India Privacy Addendum
Last updated: March 7, 2026
This India Privacy Addendum ('Addendum') supplements YBuffet's Privacy Policy and applies specifically to users located in India. It sets out YBuffet's obligations and your rights under India's Digital Personal Data Protection Act 2023 ('DPDPA'), which received Presidential assent on August 11, 2023 and is being brought into force in phases by the Central Government.
In the event of any conflict between this Addendum and the main Privacy Policy with respect to Indian users, this Addendum controls.
Note: The DPDPA's implementing rules ('DPDP Rules') are still being finalized by the Ministry of Electronics and Information Technology (MeitY) as of the date of this Addendum. YBuffet will update this document promptly as rules are notified. The framework and obligations described herein reflect the enacted statute.
1. Applicability
The DPDPA applies to the processing of digital personal data of Data Principals (individuals) located in India, including:
Processing of personal data within India
Processing of personal data outside India if it relates to the offering of goods or services to individuals in India
YBuffet's Platform processes personal data of Indian users in connection with providing its startup marketplace, community forum, service matching, and related services. Accordingly, YBuffet acts as a 'Data Fiduciary' under the DPDPA in relation to Indian users' personal data.
2. Key Definitions (DPDPA)
The following terms have the meanings assigned under the DPDPA:
'Data Fiduciary' means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. YBuffet acts as a Data Fiduciary for the personal data of Indian users.
'Data Principal' means the individual to whom the personal data relates. If you are an Indian user of the Platform, you are a Data Principal.
'Data Processor' means any person who processes personal data on behalf of a Data Fiduciary. Third-party service providers engaged by YBuffet may act as Data Processors.
'Personal Data' means any data about an individual who is identifiable by or in relation to such data.
'Processing' means an operation or set of operations performed on digital personal data, including collection, recording, storage, use, sharing, erasure, or destruction.
'Consent Manager' means a person registered with the Data Protection Board of India who acts as a single point of contact for Data Principals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
'Significant Data Fiduciary' means a Data Fiduciary notified by the Central Government based on volume and sensitivity of data processed, risk to the rights of Data Principals, and other factors specified under Section 10 of the DPDPA.
3. Consent and Lawful Bases for Processing
Under the DPDPA, YBuffet processes your personal data on the following lawful bases:
3.1 Consent (Section 6)
Where YBuffet relies on consent, it must be:
Free, specific, informed, and unambiguous
Given through a clear affirmative action
Limited to the specific purpose for which it is sought
Accompanied by an itemized notice in clear and plain language (in English and in languages specified in the Eighth Schedule to the Constitution, as may be notified)
You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. YBuffet will not deny services solely on the basis of withdrawal of consent for processing that is not necessary for the service.
3.2 Legitimate Uses (Section 7)
The DPDPA permits processing without consent for certain 'legitimate uses', including:
Performance of a contract to which you are a party
Compliance with a legal obligation under Indian law
Medical emergencies threatening life
Employment-related purposes under Indian law
Purposes related to sovereign functions of the State
YBuffet relies on legitimate use for account management, transaction processing, fraud prevention, and legal compliance with Indian law.
4. Notice Requirements (Section 5)
Before or at the time of collecting your personal data, or as soon as reasonably practicable where data is collected from a source other than you, YBuffet will provide notice containing:
The personal data being collected and the purpose of processing
The manner in which you may exercise your rights under the DPDPA
The manner in which you may make a complaint to the Data Protection Board of India
This Privacy Policy and Addendum constitute YBuffet's notice to Indian users. Where specific consent is sought (e.g., for marketing emails or AI features), a specific notice will be presented at the point of consent.
Language: YBuffet will provide this notice in English. As and when MeitY notifies additional languages under the DPDPA, YBuffet will make notices available in those languages as required.
5. Your Rights as a Data Principal (Sections 11-13)
Under the DPDPA, Indian users have the following rights:
Right to Access Information (Section 11): You may request confirmation of whether YBuffet is processing your personal data, a summary of the personal data being processed and the processing activities, the identities of all Data Fiduciaries and Data Processors with whom your personal data has been shared, and any other information as may be prescribed by the Central Government.
Right to Correction and Erasure (Section 12): You may request that YBuffet correct inaccurate or misleading personal data, complete incomplete personal data, and erase personal data that is no longer necessary for the purpose for which it was collected, unless retention is required by applicable law.
Right to Grievance Redressal (Section 13): You have the right to register a grievance with YBuffet regarding any action or inaction related to your personal data. YBuffet will acknowledge and respond to grievances within the time period prescribed by the Central Government. If you are not satisfied with YBuffet's response, you may file a complaint with the Data Protection Board of India.
Right to Nominate (Section 14): You may nominate another individual to exercise your rights under the DPDPA in the event of your death or incapacity. YBuffet will honor such nominations upon receiving valid documentation.
Note: The DPDPA does not provide a general right to data portability or right to object in the same form as GDPR. YBuffet will facilitate these on a best-efforts basis for Indian users.
6. Obligations of YBuffet as Data Fiduciary (Section 8)
Under the DPDPA, YBuffet as Data Fiduciary is obligated to:
Ensure personal data is complete, accurate, and consistent with the purpose of processing
Implement appropriate technical and organizational measures to prevent personal data breaches
Implement reasonable security safeguards to prevent personal data breaches
Give Data Principals the means to withdraw consent easily, as easily as consent was given
Cease processing personal data (and direct processors to do the same) upon withdrawal of consent or upon the purpose for processing being served, subject to retention requirements under applicable law
Establish a grievance redressal mechanism (see Section 8 below)
Not retain personal data beyond the period necessary for the stated purpose
Not process personal data in a manner harmful to the rights of children (see Section 9 below)
7. Data Retention and Erasure
YBuffet retains Indian users' personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Upon the purpose being served, YBuffet will delete the personal data unless retention is required by applicable Indian law.
Retention periods for specific categories of data are set out in the main Privacy Policy (Section 6). Where Indian law prescribes different or additional retention requirements, those will apply.
You may request erasure of your personal data at any time where it is no longer necessary for the stated purpose. Requests will be processed in accordance with the DPDPA rules as notified by MeitY.
8. Grievance Officer
YBuffet has designated the following point of contact for DPDPA-related grievances from Indian users:
Grievance Contact: grow@ybuffet.com
YBuffet will acknowledge grievances within 48 hours and address them within the timeframe prescribed by DPDPA rules. If you are not satisfied with YBuffet's response, you may escalate to the Data Protection Board of India (see Section 11).
9. Children's Personal Data (Section 9)
The DPDPA prohibits processing personal data of children (individuals under 18 years of age) without verifiable parental consent. YBuffet's Platform is not directed at children, and we do not knowingly collect personal data from individuals under 18.
YBuffet also prohibits tracking, behavioral monitoring, or targeted advertising directed at children. If a user is identified as being under 18, their account will be suspended and their personal data deleted.
YBuffet will implement age verification mechanisms as required by DPDPA rules when notified by MeitY.
10. Personal Data Breaches (Section 8(6))
In the event of a personal data breach, YBuffet will:
Notify the Data Protection Board of India in the form and manner prescribed by DPDPA rules
Notify each affected Data Principal in the form and manner prescribed by DPDPA rules
Take immediate steps to mitigate the breach and prevent further harm
The DPDPA requires notification 'in such form and manner as may be prescribed.' YBuffet will comply with the prescribed form and timeline as soon as rules are notified. In the interim, YBuffet will notify affected Indian users without undue delay and no later than 72 hours of becoming aware of a breach.
11. Significant Data Fiduciary Obligations
If YBuffet is designated as a 'Significant Data Fiduciary' by the Central Government under Section 10 of the DPDPA (based on volume of personal data processed, sensitivity, national security risk, or other prescribed criteria), additional obligations will apply, including:
Appointment of a Data Protection Officer based in India, reporting to the Board of Directors
Appointment of an independent data auditor
Conduct of periodic Data Protection Impact Assessments (DPIAs)
Additional restrictions on cross-border data transfers
YBuffet does not currently meet the thresholds likely to trigger Significant Data Fiduciary designation but will comply immediately upon any such designation by the Central Government.
12. Cross-Border Data Transfers
The DPDPA empowers the Central Government to restrict transfers of personal data to notified countries or territories. YBuffet's primary infrastructure is in the United States (via Vercel). YBuffet will comply with any restrictions on cross-border data transfers as notified by the Central Government under Section 16 of the DPDPA.
In the event that cross-border transfer restrictions are imposed, YBuffet will assess whether to implement India-specific data localization or to cease offering services to Indian users in affected categories, and will notify affected users accordingly with at least 30 days advance notice.
13. Data Protection Board of India
The DPDPA establishes the Data Protection Board of India ('Board') as the adjudicatory body for complaints and enforcement. If you have a complaint about YBuffet's handling of your personal data that has not been resolved to your satisfaction through YBuffet's grievance mechanism, you may file a complaint with the Board.
Board website: www.meity.gov.in (Board contact details will be updated once the Board is formally constituted under DPDPA rules)
Penalties under the DPDPA for non-compliance can reach up to INR 250 crore (approximately USD 30 million) per breach, with a maximum aggregate penalty of INR 500 crore.
14. Updates to This Addendum
This Addendum will be updated as DPDPA rules are notified by MeitY and as the Data Protection Board of India issues guidance. Material updates will be communicated to Indian users with at least 30 days advance notice. The current version is always available at ybuffet.com/legal/india-privacy-addendum.