Privacy & Data

India Privacy & Grievance Addendum

Our DPDP Act 2023 notice and Grievance Officer for users in India.

Last updated: 13 July 2026


Table of contents

    1. Purpose and relationship to our other documents
    1. Who we are and why Indian law applies to us
    1. Status of the Indian legal framework
    1. Our roles — Data Fiduciary and Data Processor
    1. Notice and consent (DPDP Act ss. 5–7)
    1. Your rights as a Data Principal (DPDP Act ss. 11–14)
    1. Grievance Officer and grievance redressal (DPDP, IT Rules, E-Commerce Rules)
    1. Children’s personal data (DPDP Act s. 9)
    1. Personal data breach notification (DPDP Act s. 8(6); DPDP Rules)
    1. Cross-border transfers (DPDP Act s. 16)
    1. Intermediary status and user content (IT Act s. 79; IT Rules 2021)
    1. E-commerce entity identity and consumer disclosures (E-Commerce Rules)
    1. Security safeguards
    1. Significant Data Fiduciary — forward-looking
    1. Precedence, changes and contact

1. Purpose and relationship to our other documents

This India Privacy & Grievance Addendum (this “Addendum”) sets out how SemlyPro handles the personal data of, and grievances raised by, users and consumers located in India. It is a supplement to, and forms part of, the SemlyPro legal pack. It should be read together with:

Where this Addendum conflicts with another document in respect of an Indian Data Principal or an Indian consumer, this Addendum prevails to the extent of the conflict. Nothing in this Addendum, or in any other SemlyPro document, waives or diminishes any right that a Data Principal or a consumer has under Indian law that cannot be waived by agreement.

Capitalised terms not defined here (for example, “Customer Materials”, “Content”, “Service”, “Customer”) have the meanings given in the Terms of Service; and “Data Fiduciary”, “Data Principal”, “Data Processor” and “Data Protection Board” have the meanings given in the DPDP Act.


2. Who we are and why Indian law applies to us

The entity responsible for the processing described in this Addendum is:

Semly Pro, a sole proprietorship (eenmanszaak) established in the Netherlands, registered with the KvK (Dutch Chamber of Commerce) under number 99448351, VAT ID NL005387029B31, with registered address Hawaiiweg 41, 1339 NW Almere, Netherlands (trading as “SemlyPro”, “we”, “us”, “our”).

SemlyPro currently operates as a Dutch sole proprietorship, so the owner named in our Privacy Policy (Surya Pillai) is the natural person legally responsible. We intend to incorporate a private limited company, Semly Pro B.V. Upon incorporation, Semly Pro B.V. will assume this Addendum and our other agreements, and references to “SemlyPro” will be read as references to Semly Pro B.V.; this does not require your further consent.

Why Indian law reaches us. The DPDP Act applies extraterritorially: under section 3(b), it governs the processing of digital personal data outside India where that processing is in connection with any activity related to the offering of goods or services to Data Principals within India. Because SemlyPro offers its services to, and processes the personal data of, users located in India, the DPDP Act applies to us notwithstanding that we are established in the Netherlands. Similarly, the E-Commerce Rules expressly bind e-commerce entities based outside India that systematically offer goods or services to consumers in India, and the IT Rules 2021 apply to intermediaries that make their computer resource available to users in India.


3. Status of the Indian legal framework

We set out the current status of the principal Indian instruments so that this Addendum is read against the correct legal backdrop. The commencement position is being phased in and some in-force dates are still being clarified; the exact dates below should be confirmed with Indian counsel before we rely on this Addendum operationally.

  • DPDP Act 2023. Enacted (received Presidential assent on 11 August 2023). Provisions are being brought into force by notification.
  • DPDP Rules 2025. Notified in the Official Gazette in November 2025 (on or about 13–14 November 2025), with a phased commencement. Certain provisions (including those establishing and empowering the Data Protection Board) took effect on notification, while the core substantive Data Fiduciary obligations — itemised notice, consent, Data Principal rights, security safeguards, children’s-data rules, breach reporting and cross-border transfer — are phased in, with the bulk of those obligations expected to become operative from around 14 May 2027 (approximately eighteen months after notification). The Consent Manager registration framework is expected to commence separately (reported around November 2026).
  • IT Act 2000 and IT Rules 2021. In force. The IT Rules 2021 require an intermediary to publish a Grievance Officer and to observe the grievance timelines in Rule 3(2). The IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules 2026 (notified 10 February 2026, in force from 20 February 2026) introduce labelling and provenance-metadata obligations for “synthetically generated information”; SemlyPro’s approach to AI-content labelling is described in our AI Transparency Notice.
  • Consumer Protection Act 2019 and E-Commerce Rules 2020. In force. They require, among other things, a published grievance officer, mandatory entity-identity disclosures, and fair cancellation/refund practices for consumers in India.

We are building toward full DPDP compliance ahead of the operative dates above, and the grievance and contact provisions in this Addendum are available now.


4. Our roles — Data Fiduciary and Data Processor

Our role under the DPDP Act depends on whose personal data is being processed and who determines the purpose and means of processing:

  • SemlyPro as Data Fiduciary. For personal data whose purpose and means we ourselves determine — for example account, billing, marketing, security, support and product-improvement data relating to our own users — SemlyPro is the Data Fiduciary.
  • SemlyPro as Data Processor. Where an Indian business customer uses the Service to process the personal data of Data Principals (for example, personal data contained in Customer Materials, uploaded Excel/CSV files, or data ingested from the customer’s connected Google Ads, Google Analytics 4 or Google Search Console accounts), that customer is the Data Fiduciary and SemlyPro acts as its Data Processor under a valid contract, consistent with section 8(2) DPDP Act. That processing is governed by our DPA (clause 16 and Annex 3), not by this Addendum. In that scenario, a Data Principal should raise a request or grievance with the customer (the Data Fiduciary) first; we will assist the customer as required by the DPA and may forward a request we receive to the relevant customer.

This mirrors the controller/processor split under the GDPR that is described in our Privacy Policy.


5. Notice and consent (DPDP Act ss. 5–7)

Where SemlyPro is the Data Fiduciary, we process the personal data of Indian Data Principals on the following bases.

5.1 Itemised notice (s. 5). We give you a clear and plain-language notice — presented separately from, or clearly within, our other terms — that itemises: (a) the personal data we seek to process and the specified purpose for processing it; (b) how you may exercise your Data Principal rights (Section 6); © how you may make a complaint to the Data Protection Board; and (d) our Grievance Officer contact (Section 7). Where consent was obtained before the DPDP Act’s notice requirement came into force in respect of us, we will provide the notice as soon as reasonably practicable, as the Act contemplates.

5.2 Consent (s. 6). Where we rely on your consent, that consent is a free, specific, informed, unconditional and unambiguous indication of your agreement, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. You may withdraw your consent at any time, and it must be as easy to withdraw as it was to give. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, and you remain responsible for the consequences of withdrawal (for example, that a feature dependent on the withdrawn data may no longer function). Once you withdraw consent, we will, within a reasonable time, cease processing your personal data for the affected purpose and cause our Data Processors to do the same, unless retention is required or permitted by law.

5.3 Certain legitimate uses (s. 7). For some processing we may rely on a “certain legitimate use” permitted by section 7 DPDP Act (for example, where you have voluntarily provided personal data for a specified purpose, or for purposes such as compliance with law or responding to a medical emergency), rather than on consent. We do not rely on the GDPR concept of “legitimate interest” for Indian Data Principals; where our Privacy Policy relies on legitimate interest, the corresponding Indian basis is consent or a section 7 legitimate use.

5.4 Consent Manager. When the DPDP Consent Manager framework becomes operational, you will additionally be able to give, manage, review and withdraw your consent through a Consent Manager registered with the Data Protection Board.

5.5 Verification of requests. Where you exercise a right or make a request, we may take reasonable steps to verify your identity before acting, to protect your personal data against unauthorised access.


6. Your rights as a Data Principal (DPDP Act ss. 11–14)

If you are a Data Principal in India and SemlyPro is the Data Fiduciary for the relevant personal data, you have the following rights, which you may exercise by contacting anil@semlypro.com (or anil@semlypro.com):

  • Right to access information about your personal data (s. 11). You may obtain a summary of the personal data we process about you, the processing activities we undertake with it, and the identities of other Data Fiduciaries and Data Processors with whom we have shared it (together with a description of the data shared).
  • Right to correction, completion, updating and erasure (s. 12). You may request that we correct inaccurate or misleading personal data, complete incomplete personal data, update your personal data, and erase personal data that is no longer necessary for the purpose for which it was processed, unless retention is required by law.
  • Right of grievance redressal (s. 13). You may raise a grievance with us in respect of any act or omission regarding the performance of our obligations, and receive a response within the period prescribed (Section 7). You must exhaust this route before approaching the Data Protection Board.
  • Right to nominate (s. 14). You may nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.

You also have corresponding duties under the DPDP Act (for example, not to impersonate another person, not to suppress material information, and not to file false or frivolous grievances). We will respond to a request or grievance within the timelines in Section 7. Where the personal data concerned is processed by us as a Data Processor on behalf of a business customer, we will forward your request to that customer (the Data Fiduciary) and assist their response as required by the DPA; you should also contact that customer directly where possible.


7. Grievance Officer and grievance redressal

SemlyPro maintains a single, published point of contact — the Grievance Officer — who is readily available to receive and act on questions and grievances from Data Principals, users and consumers in India. This single contact is designed to satisfy the grievance-officer requirements of three separate Indian regimes at once: the DPDP Act (s. 13, and the contactability requirement in s. 8(9)/s. 5), the IT Rules 2021 (Rule 3(2)), and the E-Commerce Rules (Rule 4).

7.1 Grievance Officer contact

Grievance Officer (India) — SemlyPro Email: anil@semlypro.com

If you are dissatisfied with the resolution (or non-resolution) of a grievance concerning your personal data, you may escalate to the Data Protection Board of India.

7.2 Response timelines

Because more than one regime may apply to a given grievance, we apply the shortest applicable acknowledgement and resolution timeline so that we comply with all of them. The statutory baselines are:

Regime Basis Acknowledge Resolve / redress
IT Rules 2021 (intermediary grievances) Rule 3(2)(a)–(b) Within 24 hours Within 15 days (and, for certain unlawful-content removal requests, as expeditiously as possible and within 72 hours)
E-Commerce Rules 2020 (consumer grievances) Rule 4(6) Within 48 hours Within one month from receipt
DPDP Act 2023 (Data Principal grievances) s. 13; DPDP Rules Prompt acknowledgement Within the period prescribed by the DPDP Rules

Our operating standard: we aim to acknowledge every grievance within 24 hours and to resolve it within 15 days, and in any event within the shortest period the applicable regime requires. We maintain an intake and logging process that records each grievance, the applicable regime(s), the acknowledgement, the action taken and the resolution date.

7.3 Interaction with other complaint routes

This grievance route operates alongside, and does not replace: our GDPR/UK-GDPR complaint routes described in the Privacy Policy; the notice-and-action route for illegal content under the EU Digital Services Act; and our IP & Illegal Content Takedown Policy. For content-related complaints connected to Indian users, this Section and the Takedown Policy operate together.


8. Children’s personal data (DPDP Act s. 9)

Under the DPDP Act, a “child” is any individual who has not completed eighteen (18) years of age — a higher age threshold than the digital-consent ages under the GDPR (16 in the Netherlands) or UK data-protection law (13). The Service is a business tool and is not directed to children.

Where we would process the personal data of a Data Principal who is a child:

  • we will obtain verifiable consent of a parent or lawful guardian before the processing, in the manner required by the DPDP Rules;
  • we will not undertake tracking, behavioural monitoring, or targeted advertising directed at children; and
  • we will not process a child’s personal data in a manner likely to cause a detrimental effect on the child’s well-being.

Our marketing-site analytics and advertising features (described in the Cookie Policy) are not directed at children; where India-facing traffic may involve a child, such features are suppressed or age-gated. If you believe we have collected a child’s personal data without the required verifiable parental consent, contact anil@semlypro.com and we will delete it promptly.

We draw the founders’ attention to the fact that the DPDP Act’s penalty Schedule treats a breach of the children’s-data obligations as one of its most serious categories (see Section 9), so this area warrants particular care.


9. Personal data breach notification (DPDP Act s. 8(6); DPDP Rules)

Where a personal data breach affects the personal data of Indian Data Principals and SemlyPro is the Data Fiduciary, we will, in accordance with section 8(6) DPDP Act and the breach-intimation provisions of the DPDP Rules:

  1. give the Data Protection Board of India an initial intimation without delay on becoming aware of the breach, describing (to the extent then known) the nature, extent, timing and location of the breach and its likely impact; followed by a detailed report within 72 hours (or such longer period as the Board allows on request), covering the broader facts, the mitigation and remedial measures taken, findings on the person who caused the breach, and the notifications given to affected Data Principals; and
  2. notify each affected Data Principal without delay, in clear and plain language, describing the nature and extent of the breach, its likely consequences, the mitigation measures we have implemented, the safety measures the Data Principal may take, and our contact details for further information.

The DPDP breach-notification duty is not subject to a risk threshold — the intimation obligations apply to a personal data breach as such. Where personal data you have entrusted to us as a Data Processor is affected, we will notify the relevant business customer (the Data Fiduciary) in accordance with the DPA so that it can meet its own intimation obligations, and we will support that customer’s intimation to the Board and to affected Data Principals (DPA clauses 10 and 16.3). This India duty runs in parallel with our GDPR Article 33/34 obligations described in the Privacy Policy (a single incident may trigger both). Notifying is not an admission of liability.


10. Cross-border transfers (DPDP Act s. 16)

The DPDP Act adopts a “negative-list” (blacklist) model for cross-border transfers. Under section 16 DPDP Act, a Data Fiduciary may transfer personal data outside India except to a country or territory that the Central Government of India restricts by notification. Accordingly:

  • we may transfer Indian Data Principals’ personal data to our infrastructure and sub-processors located outside India (for example, in the EEA and, for certain sub-processors, the United States), subject to the negative-list restriction;
  • we will not transfer such data to any country or territory that the Central Government restricts by notification, and we will monitor and comply with any such notification and with any sector-specific data-localisation directions that may apply to us; and
  • irrespective of destination, we apply the technical and contractual safeguards described in the DPA (Annex 2) and in our Privacy Policy’s international-transfer section (Standard Contractual Clauses, the UK IDTA/Addendum, and adequacy frameworks as applicable) to protect the data in transit and at the recipient.

A current list of our sub-processors, their locations and the transfer mechanism relied on for each is maintained at semlypro.com/subprocessors.


11. Intermediary status and user content (IT Act s. 79; IT Rules 2021)

SemlyPro primarily generates first-party outputs (Content) at the Customer’s instruction, rather than operating as a platform that hosts third-party user-generated content. To the extent, however, that SemlyPro stores or transmits information provided by users such that it is an “intermediary” within the meaning of section 2(1)(w) of the IT Act 2000, we observe the applicable due-diligence obligations of the IT Rules 2021, including:

  • publishing rules and a grievance mechanism — our Terms of Service, AUP and this Addendum inform users of what is prohibited, and Section 7 publishes our Grievance Officer and grievance timelines;
  • acting on grievances and takedown requests within the Rule 3(2) timelines and, where required, removing or disabling access to unlawful information on receipt of actual knowledge or a valid order of a court or competent authority; and
  • AI-generated-content labelling — where the Service produces synthetically generated information for Indian users, our approach to prominent labelling and provenance metadata (relevant to the IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules 2026, in force from 20 February 2026) is described in our AI Transparency Notice.

12. E-commerce entity identity and consumer disclosures (E-Commerce Rules)

As an e-commerce entity offering services to consumers in India, SemlyPro provides the mandatory disclosures required by Rules 4 and 5 of the E-Commerce Rules. These are displayed on our website (including the footer and, where applicable, at checkout):

  • our legal name (Semly Pro, trading as SemlyPro) and principal geographic/registered address (Hawaiiweg 41, 1339 NW Almere, Netherlands);
  • the name, contact details and designation of the Grievance Officer (Section 7);
  • a customer-care contact for consumer queries, complaints, returns, refunds and cancellations; and
  • our GSTIN, once registered.

Because we are an e-commerce entity based outside India, the E-Commerce Rules also contemplate appointment of a person or nodal contact resident in India to ensure compliance.

Consumer cancellation, refunds and fair terms. We will not impose unreasonable cancellation charges on a consumer unless we bear equivalent charges when we cancel, and we will effect accepted refunds within a reasonable period consistent with applicable Reserve Bank of India / payment-processor timelines. Nothing in our Terms of Service excludes or limits an Indian consumer’s non-excludable rights under the Consumer Protection Act 2019, and our governing-law and jurisdiction clause (Netherlands / courts of Amsterdam) is subject to those mandatory Indian consumer protections. The detailed cancellation and refund position is set out in the Terms of Service (and any dedicated Refund & Cancellation Policy).


13. Security safeguards

We implement reasonable security safeguards to prevent a personal data breach, consistent with the DPDP Rules’ reasonable-security-safeguards requirement and with the technical and organisational measures described in the DPA (Annex 2) and the Privacy Policy. These include encryption in transit and at rest, role-based and least-privilege access controls with access logging, isolation of environments, backup and recovery controls, vulnerability management, and personnel confidentiality and training. Our internal Staff Data-Access Policy operationalises the least-privilege controls, and we do not use Customer Materials or Content to train publicly-released AI models (see the Privacy Policy and DPA).


14. Significant Data Fiduciary — forward-looking

The Central Government may, under section 10 DPDP Act, designate a Data Fiduciary (or class of Data Fiduciaries) as a Significant Data Fiduciary based on factors such as the volume and sensitivity of personal data processed and the risk to Data Principals. We do not consider that SemlyPro meets such a designation at its current scale. If SemlyPro is so designated, we will:

  • appoint a Data Protection Officer based in India, who will be responsible to us and serve as the point of contact for grievance redressal;
  • appoint an independent data auditor to evaluate our DPDP compliance; and
  • undertake periodic Data Protection Impact Assessments and audits, and other measures the Rules prescribe.

We track this designation pathway because India is a focus market for us.


15. Precedence, changes and contact

15.1 Precedence. In respect of Indian Data Principals and Indian consumers, this Addendum prevails over any conflicting term in our other documents to the extent of the conflict, save that (a) where the DPA governs our processing as a Data Processor, the DPA’s India module (clause 16, Annex 3) governs that processing; and (b) nothing here waives a mandatory right under Indian law.

15.2 Changes. We may update this Addendum from time to time — for example, as the DPDP Rules’ remaining provisions commence, or as the Consent Manager framework goes live. Material changes will be notified by email or in-product notice, and the “Last updated” date above shows when this Addendum was last revised. We will keep the commencement statements in Section 3 aligned with the law as it comes into force.

15.3 Contact.

  • India grievances (Data Principals and consumers): anil@semlypro.com
  • Privacy (general): anil@semlypro.com
  • Security incidents: anil@semlypro.com
  • Legal notices: anil@semlypro.com
  • Postal address: Semly Pro (eenmanszaak, trading as SemlyPro), Hawaiiweg 41, 1339 NW Almere, Netherlands
  • Data Protection Board of India: the statutory escalation forum where a grievance to us is not resolved to your satisfaction.

Last updated 13 July 2026 · Operated by Semly Pro (eenmanszaak), KvK 99448351, Hawaiiweg 41, 1339 NW Almere, Netherlands · Questions about this document: anil@semlypro.com