check flags trackers on your public pages; the banner holds them until consent
- Guided kits make parental-consent and communication flows concrete, not theoretical
SaaS and IT services
You are often the PROCESSOR - your customers will send you DPA paperwork before May 2027.
You are the processor - your customers' DPA paperwork lands on your desk before May 2027
An enterprise deal stalls on a security questionnaire's DPDP section. The readiness report answers it in one attachment instead of three weeks of email.
Where it usually goes wrong
Enterprise deals stalling on security questionnaires, your own marketing site failing the checks you would pass in the product, no processor agreement to hand to YOUR vendors.
What PrivacyReady does about it
- Be ready before your customers ask: a readiness report answers the questionnaire's DPDP section
- MCP server lets your developers run checks from Claude Code or Cursor in CI-adjacent workflows
- The DPA checklist works both directions - what you sign as a processor and what your vendors sign for you
Local shops and services
A salon's booking register and a gym's member list are digital personal data the moment they hit Excel.
A walk-in register typed into Excel is digital personal data under Section 3
A salon's birthday-SMS list, feedback forms, and CCTV were all invisible until the two-minute checklist marked exactly which duties apply - and which never will.
Where it usually goes wrong
Walk-in registers, birthday SMS lists, CCTV, one Google Form doing everything - no notice anywhere.
What PrivacyReady does about it
- Micro at ₹999 covers the essentials: banner, notice, monthly re-check, all the kits
- QR-notice slips make paper forms proper in an afternoon
- The two-minute checklist tells you which duties you can safely ignore - as valuable as the rest
Hotels, restaurants, travel
ID scans at check-in, booking engines, guest Wi-Fi logs, loyalty lists - hospitality touches it all.
ID scans at check-in, OTA data flows, guest Wi-Fi - hospitality touches every duty at once
A twelve-room hotel photocopies Aadhaar at the desk and keeps the copies forever. The kit replaced 'forever' with a retention rule and a sign that says so.
Where it usually goes wrong
Passport and Aadhaar photocopies with no retention rule, OTA data flowing both ways, CCTV everywhere.
What PrivacyReady does about it
- Schema check flags ID-document fields for encryption and retention
- Processor register covers OTAs, booking engines, and the Wi-Fi provider
- CCTV signage and front-desk QR notices come straight from the kits
Real estate
Site-visit registers, purchased lead lists, and aggressive calling - the exact pattern the Act targets.
Bought lead lists and cold calls are the exact pattern the Act was written against
A broker inherited a database of eight thousand numbers with no consent trail. The re-permission campaign turned it into nine hundred people who actually said yes - a smaller list that stopped being a liability.
Where it usually goes wrong
Bought databases, telecallers with no consent script, WhatsApp blasts to strangers.
What PrivacyReady does about it
- The re-permission kit is the honest path out of a purchased list
- IVR script verifier makes every telecaller's opening line compliant
- Consultancy handles the judgement calls a template cannot
Manufacturing and B2B
Fewer consumers, but employee data, plant CCTV, and dealer records are all in scope.
Fewer consumers, but employees, plant CCTV, and dealer records are all in scope
A components maker assumed B2B meant exempt - until the checklist flagged the HRMS vendor with no agreement and biometric attendance with no notice.
Where it usually goes wrong
HRMS vendors with no agreements, biometric attendance, decades-old retention habits.
What PrivacyReady does about it
- Employee pack covers Section 7 properly - what needs consent and what does not
- Processor register for the HRMS, payroll, and attendance vendors
- The checklist keeps it proportionate: B2B firms often have fewer mandatory duties - know which
Agencies and CA firms
Every client you serve has DPDP duties - which makes you either liable or valuable.
Every client you serve has DPDP duties - they will ask you before they ask anyone
A CA's client forwards a DPDP scare-mail and asks 'are we covered?'. With white-label reports, the answer became a billable service instead of an awkward maybe.
Where it usually goes wrong
Clients will ask you first; saying 'not my job' loses the account, guessing loses worse.
What PrivacyReady does about it
- White-label readiness reports carry your letterhead - you stay the trusted expert
- One login for every client workspace; the free WordPress plugin starts the conversation
- Founding partner terms before public launch
NGOs and nonprofits
Donor lists and beneficiary data - often the most sensitive data with the least infrastructure.
Beneficiary data is often the most sensitive data held with the least infrastructure
A three-person NGO tracks beneficiaries in spreadsheets and donors in a free CRM abroad. The checklist right-sized their duties instead of drowning them.
Where it usually goes wrong
Beneficiary records in spreadsheets, donor CRMs abroad, volunteer churn with shared logins.
What PrivacyReady does about it
- Free and Micro tiers keep the essentials affordable for mission budgets
- The checklist right-sizes duties instead of drowning a three-person team
- Kits give printable, practical fixes for field data collection
Not sure where you fit?
One minute against your live website answers more than any category page.