Compliance
Compliance & Security
Data protection & compliance. Our commitment to your customers' privacy.
Our approach to data protection
The Digital Personal Data Protection Act 2023 ("DPDP Act") is India's landmark data protection legislation. Enacted by Parliament and progressively coming into force, it establishes a framework governing how organisations collect, store, use, and share the personal data of individuals in India. It draws conceptual parallels with the European GDPR, requiring lawful basis for processing (primarily consent), granting individuals meaningful rights over their data, and imposing obligations on the organisations that process it.
Under the DPDP Act, organisations that determine the purpose and means of data processing are called Data Fiduciaries. The individuals whose data is processed are called Data Principals. Organisations that process data on behalf of a Data Fiduciary are called Consent Managers or processors. When you use Revvlab to send automated messages to your customers, your brand is the Data Fiduciary and Revvlab acts as the processor, handling data only according to your instructions and within the boundaries of our data processing agreement.
How Revvlab implements compliance
Six principles that govern how we handle personal data on your behalf.
Data Minimisation
We collect only the personal data that is strictly necessary to deliver the Revvlab service. If a piece of data does not serve a clear operational purpose, we do not collect it.
Purpose Limitation
Customer data processed through Revvlab is used only for the purposes explicitly agreed upon — conversation automation, revenue attribution, and support. We do not repurpose data for unrelated uses without fresh consent.
Data Subject Rights
Your customers can request access, correction, or deletion of their personal data at any time. We provide you the tools to honour these requests within prescribed timelines.
Consent Management
Revvlab enforces explicit opt-in before any automated messaging is initiated. Opt-out signals are honoured immediately and propagated across all active flows. Consent records are logged with timestamps.
Data Security
All customer personal data processed by Revvlab is stored on encrypted servers with access controls and audit logging. We maintain ISO 27001-aligned security practices.
Breach Notification
In the event of a personal data breach, Revvlab will notify affected customers within 72 hours of becoming aware of the breach, as required by applicable data protection law.
For brands using Revvlab
Your obligations as a Data Fiduciary
Data protection law places obligations on you as the brand using automated messaging tools. Here is what you must do when running Revvlab-powered flows for your customers.
We collect only what we need to operate the service.
We never sell your data or your customers' data.
We give you tools to export or delete data at any time.
We notify you within 72 hours of any security incident.
Have questions about compliance for your specific use case, or want to receive our Data Processing Agreement (DPA) for countersigning?
dpdp@revvlab.ai