1. Our role under the DPDP Act, 2023
Under the Digital Personal Data Protection Act, 2023 ("DPDP Act"), telecaller.ai acts primarily as a Data Processor on behalf of our clients (who are Data Fiduciaries for the leads and customers they call using our platform).
For personal data we collect directly from our clients and website visitors (account, billing, support interactions), we act as a Data Fiduciary and are accountable under the DPDP Act accordingly.
2. Lawful basis for processing
We process personal data only on the following bases:
- Consent captured by our client from the data principal (for calls made to leads).
- Performance of our contract with our client.
- Compliance with legal obligations under Indian law (TRAI, DLT, taxation).
- Legitimate business interests that do not override the data principal's rights (e.g. fraud prevention, service security).
3. Data minimization
We collect and process the minimum data necessary to deliver the service. Call recordings are limited to the business interaction, and personal data fields captured are scoped to what the client configures for qualification.
4. Cross-border transfers
Our primary storage is in India. Where a subprocessor outside India is required to deliver part of the service (for example, a voice-model provider), transfers are made only to jurisdictions not restricted by the Central Government and under contractual safeguards equivalent to DPDP standards.
5. Data principal rights
We operationally support data principal requests to access, correct, update, and erase personal data, to withdraw consent, and to nominate a representative. As a Data Processor, we execute such requests through our client (the Data Fiduciary) within 7 working days of receiving the instruction.
Direct requests from data principals relating to data we hold as a Data Fiduciary can be sent to abhinav@telecaller.ai.
6. Security safeguards
We maintain the following safeguards, aligned with DPDP standards and ISO 27001 principles:
- Encryption in transit (TLS 1.2+) and at rest (AES-256) for call recordings, transcripts, and lead data.
- Role-based access with least privilege; MFA enforced for all administrative access.
- Comprehensive audit logging of data access and administrative actions.
- Regular vulnerability scanning and annual third-party penetration testing.
- Documented incident-response runbooks and breach-notification procedures.
- Vendor due diligence and DPAs with every subprocessor that handles personal data.
7. Breach notification
In the event of a personal data breach, we will notify affected clients without undue delay and, where required, the Data Protection Board of India and affected data principals in accordance with the DPDP Act and associated rules.
8. Retention and deletion
Retention periods are set per the client's service plan (typically 30 / 90 / 365 days for recordings). Deletion is irreversible at the end of the retention window. Clients may request shorter retention in their service order.
9. Consent and TRAI compliance
We only dial numbers for which the client has a valid consent basis (typically an inquiry in the last 48 hours). We scrub against the DND registry before every outbound call and route all campaigns through DLT-registered templates.
Our AI agents disclose their AI nature in the opening line of every call, in the caller's language.
10. Data Processing Agreement
Every client signs our Data Processing Agreement (DPA) at onboarding. The DPA formalizes the roles, instructions, subprocessors, security measures, breach-notification timelines, and audit rights.
Request a copy of the DPA template by emailing abhinav@telecaller.ai.
11. Grievance redressal
Grievance Officer: Abhinav, Founder.
Email: abhinav@telecaller.ai · Phone: +91 90001 30400 · Hyderabad, India.
Grievances are acknowledged within 2 working days and resolved within 30 days in line with DPDP requirements.
