Privacy Policy

Executive Summary: The Imperative for a Privacy Policy

This report is designed to serve as both a comprehensive, legally compliant privacy policy for rozkabhav.com and a foundational guide for its operators to understand and navigate India’s evolving data protection landscape. The core service provided by rozkabhav.com—the aggregation and dissemination of daily prices for fuel, vegetables, metals, and dairy products across India—is fundamentally an informational one. While the price data itself is public and does not constitute “personal data,” the website’s operation necessitates the collection and processing of information about its users, a practice that is now subject to stringent legal requirements in India.

The central conclusion of this analysis is that a robust and transparent privacy policy is no longer a mere formality but a strategic and legal imperative. Compliance is essential to avoid significant financial penalties, which can be as high as ₹250 crore per instance of non-compliance.1 Beyond mitigating legal risk, a clear and accessible policy is a powerful tool for building user trust and enhancing the website’s reputation and credibility in the digital economy.3 The entire framework of this policy is built upon the foundational principles of the Digital Personal Data Protection (DPDP) Act, 2023, India’s first comprehensive law of its kind.

The key recommendations of this report are threefold: first, to immediately implement the comprehensive privacy policy provided herein; second, to establish a transparent, consent-based mechanism for any data collection; and third, to recognize the importance of a separate disclaimer page to address the unique nature of the informational data provided. This integrated approach ensures both legal compliance and the cultivation of a trustworthy relationship with the website’s audience.

The Indian Data Privacy Framework: Navigating the DPDP Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a paradigm shift in India’s legal and digital landscape. Passed in August 2023, it is the country’s first comprehensive privacy law, establishing a robust framework for safeguarding the digital personal data of its citizens.1 The Act’s primary objective is to balance the fundamental right of individuals to protect their personal data with the legitimate need for businesses and other entities to process such data for lawful purposes.5 It applies to all processing of digital personal data within India, including data that was originally in a non-digital format but has since been digitized.1

Key Definitions for Business Owners

To comply with the DPDP Act, an operator of a website like rozkabhav.com must first understand the key terminology and their corresponding obligations.

  • Data Fiduciary: This is the legal term for the rozkabhav.com website owner. A Data Fiduciary is any entity that determines the purpose and means of processing personal data. This role carries the primary legal responsibility for ensuring all data handling practices comply with the Act.1
  • Data Principal: This term refers to any individual whose personal data is being processed. In the context of rozkabhav.com, this is the website visitor or user who interacts with the site.1
  • Personal Data: The Act defines personal data as any information that relates to an identifiable individual, either directly or indirectly.1 For a website like
    rozkabhav.com, this includes information such as an email address collected for a daily alert subscription, a phone number for SMS notifications, an IP address, or browsing history that is automatically gathered via cookies and tracking technologies.4

A common point of misunderstanding arises from the nature of rozkabhav.com’s core service. The daily price updates for fuel, vegetables, and other commodities are public, aggregated information. This data is not “personal data” as it does not relate to or identify a specific individual. The DPDP Act’s protections apply only to the personal data collected from the Data Principal. Therefore, the legal obligation and focus of this privacy policy are not on the price data itself but on the information collected from and about the individual who is accessing the website and its services. This distinction is crucial for understanding the scope of a business’s legal responsibilities.

Core Principles of the DPDP Act

The DPDP Act is built on a set of core principles that every Data Fiduciary must adhere to.

  • Consent-Based Processing: This is the cornerstone of the Act. Personal data can only be processed with the explicit consent of the Data Principal for a legitimate and specified purpose.1 The consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action”.5 This means that pre-ticked boxes or implied consent are not sufficient. For example, a user signing up for an email newsletter must actively and clearly check a box to agree to the processing of their email address for that specific purpose, with a link to the privacy policy provided at the time of collection.2
  • Notice Requirements: A Data Fiduciary must issue a clear and comprehensive privacy notice. This notice is a foundational element of the privacy policy, detailing the types of information being gathered, the purposes for which it is being used, and the rights of the Data Principal.2 The language of this notice must be easy to understand.
  • Data Minimization: The Act mandates that organizations collect only the personal data that is necessary for the specified purpose.2 This principle, also known as “Privacy by Design,” encourages businesses to limit their data collection practices to the bare minimum required to deliver their services and to embed privacy protections into their operations from the outset.2

User Rights Under the Act

The DPDP Act empowers Data Principals with a set of specific rights over their personal information. A legally compliant privacy policy must clearly articulate these rights and provide a straightforward mechanism for users to exercise them.1

  • Right to Access: Individuals have the right to request access to their personal data that a company has collected and processed.6 This includes a right to an easily understandable copy of their data in a commonly used electronic format, along with information about the purposes for which it was processed.8
  • Right to Correction and Completion: If any information stored by the Data Fiduciary is incorrect or incomplete, a Data Principal has the right to request its correction or completion without undue delay.6
  • Right to Erasure (Right to be Forgotten): A Data Principal can request the complete erasure of their personal data when it is no longer required for its specified purpose or when they withdraw their consent.1 The Data Fiduciary is obligated to comply with such requests in a timely manner.8
  • Right to Grievance Redressal: The Act requires a formal system for users to address inquiries or complaints related to the processing of their personal data. The Data Fiduciary must publish the contact details of a designated representative or officer to manage this process.1

Data Collection & Processing Analysis for rozkabhav.com

The data practices of rozkabhav.com can be categorized into information that is actively provided by users and information that is collected automatically.

Anticipated Data Collection & Justification

  • Directly Collected Data: This includes information users willingly submit through forms on the website. For rozkabhav.com, this would most likely be a user’s email address or phone number submitted via a subscription form for “daily alerts” or a “contact us” form.9 The purpose of this collection is to provide a specific, requested service, such as sending daily price updates via email or responding to a user query.3 The legal basis for this is explicit consent, as the user is actively taking a clear, affirmative action to receive the service.1
  • Passively Collected Data: This includes technical and usage information that is automatically gathered from all visitors to the website. This information may include Internet Protocol (IP) addresses, browser type, operating system, and a record of the pages visited.9 This data is typically collected through cookies and other tracking technologies for purposes such as improving site functionality, analyzing traffic patterns, and ensuring network and information security.3 The legal basis for this passive collection can be “legitimate interest” for basic site operation and security, or explicit consent for non-essential cookies used for analytics or advertising.

The distinction between these two types of data is crucial for compliance. The DPDP Act mandates that all data processing be tied to a specific and lawful purpose. For a website like rozkabhav.com, the purposes are clearly defined by the services it offers and the need for basic operational security.

Table 1: Data Types, Purposes, and Legal Basis

To provide a clear overview of the data practices, the following table maps the anticipated data collection for rozkabhav.com, its purpose, and the corresponding legal basis under the DPDP Act, along with a recommended retention period.

Type of Data CollectedPurpose of CollectionLegal Basis (DPDP Act)Retention Period
Email AddressTo send daily price updates and service-related communications.Explicit Consent.As long as the user is subscribed.
Phone NumberTo send price alerts via SMS or WhatsApp.Explicit Consent.As long as the user is subscribed.
IP Address, Browser Info, Operating SystemFor website analytics, to improve site functionality and performance.Legitimate Interest or Explicit Consent for non-essential cookies.Up to 12 months for analytics data.
Server and System Logs (IP address, timestamps)To monitor and ensure network and information security.Legitimate Interest.Typically 6-12 months.
Cookie DataTo enable website functionality, remember user preferences, and analyze traffic.Explicit Consent required for non-essential cookies (e.g., analytics).Varies depending on cookie type; up to 12 months for analytics.

Third-Party Services and Data Sharing

A website’s data practices often involve sharing information with third-party service providers. For rozkabhav.com, this could include services like Google Analytics for traffic analysis, an email marketing platform for sending alerts, or an advertising network.6 The DPDP Act strictly regulates this practice, requiring Data Fiduciaries to obtain explicit consent before sharing personal data with third parties.16

A critical operational consequence of this requirement is the necessity of a formal, legally binding Data Sharing Agreement (DSA) with every third-party vendor that processes personal data on the website’s behalf.16 The DPDP Act considers these third parties as “Data Processors,” and the Data Fiduciary remains legally accountable for their handling of the data. A DSA must specify the types of data that can be shared, the purpose for sharing, the security measures that must be taken to protect the data, and the data retention policy of the processor.16 The absence of such an agreement exposes the Data Fiduciary to significant legal risk, as it would be unable to enforce compliance with the DPDP Act on its partners, thereby failing to meet its own legal obligations.

Proposed Privacy Policy for rozkabhav.com

The following is a proposed Privacy Policy for rozkabhav.com, drafted to be compliant with the Digital Personal Data Protection Act, 2023, and other applicable laws and standards.

Privacy Policy

This Privacy Policy governs the manner in which rozkabhav.com (referred to as “the Website,” “we,” “us,” or “our”) collects, uses, maintains, and discloses information collected from users (each, a “User,” “you,” or “Data Principal”) of the rozkabhav.com website. This policy has been created in accordance with the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). By using the Website, you agree to the practices described in this Privacy Policy.

1. Information We Collect

We are a public information service and do not collect any personally identifiable information from you without your consent. We collect two types of information from our Users:

  • Information You Provide to Us: This includes any personal data you voluntarily submit to us, such as your:
  • Email Address: For subscribing to our daily price alert newsletter.
  • Phone Number: For subscribing to our SMS or WhatsApp alert services.
  • Name: If provided in a contact or inquiry form.
  • Information Collected Automatically: When you visit our Website, we automatically collect certain technical information about your device and usage activity. This information is non-personally identifiable and is used to analyze trends, administer the site, and improve user experience. This may include:
  • Internet Protocol (IP) Address: Your device’s unique identifier used for internet communication.
  • Browser Type and Operating System: Information about the software you use to access the Website.
  • Usage Data: Details about the pages you visit, the time you spend on the Website, and your interactions with the content.

2. How We Use Your Information

We use the information we collect for the following specific and legitimate purposes:

  • To Provide Requested Services: We use the email addresses and phone numbers you provide to deliver daily price updates, alerts, and notifications that you have subscribed to.
  • For Site Analytics and Improvement: We use automatically collected data to analyze traffic patterns, understand how our Website is being used, and improve its functionality and content to better serve our Users.
  • To Ensure Security: We use technical data to monitor network activity, prevent fraudulent activities, and protect our Website and its Users from security threats.
  • To Respond to Inquiries: If you contact us via a form or email, we use the information you provide to respond to your questions or feedback.

3. Disclosure and Sharing of Your Information

We do not sell your personal data to any third party. We may share your information only in the following limited circumstances:

  • With Service Providers: We may share your information with trusted third-party service providers who assist us in operating our Website and delivering our services, such as email delivery platforms, analytics providers (e.g., Google Analytics), or hosting services. These third parties are bound by strict confidentiality and data protection obligations and are only permitted to process your data for the purposes we have specified.
  • For Legal Purposes: We may disclose your information if we are required to do so by law, court order, or governmental requests, or when we believe in good faith that such action is necessary to comply with legal obligations, protect our rights or property, or ensure the safety of our Users or the public.

4. Data Security Measures

We are committed to protecting the integrity and confidentiality of your personal data. We implement reasonable technical, administrative, and physical security measures to safeguard your information from unauthorized access, loss, or misuse. However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

5. Your Rights as a Data Principal

As a Data Principal under the DPDP Act, you have the following rights regarding your personal data:

  • Right to Access: You have the right to request and receive a copy of your personal data that we have collected.
  • Right to Correction and Completion: You have the right to request that we correct or complete any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure: You have the right to request the deletion of your personal data, particularly when it is no longer necessary for the purpose for which it was collected.
  • Right to Grievance Redressal: You have the right to have a dedicated and accessible mechanism to address your complaints.

To exercise any of these rights, please contact our Grievance Officer using the contact information provided in this policy.

6. Children’s Privacy

Our Website is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a child under 18 without verifiable parental consent, we will take immediate steps to delete the information from our records.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our Website. Cookies are small text files placed on your device by a web server. They help us remember your preferences, track user movements, and compile aggregated statistical data about site usage.6 Our use of cookies is disclosed in accordance with our contractual obligations with partners like Google, whose terms of service for Google Analytics explicitly require this disclosure.17 Google Analytics uses first-party cookies to measure user interactions, and while it prohibits customers from sending Personally Identifiable Information, its use must be disclosed.18 You may manage your cookie preferences through our consent banner or by adjusting your browser settings. Please note that disabling cookies may affect the functionality of some features on our Website.9

8. Data Retention Policy

We retain your personal data only for as long as necessary to fulfill the purpose for which it was collected, to provide our subscribed services, or to comply with our legal obligations. For example, we will retain your email address for as long as you remain subscribed to our alerts.9 Once the data is no longer needed, it will be securely deleted or anonymized.

9. Grievance Redressal and Contact Information

To address any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our designated Grievance Officer:

Name: Deepak

Designation: Content Manager

Email:

Phone:

10. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or to comply with new legal requirements. We will notify you of any significant changes by posting the updated policy on this page, and we may also notify you via email or a prominent notice on the Website.9

This Privacy Policy was last updated on: 23/09/2025

Implementation and Ongoing Compliance Recommendations

Technical Implementation

A legally compliant privacy policy is only effective if it is technically implemented correctly.

  • The Consent Management Platform (CMP): The “clear affirmative action” requirement of the DPDP Act means that a simple banner stating “We use cookies” is insufficient.2 The website must deploy a robust Consent Management Platform (CMP) that presents a clear choice to users. This platform should be designed to prevent non-essential cookies, such as those used for analytics or advertising, from loading until the user has given explicit, affirmative consent.17 This approach ensures that the business is not collecting or processing data without a valid legal basis.
  • Accessibility and Visibility: The privacy policy must be easily discoverable by all users. A link to the policy should be prominently displayed on every page of the website, typically in the footer, to ensure that the required information is always accessible and a single click away.3

Operational Compliance

Compliance is not a one-time task but an ongoing operational responsibility.

  • Handling User Requests: The business must have a defined, practical process for handling user requests to access, correct, or delete their personal data. This involves setting up a dedicated email inbox for privacy inquiries and training the designated Grievance Officer on how to fulfill these requests promptly and securely, as required by law.8
  • Data Retention and Secure Deletion: The Data Fiduciary has a duty to securely delete personal data when it is no longer needed for the purpose for which it was collected.1 This necessitates a periodic review of data stored and a process for its secure and permanent deletion to prevent any risk of a data breach.
  • Data Breach Notification: A critical aspect of the DPDP Act is the requirement to notify the newly formed Data Protection Board and the affected Data Principals in the event of a personal data breach.2 The business should have a clear, pre-defined plan for responding to a breach, including internal protocols and communication strategies.

Integrating with Other Website Policies

While a privacy policy addresses the handling of personal data, a website that provides publicly available, non-personal information, such as commodity prices, requires an additional layer of legal protection. A thorough review of similar government and private informational websites in India reveals a universal practice of including a separate, dedicated “Disclaimer” page. This is not a matter of privacy but of liability.

The core service of rozkabhav.com is providing data that could be used by individuals or businesses for financial or operational decisions (e.g., trading, purchasing). There is an inherent risk that this data could be inaccurate, outdated, or misinterpreted, leading to a user suffering a loss. A disclaimer is a crucial legal instrument that protects the business by stating that the information provided is for general purposes only, is not professional advice, and is used at the user’s sole risk.19 This legal protection complements the privacy policy, which is concerned with protecting the user’s personal information, by addressing a different type of risk related to the content itself. A separate disclaimer ensures legal clarity and safeguards the business from potential lawsuits arising from the use of its informational content.

Conclusion and Forward-Looking Statement

The enactment of the Digital Personal Data Protection Act, 2023, marks a significant and definitive moment for digital businesses in India. For rozkabhav.com, this means that a comprehensive, transparent, and legally-compliant privacy policy is no longer a choice but a mandatory component of its operation. This report has provided a complete policy and a detailed guide to the underlying legal principles, from the core concepts of the DPDP Act to the practical steps required for its implementation.

By adhering to the principles of consent, purpose limitation, and data minimization, and by actively respecting the rights of Data Principals, rozkabhav.com can transform a legal obligation into a competitive advantage.2 A commitment to data privacy builds user trust, strengthens brand reputation, and establishes a foundation of credibility in the digital marketplace. India’s regulatory framework is dynamic and continuously evolving, with the DPDP Act serving as a foundation for future regulations.7 Ongoing vigilance and a commitment to updating data practices in line with new legal requirements will be essential to ensure continued compliance and long-term business success.

Works cited

  1. Digital Personal Data Protection Act, 2023: Key Features and Implications for Data Privacy in India – Lexcomply.com, accessed on September 23, 2025, https://lexcomply.com/blog/digital-personal-data-protection-act-2023-key-features-and-implications-for-data-privacy-in-india/
  2. Brace Yourselves: The Game-Changing Impact of India’s DPDP Act, 2023 | Tripwire, accessed on September 23, 2025, https://www.tripwire.com/state-of-security/brace-yourselves-game-changing-impact-indias-dpdp-act
  3. What is a Privacy Policy and Do You Need One? Here’s What You Need to Know – Iubenda, accessed on September 23, 2025, https://www.iubenda.com/en/help/6187-what-should-be-in-a-privacy-policy
  4. What is a privacy policy and why do you need one? – Usercentrics, accessed on September 23, 2025, https://usercentrics.com/knowledge-hub/what-is-a-privacy-policy-and-why-do-you-need-one/
  5. THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (NO. 22 OF 2023) An Act to provide for the processing of digital personal data in, accessed on September 23, 2025, https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
  6. How to Write a Privacy Policy: 12 Essential Guidelines and Steps – Cookiebot, accessed on September 23, 2025, https://www.cookiebot.com/en/how-to-write-a-privacy-policy/
  7. Navigating Digital Privacy Laws in Indian Advertising – India agent, accessed on September 23, 2025, https://india-agent.com/navigating-digital-privacy-laws-in-indian-advertising/
  8. Digital Personal Data Protection DPDP Act India 2023 – What You Need To Know, accessed on September 23, 2025, https://cookiefirst.com/digital-personal-data-protection-dpdp-act-india-2023-what-you-need-to-know/
  9. Privacy Policy – Commodities Control, accessed on September 23, 2025, https://www.commoditiescontrol.com/eagritrader/revamp/privacy-policy.php
  10. Privacy Policy – Agriculture Marketing, accessed on September 23, 2025, https://agmarknet.gov.in/OtherPages/privacy.aspx
  11. Privacy Policy – Commodity Samachar, accessed on September 23, 2025, https://commoditysamachar.com/privacy
  12. Privacy Policy – Telecom Ad India |, accessed on September 23, 2025, https://www.telecomadindia.in/privacy-policy
  13. Privacy statement – Admincontrol, accessed on September 23, 2025, https://admincontrol.com/privacy-statement
  14. How to Create a Privacy Policy for Your Online Shop (Template Included) – Pay.com, accessed on September 23, 2025, https://pay.com/blog/how-to-create-a-privacy-policy
  15. The Privacy Policy – TradeSmart, accessed on September 23, 2025, https://tradesmartonline.in/privacy-policy
  16. India’s Data Sharing Agreement | Comprehensive Guide to Data Protection and Non-Disclosure Agreements – Secure Privacy, accessed on September 23, 2025, https://secureprivacy.ai/blog/india-dpdp-act-data-sharing-agreements
  17. Privacy Policy for Google Analytics – iubenda help, accessed on September 23, 2025, https://www.iubenda.com/en/help/11994-privacy-policy-for-google-analytics
  18. Safeguarding your data – Analytics Help – Google Help, accessed on September 23, 2025, https://support.google.com/analytics/answer/6004245?hl=en
  19. Disclaimer | NATIONAL LEGAL SERVICES AUTHORITY (NALSA) | India, accessed on September 23, 2025, https://nalsa.gov.in/disclaimer/
  20. Disclaimer | Data Security Council of India, accessed on September 23, 2025, https://www.dsci.in/content/disclaimer