DPDPA 2023 · compliance statement
How we meet India's data protection law.
The Digital Personal Data Protection Act, 2023 came into force to give Indian users meaningful rights over how their data is processed. This page is our public statement of how Pia complies, role by role, right by right.
Who is who
- Data fiduciary: Pia Prescience Private Limited. We decide the purpose and means of processing for everything that happens through Pia.
- Data processor: Our infrastructure and integration vendors, contractually bound to process only what we instruct them to.
- Data principal: Every individual whose personal data we process: pharmacy owners, employees, customers of pharmacies whose data flows through Pia.
- Grievance officer: Akshat Gupta, founder, reachable at [email protected].
Lawful basis for processing
We process personal data under one of three bases, recorded explicitly per category in our internal records of processing activities:
- Consent — for anything optional: marketing communication, opt-in features, model improvement contributions.
- Legitimate use (specified uses) — the data subject voluntarily provides data to receive a service they have asked for. The product workflow itself.
- Legal obligation — GST records, drug-regulator-mandated retention, lawful directives.
We do not rely on bundled or implied consent. A separately-collected, granular consent is required for anything outside the immediate service.
Your rights, with mechanics
| Right | How to exercise | SLA |
|---|---|---|
| Access — copy of your data | Email [email protected] or use the in-app export. | 7 days |
| Correction & updation | Most fields are user-editable in-app; for system-managed fields, email us. | 3 days |
| Erasure | Email with subject line “Erasure request.” We will verify ownership, then delete, citing any legally-required retention specifically. | 30 days |
| Withdrawal of consent | Toggle off the feature, or email us. We will confirm the effect on the service. | Immediate; effect by next business day |
| Grievance | Email [email protected] with subject line “Grievance.” | 30 days, per the Act |
| Nomination | Send us a signed instrument naming your nominee. We will record it against your account. | Same day on receipt |
There is no charge for any of these requests in normal circumstances. We reserve the right to charge a reasonable fee only for manifestly unfounded or excessive repeat requests, and we'll always explain in writing what we're charging and why.
Notice obligations
Per Section 5 of the Act, we provide notice in plain language at or before the point of collection — the categories of personal data we collect, the purposes, your rights, and how to exercise them. Our consent screens link to the relevant section of the privacy policy.
Cross-border transfers
We process data within India by default. Where data is processed outside India (typically for edge-cached content delivery and security services), the destination is among those permitted under the Act's Section 16 framework, and the processor is contractually bound to the same standards.
Security & breach
Reasonable security safeguards include per-tenant encryption at rest, transport-layer encryption for everything in motion, audited access controls, and tamper-evident audit logs on every action. Our security page describes the posture in detail.
In the event of a personal-data breach, we notify the Data Protection Board of India and affected data principals as required by the Act. Our internal SLA is detection-to-Board notification inside 72 hours.
Children
We do not knowingly process personal data of individuals below 18 as direct Pia users without verifiable parental consent. The product is designed for business use.
Significant Data Fiduciary status
We are not currently classified as a Significant Data Fiduciary under Section 10 of the Act. If that changes — for instance, if we cross a relevant threshold of personal data processed — we will update this page, appoint a Data Protection Officer, conduct mandatory Data Protection Impact Assessments, and submit to periodic audits as the Act requires.
Escalation
If we cannot resolve a grievance to your satisfaction within 30 days, you may approach the Data Protection Board of India under Section 27 of the Act for redress.