DPDP 2023 disclosure · effective 2026-05-15

Your rights as a Data Principal under India's Digital Personal Data Protection Act, 2023.

This page is the single place where Pooja's DPDP compliance posture lives. If you only read one legal page on this site, read this one.

Data Fiduciary (the controller)

Empire Apps, published by Aditya Sharma. Indian sole proprietor with place of business in India.

This is the entity that decides the purposes and means of processing your personal data for Pooja. Empire Apps is also the publisher of Hisaab, Khazaana, Tankhwah, Sehat, Aramgah, Almari, Dial, Wasiyat, Bachcha, and Sarathi — eleven apps sharing one chassis.

Grievance Officer

Aditya Sharma · dpdp@taxwalaai.com

Per Section 8 of DPDP 2023, the Data Fiduciary must publish the contact details of a Grievance Officer who shall respond within the timelines prescribed by the Data Protection Board. We respond within 7 days for non-erasure grievances and within 30 days for erasure requests.

Lawful basis for processing

Your rights and how to exercise them

Section 11

Right to access

Receive a JSON export of everything Empire Apps holds on you. Email dpdp@taxwalaai.com with subject "DPDP access · Pooja". Delivered within 7 days.

Section 12

Right to correction + erasure

Correct errors or delete your data. Email subject "DPDP correction · Pooja" or "DPDP erasure · Pooja". Erasure completed within 30 days, except for data we are legally required to retain (RBI, Income Tax).

Section 13

Right to grievance redressal

If our response is unsatisfactory, you may file a complaint with the Data Protection Board of India at meity.gov.in.

Section 14

Right to nominate

Name another person who can exercise your rights if you are unable to (death, incapacity). Settings → DPDP → Nominate.

Section 6(4)

Right to withdraw consent

Stop our processing at any time. Prospective only (we keep what we already processed, as the law allows). Settings → DPDP → Withdraw consent.

Section 9

Children's data

Pooja is not intended for users under 18. The chassis enforces an 18+ self-declaration. We do not knowingly process children's personal data.

Cross-border transfer

Empire Apps stores all personal data on infrastructure routed through India (Cloudflare Mumbai region, Coolify on Oracle India ARM, PocketBase on Oracle India ARM). No personal data leaves India in normal operation.

Exceptions: Razorpay processes payments per its own RBI-licensed processing; Google Fonts serves Devanagari and Crimson Pro fonts from its global CDN (no personal data is sent in that request).

Sensitive data and the trust ledger

For 80G donations, Section 7 of DPDP 2023 read with Income Tax Rule 18ABA permits the sharing of donor PAN with the recipient trust. This sharing is necessary for the 80G receipt to be valid.

The trust, as a separate Data Fiduciary, has its own retention and grievance obligations under DPDP. Empire Apps acts as a Data Processor in this transfer; we do not retain PAN beyond the issuance of the receipt and the audit log.

Consent management

Pooja uses a per-feature consent model. Each sensitive feature (cross-device sync, priest booking, 80G donation, family-deity vault) requests its own explicit consent. Consent records are hash-chained and tamper-evident.

You can review and revoke each consent grant at Settings → DPDP → Consent ledger.

Breach disclosure

In the event of a personal data breach as defined in Section 8(6) of DPDP 2023, we will notify affected users and the Data Protection Board of India within the timelines prescribed by the rules thereunder.

This page in Hindi

हिंदी अनुवाद · A Hindi translation of this disclosure is in preparation and will land before the DPDP 2023 enforcement deadline. The English version remains the legally binding one.