DPDP Act 2023 Compliance
This page describes how APUA AI Private Limited ("APUA AI") complies with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025 (DPDP Rules) in the operation of the ApuaLegal platform (product name: Arsenal). We are committed to protecting the personal data of our users and upholding the principles set forth in the DPDP Act and DPDP Rules.
1. Our Role as Data Fiduciary
Under the DPDP Act 2023, APUA AI Private Limited acts as a Data Fiduciary, the entity that determines the purpose and means of processing personal data. As a Data Fiduciary, we are committed to:
- Processing personal data only for lawful purposes for which consent has been obtained.
- Maintaining accuracy and completeness of personal data.
- Implementing reasonable security safeguards to protect personal data.
- Deleting personal data when it is no longer necessary for the stated purpose, unless retention is required by law.
- Publishing clear and accessible information about our data processing practices.
2. Consent Mechanisms
We obtain your consent for data processing in accordance with Section 6 of the DPDP Act:
2.1 How We Obtain Consent
- Registration consent: At the time of account creation, you are presented with a clear notice describing the data we collect and the purposes for which it is processed. You must affirmatively consent before proceeding.
- Granular consent: For specific features (such as AI processing of your documents), we obtain separate, specific consent.
- Clear language: All consent notices are written in clear, plain language.
- Freely given: Consent is not bundled with unrelated terms. You may use the platform without consenting to non-essential data processing.
2.2 Withdrawal of Consent
You may withdraw your consent at any time by:
- Adjusting your privacy settings in your account dashboard.
- Contacting us at grievance@apua.ai.
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Please note that withdrawing consent for essential data processing may result in limited access to platform features.
3. Data Principal Rights
As a Data Principal (the individual whose data is being processed), you have the following rights under the DPDP Act 2023:
| Right | Description | How to Exercise |
|---|---|---|
| Right to Access | Obtain a summary of your personal data being processed and the processing activities. | Account settings or email request |
| Right to Correction | Request correction of inaccurate or incomplete personal data. | Account settings or email request |
| Right to Erasure | Request deletion of your personal data when it is no longer necessary for the stated purpose. | Account deletion or email request |
| Right to Grievance Redressal | Lodge a complaint regarding data processing with our Grievance Officer or the Data Protection Board. | Email to grievance@apua.ai |
| Right to Nominate | Nominate another person to exercise your rights in case of death or incapacity. | Written request via email |
We respond to all data principal requests within 30 days of receipt, as required by the Act.
4. Data Fiduciary Obligations
As a Data Fiduciary, APUA AI fulfils the following obligations under the DPDP Act:
4.1 Purpose Limitation
We process personal data only for the specific, clear, and lawful purposes communicated to you at the time of obtaining consent. We do not process your data for purposes incompatible with those originally stated.
4.2 Data Minimisation
We collect only the personal data that is necessary for providing our services. We do not collect excessive data beyond what is required.
4.3 Storage Limitation
Personal data is retained only for as long as it is needed to fulfil the purpose for which it was collected, or as required by applicable law. See our Privacy Policy for specific retention periods.
4.4 Security Safeguards
We implement reasonable security safeguards as required under Section 8 of the DPDP Act, including:
- AES-256 encryption at rest and TLS 1.3 encryption in transit
- Access controls and role-based permissions
- Regular security audits and penetration testing
- Incident response procedures and breach notification protocols
4.5 Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Data Protection Board of India as required under the DPDP Act.
- Notify affected Data Principals without undue delay.
- Take immediate steps to contain and remediate the breach.
- Document the breach and actions taken for regulatory review.
5. Cross-Border Data Transfer
All personal data collected and processed by ApuaLegal is stored on Google Cloud Platform infrastructure in Mumbai, India (asia-south1 region). We do not transfer your personal data outside India.
In the event that cross-border data transfer becomes necessary in the future, we will:
- Only transfer data to countries or territories permitted by the Central Government under the DPDP Act.
- Obtain your explicit consent before any cross-border transfer.
- Update this page and our Privacy Policy to reflect such changes.
6. AI Data Processing
ApuaLegal uses AI (Google Gemini) for legal research and document generation. Our AI data processing practices under the DPDP Act include:
- Your queries and data are processed in real time and are not retained by the AI model.
- Your data is never used for AI model training.
- AI processing occurs within our Google Cloud infrastructure in India.
- You are informed when content is AI-generated, and you may opt out of AI features.
7. Data Protection Officer
In compliance with the DPDP Act 2023, we have appointed a Data Protection Officer to oversee our data protection practices:
Name: Neelanchal Dixit
Email: neel@apua.ai (alternate: grievance@apua.ai)
Organisation: APUA AI Private Limited, India
The Data Protection Officer is responsible for:
- Ensuring compliance with the DPDP Act 2023
- Handling data principal requests and grievances
- Serving as the point of contact for the Data Protection Board of India
- Conducting periodic data protection impact assessments
8. Data Processing Register
We maintain a register of data processing activities as required, including:
- Categories of personal data processed
- Purposes of processing
- Categories of Data Principals
- Retention periods
- Security measures in place
9. Compliance with DPDP Rules 2025
The Digital Personal Data Protection Rules, 2025, notified under the DPDP Act 2023, introduce additional compliance requirements that APUA AI adheres to:
9.1 Consent Manager Registration
The DPDP Rules 2025 provide for the registration of Consent Managers as intermediaries between Data Principals and Data Fiduciaries. APUA AI currently manages consent directly through our platform. Should it become applicable or beneficial for our users, we will evaluate registration as a Consent Manager or engage with a registered Consent Manager to facilitate consent management on behalf of our users.
9.2 Enhanced Breach Notification Procedures
Under the DPDP Rules 2025, we follow enhanced breach notification procedures:
- Notify the Data Protection Board of India within the prescribed timeframe of becoming aware of a personal data breach.
- Notify affected Data Principals individually with clear information about the nature of the breach, the data involved, and recommended protective measures.
- Maintain a breach register documenting all incidents, response actions, and timelines for regulatory review.
9.3 Data Protection Impact Assessments
In accordance with the DPDP Rules 2025, we conduct Data Protection Impact Assessments (DPIAs) for:
- New features or services that involve significant processing of personal data.
- Changes in data processing practices that may affect the rights of Data Principals.
- AI-powered features that process personal data, to evaluate and mitigate privacy risks.
9.4 Cross-Border Data Transfer Rules
The DPDP Rules 2025 establish specific conditions for cross-border data transfers. APUA AI ensures compliance by:
- Storing all personal data within India on Google Cloud Platform (Mumbai region).
- Transferring data outside India only to countries or territories permitted by the Central Government, and only when strictly necessary.
- Implementing additional safeguards as prescribed by the Rules for any cross-border transfer.
- Maintaining transparency with users about any data transfers and their legal basis.
10. Contact
For questions about our DPDP Act compliance or to exercise your data principal rights:
Email: grievance@apua.ai
Website: apualegal.com
Grievance Officer page: apualegal.com/grievance