DPDP Act, 2023 — Compliance Overview

1. Legal framework

The DPDP Act, 2023 governs processing of digital personal data in India. TANIYUR acts as a Data Fiduciary when we determine the purpose and means of processing personal data in connection with our platform and website. Data Principals (residents, committee members, visitors to our site, and others whose personal data we process) have statutory rights, including access, correction, erasure (where applicable), grievance redressal, and nomination, as provided under the DPDP Act and applicable rules.

2. Notice, consent, and legitimate uses

We provide clear notice of what personal data we collect and for what purposes through our Privacy Policy. Where the DPDP Act requires consent, we seek it in a granular manner (for example, before you submit contact details or use features that involve optional processing). We also rely on legitimate uses recognised under the Act where applicable—for example, compliance with law or voluntary provision of data for specified purposes—with appropriate safeguards.

2a. Societies and the platform

Many societies use TANIYUR to run gate logs, billing, notices, and resident records. The management committee (or other authorised body) typically decides society operational policy and what data to record. TANIYUR supplies the software, security, and hosting; where the law treats the society as fiduciary for those records, we process on documented instructions compatible with the DPDP Act. Our Privacy Policy explains both roles for Data Principals.

3. Purpose limitation and data minimisation

We process personal data only for stated purposes (such as society operations, gate security, billing, optional AI assistant features, security logs, product improvement in aggregate form where allowed, and responding to enquiries). Mobile permissions (camera, microphone, notifications, photo library) are requested only for features that need them. We avoid collecting data that is not reasonably necessary for those purposes.

4. Security and organisational measures

We implement technical and organisational measures appropriate to the risk, including encryption in transit, access controls, authentication, logging, and separation of environments. Details are summarised in our Privacy Policy; specific controls may evolve as the product and threat landscape change.

5. Processors and third parties

We use reputable service providers—for example Supabase/PostgreSQL, Firebase, Redis, Razorpay, Cloudinary, Expo push, Resend, Sentry, and optional AI or speech providers—strictly under contract and instructions compatible with the DPDP Act. We do not sell personal data. An internal data inventory is maintained for engineering and counsel review alongside these public pages.

6. Cross-border transfers

Where personal data is transferred outside India, we do so in line with the DPDP Act and notifications issued by the Central Government from time to time (including restrictions or permitted destinations, as applicable).

7. Retention and erasure

We retain personal data only as long as needed for the purposes described, legal obligations, or dispute resolution, then delete or anonymise it in accordance with our retention practices (see Privacy Policy).

8. Children's data

Where processing relates to children as defined under the DPDP Act, we require parental consent or follow other lawful bases and safeguards as the law requires.

9. Grievance redressal and the Data Protection Board

You may contact our grievance channel (see below). If you are not satisfied with our response, you may escalate in accordance with the DPDP Act, including before the Data Protection Board of India, once applicable processes and rules fully apply to your case.

10. Breach notification

Where the DPDP Act or rules require us to notify the Board and/or affected Data Principals of a personal data breach, we will comply with those requirements.

11. Related documents

• Privacy Policy — categories of data, rights, retention, and contacts.
• Terms & Conditions — contractual terms, including incorporation of the Privacy Policy where referenced.

12. Contact

Grievances and data-rights requests: [GRIEVANCE EMAIL] (Grievance Officer, [COMPANY NAME])

Replace bracketed placeholders with your registered entity name and dedicated grievance inbox before publishing to production users.