Ketpy Book (operated by Ketpy) is a Data Fiduciary under the Digital Personal Data Protection Act 2023 ("DPDP"). This statement summarises our obligations and your rights as a Data Principal.
1. Our role
For your account profile + business identity (name, email, GSTIN), we are the Data Fiduciary – we determine the means and purposes of processing.
For business data you upload about your customers and vendors (their names, GSTINs, contact info), we act as Data Processor on your behalf – you are the Fiduciary, and you are responsible for obtaining lawful consent from your customers/vendors before storing their data with us.
2. Lawful grounds for processing
Our processing is based on:
- Consent – you signed up + accepted these terms.
- Performance of contract – to provide the Service.
- Legal obligation – GST records (Companies Act 7-year retention), audit logs.
3. Your DPDP rights
| Right | How to exercise |
|---|---|
| Access (§12) | Settings → Data export → ZIP of every record. |
| Correction & erasure (§12) | Edit inline; or email team@ketpy.com for full account deletion. |
| Grievance redressal (§13) | Email team@ketpy.com – response within 7 working days. |
| Nominate (§14) | Email DPO – we add a nominee on file. |
| Withdraw consent (§6) | Cancel subscription – see Cancellation Policy. |
4. Data Protection Officer (DPO)
DPO: Aviral Asthana
Email: team@ketpy.com
Address: Ketpy, Gurugram, Haryana, India
Response SLA: 7 working days
5. Data breach notification
In the event of a notifiable data breach, we will:
- Notify the Data Protection Board within 72 hours of becoming aware.
- Notify affected Data Principals via email + in-app banner with the same urgency.
- Publish a post-mortem within 30 days describing root cause + remediation.
6. Cross-border transfers
All production data is stored in India (Hostinger Mumbai region). No cross-border transfer occurs for business data. Telemetry / error logs may transit through Hostinger's global CDN edge – anonymised and not personally identifying.
7. Significant Data Fiduciary
If notified by the Government as a Significant Data Fiduciary (SDF), we will appoint a DPO based in India (already done), conduct annual data audits, and conduct DPIAs for high-risk processing. Until such notification, our DPO + audit cadence operate voluntarily.
8. Children's data
Ketpy Book is not directed at users under 18. We do not knowingly process children's data. Verifiable parental consent is not collected.