Our alignment with the Digital Personal Data Protection Act, 2023.

cmplihr.ai is designed to support our customers' obligations under the Digital Personal Data Protection Act, 2023 (the "DPDP Act"). This page summarises how the Platform and our website handle personal data within the framework of the DPDP Act.

1. Roles under the DPDP Act

When you visit our website, cmplihr.ai is the Data Fiduciary in relation to the personal data you submit. When you use the Platform under a customer subscription, our customer (your employer) is the Data Fiduciary and cmplihr.ai is the Data Processor.

2. Lawful processing

We process personal data only on a lawful basis recognised under the DPDP Act — typically with consent, for performance of a contract, for compliance with a legal obligation, or for a recognised legitimate use.

3. Notice and consent

Where consent is required, we provide a clear notice describing the purpose, the categories of personal data processed, and the rights of the Data Principal. Consent can be withdrawn at any time at no penalty for future processing.

4. Purpose limitation and minimisation

We collect only the personal data needed for a defined purpose. We do not repurpose personal data beyond what was disclosed at the point of collection without obtaining fresh consent.

5. Data principal rights

• Right to information about processing.
• Right to access, correction, completion and updating of personal data.
• Right to erasure where the purpose has been served.
• Right to nominate, in the event of incapacity or death.
• Right of grievance redressal through our Grievance Officer.

6. Children's data

We do not direct our website or Platform at children. We do not knowingly collect children's personal data without verifiable parental consent as required under the DPDP Act.

7. Security safeguards

We implement reasonable security safeguards as required by the DPDP Act, including encryption, access controls, monitoring and incident-response procedures. Please see our Security Policy for further detail.

8. Breach notification

In the event of a personal data breach, we notify the Data Protection Board and affected Data Principals in the manner and within the timelines required by the DPDP Act and subordinate rules.

9. Cross-border transfers

Customer content is hosted within India. Any limited operational processing outside India is subject to contractual safeguards and is restricted to jurisdictions not specifically prohibited by the Central Government under the DPDP Act.

10. Grievance redressal

Data Principals may raise grievances to our Grievance Officer at [email protected]. We endeavour to acknowledge complaints promptly and respond within the timelines prescribed under the DPDP Act.