DPDPA notice & responsibilities

This notice explains how Niviverse Consultancy LLP (“we”, “us”, “our”)—which operates the eAccounting compliance desk—handles digital personal data when you enquire about or engage us for corporate compliance, MCA and allied filings, and related professional work in India.

We act as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (India) and applicable rules and guidance issued thereunder, as updated from time to time (together, “DPDPA”). You, and individuals on whose behalf you act, are Data Principals where DPDPA applies to the processing described below.

This notice supplements our general Privacy policy. If anything on the website conflicts with your signed engagement letter, the engagement letter prevails for that engagement.

Compliance and registry work is document- and identity-intensive. To prepare filings, respond to authorities, and coordinate your matter, we routinely need personal identifiers and contact details—not only about your organisation, but often about directors, authorised signatories, partners, shareholders, and other individuals whose particulars appear in forms, registers, or verifications.

Typical categories include: name, address, email, phone, government-issued identifiers where legally required for a filing (for example PAN, DIN-related identifiers, or similar fields mandated by MCA or other regulators), photographs or scans where the process requires them, nationality or demographic fields where forms mandate disclosure, and professional role (e.g. director, CS, manager).

We process such data only for legitimate purposes tied to the services you request: scoping engagements, preparing and submitting filings, maintaining statutory records we are engaged to support, communicating status, invoicing, and meeting legal, regulatory, and professional obligations (including audit and record-keeping norms applicable to our practice).

Where DPDPA requires consent, we will seek your free, specific, informed, unconditional, and unambiguous consent with a clear affirmative action before processing personal data for that purpose, except where the Act permits processing without consent (for example certain legitimate uses described in the statute).

Much of our processing is necessary to perform our contract with you (the engagement) and to comply with law (including MCA, RBI, FEMA, or tax statutes, as applicable to your matter). We do not use personal data for unrelated marketing unless you have separately agreed.

Accuracy and completeness: You are responsible for ensuring that personal data you provide (including through forms, emails, or shared drives) is accurate and kept up to date for the filing in question. Incorrect or incomplete data can delay or invalidate registry work.

Authority and lawful sharing: Where you give us personal data relating to another individual (for example a co-director or shareholder), you confirm that you are authorised to share that data with us for the stated filing or compliance purpose, and that doing so is lawful under DPDPA and any other applicable law. You should direct those individuals to this notice (or provide equivalent notice) where required.

Government and portal accounts: You remain responsible for credentials, OTP delivery devices, and approvals on client-side MCA / GST / other portals unless your engagement explicitly assigns specific tasks otherwise; failures there can limit our ability to complete processing even when we hold data lawfully.

Cooperation: You will cooperate with reasonable requests to verify identity, confirm consent, or clarify conflicting information—so we can meet fiduciary and statutory duties without over-collecting or mis-filing.

Purpose limitation & fairness: We process personal data fairly and only for purposes you have been informed of, or as permitted under DPDPA.

Security: We implement appropriate technical and organisational measures having regard to the nature of the data and our operations (including access controls on cloud workspaces used for your matter). No method of transmission or storage is absolutely risk-free; we take reasonable steps to reduce risks.

No sale: We do not sell personal data. We may share data with Data Processors (for example cloud hosting, e-signature, or accounting tools) strictly under contract and instructions, or with government / regulatory bodies where a filing or law requires disclosure.

Breach: Where the law obliges us to notify the Data Protection Board of India or affected Data Principals of a personal data breach, we will act in accordance with DPDPA and applicable rules.

Grievance redressal: We maintain a mechanism to receive and address grievances as required under DPDPA (see section 9 below).

We retain personal data for as long as needed to complete your engagement, satisfy professional and statutory record-keeping requirements, and resolve disputes. Some filings create obligations to retain underlying evidence for extended periods under company law or tax law; retention timelines may therefore exceed the life of a single form submission.

When data is no longer required and there is no legal bar to deletion, we will delete or anonymise it in line with our internal policies and reasonable commercial practice.

Subject to DPDPA—including applicable exceptions for certain regulatory, legal, or contractual contexts—Data Principals may have rights to access, correction, erasure, grievance redress, and other remedies provided under the Act.

Because many records we hold are also mandated or lodged with government systems, exercising a right (for example correction) may require parallel correction in the official register; we will explain practical constraints when you raise a request.

To exercise rights or ask questions about personal data we process as Data Fiduciary, use the contact in section 9. We may need to verify identity before acting on a rights request.

Some processors we use may process or store data on infrastructure located outside India. Where such cross-border transfer is involved, we take DPDPA’s restrictions and permitted mechanisms into account and use arrangements (including contracts and safeguards) consistent with applicable law at the time.

For DPDPA-related queries, complaints, or rights requests regarding our processing, contact:

Email: privacy@eaccounting.in (subject line: “DPDPA request” or “DPDPA grievance”).

We will acknowledge and handle grievances in line with DPDPA timelines and procedures as they apply to us. Nothing in this notice limits your right to approach the Data Protection Board of India or other authorities where the law allows.

Our services are aimed at businesses and professionals. We do not knowingly collect personal data from children in a manner contrary to DPDPA. If you believe we have received a child’s data without lawful basis, contact us immediately.

We may update this notice to reflect changes in law, regulatory guidance, or our services. The “Last updated” date below will change when we publish a new version; continued use of the website or new engagements after notice may be subject to the updated terms where permitted by law.

This document is provided for transparency and operational clarity only. It is not legal advice. Niviverse Consultancy LLP is not a law firm; regulatory compliance services are delivered by Chartered Accountants and qualified professionals as described elsewhere on this site.