A privacy notice should answer a simple question: what happens to my personal data after I submit this form?
For many websites, the answer is unclear. The enquiry form asks for name, phone number, email, city and service requirement. The privacy policy says something broad. The CRM sends the lead to a team member. A marketing tool may store the same data. Nobody has checked whether the notice matches the actual process.
What a privacy notice is supposed to do
Under DPDP readiness, the notice should help a person understand the personal data being collected and the purpose of processing. The language should be clear enough for a normal website visitor. If your visitor needs a lawyer to understand your notice, rewrite it.
Flowchart: website form to DPDP notice
User opens website form
↓
Form asks for personal data
↓
Notice explains purpose and use
↓
User submits data
↓
Data enters CRM / email / WhatsApp / sheet
↓
Team uses data only for stated purpose
↓
Requests, corrections, deletion and complaints are recorded
Minimum points to cover in a privacy notice
- Who is collecting data: business name and contact details.
- What data is collected: name, phone, email, address, documents, device data, payment data or other fields.
- Why it is collected: consultation, service delivery, billing, compliance, support, hiring, marketing or another clear purpose.
- How it is collected: website forms, WhatsApp, email, app, CRM, offline form later digitised or phone call follow-up.
- Who may receive it: internal team, consultants, vendors, payment gateways, cloud tools or authorities where needed.
- User rights/contact process: correction, withdrawal, grievance, deletion or other request route where applicable.
- Retention position: how long data may be kept or how retention is decided.
- Security statement: basic access control and handling practices.
Example: lead form privacy wording
Here is a plain-language style that works better than vague wording:
When you submit this form, we collect your name, phone number, email address and service requirement so our team can contact you, understand your query and share next steps. We may store this information in our enquiry records and use approved service tools for follow-up. You can contact us at [email] for correction, deletion or privacy-related requests, subject to legal and service record requirements.
This is only a sample. Your final wording should match your actual tools, vendors and record-keeping practice.
Table: weak notice vs useful notice
| Weak wording | Better wording | Why it matters |
|---|---|---|
| We collect information to improve services. | We collect your phone number and email to respond to your enquiry and share service steps. | The purpose is specific. |
| We may share data with third parties. | We may share data with payment gateways, cloud tools, consultants or authorities where needed for the service. | The user knows the broad recipient categories. |
| Contact us for privacy issues. | Email [privacy/contact email] for correction, deletion, grievance or withdrawal requests. | The route is clear. |
| We keep data as long as needed. | Lead records may be retained for follow-up, legal, tax, service and dispute records as per business need and law. | Retention is not left completely blank. |
Where to place the notice
- Footer privacy policy link on every page.
- Short notice or link near enquiry forms.
- Checkout or payment page if billing data is collected.
- App signup screen where account data is collected.
- Job application form if employee or candidate data is collected.
- Customer onboarding form where documents are uploaded.
Common mistakes
- Using a copied policy that names another country, law or business model.
- Collecting Aadhaar, PAN or documents too early without need.
- Not mentioning vendors even when CRM, payment gateway, cloud storage or marketing tools receive data.
- Writing consent text that is mixed with unrelated terms.
- Not giving a working email/contact route for privacy requests.
- Leaving HR and employee records outside the privacy review.
Question and answer
- Can one privacy notice cover website, HR and customer data?
- It can, but only if the notice clearly covers each use. Many businesses prefer a public privacy policy for users and an internal employee data notice for HR records.
- Should the notice mention DPDP Act by name?
- It can mention DPDP where relevant, but the content matters more. A notice that says "DPDP compliant" but does not explain data use is weak.
- Do we need separate consent for marketing?
- Check the actual use. If data collected for service enquiry is also used for promotional messages, the wording and consent route should be reviewed.
- How often should the privacy notice be reviewed?
- Review it when forms, apps, CRM, vendors, marketing tools, payment flow or data use changes. A yearly review is also sensible for active businesses.
Quick review checklist
- Does the notice match every active form?
- Does it name the type of personal data collected?
- Does it explain why the data is collected?
- Does it mention vendor/tool sharing in simple categories?
- Does it give a real contact route?
- Does your team know what to do when a request comes?
- Has the wording been checked against the latest official DPDP Rules position?
Do not publish a privacy notice only to fill a footer link. It should match the way your business actually collects and uses personal data.