Data Protection Compliance (GDPR & India DPDP Act, 2023)

Effective Date: March 1, 2026

PurnOrganic is committed to protecting personal data in compliance with applicable global and Indian data protection laws, including the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Digital Personal Data Protection (DPDP) Act, 2023 (India). This page sets out our specific obligations and your rights under each framework. Please also refer to our full Privacy Policy.

1. Lawful Basis for Processing (GDPR)

Under GDPR, PurnOrganic processes personal data on the following lawful bases:

  • Consent: Where you have given clear, freely given, specific, informed, and unambiguous consent for a specific processing purpose (e.g., marketing emails). You may withdraw consent at any time without detriment.
  • Contractual Necessity: Where processing is necessary to perform a contract with you or to take pre-contractual steps (e.g., processing your order, managing your account, facilitating delivery).
  • Legal Obligation: Where processing is required to comply with a legal obligation applicable to PurnOrganic (e.g., tax records, anti-money laundering obligations).
  • Legitimate Interest: Where processing is necessary for our legitimate business interests and does not override your fundamental rights and freedoms (e.g., fraud prevention, platform security, analytics to improve services).

2. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:

  • Right to Access: You may request a copy of the personal data we hold about you (Subject Access Request).
  • Right to Rectify: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data where there is no legitimate reason for continued processing.
  • Right to Restrict Processing: You may request that we limit how we process your data in certain circumstances.
  • Right to Data Portability: You may request your data in a structured, commonly used, and machine-readable format, and have it transferred to another controller where technically feasible.
  • Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes at any time.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

To exercise any GDPR rights, contact support@purnorganic.com. We will respond within 30 days (extendable by a further 60 days for complex requests).

3. Your Rights Under India DPDP Act, 2023

Under the Digital Personal Data Protection Act, 2023, Indian data principals (users) have the following rights:

  • Right to Access Information: You have the right to obtain confirmation of whether your personal data is being processed, a summary of the data processed, and information about the processing activities.
  • Right to Correction and Erasure: You may request correction of inaccurate, incomplete, or misleading personal data, and erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
  • Right to Grievance Redressal: You have the right to have grievances addressed by our designated Grievance Officer. Complaints will be acknowledged within 48 hours and resolved within 30 days.
  • Right to Nominate: You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity.

To exercise DPDP rights, contact our Grievance Officer at support@purnorganic.com.

4. Consent Management

  • PurnOrganic collects explicit consent for data processing activities that require it (e.g., marketing, cookies).
  • Consent is captured through clear opt-in mechanisms — pre-ticked boxes are not used for consent.
  • You may manage, update, or withdraw your consent preferences at any time through your account settings or by contacting our support team.
  • Records of consent, including the time, method, and scope of consent, are maintained by PurnOrganic.
  • Withdrawal of consent for non-essential processing will not affect the core services provided to you under contract.

5. Data Retention

  • Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
  • Account data is retained for the duration of your account and for up to 5 years after account closure for legal and audit purposes.
  • Transaction records and financial data are retained for a minimum of 7 years as required by Indian tax and accounting laws.
  • Consent records are retained for the period of consent plus 3 years.
  • Data subject request records are retained for 3 years.

6. Data Transfers & Cross-Border Processing

  • GDPR: Where personal data of EEA/UK users is transferred outside the EEA/UK, PurnOrganic ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission, or other transfer mechanisms recognised under GDPR.
  • DPDP Act: Cross-border transfers of Indian users' personal data are conducted in compliance with the provisions of the DPDP Act, 2023, and any rules or notifications issued thereunder. Transfers are made only to countries or entities that meet the requirements specified by the Indian Government.
  • Certain data may be stored on cloud infrastructure operated by third-party service providers. All such providers are bound by data processing agreements consistent with applicable law.

7. Data Breach Notification

  • In the event of a personal data breach that poses a risk to individuals' rights and freedoms, PurnOrganic will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required under GDPR).
  • Under the DPDP Act, 2023, PurnOrganic will notify the Data Protection Board of India and affected data principals as required by the Act and applicable rules.
  • Where a breach is likely to result in high risk to individuals, we will notify affected data subjects without undue delay.
  • We maintain a data breach register and conduct root cause analysis to prevent recurrence.

8. Children's Data — Enhanced Compliance

  • PurnOrganic does not knowingly collect or process personal data of individuals under the age of 18.
  • GDPR (Article 8): For users in the EEA who are under 16 (or a lower age set by the relevant Member State), processing of personal data based on consent requires parental or guardian authorisation. Our Platform is not directed at children, and we do not offer services targeted at minors.
  • DPDP Act: Processing of personal data of children requires verifiable parental consent. PurnOrganic will not process a child's data without such consent, and will not profile children or undertake behavioural targeting of children.
  • If we discover that personal data of a child has been collected without appropriate consent, we will delete it promptly.

9. Complaints & Supervisory Authorities

If you believe your data protection rights have been violated and we have been unable to resolve your concern satisfactorily, you have the right to lodge a complaint with the relevant supervisory authority:

  • GDPR users (EEA/UK): You may contact your national Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu. UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk.
  • Indian users (DPDP Act): You may file a complaint with the Data Protection Board of India once established under the DPDP Act, 2023, and the relevant rules.

Before escalating to a supervisory authority, we encourage you to contact us first at support@purnorganic.com so we can address your concern directly.