Privacy Policy

1. About This Policy

This Privacy Policy explains how ClearConsent DataSec Pvt. Ltd. ("ClearConsent", "we", "us", or "our") collects, uses, discloses, and safeguards personal data when you visit clearconsent.in, use our platform, or interact with us in any other way.

This Policy applies to all individuals whose personal data we process, including website visitors, prospective customers, platform users, and partner organisations. It is governed by the Digital Personal Data Protection Act, 2023 (DPDPA) and the Digital Personal Data Protection Rules, 2025, along with any other applicable Indian laws.

By using our website or platform, you acknowledge that you have read and understood this Policy. If you do not agree, please discontinue use of our services.

2. Who We Are

ClearConsent DataSec Pvt. Ltd. is a Data Fiduciary as defined under Section 2(i) of the Digital Personal Data Protection Act, 2023. We determine the purpose and means of processing personal data in connection with our DPDPA compliance SaaS platform.

Detail	Information
Legal name	ClearConsent DataSec Pvt. Ltd.
Registered in	India
Website	clearconsent.in
Grievance contact	grievance@clearconsent.in
Privacy contact	privacy@clearconsent.in

3. Personal Data We Collect

We collect only the personal data that is necessary for the purposes described in this Policy. The categories of personal data we collect are set out below.

Data Category	Examples	How Collected
Identity	Full name, email address, phone number, job title, company name	Contact, demo, consultation, partner, and training forms
Account	Login email address, hashed password	Partner and admin account registration
Usage	Pages visited, platform features used, button clicks, session duration	Google Analytics and server-side event logging
Device & Technical	IP address, browser type and version, operating system, device type, referrer URL	Collected automatically on each visit
Consent Records	Consent ID, timestamp, choices made, consent notice hash, Data Principal identifier	DPDPA-compliant audit trail generated by the ClearConsent platform
Communications	Messages submitted via contact or enquiry forms, support requests	Form submissions and email correspondence

We do not collect special categories of data (such as health, biometric, or financial data) unless you explicitly provide such information in a communication with us, in which case it is processed only for the purpose of responding to you.

4. How We Use Your Data

We use the personal data we collect for the following purposes:

• Respond to enquiries, schedule product demonstrations, and follow up on consultation requests
• Provide, operate, maintain, and improve the ClearConsent compliance platform
• Send one-time password (OTP) verification codes via email (Resend) and SMS (Twilio Verify) to authenticate users
• Manage billing, invoicing, and partner account administration
• Conduct aggregated analytics and product improvement using usage data
• Fulfil legal compliance and audit obligations imposed by DPDPA 2023, including maintaining consent audit records for the legally required retention period
• Send marketing communications about our products, services, and events — only where you have given explicit consent to receive such communications

5. Legal Basis for Processing (DPDPA 2023 Sections 4–7)

Under the Digital Personal Data Protection Act, 2023, we process personal data only where a valid legal basis exists. The table below maps each processing purpose to its applicable legal basis.

Processing Purpose	Legal Basis
Responding to enquiries and scheduling demos	Consent — Section 6 of the DPDPA
Providing and operating the ClearConsent platform	Contract performance / legitimate use — Section 7
OTP verification (email and SMS)	Consent — Section 6 of the DPDPA
Website analytics (Google Analytics)	Legitimate interest — Section 7
Maintaining DPDPA consent audit records	Legal obligation — Section 8
Marketing communications	Explicit consent — Section 6 of the DPDPA

Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

6. Data Processors & Third Parties

We engage the following third-party Data Processors who process personal data on our behalf under written data processing agreements. We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.

Processor	Purpose	Location
Resend	Email OTP delivery and transactional notifications	United States
Twilio	SMS OTP verification via Twilio Verify	United States
Google Cloud Platform	Infrastructure hosting, Cloud SQL database (PostgreSQL)	Singapore region (asia-southeast1)
Google Analytics	Aggregated, anonymised website usage analytics	United States (data aggregated)

Cross-Border Transfers

Transfers of personal data to Resend, Twilio, and Google Cloud (hosted outside India) are made under adequate safeguards as permitted by Section 16 of the DPDPA 2023 and any applicable Central Government notifications regarding countries or territories to which such transfers are permitted. We enter into data processing agreements with each processor that impose obligations consistent with DPDPA requirements.

We may also disclose personal data where required by law, court order, or regulatory authority, or to protect the rights, property, or safety of ClearConsent, our users, or the public.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by law.

Data Category	Retention Period
Enquiry and lead data	3 years from the date of submission
Partner account data	Duration of the partnership + 1 year after termination
Consent audit records	7 years (DPDPA compliance obligation under Section 8)
OTP records	30 minutes (auto-purged after expiry)
Server and application logs	90 days
Marketing preferences and consent	Until consent is withdrawn or the account is deleted

When personal data is no longer required, we securely delete or anonymise it in accordance with our data disposal procedures.

8. Your Rights Under the DPDPA 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights in relation to your personal data:

• Right to Information (Section 11): You have the right to obtain confirmation of whether we process your personal data, a summary of the personal data we hold, the purposes of processing, and the identities of any Data Processors or other parties with whom your data has been shared.
• Right to Correction and Erasure (Section 12): You have the right to request correction of inaccurate or incomplete personal data, and to request erasure of personal data that is no longer necessary for the purpose for which it was collected, or where consent has been withdrawn.
• Right of Grievance Redressal (Section 13): You have the right to have your grievances addressed by our Grievance Officer. We will acknowledge grievances within 48 hours and resolve them within 30 days.
• Right of Nomination (Section 14): You have the right to nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. Nomination requests should be submitted to privacy@clearconsent.in.
• Right to Withdraw Consent (Section 5(3)): Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of any processing carried out before the withdrawal.
• Right to Complain to the Data Protection Board (Section 27): If your grievance is not resolved to your satisfaction, you have the right to approach the Data Protection Board of India for redressal.

9. How to Exercise Your Rights

To exercise any of the rights listed in Section 8, please send a written request to privacy@clearconsent.in including the following information:

• Your full name and the email address registered with ClearConsent
• The specific right you wish to exercise
• Sufficient detail to allow us to identify and locate the relevant personal data

We will acknowledge your request within 48 hours and provide a substantive response within 30 days as required by Section 13(2) of the DPDPA. We may ask you to verify your identity before processing your request to prevent unauthorised disclosure or deletion of personal data.

If your request involves erasure of data that we are legally obliged to retain (for example, consent audit records required under Section 8), we will explain which data cannot be erased and why.

10. Cookies & Tracking

We use cookies and similar tracking technologies on our website. For full details of the cookies we use, their purpose, and how to manage your preferences, please see our Cookie Policy.

We use Google Analytics to collect aggregated, anonymised data about how visitors use our website. This data does not identify you personally. You may opt out of Google Analytics tracking at any time by installing the Google Analytics opt-out browser add-on or by adjusting your cookie preferences.

11. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, including:

• AES-256-GCM encryption for sensitive data at rest
• HTTPS/TLS encryption for all data in transit, with HSTS enforced
• bcrypt hashing for all stored passwords
• Role-based access controls and least-privilege permissions
• SHA-256 cryptographic audit chains for consent records to ensure tamper-evidence
• Regular internal security assessments and vulnerability reviews

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to affect your rights and interests, we will notify you as required under Section 8(7) of the DPDPA 2023.

12. Children's Privacy

The ClearConsent platform and website are directed at business professionals and are not intended for use by children under the age of 18. We do not knowingly collect personal data from persons under 18. If we become aware that we have inadvertently collected personal data from a child, we will take prompt steps to delete that data. If you believe we may have collected data from a child, please contact us at privacy@clearconsent.in.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will revise the "Last updated" date at the top of this page.

For material changes that significantly affect how we handle your personal data, we will provide additional notice by email to registered users and/or by displaying a prominent notice on our website. We encourage you to review this Policy periodically to stay informed about how we protect your data.

Your continued use of our website or platform after any changes to this Policy constitutes your acknowledgement of the updated terms.

14. Grievance Officer

As required by Section 13 of the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer to address your data protection concerns. You may contact our Grievance Officer using the details below.

If your grievance is not resolved to your satisfaction within the prescribed period, you may escalate your complaint to the Data Protection Board of India under Section 27 of the DPDPA 2023.