DRAFT — pending legal and DPDP review. Not yet in force. This document is a starting point prepared for review by a qualified lawyer and a DPDP specialist. Bracketed fields and flagged sections must be completed and verified before publication.
Privacy

Privacy Policy

Zaksha exists to give you control over what reaches your devices — so we hold ourselves to the same standard with your information. This policy explains what we collect, why, how long we keep it, and your rights under India's Digital Personal Data Protection Act, 2023 (the "DPDP Act").

Effective 15 June 2026 Governed by Indian law · DPDP Act, 2023 zaksha.com

01 Who we are

Zaksha is a managed, DNS-based content-filtering service for families, businesses and schools in India. It is operated by Zaksha ("Zaksha", "we", "us" or "our").

This Privacy Policy applies to the Zaksha website at zaksha.com, the Zaksha dashboard and the filtering service (together, the "Service"). For the personal data we handle to provide the Service, Zaksha acts as a Data Fiduciary under the DPDP Act. Where an organisation (such as a business or school) sets up Zaksha for devices it owns and manages, that organisation determines the purposes of processing for its users and is responsible for obtaining the necessary consents; Zaksha processes that data on the terms of this policy and the customer's agreement.

By creating an account or using the Service, you agree to the practices described here.

Draft note: the Data Fiduciary / processor characterisation, and the allocation of responsibility between Zaksha and organisational customers, must be confirmed by counsel against the final DPDP Rules.

02 What we collect

We collect only what we need to run the Service, bill you correctly and show you a useful dashboard. We do not sell your personal data, and we do not build advertising profiles.

Account information
Your name and email address, captured when you sign in (including, where offered, via Google sign-in), plus authentication identifiers needed to keep you signed in securely.
Billing information
Plan, billing status, GST details where applicable, and transaction references. Payments are handled by our payment processor; we do not store full card or UPI credentials.
Device & profile data
The devices you add (a label you choose, the platform such as iOS or Android, and a per-device DNS identifier), and the filtering rules, categories and schedules you configure.
DNS query data
For each protected device, a record of DNS queries it makes — the domain requested, whether it was allowed or blocked, and a timestamp. This is what powers your dashboard history and reports.
Technical & usage data
Standard log data such as IP address, browser type and timestamps, used to keep the Service secure, reliable and free of abuse.

DNS query data is generated by the devices enrolled on your account, not by browsing you do elsewhere, and is tied to the device identifiers set up in Zaksha. Dashboard statistics are computed in periodic batches (roughly every 30 minutes), not in real time.

03 How we use it

  • To create and secure your account and authenticate you when you sign in.
  • To deliver the core Service — applying your filtering rules and schedules to your enrolled devices.
  • To show your dashboard, including activity history and, for business and school accounts, per-device and per-employee reports.
  • To process payments, manage subscriptions and send essential account or billing notices.
  • To maintain security, prevent abuse, debug issues and improve the reliability of the Service.
  • To comply with legal obligations and enforce our terms.

We process personal data on the lawful bases available under the DPDP Act — principally your consent, and the legitimate uses the Act permits (such as performing the Service you have requested and meeting legal obligations).

04 Who can see device activity

We want to be plain about this, because it matters: the account owner can see per-device browsing detail for the devices on their account — the domains requested and whether each was allowed or blocked. For business accounts, the account owner can also see per-employee activity reports for company-owned devices.

This is authorised visibility granted to the account owner over devices they manage — for example, a parent over a child's device, or a business over a company-owned device. It is not anonymised or masked data, and we do not describe it as such. Account owners are responsible for using this visibility lawfully and for informing the people who use those devices, as required.

05 Data retention

We keep information only as long as it serves the purpose it was collected for. For DNS query data, the window you can view is the window we retain:

  • Home (shared cloud): raw DNS query history is kept for a rolling 7 days and is then automatically and genuinely deleted.
  • Enterprise (dedicated instance): DNS query history is kept for 30 or 90 days, as configured, held on the customer's dedicated VPS.
  • Changing the window extends retention from the date of change and fills in over the following days. It does not recover history that has already been deleted.
  • Account, device and billing data is retained while your account is active and for a limited period afterward to meet legal, tax and accounting obligations.

When you close your account, we delete or irreversibly anonymise your personal data except where we are required to retain it by law.

06 Where your data is processed

Your data is processed either on Zaksha's managed cloud (for Home and Team plans) or on a dedicated VPS provisioned for the customer (for Enterprise). In both cases, DNS activity data is processed and stored entirely within India — in our production environment in the AWS Mumbai region — and is not transferred outside it. On the shared cloud, per-device isolation is logical — each device has its own DNS address and client identifier. On a dedicated instance, isolation is physical — the customer's data lives on a separate server. We do not claim that we never store data; we store what is described in this policy, for the periods stated, on the infrastructure described here.

07 Sharing & third-party processors

We do not sell your personal data. We share it only in these limited circumstances, and our processors are bound by contract to use it only to provide their service to us:

  • Payments — a payment processor handles billing and GST invoicing; it receives the data needed to take payment.
  • Hosting & infrastructure — cloud and VPS providers that host the Service and store data as described above.
  • Communications — an email provider for essential account and service messages.
  • Legal & safety — where required by valid legal process, or to protect the rights, safety and security of users, the public or Zaksha.
  • Business transfers — in a merger, acquisition or sale of assets, with notice and continued protection of your data.
Draft note: name each actual processor (payment gateway, hosting/VPS provider, email provider) and confirm cross-border transfer arrangements against the DPDP Act and any restrictions notified under it.

08 Cookies & analytics

The marketing website uses a small number of cookies and similar technologies that are necessary for the site to work and, where enabled, basic analytics to understand aggregate traffic and improve the site. The dashboard uses cookies and local storage needed to keep you signed in and remember your preferences. We do not use advertising or cross-site tracking cookies.

Draft note: confirm the exact cookies and analytics provider in use, add a cookie table if required, and align consent mechanics with DPDP and applicable e-commerce rules.

09 Children's data

Family and school use of Zaksha necessarily involves processing the browsing activity of minors on the devices being protected. Under the DPDP Act, processing children's personal data carries heightened obligations, including obtaining verifiable consent of a parent or lawful guardian and a prohibition on tracking, behavioural monitoring or targeted advertising directed at children.

  • Family accounts. The account is created and operated by a parent or guardian, who provides consent for the processing of their child's device activity for the purpose of filtering and the safety controls they configure.
  • School accounts. The school is responsible, as the entity in the relationship with parents and guardians, for obtaining the consent required to process students' data, and for the lawful basis on which it manages student devices. Zaksha processes that data on the school's behalf under its agreement.
  • We do not use children's data for advertising, profiling or any tracking beyond delivering the filtering and reporting features the account owner has configured.
Draft note — needs DPDP-specialist review. This section in particular must be reviewed by a specialist in India's DPDP Act, including the requirements for verifiable parental consent, the school's role and consent mechanism, age-verification expectations, and the limits on monitoring and profiling of children.

10 Your rights under the DPDP Act

Subject to the DPDP Act and its conditions, you have the right to:

  • Access — obtain a summary of the personal data we process about you and how we process it.
  • Correction & updating — have inaccurate or incomplete data corrected or completed.
  • Erasure — have your personal data erased where it is no longer needed for the purpose it was collected, subject to legal retention.
  • Withdraw consent — withdraw consent at any time, as easily as it was given (this may limit or end the Service).
  • Grievance redressal — raise a grievance with us and, if unresolved, with the Data Protection Board of India.
  • Nominate — nominate another person to exercise your rights in the event of death or incapacity.

You can manage much of your account and device data directly from the dashboard. To make a rights request, contact us at support@zaksha.com. We will respond within the timelines required by applicable law.

11 Security & breach notification

We protect your information with encryption in transit, access controls that limit who can reach data, per-device isolation so accounts and histories don't mix, and routine monitoring for abuse. Enterprise customers run on a dedicated, isolated instance for physical data separation. No method of transmission or storage is completely secure, but we work to protect your data and to respond quickly if something goes wrong. In the event of a personal data breach, we intend to notify the Data Protection Board of India and affected users as required by the DPDP Act and its Rules.

12 Grievance redressal

If you have a concern about how we handle your personal data, you can contact our Grievance Officer, who is responsible for addressing complaints under the DPDP Act:

Grievance Officer
support@zaksha.com zaksha.com

If your grievance is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India in accordance with the DPDP Act.

13 Changes to this policy

We may update this policy as the Service evolves or as the law changes. When we make material changes, we will revise the effective date above and, where appropriate, notify you by email or in the dashboard. Your continued use of the Service after an update means you accept the revised policy.

14 Contact us

For any question about this policy or how we handle your data, get in touch:

Zaksha
support@zaksha.com zaksha.com