1. About the DPDP Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law, enacted in August 2023 and administered by the Ministry of Electronics and Information Technology (MeitY). The DPDP Rules, 2025, notified on 13 November 2025, provide the detailed operational framework for implementing the Act.
The DPDP Act establishes a rights-based model: Data Principals (individuals whose data is processed) are granted clear, enforceable rights over their digital personal data, while Data Fiduciaries (organisations that determine the purpose and means of processing) carry layered, non-delegable obligations. A specialised regulator — the Data Protection Board of India (DPBI) — enforces the Act and adjudicates complaints.
The Act applies to any processing of digital personal data within India and, extraterritorially, to processing outside India that relates to offering goods or services to individuals within India. As an Indian company serving Indian residents and property operators, Neurosync AI Technologies is fully within the scope of the DPDP Act.
2. DPDP Act Implementation Timeline
The DPDP Act follows a phased implementation schedule:
- August 2023: DPDP Act receives Presidential assent and is enacted into law
- 13 November 2025: DPDP Rules 2025 notified; Data Protection Board of India (DPBI) becomes operational; administrative provisions take effect
- 13 November 2026: Registration for Consent Managers opens under the DPDP framework
- 13 May 2027: All substantive compliance obligations take full effect, including consent requirements, privacy notices, security obligations, breach reporting, and Data Principal rights mechanisms
Orayo.ai is committed to achieving full compliance ahead of the 13 May 2027 statutory deadline and is actively implementing the required mechanisms as described in this document.
3. Orayo.ai's Role Under the DPDP Act
3.1 Data Fiduciary
Neurosync AI Technologies, operating the Orayo.ai platform, is a Data Fiduciary under the DPDP Act. As the entity that determines the purpose and means of processing personal data collected through the platform, we bear absolute, non-delegable compliance obligations under Section 8 of the Act. These obligations apply irrespective of any contractual arrangement and cannot be transferred to Data Principals or third parties.
3.2 Data Processor Relationships
Where we engage third-party technology providers (cloud infrastructure, payment processors, push notification services, customer support tools) to process personal data on our behalf, those providers act as Data Processors. All such engagements are governed by valid data processing contracts that define the scope of processing, security obligations, breach notification requirements, and obligations for data deletion upon contract termination, in accordance with Section 8(1) of the DPDP Act.
3.3 Property Administrators as Joint Fiduciaries
Housing society management committees, hotel operators, and other property administrators who access resident or guest data through the Orayo.ai platform for their own operational purposes may themselves constitute Data Fiduciaries with respect to that data. Such administrators are responsible for their own DPDP compliance in their use of data accessed through the platform. Orayo.ai provides role-based access controls and audit logs to support their compliance obligations.
4. Categories of Personal Data Processed
Orayo.ai processes the following categories of digital personal data in the course of providing platform services:
4.1 Identity and Contact Data
- Full name, residential unit or room number, email address, and mobile number
- Government-issued identification (provided for resident onboarding, visitor verification, or domestic help enrollment)
- Profile photographs used for identity verification and community features
4.2 Operational and Service Data
- Complaint and service request records: voice to text inputs submitted via the Orayo.ai Assistant
- Visitor and gate access logs: visitor names, contact details, entry and exit timestamps, and passcode authentication records
- Amenity booking and parking utilization records
- Maintenance billing and payment status records
- Push notification delivery and interaction data
- Emergency alert activation logs
4.3 Device and Usage Data
- IP address, device type, operating system, and browser information
- Session data: login timestamps, features accessed, and session duration
- User activity logs maintained for audit, accountability, and security purposes
4.4 AI-Processed Data
Voice and text inputs processed by the Orayo.ai Assistant are subject to AI-based natural language processing for request classification, routing, and policy Q&A. AI-derived classifications and outputs are stored alongside original inputs. Voice recordings are retained for 90 days unless extended for dispute resolution.
5. Lawful Basis for Processing
Under the DPDP Act, personal data may be processed only with the consent of the Data Principal or for specified "legitimate uses". Orayo.ai's processing is based on the following:
5.1 Consent
We obtain free, specific, informed, unconditional, and unambiguous consent from Data Principals at the time of registration and, where required, for specific processing activities. Consent is requested in plain, clear language and may be withdrawn at any time with equal ease.
5.2 Legitimate Uses (Without Consent)
The DPDP Act permits processing without consent for the following legitimate uses, which apply to certain Orayo.ai operations:
- Processing to comply with legal obligations, court orders, or directions of government authorities
- Processing for employment-related purposes (applicable to staff accounts on the platform)
- Processing to respond to medical emergencies, disasters, or public health situations (applicable to Emergency Alert features)
- Processing data voluntarily shared by the Data Principal for a specified purpose, where the Data Principal has not objected
5.3 Purpose Limitation
Personal data is collected for specific, clearly defined purposes as described in our Privacy Policy. Data is not processed for any purpose incompatible with the purpose for which it was originally collected without obtaining fresh consent.
6. Rights of Data Principals
Under the DPDP Act, every individual whose personal data is processed (Data Principal) is entitled to the following rights. Orayo.ai provides mechanisms to exercise each right:
6.1 Right to Access Information (Section 11)
You have the right to obtain from Orayo.ai a summary of the personal data we hold about you, the purposes for which it is being processed, and the identities of any Data Processors or other Data Fiduciaries with whom your data has been shared. Requests may be submitted to contact@orayoai.com and will be fulfilled within 30 days.
6.2 Right to Correction and Erasure (Section 12)
You have the right to request correction of inaccurate or incomplete personal data held by Orayo.ai, and to request erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to Orayo.ai's legal retention obligations. Correction and erasure requests will be processed within 30 days of receipt and verification.
6.3 Right to Grievance Redressal (Section 13)
You have the right to have any grievance regarding the processing of your personal data addressed by Orayo.ai's Grievance Officer. If your grievance is not resolved to your satisfaction, you may file a complaint with the Data Protection Board of India (DPBI).
6.4 Right to Nominate (Section 14)
You have the right to nominate another individual to exercise your data rights in the event of your death or incapacity. Nomination requests should be submitted in writing to contact@orayoai.com.
6.5 Right to Withdraw Consent
You may withdraw your consent for processing at any time. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal. Where consent withdrawal affects Orayo.ai's ability to provide services, we will notify you of any consequential impact on service availability.
7. Duties of Data Principals
The DPDP Act also places duties on Data Principals. As a user of the Orayo.ai platform, you are obligated to:
- Not register false or frivolous complaints or grievances with Orayo.ai or the Data Protection Board
- Not impersonate another person or furnish false particulars while exercising your rights under the Act
- Not suppress material information when requesting rectification or erasure of personal data
- Comply with applicable laws when exercising your rights
Violation of these duties is punishable under the DPDP Act with a penalty of up to ₹10,000 imposed by the Data Protection Board of India.
8. Consent Management on Orayo.ai
8.1 Consent at Registration
At the time of account registration, Orayo.ai presents users with a clear, plain-language notice describing: the categories of personal data collected; the specific purposes for which data will be processed; the identities of any third-party Data Processors; the user's rights under the DPDP Act; and the process for withdrawing consent. Consent is recorded and timestamped.
8.2 Consent Standards
All consent obtained by Orayo.ai meets the DPDP Act's standard of being: free (not bundled with services as a non-negotiable condition where alternatives exist); specific (linked to clearly described purposes); informed (provided after a comprehensible notice); unconditional (not contingent on providing more data than necessary); and unambiguous (confirmed by a clear affirmative action).
8.3 Withdrawal Mechanism
Users may withdraw consent at any time through in-app account settings or by contacting contact@orayoai.com. The withdrawal mechanism is as simple as the mechanism by which consent was originally given. Upon withdrawal, Orayo.ai will cease processing for the relevant purpose(s) and will notify the user of any impact on service availability.
8.4 Children's Data (Section 9)
Orayo.ai does not knowingly process personal data of individuals under 18 years of age without verifiable parental or guardian consent, in accordance with Section 9 of the DPDP Act. Minor dependents registered as part of a family account are subject to restricted access controls and require guardian consent. Orayo.ai does not track, behaviourally monitor, or target minors with advertising.
9. Our Obligations as Data Fiduciary
9.1 Data Accuracy (Section 8(3))
Orayo.ai makes reasonable efforts to ensure that personal data processed through the platform is accurate, complete, and up to date. Users are encouraged to review and update their profile information regularly. Correction requests are processed within 30 days.
9.2 Data Minimisation
We collect only the personal data that is necessary for the purposes described in our Privacy Policy and this document. We do not collect data in excess of what is required to deliver platform services.
9.3 Storage Limitation and Erasure (Section 8(7))
Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected or to comply with legal obligations. Upon expiry of the retention period or withdrawal of consent (where consent is the lawful basis), personal data is securely erased. Specific retention periods are detailed in our Privacy Policy.
9.4 Security Safeguards (Section 8(5))
Orayo.ai implements and maintains reasonable security safeguards appropriate to the nature of personal data processed and associated risks. Our enterprise-grade security infrastructure includes:
- Data Encryption: TLS/SSL for data in transit; AES-256 for data at rest
- Two-Factor Authentication (2FA): Enforced for administrator and staff accounts
- Role-Based Access Controls (RBAC): Users access only data relevant to their role
- Regular Security Audits: Independent audits and penetration tests on a scheduled basis
- Secure SDLC: Security embedded throughout the software development lifecycle
- Backup & Disaster Recovery: Automated backups with geographically redundant failover
- Firewall & Intrusion Detection System (IDS): Network-level protection with real-time monitoring
- User Activity Logging: Comprehensive audit logs of all platform actions
- Secure API Authentication: Token-based authentication for all API access
9.5 Breach Notification (Section 8(6))
In the event of a personal data breach, Orayo.ai will notify the Data Protection Board of India in the prescribed form and manner, and will inform affected Data Principals in a timely manner as required by the DPDP Act and DPDP Rules 2025. Internal breach response protocols are maintained and regularly tested. Users who become aware of a potential breach are requested to notify contact@orayoai.com immediately.
9.6 Privacy Notice
Before or at the time of collecting personal data, Orayo.ai provides each Data Principal with a clear and accessible privacy notice describing: the personal data to be collected; the purposes of processing; and the Data Principal's rights and how to exercise them. The Privacy Policy serves as the primary privacy notice, supplemented by in-app notices at specific collection points.
10. Cross-Border Data Transfers
Where personal data is transferred or processed outside India, Orayo.ai ensures that such transfers comply with the conditions prescribed under Section 16 of the DPDP Act and any restrictions notified by the Central Government. Neurosync AI Technologies only transfers personal data to jurisdictions or entities that offer adequate levels of data protection, and all cross-border processing arrangements are governed by appropriate contractual safeguards.
As the Central Government's list of permitted cross-border transfer jurisdictions is published and updated, Orayo.ai will review and update its data transfer practices accordingly.
11. Significant Data Fiduciary (SDF) Considerations
The DPDP Act empowers the Central Government to designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data processed, potential national security implications, and the risk of harm to Data Principals. SDFs are subject to additional obligations including appointment of a Data Protection Officer, independent data audits, and Data Protection Impact Assessments (DPIAs).
As of the date of this document, Neurosync AI Technologies has not been designated as a Significant Data Fiduciary. Should such a designation be made, Orayo.ai will comply with all applicable additional obligations without delay and will update this document accordingly.
12. Data Protection Board of India (DPBI)
The Data Protection Board of India (DPBI) is the independent regulatory body established under the DPDP Act to enforce the Act, adjudicate complaints from Data Principals, and investigate data breaches. The DPBI became operational on 13 November 2025 following the notification of the DPDP Rules 2025.
The DPBI has the authority to:
- Investigate complaints filed by Data Principals against Data Fiduciaries
- Levy financial penalties for non-compliance
- Issue compliance directions to Data Fiduciaries
- Maintain a public registry of enforcement actions
- Operate as a digital office enabling virtual hearings and filings
Data Principals who are unsatisfied with Orayo.ai's response to a grievance may file a complaint with the DPBI through its digital portal. More information is available at www.meity.gov.in.
13. Grievance Redressal Mechanism
Orayo.ai has designated a Grievance Officer to receive and address complaints and grievances from Data Principals regarding the processing of their personal data. Grievances will be acknowledged within 48 hours and resolved within 30 days of receipt.
Grievance Resolution Process:
- Step 1 — Submit: Send your grievance to the Grievance Officer at contact@orayoai.com with your name, account details, and a description of the concern
- Step 2 — Acknowledgement: You will receive an acknowledgement within 48 hours confirming receipt
- Step 3 — Investigation: The Grievance Officer will investigate the matter and may request additional information if required
- Step 4 — Resolution: A response detailing the outcome and any remedial action will be provided within 30 days
- Step 5 — Escalation: If you are unsatisfied with the resolution, you may file a complaint with the Data Protection Board of India
15. Contact: Grievance Officer and Data Protection
For all matters relating to personal data, DPDP rights, or this document:
- Grievance Officer / Privacy Officer: contact@orayoai.com
- Legal & Compliance: contact@orayoai.com
- Security Incidents: contact@orayoai.com
- DPDP Information: orayoai.com/dpdp
- General Support: contact@orayoai.com
- Company: Neurosync AI Technologies, India
- Regulatory Authority: Data Protection Board of India — www.meity.gov.in
16. Updates to This Document
Orayo.ai will update this DPDP Compliance Statement as required by changes in applicable law, DPDP Rules, regulatory guidance from the DPBI, or our own data processing practices. Material changes will be communicated to users via in-app notification or email. We recommend reviewing this document periodically.