Privacy Policy
Privacy Notice under the Digital Personal Data Protection Act, 2023 (India)
Last Updated: June 17, 2026
About Us
Consently (a product of G. Giri & Partners LLP) ("Consently," "we," "us," or "our") operates www.consently.in — an India-focused, all-in-one consent management platform (CMP) that helps businesses collect, manage, record, and audit user consent in a manner aligned with India's Digital Personal Data Protection Act, 2023 (the "DPDPA").
This Privacy Policy explains what personal data we collect about our website visitors, registered users, and customers (collectively "Data Principals," "you," or "your"), why we collect it, how it is used, with whom it is shared, and the rights you hold under the DPDPA.
Data Fiduciary vs. Data Processor. Consently acts as a Data Fiduciary for personal data processed on our own platform and website. Where our customers use Consently on their own websites to collect consent from their end users, those customers are independent Data Fiduciaries for their end users, and Consently acts as a Data Processor on their behalf under the relevant service agreement. This policy covers only the former — see Section 13.
1. Personal Data We Collect
We collect only the personal data necessary for the specific purposes described in this policy.
| Category | Data Attributes | How Collected |
|---|---|---|
| Identity & Account | Full name, username or display name | Provided at registration or profile setup |
| Contact | Email address, business phone number (optional) | Provided during registration, onboarding, or support |
| Business & Organisation | Company name, website URL(s), business type, industry, GST number (for invoicing) | Provided during account setup or subscription |
| Billing & Payment | Billing address, transaction reference IDs. Card/bank details are processed by our payment gateway and are not stored by Consently. | Provided at subscription checkout |
| Usage & Technical | IP address, browser type, operating system, device identifiers, pages visited, features accessed, session duration, cookie preferences, consent-log metadata | Collected automatically via cookies and platform logs |
| Consent & Preference Records | Records of consent given or withdrawn on our website (e.g., cookie-banner choices), with timestamps | Captured when you interact with our own cookie banner |
Sensitive Personal Data
We do not knowingly collect sensitive personal data through the normal operation of our platform.
Children
Our platform is not directed at individuals under 18, and we do not knowingly collect data from children; if we learn we have, we delete it promptly. Where a child's personal data is processed under the DPDPA, the Act requires verifiable consent of a parent or lawful guardian and prohibits tracking, behavioural monitoring, and advertising targeted at children.
2. Purposes of Processing
We process your personal data only for specific, clear, and lawful purposes. We rely primarily on your consent, and in limited cases on the legitimate uses permitted under Section 7 of the DPDPA.
| Purpose | Lawful Basis | Retention |
|---|---|---|
| Account & Platform Access — creating and managing your account. | Consent | Duration of account; deleted within 30 days of closure |
| Subscription & Billing — payments, invoices, renewals, billing records. | Consent / Legitimate Use (legal & tax) | 7 years (GST & accounting law) |
| Support & Grievance Redressal — resolving queries and rights requests. | Consent / Legitimate Use | 3 years from closure of the request |
| Service Communications — account notices, service updates, downtime, policy changes. | Legitimate Use | Duration of account |
| Marketing (optional) — newsletters, announcements, offers. You may opt out anytime. | Consent (opt-in) | Until withdrawal or opt-out |
| Website Analytics & Performance — understanding and improving site usage. | Consent (via cookie banner) | 13 months; aggregated data may be kept longer |
| Security & Fraud Prevention — detecting and responding to threats and abuse. | Legitimate Use | 1 year from detection; extended if legally required |
| Legal & Regulatory Compliance — complying with applicable Indian law and lawful requests. | Legitimate Use | As mandated by law or order |
3. Consent and Grounds of Processing
Consent (Section 6, DPDPA)
For most processing, we rely on your freely given, specific, informed, and unambiguous consent. We present a clear notice before collection, you may withdraw consent at any time (without affecting prior lawful processing), and we do not bundle consent for services that do not require it. Withdrawing consent may limit access to certain features.
Legitimate Uses (Section 7, DPDPA)
In limited cases we process data as a legitimate use — e.g., where you voluntarily provided data for a specified purpose, to comply with law or orders of courts and tribunals, for employment-related obligations, or to respond to a medical emergency or threat to public health.
4. Sharing of Personal Data
We do not sell your personal data. We share it only with the service providers (sub-processors) needed to operate the platform. Each is engaged under its own data-processing terms and confidentiality obligations, and receives only the data necessary for its function.
| Recipient | Data Shared | Location |
|---|---|---|
| Cloud hosting & database | Account, platform & consent data, logs | India (Mumbai) |
| Payment gateway | Billing name & address, transaction amount (no card/bank details stored by us) | India |
| Transactional email | Name, email, message content (OTPs, alerts, invoices, rights/breach notices) | Outside India |
| SMS / OTP delivery | Phone number | Outside India |
| Error monitoring (Sentry) | Technical diagnostics, with personal data scrubbed before transmission | EU (Frankfurt) |
| Performance insights | First-party, cookieless performance metrics | First-party |
| Web analytics (Google Analytics) | Usage & device data — loaded only after you consent via our cookie banner | Outside India |
| Legal authorities | Only where compelled by a lawful order, or to prevent fraud or harm | As required by law |
If Consently is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to this policy and applicable law; we will notify you of any material change in how your data is handled.
5. Where Your Data Is Stored & Cross-Border Transfers
Data residency: Your personal data is stored and processed in India — our database and application compute are both hosted in Mumbai (ap-south-1 / bom1).
A limited set of sub-processors located outside India (for transactional email, SMS delivery, error monitoring, and web analytics — see Section 4) may process specific data abroad. Any such transfer is carried out in compliance with the DPDPA and any rules or orders issued by the Central Government of India, and only to countries not restricted under the DPDPA. Each recipient is bound by its own data-processing terms, and we are formalising data processing agreements with our sub-processors. For details of cross-border transfers relevant to your data, contact our Data Protection Officer (Section 14).
6. Data Retention and Deletion
We retain personal data only as long as necessary for the purpose it was collected, or as required by law — whichever is longer. As part of our routine data-management process, we delete or anonymise personal data within the retention periods set out below:
- Account data: for the duration of your account; deleted or anonymised within 30 days of closure, unless law requires longer.
- Billing & transaction records: 7 years, as required under the GST Act and Indian accounting rules.
- Consent & audit logs: 3 years from the consent event, to enable audit and verification.
- Support, grievance & rights-request records: 3 years from closure of the interaction.
- Analytics data: raw data for 13 months; aggregated, anonymised insights may be kept longer.
- Marketing preferences: until you withdraw consent or opt out.
7. Your Rights as a Data Principal
Under the DPDPA, you hold the following rights over your personal data. To exercise any of them, see Section 8.
8. How to Submit a Request
To exercise any right or raise a privacy grievance, email our Data Protection Officer at dpo@consently.in (or our Grievance Officer at grievance@consently.in). To protect your privacy, we may ask you to verify your identity before acting on a request. We respond within the timelines prescribed under the DPDPA, and where we cannot fulfil a request (for example, due to a legal obligation to retain data) we will explain why.
You may also lodge a complaint with the Data Protection Board of India, once it is operationalised by the Central Government, in the manner prescribed under the DPDPA.
9. Cookies and Tracking Technologies
Because consent management is our core business, we hold our own website to a high standard. Our cookies fall into these categories:
- Essential cookies — required to operate the site (session, security). Set without consent.
- Analytics cookies — help us understand site usage (e.g., Google Analytics). Loaded only after you consent via our cookie banner.
- Functional cookies — remember preferences such as language. Set only with your consent.
- Marketing cookies — used for relevant advertising. Set only with your explicit consent.
You can change your choices at any time through our cookie banner, opt out of analytics via the Google Analytics Opt-Out Add-On, or adjust your browser settings. For full details, see our Cookie Policy. Withdrawing consent for non-essential cookies will not affect core platform functionality.
10. Security of Personal Data
We apply technical and organisational measures to protect your data against unauthorised access, disclosure, alteration, or destruction:
Encryption
All traffic over TLS (HTTPS) with HSTS enforced. Data at rest is encrypted with AES-256 (provider-managed).
Field-Level Email Encryption
Stored email is encrypted at the field level with AES-256-GCM and matched via a SHA-256 hash — no table stores plaintext email.
Access Control
Role-based access, owner-scoped row-level security (RLS), and whitelist-only authenticated access — no public sign-up.
Audit & Monitoring
Server-only, tamper-resistant audit logging, PII-scrubbed error monitoring, and internal adversarial security review as part of our release process.
Breach Management
A live Breach Management Centre with a DPDPA breach register, statutory countdown timers, and data-principal notice tools. We will notify the Data Protection Board of India and affected Data Principals as prescribed under the DPDPA.
Indian Data Residency
Database and application compute are hosted in India (Mumbai), keeping personal data within the country by default.
11. Links to Third-Party Websites
Our website may link to third-party sites or resources. We are not responsible for their privacy practices or content. Please review the privacy policies of any third-party websites you visit.
12. Changes to This Privacy Policy
We may update this policy to reflect changes in our practices, platform, or applicable law. For material changes, we will notify you by email (to the address on your account) or via a prominent notice on our website before the change takes effect. The "Last Updated" date above reflects the most recent revision.
13. Applicability
This policy applies to personal data of individuals who visit www.consently.in or register for and use the Consently platform as customers. It does not govern the personal data that our customers collect from their own end users through Consently — that processing is governed by each customer's own privacy notice and their data processing agreement with us. Please read this policy alongside our Terms of Service and Cookie Policy.
14. Contact & Data Protection Officer
The Data Fiduciary responsible for your personal data is Consently, operated by G. Giri & Partners LLP. For any question, request, or grievance about this policy or your personal data, contact us:
Data Protection Officer
Name: Sushant Aggarwal
Email: dpo@consently.in
Grievance Officer
Email: grievance@consently.in
Registered Office
G. Giri & Partners LLP
Greater Kailash (GK), Delhi, India
If you are not satisfied with our response, you may escalate your grievance to the Data Protection Board of India, once it is operationalised by the Central Government under the DPDPA.