Complete guide 2025 India: Privacy Policy mandatory under DPDP Rules 2025 (₹2.5B penalty for breach), GDPR applies globally (up to €20M or 4% annual turnover penalty), ToS recommended (not mandatory but essential), template options Termly free or ₹1000/year, iubenda ₹400-3000/year, when required, compliance checklist, implementation timeline.
Do You Really Need Them? Legal Requirements
Short answer: Privacy Policy is mandatory in India. Terms of Service is strongly recommended, though technically not mandatory for all businesses. But the real question is: what triggers the requirement? And what happens if you don’t have them?
The Simple Truth About Requirements
- Privacy Policy: MANDATORY if you collect any personal data (names, emails, phone, location, behavior). India’s DPDP Act 2023 + Rules 2025 makes it law
- Terms of Service: STRONGLY RECOMMENDED (not technically mandatory, but essential for B2C or marketplace businesses). Protects you from liability
- Not having them = legal risk. ₹2.5 billion penalty in India for DPDP breach. Up to €20M or 4% global turnover under GDPR
- If you’re online in any form: You almost certainly need both. It’s not “do I need this?” but “how fast can I implement?”
Quick Decision Tree: Do You Need These Documents?
| Your Business Type | Privacy Policy | Terms of Service | Urgency |
|---|---|---|---|
| Website with contact form | YES (mandatory) | Recommended | Immediate |
| Mobile app (any data) | YES (mandatory) | YES (mandatory) | Before launch |
| E-commerce platform | YES (mandatory) | YES (essential) | Before launch |
| SaaS/subscription service | YES (mandatory) | YES (essential) | Before launch |
| Marketplace (vendors) | YES (mandatory) | YES (essential) | Before launch |
| Blog (no data collection) | RECOMMENDED (if using analytics/ads) | Optional | Within 30 days |
| Newsletter/email list | YES (mandatory) | Recommended | Immediate |
| EU customers (any product) | YES (GDPR) | YES (recommended) | Immediate |
The Penalty Framework: Why Ignoring This Is Expensive
- India (DPDP Act 2023): Up to ₹2.5 billion (USD 28-30M) per breach. Plus criminal penalties. Breaches reported to Data Protection Board
- EU (GDPR): Up to €20 million or 4% of global annual turnover, whichever is higher. Plus regulatory investigations, fines compound
- Real impact: Even small startups have faced ₹50L+ penalties in India for non-compliance. One missing Privacy Policy = business-threatening liability
- Insurance gap: Most insurance doesn’t cover willful negligence (no Privacy Policy = willful negligence)
India Regulations: DPDP Rules 2025 & IT Rules 2011
India recently (November 2025) notified the Digital Personal Data Protection Rules, 2025. These are now the primary framework. Let’s break what changed and what you need to do.
DPDP Rules 2025: The New Law (Effective Immediately)
| Requirement | What It Means | Deadline | Your Action |
|---|---|---|---|
| Privacy Notice (Section 5) | Must provide clear notice BEFORE collecting data. What data, why, how long retained, who has access | Immediate (November 2025) | Add privacy policy to website + in-app. Make it visible |
| Consent (Section 6) | Must get EXPRESS consent (no pre-ticked boxes, no dark patterns). Users must actively opt-in | Immediate | Review signup forms. Remove auto-checked consent boxes |
| Children’s Data (Section 9) | If collecting data from under-18s, need VERIFIED PARENTAL CONSENT (identity document required) | Immediate | If app/service used by kids, implement parental consent flow |
| Data Security (Section 8) | Implement encryption, access controls, logging, monitoring. Annual security audit + DPIA (Data Protection Impact Assessment) | 18 months (by May 2027 for most businesses) | Hire security auditor. Plan annual DPIA |
| Breach Notification | If data breached, notify users within 72 hours. Report to Data Protection Board | Immediate | Set up incident response plan. Document process |
| Data Retention & Deletion | Can’t keep data >1 year after user inactivity (unless legal requirement). Must give 48-hour notice before deletion | Immediate | Implement automated data cleanup. Document retention periods |
| Significant Data Fiduciary (SDF) duties | If >10M users OR high-risk processing: annual DPIA + audit + DPO appointment + audit report to board | 3-6 months (by Feb-May 2026 for SDFs) | If you’re SDF, hire DPO + external auditor |
Who Needs to Comply? (Data Fiduciary Definition)
- Any business collecting digital personal data: Emails, phone numbers, addresses, behavior data, IPs, cookies
- Includes: Websites, apps, SaaS platforms, e-commerce, analytics services, payment processors, advertising networks
- NOT exempt: Sole proprietors, small businesses. Law applies to everyone
- Consent Manager requirement: Some very large tech companies required to operate Consent Manager platform (very few businesses fall here)
Privacy Policy Content: What Must Be Included (DPDP 2025)
- Identity of data fiduciary: Your company name, contact details, registered office address
- Purpose of data collection: Why you need the email, phone, location, etc. Be specific. “Marketing” is too vague
- Categories of data collected: Name, email, phone, location, browsing history, payment info, etc.
- Data retention period: How long you keep data. “Forever” not acceptable. Must have specific timeframe
- Who has access: Your team, third-party processors (AWS, Mailchimp), partners
- Rights of data principal: Right to access data, correct it, delete it, withdraw consent
- How to exercise rights: Contact form or email to DPO (Data Protection Officer if SDF)
- Security measures: Encryption, access controls, backup systems, how you prevent breaches
- Breach notification process: How users will be informed if data is compromised
- Children’s data safeguards: If applicable, how you protect data of users under 18
Implementation Timeline for Businesses (Phased)
- Months 0-3 (NOW – Jan 2026): Publish Privacy Policy + get explicit consent. No dark patterns
- Months 3-6 (Jan-April 2026): Implement security safeguards. Review data retention. Document everything
- Months 6-18 (April 2026 – May 2027): Annual DPIA + audit (if you have >10M users or high-risk processing)
- Full compliance deadline: May 2027 for most businesses. Some large tech companies sooner
GDPR & Global Data Protection Laws
If you have even ONE customer in the EU (or UK, or Canada, or California), GDPR applies to you. It’s not optional. The reach is global.
GDPR: Who It Applies To
- ANY business processing data of EU residents = GDPR applies. Location doesn’t matter (India-based startup with EU customers = GDPR applies)
- Triggers: Collecting email from EU user, tracking cookies on EU users, profiling EU residents, even just IP address tracking
- Intention matters: Displaying prices in EUR or using EU languages = shows intent to target EU = GDPR applies
- No exemptions for small business or startups. Law applies uniformly
GDPR Compliance: Key Obligations (Simplified)
| Obligation | What You Must Do | Timeline | Penalty for Breach |
|---|---|---|---|
| Privacy Policy (Article 13-14) | Written privacy notice in clear language explaining all data use | Before any data collection | €20M or 4% turnover |
| Valid Consent (Article 7) | Get explicit, informed consent. NO pre-ticked boxes. Document consent | Before data use | €20M or 4% turnover |
| Legal Basis (Article 6) | Have ONE of: consent, contract, legal obligation, vital interest, public task, legitimate interest | Before data processing | €20M or 4% turnover |
| Data Protection Officer (Article 37) | Appoint DPO if public authority OR if your core business is monitoring people’s data (social media, analytics) | Within 1 month of trigger event | €10-20M or 2-4% turnover |
| DPIA (Article 35) | Assess data risks before processing large amounts of personal data or sensitive data | Before high-risk processing | €10-20M or 2-4% turnover |
| Breach Notification (Article 33) | Notify regulator within 72 hours of data breach. Notify affected users without undue delay | 72 hours of discovery | €10-20M or 2-4% turnover |
| Data Subject Rights (Articles 15-22) | Allow users to: access their data, correct it, delete it (right to be forgotten), export it (data portability), object to processing | Respond within 30 days of request | €10-20M or 2-4% turnover |
| International Transfers | If sending EU data outside EU: only to “adequate” countries or with Standard Contractual Clauses (SCCs) + supplementary measures | Before any transfer | €20M or 4% turnover |
Real Penalty Examples
- Meta (Facebook): €1.2 billion fine (2021) for inadequate privacy safeguards and consent mechanisms
- Amazon: €746 million fine (2021) for processing customer data without proper legal basis
- Google: €50 million fine (2020) for inadequate cookie consent
- Small business example: Startup with 50K EU users, data breach, no DPO, no breach notification = €5-10M+ fine (4% turnover)
Privacy Policy: What Must Be Included
Privacy policy is not one-size-fits-all. It must accurately reflect YOUR specific data practices. A generic template that doesn’t match your actual operations is worse than no policy (courts see it as deceptive).
Essential Sections (By Law)
1. Identity & Contact Info: Your business name, address, email, phone, DPO contact (if applicable)
2. What Data You Collect: Names, emails, phone, location, behavioral data, cookies, IP addresses, payment info
3. How You Collect It: Forms, cookies, analytics, third-party sources, payment processors
4. Why You Collect It (Purpose): Service delivery, marketing, analytics, fraud prevention, legal compliance. Be specific
5. How Long You Keep It: 6 months for login data, 2 years for transaction records, etc. Specify each category
6. Who You Share It With: Your team, AWS (hosting), Stripe (payments), Mailchimp (email), etc. List all processors
7. International Transfers: If you send data to US/India/other countries from EU, mention this + safeguards
8. Security Measures: Encryption, access controls, firewalls, backup systems, annual audits
9. User Rights: Right to access, correct, delete, export data. How to exercise these rights (contact form, email, DPO)
10. Cookies & Tracking: What cookies you use, why (analytics, advertising, functionality), how to disable them
11. Third-Party Links: “This site contains links to third-party sites. We’re not responsible for their privacy policies”
12. Children’s Data: If service used by kids under 18, how you protect their data (parental consent, age verification)
13. Changes to Policy: “We may update this policy. We’ll notify you of material changes by email or site notice”
14. Contact for Questions: Email, form, phone for privacy inquiries. Make it easy for users to reach you
Common Mistakes (That Make Policies Unenforceable)
- Vague language: “We may use your data for marketing purposes” = too vague. Say: “We send weekly promotional emails. You can unsubscribe anytime”
- Mismatch with practice: Policy says “no third-party sharing” but you actually sell data to Mailchimp = fraud. Courts reject policy
- Hidden in footer: Policy in tiny gray text at bottom = unenforceable. Must be prominent, easy to find, plain language
- Generic copy-paste: Using template from Random SaaS when you’re an e-commerce site = policy doesn’t match operations
- Missing contact info: No DPO email = non-compliant under DPDP 2025 and GDPR
- Outdated effective date: Policy says “Effective Jan 2023” but laws changed in 2025 = non-compliant
Terms of Service: Essential Clauses
Terms of Service (ToS) is NOT mandatory in India, but it’s essential for protecting your business. It’s the contract between you and your users. Without it, you have no legal recourse for abuse.
Why ToS Matters (Even Though Not Legally Mandatory)
- Liability protection: “Users responsible for their own accounts. We’re not liable for account hacks” = protects you from lawsuits
- Abuse prevention: “Users can’t use service for illegal activity. Violation = account suspension” = legal right to ban bad actors
- IP ownership: “All content, trademarks, software = owned by us. Users grant license to use” = protects your IP
- No ToS = no protection. User sues you, you have no contractual basis to defend
Essential ToS Clauses (By Risk)
| Clause | Why It Matters | Example | Priority |
|---|---|---|---|
| Acceptance & Binding Agreement | Makes ToS legally binding contract. User clicks “I Agree” = they’re bound | “By using this service, you accept these terms. If you don’t agree, don’t use the service” | CRITICAL |
| Prohibited Activities | What users CAN’T do. Gives you right to ban them. Prevents abuse | “Users can’t upload malware, hack accounts, harass others, violate laws, infringe IP” | CRITICAL |
| Limitation of Liability | Limits YOUR liability. “We’re not liable for indirect damages, lost profits, data loss” | “We’re not liable for >₹10,000 or the amount you paid us, whichever is lower” | CRITICAL |
| Disclaimers | “Service provided as-is. We don’t guarantee uptime, security, accuracy” | “Service provided ‘as is’ without warranties. We don’t guarantee 99.9% uptime” | HIGH |
| Intellectual Property Rights | You own the IP. Users can use but can’t copy/resell | “All software, content, trademarks = our property. You have limited license to use” | HIGH |
| User Content Rights | Clarifies: if users upload content, who owns it? Can you use it for marketing? | “Users retain rights to content. They grant us license to use for service delivery + marketing” | HIGH |
| Account Responsibility | “Users responsible for their password + all activity under their account” | “You’re responsible for maintaining confidentiality of password and all account activity” | HIGH |
| Termination Clause | You can terminate user account for violations. Users can cancel subscription | “We can terminate accounts violating these terms. Users can cancel anytime with 7 days notice” | MEDIUM |
| Dispute Resolution | How disputes resolved? Arbitration, mediation, court, jurisdiction? | “Disputes resolved by arbitration under Indian Arbitration Act. Venue: Delhi courts” | MEDIUM |
| Changes to Terms | “We can update these terms. Changes effective 30 days after notice” | “We may update terms anytime. Material changes = 30-day notice via email” | MEDIUM |
Specific ToS by Business Type
E-commerce (B2C)
- Add: Payment terms, shipping policy, return/refund policy, product warranties, liability for defective products
- Example: “Products sold as-is. No warranties. Returns within 30 days with receipt. Refunds within 10 business days”
SaaS/Subscription
- Add: Service Level Agreement (SLA), uptime guarantees (or lack thereof), renewal terms, cancellation policy
- Example: “Service billed monthly. Auto-renews unless canceled before next billing. No uptime guarantee. You can cancel anytime”
Marketplace (Vendors)
- Add: Vendor obligations (quality, accuracy), platform’s right to remove listings, fee structure, payment terms for vendors
- Example: “Sellers responsible for product accuracy. We can remove listings violating our standards. 15% commission on sales. Paid weekly”
User-Generated Content (Community)
- Add: Rights to user content (can you use it for marketing?), moderation policy, DMCA takedown process, liability for user posts
- Example: “Users grant license to display their posts publicly. We moderate for illegal content. We’re not liable for user-posted content”
Template Options: Free vs Paid Tools
You don’t need to hire a lawyer (unless you have complex operations). Template generators have gotten very good. Here’s the breakdown of options and pricing.
Free Options (Zero Cost)
Termly (termly.io)
- Cost: FREE for 1 policy generator (choose one: Privacy, ToS, Cookie, etc.)
- What’s included: 1 complete legal policy with no restrictions. Covers GDPR, CCPA, PIPEDA, CalOPPA, India IT Rules
- Consent management: Free CMP (Consent Management Platform) with cookie scan + auto-blocker
- Limitation: Only 1 policy free. Additional policies require paid plan
- Verdict: Best free option. Start here
iubenda (iubenda.com)
- Cost: FREE for Privacy + Cookie policies (limited)
- Limitation: Free plan has iubenda branding, can’t add custom text, no Terms generator
- Verdict: Free but limited. OK for simple sites
Privacy Policies (privacypolicies.com)
- Cost: FREE generator
- Limitation: Very generic templates. India-specific compliance weak
- Verdict: OK for blog-only sites, not ideal for e-commerce/SaaS
Paid Options (Annual)
Termly Pro+ Plan
- Cost: ₹1,000/year (approximately ₹83/month annual billing) or ₹2,000/year (₹167/month monthly billing)
- What’s included: 8 policy generators (Privacy, ToS, Cookie, CCPA, Terms, E-sign Consent, Impressum, Return Policy)
- Plus: CMP with unlimited banner views, weekly cookie scans, auto-updated policies, remove Termly branding
- Multi-language: Policies in 40+ languages
- Best for: Most startups and SMBs. Excellent value
- Verdict: Recommended. Best cost-to-feature ratio
iubenda Advanced Plan
- Cost: ₹1,800/year (approximately ₹150/month annual billing) or ₹2,500/year (₹210/month monthly billing)
- What’s included: Privacy + Cookie + Terms generators, custom text editing, consent logs, Google Consent Mode, IAB TCF v2.2
- Best for: Mid-size businesses with complex data practices
- Verdict: Good option, slightly higher cost than Termly but comparable features
iubenda Ultimate Plan
- Cost: ₹7,100/year (approximately ₹593/month annual billing) or ₹10,000/year (₹833/month monthly billing)
- What’s included: All Advanced features + dedicated compliance support + priority support + advanced integrations
- Best for: Large companies with complex compliance needs
- Verdict: Overkill for most startups
Manual Lawyer-Drafted Templates
| Source | Cost | What’s Included | Customization |
|---|---|---|---|
| Etsy lawyer templates | ₹1,100-2,500 one-time | Download Word/PDF. Lawyer-drafted. Editable | High – you edit yourself |
| Local lawyer (India) | ₹10,000-50,000 | Custom-drafted + consultation. Tailored to your business | Highest – lawyer customizes |
| Law firms (premium) | ₹50,000-200,000+ | Full legal review, compliance audit, ongoing updates | Highest + ongoing support |
Comparison: Which Tool Should You Use?
- Startup (pre-launch, <₹1Cr revenue): Use Termly FREE or Termly Pro+ ₹1000/year. Covers 90% of needs
- E-commerce or SaaS (₹1-5Cr revenue): Termly Pro+ ₹1000/year or iubenda Advanced ₹1800/year. Add custom legal review if complex
- Marketplace or complex operations (>₹5Cr): Hire local lawyer (₹25-50K) + use template tool. Lawyer customizes, tool maintains
- EU customers (GDPR needed): Termly Pro+ (covers GDPR well) or iubenda Advanced (also good for GDPR)
Implementation Timeline & Compliance Roadmap
You have documents. Now what? Here’s the step-by-step implementation plan to ensure you’re actually compliant (not just that you have documents on file).
Phase 1: Immediate (This Month – December 2025)
- Step 1: Generate Privacy Policy (1-2 hours) – Use Termly free or iubenda free. Answer questions about your business. Download policy
- Step 2: Add to website (30 minutes) – Create /privacy page. Link from footer + header. Make visible, not hidden
- Step 3: Generate Terms of Service (1-2 hours) – Use tool. Customize for your business type (e-commerce, SaaS, community, etc.)
- Step 4: Add consent checkboxes (1 hour) – On signup forms: “I agree to Privacy Policy + Terms” with separate checkboxes (NOT pre-ticked). Do NOT use dark patterns
- Step 5: Remove dark patterns (30 minutes) – If pre-ticked boxes exist, remove them. If hard-to-find unsubscribe link, make it obvious
- Total time: 4-6 hours. Cost: FREE or ₹1000 (Termly Pro+)
Phase 2: Short-term (30 Days – January 2026)
- Step 1: Document data flows (2 hours) – Map all data collected: names, emails, phone, payment, behavior. Who has access? Where stored? Retention?
- Step 2: Audit third-party integrations (2 hours) – Stripe, AWS, Mailchimp, Mixpanel, etc. Do they have Data Processing Agreements (DPAs)? Compliance obligations?
- Step 3: Review analytics/cookies (1 hour) – What cookies on site? Google Analytics, Facebook Pixel, etc.? Update privacy policy if needed
- Step 4: Implement cookie consent banner (2 hours) – Use tool’s CMP (Termly CMP) or Google Consent Mode. Users must opt-in before cookies load
- Step 5: Train team (1 hour) – Brief team on privacy policy + data handling. No data sharing without consent + documented purpose
- Total: 8 hours. Cost: ₹0 (if tool included) or ₹1000+ (dedicated consent platform)
Phase 3: Medium-term (3-6 Months – Jan-June 2026)
- Step 1: Conduct Data Protection Impact Assessment (4-8 hours) – Document your data processing risks. What could go wrong? How likely is it? What’s the impact?
- Step 2: Implement security safeguards (ongoing) – Encryption, access controls, firewalls, regular backups. Document your setup
- Step 3: Create incident response plan (2 hours) – If data is breached, what’s your process? Who notifies users? When do you report to authorities?
- Step 4: Set up data retention schedule (1 hour) – Define: keep login data 6 months, transaction data 3 years, marketing opt-outs forever. Implement auto-deletion
- Step 5: Document consent (ongoing) – Keep records of when users consented. Prove consent if audited
- Total: 7-12 hours ongoing + ₹2-5K if hiring security consultant
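A worked version of Phase 3, Steps 4 and 5 (retention schedule with auto-deletion, plus a consent record you can produce in an audit), added here as an illustration and not code from the original guide or from any template tool. It uses the page’s own figures: login data 6 months, transaction data 3 years, marketing opt-outs retained, the 48-hour pre-deletion notice from the DPDP Rules table, and the Phase 1 rule that a pre-ticked box is not consent. `Record` and `ConsentEvent` are hypothetical structures; the sample data in `demo()` is constructed, not real users.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention schedule from Phase 3, Step 4: category -> max age after last activity.
# None means "retain" (a marketing opt-out must be kept so the opt-out itself is honoured).
RETENTION = {
    "login": timedelta(days=182),            # about 6 months
    "transaction": timedelta(days=3 * 365),  # 3 years
    "marketing_optout": None,
}
NOTICE_PERIOD = timedelta(hours=48)  # DPDP Rules table above: 48-hour notice before deletion


@dataclass
class Record:
    """Hypothetical personal-data record; a real system would persist this in a database."""
    record_id: str
    category: str
    last_activity: datetime
    deletion_notice_sent: "datetime | None" = None


@dataclass
class ConsentEvent:
    """One consent decision, kept so consent can be proved if audited (Phase 3, Step 5)."""
    user_id: str
    purpose: str              # consent is tied to a specific purpose, not "any use"
    granted: bool             # False records a withdrawal
    policy_version: str       # which Privacy Policy text the user saw
    timestamp: datetime
    pre_ticked: bool = False  # how the form presented the checkbox


def record_consent(log: list, event: ConsentEvent) -> ConsentEvent:
    """Append to an append-only consent log; a pre-ticked box is not express consent."""
    if event.pre_ticked:
        raise ValueError("consent must be an active opt-in, not a pre-ticked box")
    log.append(event)
    return event


def has_valid_consent(log: list, user_id: str, purpose: str) -> bool:
    """The latest event for (user, purpose) decides, so a later withdrawal revokes consent."""
    events = [e for e in log if e.user_id == user_id and e.purpose == purpose]
    return bool(events) and max(events, key=lambda e: e.timestamp).granted


def retention_action(rec: Record, now: datetime) -> str:
    """Return 'keep', 'notify', 'wait' or 'delete' for one record under the schedule."""
    limit = RETENTION.get(rec.category)
    if limit is None or now - rec.last_activity < limit:
        return "keep"
    if rec.deletion_notice_sent is None:
        return "notify"  # retention exceeded: send the 48-hour notice first
    if now - rec.deletion_notice_sent < NOTICE_PERIOD:
        return "wait"    # notice sent, period not yet elapsed
    return "delete"


def run_retention(records: list, now: datetime):
    """One scheduled pass. Returns (surviving records, ids notified now, ids deleted now)."""
    kept, notified, deleted = [], [], []
    for rec in records:
        action = retention_action(rec, now)
        if action == "notify":
            rec.deletion_notice_sent = now  # in practice: e-mail the user and log it
            notified.append(rec.record_id)
        if action == "delete":
            deleted.append(rec.record_id)
        else:
            kept.append(rec)
    return kept, notified, deleted


def demo() -> dict:
    """Deterministic walk-through on constructed sample data (not real users)."""
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    recs = [Record("login-1", "login", datetime(2025, 5, 1, tzinfo=timezone.utc)),
            Record("txn-1", "transaction", datetime(2024, 1, 1, tzinfo=timezone.utc))]
    recs, notified, _ = run_retention(recs, now)                 # login-1 gets its notice
    recs, _, deleted = run_retention(recs, now + NOTICE_PERIOD)  # and is deleted 48h later
    return {"notified": notified, "deleted": deleted, "remaining": [r.record_id for r in recs]}
```

Run `run_retention` from a daily job; the consent log is what you hand over when asked to prove consent for a given user and purpose.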
Phase 4: Long-term (Months 6-18)
- Annual obligations (if SDF or high-risk):
  - Conduct formal DPIA + security audit (hire external firm) = ₹3-10K
  - Update privacy policy if laws change or practices change
  - Review third-party processor agreements. Renew DPAs if expired
  - Train team on updated policies (annual)
Compliance Checklist (Print This)
Privacy Policy & ToS Compliance Checklist
- Documents
  - Privacy Policy published on website (accessible, not hidden)
  - Terms of Service published on website
  - Cookie Policy (if you use cookies/analytics)
  - Data Processing Agreement (if you use third-party processors)
- Consent
  - Signup forms have explicit consent checkboxes (NOT pre-ticked)
  - No dark patterns (easy to consent, hard to refuse)
  - Consent tied to specific purposes (not “we may use your data however we want”)
  - Easy withdrawal of consent (unsubscribe link, preference center)
- Data Practices
  - Data collection limited to stated purposes
  - Data retention policy documented (how long we keep data)
  - Third-party access restricted + documented
  - Data minimization practiced (collect only what’s needed)
- Security
  - Encryption enabled for sensitive data (passwords, payment info)
  - Access controls (not everyone has access to all data)
  - Regular backups implemented
  - Incident response plan documented
- User Rights
  - Contact method for privacy inquiries (email, form, DPO)
  - Users can request access to their data (within 30 days GDPR, 21 days DPDP)
  - Users can request correction of their data
  - Users can request deletion (right to be forgotten)
- Compliance Monitoring
  - Privacy policy reviewed annually (or when laws change)
  - Team trained on privacy policy + data handling
  - Third-party processor agreements reviewed annually
  - Breach log maintained (if any breaches occurred)
Key Takeaways: Legal Documents Mastery
1. Privacy Policy is MANDATORY in India under DPDP Rules 2025 (notified November 2025). Failure = up to ₹2.5 billion penalty. Non-negotiable
2. Terms of Service is not mandatory in India, but ESSENTIAL for B2C/marketplace/SaaS. Protects you from liability. Differentiates legal from illegal user behavior
3. GDPR applies globally if you have EU customers (any amount, any data collection). Penalties: €20M or 4% of global turnover. Not having Privacy Policy + GDPR language = massive exposure
4. Privacy Policy must include: identity, data collected, purpose, retention, recipients, security, user rights, contact info, children’s data (if applicable). Generic templates that don’t match YOUR practices = unenforceable
5. Terms of Service must include: limitation of liability, prohibited activities, IP rights, account responsibility, termination rights, dispute resolution. Specific to your business type (e-commerce, SaaS, marketplace, community)
6. Free tools: Termly (best) or iubenda free (limited). Paid: Termly Pro+ ₹1000/year or iubenda Advanced ₹1800/year. No need for expensive lawyers unless >₹5Cr revenue or complex operations
7. Consent must be EXPLICIT (users actively agree, not pre-ticked boxes). Dark patterns (hard to refuse, easy to accept) = non-compliant. Remove all auto-ticked boxes immediately
8. Phased implementation: Month 0-1 (publish documents + consent), Month 1-3 (audit third parties + implement CMP), Month 3-6 (DPIA + incident plan), Months 6-18 (annual audits).
9. If you’re an SDF (>10M users or high-risk processing), additional obligations: Data Protection Officer appointment, annual DPIA + audit, report to Data Protection Board. Most startups NOT SDFs until very large
10. DPDP Rules 2025 phased deadline: core compliance (consent, retention) = 18 months (by May 2027). Large tech companies sooner. Most businesses have until mid-2026 minimum.
11. Common mistakes: vague language (“marketing purposes”), mismatch with practice, hidden in footer, generic copy-paste, missing DPO contact, outdated effective date. Courts reject these
12. Annual obligation: review Privacy Policy every 12 months (laws change). Update if practices change. Keep audit trail of versions + dates.
13. International data transfers: if sending EU data to US/India, must use Standard Contractual Clauses (SCCs) + supplementary safeguards (encryption). Not doing this = GDPR violation.
14. Breach notification: GDPR = 72 hours to notify regulators + without undue delay to affected users. DPDP = notify immediately + report to Data Protection Board within 72 hours.
15. Action: Start with Termly free (1 policy). Generate Privacy Policy today. Add to website. Add consent checkboxes on signup forms. Remove dark patterns. This alone puts you 80% compliant. Then tackle ToS and third-party audits