DPDP Act 2023 compliance
How Margifi meets its obligations as a Data Fiduciary under India's Digital Personal Data Protection Act, 2023 (the "DPDP Act"), and how you can exercise your rights as a Data Principal.
1. Who we are (Data Fiduciary)
Margifi Limited, with its registered office at Ground Floor, WeWork Forum, DLF Cyber City, DLF Phase 3, Sector 24, Gurugram, Haryana 122002, India, is the Data Fiduciary responsible for personal data processed through the Margifi platform. We determine the purpose and means of processing the personal data described in our Privacy Policy and Data Processing Addendum.
2. Scope
This page summarises, in plain language, how Margifi applies the DPDP Act to two categories of personal data: (a) data of our account holders and website visitors, and (b) the end-customer data our clients process through Margifi (for which the client is the Data Fiduciary and Margifi acts as a Data Processor). It supplements, and does not replace, our Privacy Policy, DPA and Grievance Policy.
3. Lawful basis and consent
We process personal data on the lawful bases recognised by the DPDP Act: your free, specific, informed and unambiguous consent, and the "legitimate uses" permitted under Section 7 (such as performing a service you requested). Every consent request is made through a clear notice that states what data we collect, the purpose, and how to withdraw consent. Withdrawing consent is as easy as giving it.
4. Your rights as a Data Principal
Under the DPDP Act you have the right to:
- Access a summary of the personal data we process about you and how we process it.
- Correction, completion, updating, and erasure of your personal data.
- Withdraw consent at any time, without affecting processing done before withdrawal.
- Nominate another individual to exercise your rights in the event of death or incapacity.
- Grievance redressal through our Grievance Officer, and escalation to the Data Protection Board of India.
To exercise any of these rights, email admin@margifi.com or use the controls in your account settings. See our Grievance Policy for timelines.
5. How we safeguard your data
We apply reasonable security safeguards as required by Section 8(5) of the DPDP Act:
- Personal identifiers such as customer phone numbers are hashed with HMAC-SHA-256 before storage. We do not store raw phone numbers; the cross-brand reliability network operates only on keyed hashes, never plaintext.
- Data in transit is encrypted with TLS; data at rest is encrypted by our infrastructure providers.
- Each client's data is isolated at the row level; one account can never read another's data.
- Access to production data is restricted, logged, and granted on a least-privilege basis.
6. Data residency and cross-border transfers
Personal data is stored and processed primarily on infrastructure located in India (Mumbai and Bangalore regions). Some operational sub-processors process limited data outside India. Margifi transfers personal data only to countries that are not restricted by the Central Government under Section 16 of the DPDP Act, and only under contractual data-protection safeguards. Our current sub-processors and their regions are listed in the Data Processing Addendum.
7. Data retention
We retain personal data only for as long as it is needed for the purpose it was collected, or as required by law. When the purpose is served and no legal retention obligation applies, we erase the data or retain it only in keyed-hash or aggregate form that cannot identify you.
8. Children and persons with a guardian
Margifi is a business tool not directed at children. We do not knowingly process the personal data of a child (under 18) or of a person with a lawful guardian without verifiable consent of the parent or guardian as required by Section 9 of the DPDP Act, and we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
9. Grievance redressal and the Data Protection Board
Margifi has designated a Grievance Officer to address questions and complaints about personal data. Contact the Grievance Officer (Data Protection), Margifi Limited at admin@margifi.com. We acknowledge grievances promptly and aim to resolve them within the timelines in our Grievance Policy. If you are not satisfied, you may escalate to the Data Protection Board of India once it is operational.
10. Personal data breach notification
In the event of a personal data breach, Margifi will notify the Data Protection Board of India and each affected Data Principal in the manner and within the timelines prescribed under the DPDP Act and its Rules.
11. Changes to this page
We may update this page as the DPDP Rules are notified and our practices evolve. Material changes will be communicated to registered users by email, and the "Last updated" date above will change.
We never show a precision we can't back, and we never store a phone number we don't need. Compliance is the same operator-honesty as the rest of Margifi.