DPDP Compliance

This page sets out how Likhawat — Calligraphy & Design Studio complies with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 notified on 14 November 2025. It supplements our Privacy Policy.

1. Statutory framework

The DPDP Act received Presidential assent on 11 August 2023. The Digital Personal Data Protection Rules, 2025 were notified on 14 November 2025; key operative provisions, including consent management, breach notification and grievance redressal, are being phased in by the Central Government. Likhawat treats the Act and Rules as the binding privacy framework for all processing of digital personal data through this website.

2. Status of Likhawat

  • Data Fiduciary — we determine the purpose and means of processing the personal data submitted through this site.
  • Not a Significant Data Fiduciary (SDF) — Likhawat does not meet the volume, sensitivity, sovereignty or risk thresholds that the Central Government has laid down for SDF classification under section 10 of the DPDP Act. We will reassess this position if our scale changes.
  • Small-scale operations — we process data only for direct enquiry handling, commission delivery, and the running of our small studio.

3. Notice and consent (sections 5 & 6)

Before we collect personal data through the contact form we provide a plain-language notice describing what we collect and why, the rights you have, and how to reach our Grievance Officer. The form carries an unticked consent checkbox; you submit data only if you actively tick it. The notice is also available in this page and in our Privacy Policy. We do not rely on pre-ticked boxes, browse-wrap consent or “by visiting this site you agree” notices.

4. Purpose limitation

We use personal data only for the purpose stated at the time of collection. If we ever need to use it for a new, materially different purpose, we will obtain fresh consent.

5. Storage limitation

  • Enquiry messages: deleted at 12 months from last contact.
  • Commission records: kept for the project term plus seven years for tax and contract purposes, in line with Indian record-keeping practice.
  • Server access logs: rotated within 30 days.

6. Security safeguards (section 8(5))

  • HTTPS with a valid TLS certificate across the entire site.
  • Server hardening: no shared FTP, SSH key-based access only, restricted administrator accounts.
  • WordPress core, theme and active plugins kept up to date.
  • Regular off-server backups stored under access control.
  • Periodic review of who can read enquiry data.

7. Personal data breach (section 8(6))

In the event of a personal data breach we will:

  • Notify the Data Protection Board of India without undue delay and, in any event, within 72 hours of becoming aware of it, in line with the timelines set by the DPDP Rules, 2025.
  • Notify each affected Data Principal directly, in plain language, with the nature of the breach, the categories of data involved, the likely consequences, the measures taken, and contact details for further information.
  • Maintain an internal register of breach incidents and remedial actions.

8. Data Principal rights register

  • Right to information about processing — section 11.
  • Right to correction and erasure — section 12.
  • Right of grievance redressal — section 13.
  • Right to nominate — section 14.
  • Right to withdraw consent — section 6(4) to (6).

Requests are handled by our Grievance Officer. We acknowledge within seven working days and respond substantively within 30 days per section 13(3).

9. Children’s data (section 9)

We do not knowingly collect personal data from children below 18. We do not engage in behavioural monitoring or targeted advertising directed at children. Where we discover that a child has submitted personal data, we erase it without delay.

10. Cross-border transfers (section 16)

Personal data is hosted on servers physically located in India. Where any service provider routes data through servers outside India (for example, a transactional email provider), we restrict transfers to jurisdictions that the Central Government has not notified as restricted under section 16 of the DPDP Act.

11. Grievance redressal

  • Grievance Officer: Shipra Dutta
  • Email: info@likhawat.co.in
  • Acknowledgement: within seven working days.
  • Final response: within 30 days.
  • Escalation: Data Protection Board of India under section 27 of the DPDP Act.

12. Sources verified

  • Digital Personal Data Protection Act, 2023 — Ministry of Electronics and Information Technology.
  • Digital Personal Data Protection Rules, 2025 — notified by the Central Government on 14 November 2025.
  • Information Technology Act, 2000, section 43A and the SPDI Rules, 2011.

Last reviewed: 9 May 2026. Grievance contact: info@likhawat.co.in.