What the DPDP Act requires
The Digital Personal Data Protection Act 2023 governs how Indian businesses collect, process, store, and share personal data — including phone numbers, voice recordings, and conversational transcripts. Outbound AI calling falls squarely within scope.
Key obligations for outbound callers:
- Lawful basis for processing — you need consent or a legitimate interest to call. Cualify enforces this through your contact list upload flow.
- Recorded consent — every call must open with a disclosure ("This call is recorded for quality and training"). Cualify's default playbooks include this line.
- DND respect — calls to numbers on TRAI's NCPR (National Customer Preference Register) are prohibited. Penalties up to ₹2L/incident.
- Data subject rights — customers can request to see their data, correct it, delete it, or take it to another provider. You must respond within 30 days.
- Data residency — sensitive personal data should be processed in India where feasible. Cualify hosts everything in Supabase Mumbai.
- Data Protection Officer (DPO) — required for "significant data fiduciaries" (large operators). SMBs need a designated grievance officer.
How Cualify helps
1. Calling-window enforcement
Every call dispatch passes through a TRAI compliance gate. Calls outside 09:00 – 21:00 IST are rejected before any provider is invoked, regardless of customer preference. Holidays and Sunday afternoons can be configured per-campaign.
2. NCPR / DND scrubbing
Every contact list you upload is checked against TRAI's NCPR list. Matched numbers are marked as "DND" on your list and silently skipped at dispatch time. You can also maintain an org-wide suppression list at /contacts.
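The two gates described in sections 1 and 2, sketched as an added example (this is not Cualify's code). The function names, reason strings, check order, and the treatment of 21:00 as exclusive are assumptions; the sample numbers are constructed.

```python
from datetime import datetime, time, timedelta, timezone
import re

IST = timezone(timedelta(hours=5, minutes=30))  # India has no DST, so a fixed offset is safe
WINDOW_START, WINDOW_END = time(9, 0), time(21, 0)  # the page's 09:00 - 21:00 IST window


def normalise(number: str) -> str:
    """Reduce an Indian mobile number to its 10-digit national form.

    Assumption: lists may carry +91, 91 or 0 prefixes and separators; matching
    on the raw string would let a DND number slip through on formatting alone.
    """
    digits = re.sub(r"\D", "", number)
    if len(digits) == 12 and digits.startswith("91"):
        digits = digits[2:]
    elif len(digits) == 11 and digits.startswith("0"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit Indian number: {number!r}")
    return digits


def gate(number: str, now: datetime, ncpr: set[str], suppression: set[str]) -> tuple[bool, str]:
    """Return (allowed, reason). Every failure path denies the call."""
    if now.tzinfo is None:
        return False, "naive_timestamp"  # fail closed: cannot prove the time is in the window
    try:
        n = normalise(number)
    except ValueError:
        return False, "invalid_number"
    local = now.astimezone(IST).time()  # always judged in IST, whatever zone the caller used
    if not (WINDOW_START <= local < WINDOW_END):  # assumption: end of window is exclusive
        return False, "outside_calling_window"
    if n in suppression:
        return False, "org_suppression"
    if n in ncpr:
        return False, "ncpr_dnd"
    return True, "ok"


# Constructed sample data, not real registry entries.
NCPR = {normalise("+91 98765 43210")}
SUPPRESSION = {normalise("09123456789")}

if __name__ == "__main__":
    t = datetime(2025, 1, 6, 4, 0, tzinfo=timezone.utc)  # 09:30 IST
    for num in ["9876543210", "+91-9123456789", "9000000001"]:
        print(num, gate(num, t, NCPR, SUPPRESSION))
```

Logging the returned reason alongside the timestamp gives the per-call evidence an audit export would need.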
3. Consent disclosure on every call
All system playbook templates open with a recorded-consent line. When you write your own playbook prompt, Cualify reminds you to include one if you're missing it (the prompt validator checks before publishing).
4. Recording + transcript retention policy
By default, call recordings are retained for 90 days and transcripts for 2 years. PII redaction (names, account numbers, OTPs) runs on every transcript automatically. You can request shorter retention for sensitive use cases — email [email protected].
5. Customer data export + delete
End-customer rights (your customer asking you for their data): you can export everything Cualify has for a specific phone number from /admin/audit within seconds. Hard delete is also one-click — we wipe recordings, transcripts, and ledger entries within 30 days of the request.
6. Data residency in Mumbai
All customer data — contacts, recordings, transcripts, ledger entries — lives in Supabase's Mumbai region (AWS ap-south-1). Cross-border processing only happens for the LLM inference call itself (OpenAI), and we send only the agent prompt + utterance — never your contact list, never your CRM data.
What you (the customer) still own
Cualify is a data processor under DPDP terms. You're the data fiduciary. That means:
- You decide who to call (Cualify enforces compliance but doesn't pick numbers)
- You're responsible for upstream consent (where did the contact come from?)
- You respond to data subject requests (forwarded to you if they reach Cualify)
- You appoint your own grievance officer + post their contact on your website
Our DPA (Data Processing Agreement) covers the responsibility split formally — sign it on the dashboard once you're on a paid plan.
Sub-processors we use
Cualify's data path touches the following sub-processors:
- Supabase (Mumbai) — database, file storage, auth
- Clerk (US) — user authentication only; no customer data
- Bolna (India) — voice agent runtime
- Sarvam (India) — Indic TTS
- Deepgram (US) — speech-to-text. Subject of an active India-data-residency RFP from our side.
- OpenAI (US) — LLM. Configured with the no-training opt-out flag.
- Razorpay (India) — payment processing
- Resend (US) — transactional email
- Vercel (US, with India edge) — hosting
- Cloudflare R2 (configurable region) — recording storage
Full DPDP-compliant sub-processor list: /legal/sub-processors.
If a regulator audits you
From /admin/audit you can pull, within minutes:
- Every call placed in the last 7 years with metadata
- Consent disclosure verbatim text
- DND scrub timestamps per contact list
- Recording retention status per call
- Data subject rights requests + how they were resolved
Common questions
Do I need DLT registration?
Yes, for SMS templates and for outbound calls under transactional / service categories. See our DLT handoff guide.
What if my customer says "stop calling me"?
Add the number to your org-wide suppression list (/contacts/suppression). Future dispatches skip it automatically. Record the request in your CRM for audit.
Are AI-generated voices "personal data"?
No. The synthesised voice itself isn't personal data (it's generated). But the underlying conversation transcript and recording are, and they are covered by the retention + redaction policies above.