Forem: Aditya

DPDPA will kick our asses, We need this checklist

Aditya — Wed, 04 Feb 2026 22:22:17 +0000

TL;DR: DPDPA is law, not a certification. Fines go up to 250 crore. Full enforcement around May 2027. Small or large, you need to comply. Get proper opt-in consent, publish a DPO contact, delete data when users ask, sign Data Processing Agreements with every vendor (CMS, email tool, analytics, everything). If some random WordPress plugin leaks your user's data, YOU get fined, not them. Children = anyone under 18, no tracking, no targeted ads. If unsure whether a tool is compliant, assume it isn't.

Howdy again!

I've helped companies work through HIPAA, ISO 27001, GDPR. I get the tech side. I also run zappush.com where we deal with user data daily. Figured I'd help confused indie devs and founders navigate this new regulation. There's both opportunity and a huge pain in the ass coming our way :)

I'm an engineer, not a lawyer. None of this is legal advice, but I know what I'm talking about.

DPDPA is India's version of GDPR. It's law, not a certification. Fines go up to 250 crore (~$30M), though I wouldn't expect small businesses to get hit that hard. Still, no need to get into locha over negligence.

DPDPA Timeline: Where We Are Now

The act isn't fully enforced yet. Here's the official timeline.

Phase 1 (Nov 2025): Skeleton laid down. The law exists on paper.
Phase 2 (by Nov 2026): Operational rules for consent managers and the Data Protection Board. How complaints are filed, how notices are issued, etc.
Phase 3 (~May 2027): Full enforcement. This is when business owners get fined.

The market has already started preparing. I've noticed a lot of compliance consultants popping up. Consently, Scrut, and others. I also help companies with this stuff. If you need a hand, reach out through the contact form.

What YOU Need to Know About DPDPA

Most of this comes from here

Notice & Consent (Sections 3–5)

Clear notice: Explain why you need each item of data before collecting it.
Language: Available in English or any Eighth Schedule language.
User rights: Tell users what you collect, why, and how they can access, correct, delete, or withdraw consent.
Grievance contact: Publish your Data Protection Officer (DPO) or someone from your team. You have 90 days to resolve grievances. If you don't, users can escalate to the Data Protection Board.

Core Fiduciary Duties (Sections 6(1)–6(8), 6(10))

Data minimisation: Collect only what you need. Don't collect the user's entire contact list if you can't explain what you'd do with it. (This is a loose example from the guidelines themselves :P)
Purpose limitation: Use data only for stated purposes.
"Reasonable" security: I found this bit very ambiguous. GDPR at least suggests pseudonymisation, encryption, and regular security testing. DPDPA doesn't get into what algorithms count as "reasonable." From personal experience, auditors for ISO 27001 or SOC 2 often use NIST's published FIPS algorithms. I dislike DPDPA's skeleton for the lack of technical care.
Processor liability: You are liable even if your data processor screws up. If AWS leaks YOUR user's data, you get fined. Not them. I do not like this personally. The party that screwed up should be penalised, not the business owner who trusted their infrastructure.
DPA required: All processors need a Data Processing Agreement with you.
Breach notification: Notify the Data Protection Board and affected users if there's a breach.
Deletion: Delete data when consent is withdrawn or the purpose is served. Make sure your processors do the same.
Grievance mechanism: Publish your DPO's contact so issues get handled before they escalate to the board.

Special Situations (Sections 7–10)

Consent exemptions: Some processing is allowed without consent. Legal compliance, employment, medical emergencies, fraud prevention, public interest.
Children (under 18): Verifiable parental consent required. No tracking, no targeted ads. Be careful with how Google Analytics tracks underage users and how you advertise to them. Meta already enforces a lot of this. If you have a social platform for teenagers, a gaming platform, or an adolescent audience, this will affect you.
Significant Data Fiduciaries: The Government can designate certain entities as "Significant." These are bigger firms with more responsibilities.

Data Principal Rights (Sections 11–17)

Access & Correction: Users can see what personal data is processed, why, with whom it is shared, and request correction, updating, or deletion where applicable.
Consent Control: Users can withdraw consent at any time; processing must stop and data deleted unless legally required to retain it.
Grievance & Escalation: Users must have a clear grievance mechanism and can escalate unresolved complaints to the Data Protection Board.
Nomination: Users may nominate another person to exercise their rights in case of death or incapacity.

Data Protection Board Powers (Sections 28–34)

Investigation: Board can investigate and ask for evidence.
Enforcement: Board can issue orders and penalties.

Penalties & Appeals (Sections 36–37)

Fines: Proportional to the violation. Up to 250 crore.
Appeals: Decisions can be appealed.

Rule-making (Section 44(2))

Supporting rules: Government will introduce additional rules and standards over time.

DPDPA Compliance Checklist

1. Data Collection and Consent

"Child" as per DPDPA: Person under 18 years of age or a person with disability who has a lawful guardian obtain.

Are you collecting only what you need without ambigious permissions?
Are you clearly telling them why you need it and how users can exercise their "rights" to withdraw, reach out for griences etc?
Are you ensuring children's data (<18 years) is not processed without verifiable parental consent.
Are you NOT undertaking tracking or behavioural monitoring of children or targeted advertising directed at children?
Are you using opt-in consent for analytics, marketing, or tracking cookies (Google Analytics, Meta Pixel, etc.)?

2. Data Processing & Storage

Are you using data only for the stated purpose, Respecting the fact that cross-purpose usage requires fresh consent, As per the law?
If using AWS, GCP, or other cloud services, Can you confirm that data is processed securely (encryption at rest with a good algorithm published from NIST's FIPS & in transit, regular backups, restricted access) AND DPDPA compliant?
For CMS platforms, Or any other third party software processing the user's data, Can you ensure they don't process personal data without compliance and take measures to be compliant to DPDPA themselves, ideally? otherwise, you're liable as the fiduciary.
Keep personal data accurate and complete, especially if used for decisions affecting users.

^ An interesting illustration stated for above is: X, an individual, decides to close her savings account with Y, a bank. Y is required by law applicable to banks to maintain the record of the identity of its clients for a period of ten years beyond closing of accounts. Since retention is necessary for compliance with law, Y shall retain X's personal data for the said period.

3. Security Measures

Remember: DPDP is vague on technical standards, so relying on ISO 27001 / SOC 2 / NIST-approved algorithms is safest.

Are you implementing reasonable security safeguards for all personal data?
Is encryption applied at rest and in transit using strong, recognized algorithms (e.g., NIST-approved)?
Have you applied pseudonymization or anonymization for sensitive personal data where feasible?
Are access controls in place to restrict data to authorized personnel only?
Do you maintain audit logs to track who accessed or modified personal data?
Are you conducting regular security testing (e.g., vulnerability scans, penetration tests) to identify and fix risks?
Do your security practices align with recognized standards (ISO 27001, SOC 2, NIST)?

4. Data Retention & Deletion

Are you deleting personal data when it is no longer needed for the original purpose?
Do you honor user requests to withdraw consent by deleting their personal data promptly?
Are you ensuring that third-party processors also delete personal data when instructed?
Are you retaining data only as long as legally required, and not beyond that period?

5. Data Principal Rights

Can users easily access their personal data that you hold?
Can users request correction or completion of inaccurate or incomplete data?
Can users request deletion of their personal data or withdraw consent at any time?
Do you have a clear grievance redressal mechanism that handles complaints promptly and effectively (not just an email or portal)?
Is it clear who users should contact (DPO or authorised person) for exercising their rights?
Can users nominate another person to exercise their rights in case of death or incapacitation?

6. Third-Party Processors & Analytics

Are you using valid contracts (example here) with all third-party processors (e.g., database providers, analytics platforms, email marketing tools)?
Do you avoid sending personal data to non-compliant third-party services, especially for minors?
Are you minimizing third-party tracking and sharing by default?
Where feasible, are you self-hosting analytics or similar services to reduce reliance on external processors? Reach out to me if you need help with it.
Do you know where your user data is stored and whether it's sent outside India?
Are records of cross-border transfers maintained for audit and potential inspection by the Data Protection Board?
Can you confirm if the data processor abroad complies with DPDPA as well?
Have you checked whether any government guidelines or restrictions require certain types of data to remain in India, and are you compliant with them?

7. Monitoring & Compliance

Are you keeping records of user consent and processing purposes for all personal data collected?
Do you have a plan to respond to potential investigations or audits by the Data Protection Board?
Are you actively monitoring for data breaches across all systems handling personal data?
Do you have a breach notification plan to inform both affected users and the Data Protection Board promptly, as required under the law?
Are periodic internal compliance checks conducted to ensure adherence to DPDPA obligations?

If you're unsure about a tool, plugin, or CMS, assume it's non-compliant until proven otherwise. Liability falls on you.

FAQ

Do I need to comply if my company is registered outside India?
Yes, if you're processing personal data of people in India. Doesn't matter where your company is registered.

What counts as "personal data"?
Anything that can identify a person: name, email, phone, IP address, device IDs, location data. If you can trace it back to a specific human, it's personal data.

Do I need a Data Protection Officer (DPO)?
The law requires you to publish contact information for someone who handles data protection queries and grievances. For small SaaS, this can be you or a co-founder. Larger companies designated as "Significant Data Fiduciaries" have stricter requirements.

What's a Data Processing Agreement (DPA)?
A contract between you and any third party that processes your users' data. Your database provider, email marketing tool, analytics platform, payment gateway, all of them. Many big vendors (AWS, Stripe, etc.) already have standard DPAs. Smaller tools might not. Ask them.

Does DPDPA apply to B2B SaaS?
Yes. If you're storing data about employees or contacts of your business clients, that's still personal data. B2B doesn't exempt you.

What about data I collected before DPDPA?
You'll need to ensure it meets compliance standards. If you don't have proper consent records, you may need to re-obtain consent or delete the data.

Can I transfer data outside India?
Yes, to most countries. The government will publish a list of restricted countries where transfer is not allowed. As of now, this list hasn't been finalized.

What triggers a breach notification?
Any unauthorized access, disclosure, or loss of personal data. You must notify the Data Protection Board and affected users. Timeline isn't specified yet, but "promptly" is the expectation.

Is Google Analytics compliant?
Depends on how you use it. You need opt-in consent before firing any tracking. The default "implied consent" banners won't cut it. Consider self-hosted alternatives like Plausible or Umami if you want to avoid the headache.

What if a user asks to delete their data but I need it for legal/tax reasons?
You can retain data if required by law. Example: banks must keep records for 10 years. But you can only keep what's legally required, nothing extra.

Conclusion

I have mixed feelings about this law. On one side, the government can't do anything well. It is a deeply incompetent organization. On the other, the law itself, even with its faults and rigidity, tries to argue for consent and clarity. I agree with that ethic, on its own.

This law will clearly make a lot of businesses more difficult to operate but, I hope that the accountable ones shine through. Hoping for liberty and a bright future.

If you don't even have a company, what are you doing here? You should be reading this.

How do you even register a company as an indie dev?

Aditya — Tue, 03 Feb 2026 20:24:30 +0000

TL;DR: Go LLP if you have a co-founder and want to move fast without raising soon. Pvt Ltd if you're raising VC money and can stomach the compliance. Get a CA, virtual office, and bank account. Share capital minimum is ₹1 (not ₹1 lakh, that's outdated, though your CA might default to it out of habit). Total damage: ₹25k-40k. Took me about 3-4 months, but should ideally take less than a month. Also, get your Startup India certificate - it's free and saves you 3 years of taxes.

Howdy!

I started zappush.com in August last year. The whole thing took me 3-5 months. After a lot of confused, frustrated nights staring at a product that was ready to make money but couldn't because I had no way to accept payments.

Every payment gateway accepting International transactions I tried wanted documentation I didn't have.

So I'm writing this for the engineer who's been so heads-down building that they forgot they need a legal entity to actually sell the thing. That was me.

Why Indie Devs and First-Time Founders Need a Legal Entity in India

Here's why:

Payment gateways won't let you accept international payments without one. This sucks especially if the indian market is too price sensitive and you have a money hungry product.
WhatsApp Business API requires it if you're planning to build on it (I wanted to back 2 years ago, And no one could get me access to it)
Banks won't open a business account for you otherwise. You will have to use your personal account.
Clients take you more seriously when there's a company behind the product
Meta Ads will flag your account if you increase ad spend too fast.
Liability if something goes wrong, you're personally liable. With a legal entity, there is legal separation between you and your business.

Startup Registration Checklist India 2026: Step-by-Step

Step 1: Get a CA

No reason to not. Whether it's through razorpay rize, RegisterKaro, or a kind CA friend of a cousin. This stuff is not straight forward, and founders tend to love building. Let the professionals handle the boring stuff. This bureaucracy exists to slow you down by design.

You can ALSO just get a company to do it for you. Razorpay Rize takes care of a lot of pains for you (From taking care of the address, to documents, to DIN etc).

Razorpay rize does say that they charge 1499 + Govt fees for incoperation in here. In reality, They partner up with a company to take care of the virtual office address registration which also has a decent fee (this would easily charge you 17k-25k for the company address. They also usually have a more expensive GST registration plan that they try to sell you). Expect this going in!

About GST: You can register GST for free, Feel free to tell the virtual office space provider that you will do it yourself instead of using their GST package and negotiate a good deal with your CA to sort this out instead. It will most likely be cheaper for you overall.

Step 2: LLP vs Pvt Ltd vs Sole Proprietorship - Which to Choose?

Entity Type	Who's involved	When to use it
Sole Proprietorship	Just you	Solo operation, but you're personally liable for everything
LLP	2+ partners	Fast setup, less compliance, works great with a co-founder
Pvt Ltd	2-15 directors	Need to raise VC money, can handle the extra paperwork

I was super confused what to pick. Lawyer student friends were biased towards Private Limited Company, But ex-founders wanted to avoid the regulatory hassle they brought. I ended up finding myself a co-founder, And chose LLP. This was regulatory wise simpler, While still allowing for multiple partners. Our bias towards speed made it the perfect choice.

The catch with LLP: You'll have to convert to Pvt Ltd if you want to raise proper funding. People can't usually invest in LLPs unless they become partners. It makes things more complicated.

The catch with Sole Proprietorship: There's no separation between you and the business. If the company gets sued, so do you.

The catch with Pvt Ltd: More regulatory burden. Still managable if you're ready!

Resources if you want to DIY:

Notes from the community - r/indiehackersindia

Also, the community gave some pretty good advice about their experiences:

Step 3: Digital Signature Certificate (DSC)

Government forms need to be digitally signed. Get a DSC from eMudhra, Sify, or NSDL. They'll send you a USB dongle or email certificate.

Official MCA info

Step 4: Get your DIN (Director Identification Number)

Both you and your co-founder need one. Apply through the MCA Portal.

Heads up: Most tutorials online have dead links because MCA keeps changing their portal. The link above worked when I wrote this.

Step 5: Name approval

Have 3-5 name options ready. The MCA will reject anything too similar to existing companies, and you can't use words like "National" or "Bank" without special approval.

Your CA runs the names through MCA's RUN service. Once approved, you have 20 days to file for incorporation or the name gets released.

Step 6: File the forms

Your CA handles these:

Form SPICe+ INC-32
e-MOA and e-AOA
PAN and TAN applications

Let them deal with it.

Step 7: Virtual office

A virtual office costs ₹17k-22k for 11 months and gives you a proper business address that works for everything - GST, bank accounts, all of it.

This was my biggest bottleneck. Should've done it first. I ended up wasting too much time figuring out how to get a proper business address, whether I have to rent a physical office or not. A quick google search would have made my life easier.

Step 8: Bank account

Call any of the major banks - Axis, HDFC, whatever's convenient. They'll send someone to your door with the paperwork. Takes a few days, and you'll get a debit card for each partner.

Two things I wish someone told me:

First, you need "share capital" to incorporate. Before 2015, this was ₹1 lakh minimum. Some CAs still quote this number out of habit. The actual minimum today? ₹1. Literally one rupee. Don't let anyone convince you otherwise.

Second, current accounts have minimum balance requirements. This varies by bank, so ask upfront. Nothing worse than getting hit with penalties because nobody mentioned this during onboarding.

Best Payment Gateways for Indian Startups (International Payments)

Here's where things got frustrating.

I had a working product in 2024-2025. I was ready to launch. Then I realized that I had no way to receive subscription money.

After doing some research, I found that:

Stripe: Invite-only in India. I wasn't invited. I asked a friend of a friend to invite me, but they never responded. It slowed things down more.

Lemon Squeezy (MoR - Merchant on Record): I had to apply for verification to get full access to their services. They rejected me because I wanted to build an AI video startup and they assumed it would be NSFW (it wasn't going to be).

PhonePe, Razorpay, PayU, CCAvenue: They'd onboard me for domestic payments, but didn't allow international payments without a registered company. My product's target market was international and Indian pricing wouldn't keep the lights on. Talking to each of these vendors slowed things a few more weeks.

PayPal: I ended up wanting to use this but I found a few too many reddit horror stories by indian indie devs and business owners about frozen accounts. It doesn't have a good reputation in the space.

Razorpay (again): They create subscriptions packages in INR, but I needed USD billing. Looking back, I should've just launched with INR and figured it out later.

Best Payment Gateway for Indie Devs in India

Go for a MoR (Merchant of Record) with subscription API support. MoRs handle tax compliance, chargebacks, and payment processing for you - they're the actual seller on paper.

I SHOULD have just launched with Dodopayments. DodoPayments (MoR) is designed for indie devs in exactly this situation. It's a great solution and I love the team behind it :)

I am just afraid of any regulatory hammers that might come their way. Hoping for the best for them.

Whatever you pick, make sure they have subscription API support. You don't want to find out they don't after you've integrated everything.

Startup Registration Cost in India 2026

Item	Cost
LLP Registration (through a service)	₹8,000-15,000
Virtual Office (11 months)	₹17,000-22,000
GST Registration	Free, or whatever your CA does it for (can be 5k-10k)
Total	₹25,000-40,000

How Long Does Company Registration Take in India?

How much it should take

Step	Duration
DSC	1-2 days
DIN	3-5 days
Name Approval	2-4 days
Incorporation	5-7 days
Virtual Office	1-2 weeks (Expect back and forth)
Bank Account	1-2 weeks (Expect signature related troubles)
GST Registration	7-15 days

How much it ended up taking me: 3-5 months

What went wrong:

I didn't know where to start. Spent weeks asking friends, reading contradictory advice, going in circles.
Documents kept bouncing back. missing signatures and forgot my 20 day name approval limit :)
Virtual office took forever. Almost a month to finalize. Should've started here.
Payment gateway approval dragged on. Even after registration, getting approved for international transactions took more weeks.

If you know exactly what to do and have everything ready, you can probably finish in a month. Get yourself a professional to help you out for this.

Word of Advice

Get yourself a Startup India certificate. It saves you taxes for 3 financial years out of 10. You get to choose when to redeem it. It's free and worth doing early.

Need Help Registering Your Startup in India?

I've been through this, and I'm happy to help other first-time founders and indie devs avoid my mistakes. Reach out: aditya@zappush.com

I'll share referrals, answer questions, whatever's useful. I genuinely believe more people should be starting companies, and this guide should help you get there faster than I did.