DPDPA Compliance
Effective 10 July 2026. Latest revision published to napdesigns.com/dpdpa-compliance.
The Digital Personal Data Protection Act 2023 (“DPDPA”) is India's data-protection statute. This page explains how the NAP Designs WhatsApp Business Platform helps you meet your obligations as a Data Fiduciary and how NAP Designs operates as a Data Processor on your behalf.
1. Roles
- You (the business) are the Data Fiduciary. You determine the purpose and means of processing your customers' data.
- NAP Designs is a Data Processor. We only process customer data on your instructions to operate the Platform.
- Your customers (the individuals sending you WhatsApp messages) are the Data Principals.
2. Consent capture
Under DPDPA § 6, you must obtain free, specific, informed, unambiguous consent before processing personal data. The Platform helps you demonstrate consent by:
- A dedicated
consentcheckbox on the WordPress plugin's pre-chat form, storing the consent event on the contact record with source and timestamp - Manual opt-in toggle in Contacts UI with the source and time of consent recorded
- CSV import consent column that requires an explicit “yes/1/ true” to set
opt_in = true - Every outbound send path (broadcast, flow, template, inbox) hard- blocks contacts marked
opt_out_at != null
3. Opt-out
DPDPA § 7 grants Data Principals the right to withdraw consent. Every inbound message is scanned for opt-out keywords:
- Stop family — stop, unsubscribe, cancel, end, quit, optout, opt-out, dnd, no thanks, not interested
- Start family — start, subscribe, resubscribe, join, yes, optin
When a match is detected, the Platform immediately updates the contact record, replies with a confirmation message on WhatsApp, and prevents any further outbound send until the customer opts back in.
4. Notice
DPDPA § 5 requires you to provide an itemised notice to Data Principals. Sample opt-in copy you can adapt:
By replying YES, you agree that [your business] may send you updates about your order, delivery and offers via WhatsApp. Reply STOP any time to unsubscribe. Our privacy notice is at[your privacy URL].
5. Data Principal rights
Under DPDPA § 11–14 Data Principals may request from you (as Fiduciary) the following. NAP will assist you within 5 business days of your request to us:
- Access — export a copy of all data held on that contact
- Correction and completion
- Erasure — delete the contact and message history
- Grievance redressal — escalate to your Grievance Officer
6. Grievance Officer
Every Data Fiduciary must publish a Grievance Officer. If you are an NAP customer and act as the Fiduciary for your own audience, you must publish your own Grievance Officer on your website. For grievances relating to NAP's own processing of your account holder data (e.g. your login), our Grievance Officer is:
Grievance Officer · NAP Designs · Mumbai, India · grievance@napdesigns.com · response within 30 days.
7. Data breach notification
DPDPA § 8(6) requires notification to the Data Protection Board of India in the event of a personal-data breach. NAP maintains an incident-response playbook. If a breach affects your account, we will notify you without undue delay (target: within 24 hours of confirmation) with:
- Nature of the incident
- Categories and approximate number of records affected
- Steps taken to contain
- Recommended actions on your side
8. Data localisation
All personal data is stored in AWS ap-south-1 (Mumbai). We do not transfer personal data outside India without your explicit instruction and without appropriate safeguards.
9. Sub-processors
See the Privacy Policy §5 for the current list. Any addition or replacement is announced with 30 days notice.
10. Records of processing
The Platform automatically logs every send, receive, and administrative action in an append-only audit table. On written request you can access up to 12 months of audit logs at legal@napdesigns.com.
11. Contact
NAP Designs · Mumbai, India · Data Protection Officer: dpo@napdesigns.com