Compliance
DPDP Compliance
1. DPDP Act 2023 Overview
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s comprehensive data protection law. It governs how organizations (“Data Fiduciaries”) process personal data of individuals (“Data Principals”) residing in India. This page summarizes how Brickplot complies with the Act.
This page is a companion to our Privacy Policy; both apply together.
2. Data Fiduciary & Data Principal
Data Fiduciary: Brickplot (operated by Webfluence Marketing Solutions). We determine the purpose and means of processing personal data.
Data Principal: You — any individual whose personal data we process (visitors, newsletter subscribers, registered users, reviewers).
Data Processors: service providers we engage (Google Analytics, email service, host, CDN). Processors act only on our instructions.
3. Consent Management
3.1 How we obtain consent
Under §6 of the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action. Brickplot obtains consent via:
- Cookie consent banner on first visit — default state is essential-only; analytics and preference cookies require affirmative opt-in
- Newsletter opt-in — unchecked checkbox; double opt-in email confirmation
- Review submission — explicit consent statement with each submission
- Contact form — consent notice at point of collection
3.2 Consent language (sample)
3.3 Consent records
We maintain auditable consent records: timestamp, IP (hashed), consent version, selections made, and withdrawal history. Records are retained for the duration of processing plus 3 years for audit.
3.4 Consent UI pattern
- Separate checkboxes per purpose (no “bundled” consent)
- No pre-ticked boxes for non-essential processing
- “Accept All” and “Reject Non-Essential” given equal visual weight
- Withdrawal as easy as consent (one-click unsubscribe, one-click cookie reset)
4. Rights of Data Principals
| Right (DPDP §11–15) | What you can do | How to exercise |
|---|---|---|
| Access | Obtain a summary of personal data we process and with whom we share it | Email privacy@brickplot.com — “Data Access Request” |
| Correction | Correct inaccurate, incomplete, or outdated data | Email privacy@brickplot.com with specifics |
| Erasure | Delete data no longer needed for its purpose | Email privacy@brickplot.com — “Erasure Request” |
| Grievance | Readily available means to file a complaint | Contact Grievance Officer (below) |
| Nominate | Nominate another person to exercise rights in the event of death or incapacity | Email privacy@brickplot.com with notarized nomination |
Response SLA: 30 days for all rights requests. If a response is delayed, we will notify you with the reason.
5. Withdraw Consent at Any Time
- Marketing emails: click “Unsubscribe” in any email
- Analytics cookies: update preferences via the cookie banner (appears on request) or clear cookies in your browser
- Account data: request deletion at privacy@brickplot.com
- All consent withdrawal: email privacy@brickplot.com — “Withdraw All Consent”
Withdrawing consent does not affect the lawfulness of processing before withdrawal.
6. Children & Guardians
Under DPDP §9, processing of personal data of a child (under 18) requires verifiable consent of a parent or lawful guardian. Brickplot does not knowingly process children’s data. If you are a parent or guardian and believe we have collected data about a child, email privacy@brickplot.com and we will delete it within 7 days.
We do not undertake tracking, behavioral monitoring, or targeted advertising directed at children.
7. Grievance Officer
Under DPDP §8(9), every Data Fiduciary must designate a Grievance Officer responsive to Data Principal queries and complaints.
Grievance Officer
Name: Rohtash Tiwari
Email: grievance@brickplot.com
Phone: PENDING VERIFICATION: Grievance Officer phone number
Postal Address: PENDING VERIFICATION: Full postal address of Brickplot c/o Webfluence Marketing Solutions
Under the Digital Personal Data Protection Act, 2023, you may contact the Grievance Officer for any complaints regarding the processing of your personal data.
8. Data Protection Board of India
Once established, the Data Protection Board of India is the statutory body that adjudicates complaints under the DPDP Act. If your grievance is not resolved within 30 days, or you are dissatisfied with our response, you may escalate to the Board.
Official Board contact (once notified): https://meity.gov.in/dpdp-act (interim; DPB-I will publish a dedicated URL when formally constituted)
9. Cross-Border Data Transfer
DPDP §16 allows transfer of personal data outside India except to countries notified as restricted. Brickplot uses international processors (Google Analytics, potentially CDNs) whose data flows may cross borders.
- Storage region (primary): India (MilesWeb Premium shared hosting)
- International sub-processors: Resend (US/EU, DPA signed), Google (Search Console, US, DPF-compliant), Meta (Pixel, US, SCCs in place when used). Data transfers are governed by standard contractual clauses.
10. Personal Data Breach Response
Under DPDP §8(6), we must notify the Board and affected Data Principals of a breach. Brickplot’s response plan:
- Detect & contain — within 24 hours of discovery
- Assess scope — what data, how many principals, risk of harm
- Notify Board — within 72 hours of discovery, in the prescribed format
- Notify affected principals — within 72 hours; include nature of breach, data affected, steps we are taking, what they can do
- Public notice — published on brickplot.com if widespread
- Post-mortem — root cause + remediation logged; shared on request
11. Records & Audit
We maintain records of processing activities (categories of data, purposes, recipients, retention, safeguards) and make them available to the Data Protection Board upon request. An internal audit is performed annually; results drive policy updates.