DPDPA Compliance
Digital Personal Data Protection Act, 2023 — Our commitment to lawful processing of personal data in India.
Last Updated: April 1, 2026
1. About the DPDPA
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's primary legislation governing the processing of digital personal data. It grants Data Principals (individuals) rights over their personal data and imposes obligations on Data Fiduciaries (entities that determine the purpose and means of processing).
Virora International Private Limited, operating the VAssess platform, is a Data Fiduciary under the DPDPA. We are registered and incorporated in India and our primary data processing activities are conducted within Indian jurisdiction.
2. Personal Data We Process
We process the following categories of personal data in the course of providing the VAssess platform:
| Category | Examples | Purpose |
|---|---|---|
| Identity Data | Name, email address, phone number | Account creation and authentication |
| Academic Data | Admission number, class, institution name | Institutional enrollment and access control |
| Assessment Data | Test responses, scores, time-on-question | Performance analytics and progress tracking |
| Payment Data | Invoice details, transaction IDs | Subscription billing (card data is not stored — processed by Razorpay) |
| Technical Data | IP address, browser type, session logs | Security, fraud prevention, and debugging |
3. Lawful Bases for Processing
Under the DPDPA, personal data may be processed only for a lawful purpose. We rely on the following bases:
- ConsentWhen you register on VAssess, you provide free, specific, informed, and unambiguous consent for us to process your personal data for the purposes described in our Privacy Policy.
- Legitimate UseProcessing necessary to perform a contract with you (e.g., delivering the subscription service, processing payments).
- Legal ObligationProcessing required to comply with applicable Indian law, including tax and financial reporting obligations.
4. Rights of Data Principals
As a Data Principal under the DPDPA, you have the following rights with respect to your personal data:
Right to Access
Request a summary of the personal data we hold about you and the processing activities undertaken.
Right to Correction and Erasure
Request correction of inaccurate or incomplete personal data, or erasure of personal data that is no longer necessary for the purpose for which it was collected.
Right to Grievance Redressal
Raise a grievance with our Data Protection Officer regarding any processing of your personal data.
Right to Nominate
Nominate another individual to exercise your rights in the event of your death or incapacity.
Right to Withdraw Consent
Withdraw consent for processing at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal but may limit your access to the platform.
To exercise any of the above rights, contact our Data Protection Officer at privacy@vassess.com. We will respond within 30 days.
5. Data Retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected or as required by applicable law. On account deletion, we erase or anonymise personal data within 90 days, except where retention is required for legal, regulatory, or dispute resolution purposes.
Transaction and payment records are retained for 7 years in compliance with Indian accounting and tax laws.
6. Data Localisation & Cross-Border Transfers
Our primary data storage is on MongoDB Atlas with clusters in the Asia Pacific (Mumbai) region, ensuring that personal data of Indian residents is stored within India.
Where personal data is transferred to service providers outside India (e.g., email delivery, analytics), such transfers are made only to countries or entities notified by the Central Government as providing adequate data protection, or pursuant to standard contractual clauses.
7. Children's Data
Where the platform is used by students under the age of 18 in an institutional context, the institution (acting as the parent/guardian proxy) is responsible for obtaining verifiable parental consent prior to enrollment. We do not knowingly collect personal data from minors through our direct-to-consumer registration flow without parental consent.
We do not process children's personal data for behavioural targeting or tracking purposes.
8. Data Fiduciary Obligations
As a Data Fiduciary we have implemented the following measures to comply with the DPDPA:
- Privacy notice presented at point of data collection
- Consent records maintained with timestamp and purpose
- Technical and organisational security measures (TLS, bcrypt, AES-256 encrypted sensitive fields)
- Data minimisation — only data necessary for the stated purpose is collected
- Data Processor agreements with all third-party service providers
- Breach notification procedures in place (72-hour notification to affected users where required)
- Designated Data Protection Officer
9. Grievance Redressal
If you have a complaint or grievance regarding the processing of your personal data, you may contact our Data Protection Officer:
Data Protection Officer
Virora International Private Limited
Email: privacy@vassess.com
Website: vassess.com
If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India once it is constituted under the DPDPA.
10. Updates to This Notice
We will update this DPDPA Compliance Notice as required by changes in law, regulation, or our processing activities. Material changes will be communicated via email or a prominent notice on the platform.