DPDPA 2023 — India

Digital Personal Data Protection Act 2023 — Compliance Statement

The Digital Personal Data Protection Act, 2023 (DPDPA) is India's landmark data protection legislation enacted on 11 August 2023. The Digital Personal Data Protection Rules, 2025 were notified by the Central Government, prescribing detailed compliance requirements for Data Fiduciaries. The Data Protection Board of India (DPBI) is being constituted as the enforcement authority. The DPDPA applies to the processing of digital personal data of individuals within India, and to processing outside India if it involves offering goods or services to individuals in India. HostupCloud Technolabs Private Limited (GSTIN: 29AAGCH5335N1Z2), our India entity, is subject to the DPDPA as a Data Fiduciary. This page explains how we comply with the Act and the 2025 Rules.

Last updated: 22 February 2026 · Effective: 22 February 2026 · Privacy contact: privacy@hostupcloud.com

Applicability Consent Data Principal Rights Our Obligations Data Processors Cross-Border Grievance Officer

1. Applicability & Roles

1.1HostupCloud Technolabs Pvt. Ltd. is the primary Data Fiduciary under the DPDPA for personal data processed in connection with services offered to individuals in India.

1.2As a Data Fiduciary, we determine the purpose and means of processing personal data, and we are accountable for compliance with the DPDPA.

1.3When we process personal data on behalf of our business customers (e.g. data stored on their hosted servers), we act as a Data Processor and our customers act as the Data Fiduciary for that data.

1.4'Personal data' under the DPDPA means any data about an individual who is identifiable by or in relation to such data.

1.5'Sensitive personal data' (now referred to under the DPDPA as data requiring heightened protection) includes financial data, health data, biometric data, and data revealing caste, religion, or political opinions.

1.6The DPDPA applies to digital personal data processed: (a) within India; or (b) outside India if it is processed in connection with offering goods or services to individuals in India.

1.7The DPDPA does not apply to personal data made publicly available by the data principal themselves or which is required to be made public by law.

Under the DPDPA, we process personal data on the following lawful bases:

Consent (Section 6)

You give free, specific, informed, unconditional, and unambiguous consent via a clear affirmative action (e.g. account sign-up, cookie consent). Consent is separate from other terms and is withdrawable at any time.

Legitimate Use (Section 7)

Processing is necessary for the performance of a contract with you, compliance with a legal obligation, protection of vital interests, performance of a state function, or for journalistic/research purposes.

Voluntary Data (Section 7(a))

Where you have voluntarily provided personal data (e.g. when filling in a contact form) and have not indicated you do not consent to its use.

Employment Relationship

Processing of employee/contractor personal data as necessary for employment purposes, within the scope of applicable labour law.

2.1Consent notices are provided in clear, plain language in English and, where required, in other scheduled Indian languages.

2.2We do not bundle consent: you may decline consent for non-essential processing without affecting your access to core services.

2.3Consent for children (under 18) requires verifiable parental consent. HostupCloud services are not directed at children under 13.

2.4We do not process sensitive personal data without explicit, specific consent, and we do not process such data in ways you would not reasonably expect.

3. Data Principal Rights

Under Chapter III of the DPDPA, you (as the Data Principal) have the following rights regarding your personal data processed by HostupCloud:

Right to Information (Section 11)

You have the right to obtain a summary of the personal data we process about you and the processing activities being undertaken.

Right to Correction & Erasure (Section 12)

You may request correction of inaccurate or misleading personal data, completion of incomplete data, and erasure of personal data that is no longer necessary for the purpose it was collected.

Right to Grievance Redressal (Section 13)

You have the right to file a grievance with our Grievance Officer (see Section 7) and, if not resolved, to approach the Data Protection Board of India.

Right to Nominate (Section 14)

You may nominate another individual to exercise your DPDPA rights on your behalf in the event of your death or incapacity.

Right to Withdraw Consent

You may withdraw consent for data processing at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

3.1To exercise any of these rights, submit a request to privacy@hostupcloud.com or through your account portal.

3.2We will respond to rights requests within 30 days of receipt.

3.3We will verify your identity before actioning any rights request.

3.4If we cannot identify you from the information provided, we may be unable to fulfil your request.

4. Our Obligations as Data Fiduciary

4.1Purpose Limitation: We collect only the personal data that is necessary for the specific, clear, and lawful purpose for which it is collected.

4.2Data Minimisation: We do not collect personal data beyond what is needed. We periodically review our data collection practices.

4.3Storage Limitation: Personal data is retained only for as long as necessary for the purpose of collection, or as required by law. See our Data Privacy Policy for specific retention periods.

4.4Data Quality: We take reasonable steps to ensure that personal data we process is accurate and complete.

4.5Security Safeguards: We implement appropriate technical and organisational measures to protect personal data from breach, loss, or unauthorised processing.

4.6Breach Notification: In the event of a personal data breach, we will notify the Data Protection Board of India and affected data principals in the manner and within the time required by the DPDPA.

4.7Children's Data: We do not knowingly process personal data of children under 18 without verifiable parental consent, and we do not conduct behavioural monitoring of children.

4.8We do not sell personal data of Indian data principals to third parties for advertising purposes.

5. Data Processors & Consent Managers

5.1We engage third-party Data Processors to assist with payment processing, analytics, support, and infrastructure. These are listed in our Data Processing Agreement (DPA).

5.2We enter into written contracts with all Data Processors, binding them to process personal data only on our documented instructions and to implement adequate security measures.

5.3We remain responsible to data principals for the acts of our Data Processors.

5.4We do not engage Data Processors in countries prohibited by the Data Protection Board under DPDPA cross-border transfer provisions.

5.5If you are a business customer using HostupCloud as your Data Processor (storing your customers' data on our infrastructure), you must ensure you comply with the DPDPA as the Data Fiduciary for that data, including obtaining appropriate consents from your end-users.

The DPDPA introduces the concept of a Consent Manager — a registered entity that enables individuals to give, manage, and withdraw consent. HostupCloud will integrate with registered Consent Manager services as they become available under the DPDPA framework.

6. Cross-Border Data Transfers

6.1The DPDPA permits transfer of personal data to countries or territories not restricted by the Central Government.

6.2HostupCloud transfers personal data to the United Kingdom and European Union, which maintain data protection standards broadly equivalent to or exceeding India's DPDPA.

6.3Where we transfer personal data to the United States (e.g. for payment processing via Stripe/PayPal or analytics via certain providers), we implement standard contractual clauses and ensure the recipient provides equivalent protection.

6.4We will update our cross-border transfer practices as the Central Government publishes the list of permitted and restricted countries under the DPDPA.

6.5We do not transfer personal data to countries that the Central Government notifies as restricted under Section 16(1) of the DPDPA.

The DPDP Rules 2025 have prescribed the framework for cross-border data transfers. The Central Government is expected to publish the list of permitted and restricted countries (the "white list") via official notification. HostupCloud will update this section once the permitted-countries list is finalised. Until then, transfers are made under contractual safeguards (SCCs, IDTAs) with the receiving party.

7. Grievance Officer & Contact

As required by Section 13 of the DPDPA, HostupCloud has appointed a Grievance Officer to handle data principal complaints:

Grievance Officer — HostupCloud Technolabs Pvt. Ltd.

HostupCloud Privacy Team

privacy@hostupcloud.com

GSTIN: 29AAGCH5335N1Z2 · Phone: +91 87625 28280

7.1Grievances must be submitted in writing to the Grievance Officer at the contact above.

7.2We will acknowledge your grievance within 48 hours and resolve it within 30 days.

7.3If you are not satisfied with the resolution, you may approach the Data Protection Board of India (DPBI), which is being constituted under the DPDP Rules 2025.

7.4For matters related to our UK operations, you may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7.5For matters related to our US operations, state-specific privacy rights (CCPA/CPRA for California residents) may also apply.

Exercise Your DPDPA Rights

Submit a privacy request, file a grievance, or ask questions about how we process your personal data.