Cualify.
OutboundInboundBookingCollectionsPricingSecurityBlog
Sign inStart a pilot

Cualify Field Notes

Building India's AI calling stack — in public.

One short essay every other Friday on voice AI, Indian SMB GTM, and what we ship. No spam. Unsubscribe in one click.

Cualify.

AI calling agency for Indian SMBs. Multilingual voice agents, INR billing, DPDP-ready from day one.

Built in Mumbai · Stored in Mumbai

Product

  • Outbound sales
  • Inbound support
  • Appointment booking
  • Collections
  • Voice library
  • Docs

Company

  • Pricing
  • Cualify vs Bolna
  • Changelog
  • Security
  • Blog
  • About
  • Contact

Legal

  • Terms of service
  • Privacy policy
  • Data Processing
  • Acceptable Use
  • 15-day refund

Compliance

  • DPDP Act 2023
  • TRAI / DLT
  • 99.5% SLA
  • Sub-processors
  • Customer KYC
  • Contact DPO

© 2026 Cualify Technologies. All rights reserved.

[email protected]·[email protected]·+91 80 0000 0000

Field Notes·Compliance·2 May 2026·3 min read

DPDP Act 2023 — what an AI calling team actually has to do

Pulling apart the consent registry, retention, and DSR clauses, and what they mean for an outbound campaign that runs across six languages.

By Utsav Rana

If you're running outbound calls in India in 2026, the Digital Personal Data Protection Act 2023 already applies to you — even if the enforcement notifications are still rolling out. Here's the actual operator-level checklist we run for every Cualify pilot, written in plain English instead of clauses.

Who this is for

Founders, sales heads, and compliance leads at Indian SMBs running 100+ outbound calls a week. If you're a 4-seat insurance broker or an 80-loan NBFC, this is the same rulebook applied to your scale.

1. Establish your role

Under DPDP, you are the Data Fiduciary for every contact you call. Cualify (or any voice-AI vendor) is your Data Processor — we act on your instruction, we don't decide what to do with the data. This matters because the legal liability for unlawful calling sits with you, not the platform. The flip side: as long as your platform contract is solid, you're not liable for vendor breaches alone.

Action: appoint a Data Protection Officer in writing. For an SMB this is usually the CEO or COO — formality matters, the title doesn't.

2. Get consent before you dial

Every dial needs a lawful basis. For B2B work-email contacts, that's typically legitimate interest under §7(d). For B2C / consumer calling, you need affirmative consent — the form fill, the opt-in checkbox, the WhatsApp-bot agreement.

  • Capture the consent timestamp + the language the consent was given in.
  • Store the consent statement verbatim — not paraphrased — alongside the contact record.
  • Re-confirm consent at the start of every call. We play a 5-second AI disclosure clip in the customer's language; that's both a TRAI requirement and a DPDP belt-and-braces.

3. Mind the calling window

TRAI's 09:00–21:00 IST window is the floor; DPDP doesn't override it. Your calling stack should reject any dispatch outside the window, not just warn — it's the kind of audit-trail compliance that closes a complaint in five seconds.

4. Run the NCPR scrub every time

The National Customer Preference Register is updated daily. Scrubbing once at list upload isn't enough — by the time your campaign dispatches a week later, dozens of numbers may have opted out. Scrub at dispatch, every time.

5. Set retention windows you can actually defend

DPDP doesn't prescribe a number; it asks you to retain data only as long as 'necessary for the purpose'. We default to 90 days for recordings, configurable up to 365. After the window, recordings are auto-purged and the transcript is redacted. The shorter your retention, the easier your DPDP audit.

PII redaction is non-negotiable

Aadhaar numbers, PAN, card digits — these get auto-redacted from stored transcripts at Cualify before long-term archival. If your stack doesn't do this, build it before you scale.

6. Wire the rights workflow before the first request

Within 30 days of a Data Principal request — access, correction, erasure, consent withdrawal — you have to deliver. The way to handle this is not a special-case workflow when the request lands. Build the in-app DSR inbox now, write the SOP now, run a tabletop drill now. Two paragraphs of policy and zero tooling is a fail mode.

7. Notify breaches in 72 hours

If a sub-processor leaks recordings, you have 72 hours to notify the Data Protection Board of India and your affected customers. Cualify commits to notifying you within the same 72-hour window so your clock starts on time.

What this looks like in practice

On the Cualify side, every campaign goes through a pre-flight gate that checks: DLT template ID attached (yours, registered under your entity), calling window valid, NCPR scrub recent, AI disclosure clip ready in the call language, retention policy attached, consent text on file. The gate refuses to dispatch if any of those fails. We're bring-your-own-carrier — Cualify connects to your existing telephony provider (Exotel / Plivo / Twilio), uses the DLT templates you've already filed, and adds the AI orchestration + audit trail on top. You stay the Principal Entity; we give you the receipts.

If you're running calls today without these guardrails, the cost of retrofitting is much higher than building it in. Email [email protected] if you want to walk through your specific stack.

Read more

  • Benchmark

    Human vs AI: cost per qualified lead, the real Indian numbers

  • Voice tech

    Indic voice quality teardown: Sarvam, Smallest, ElevenLabs

Got a question about this post? Email us →