Legal · DPDP Act 2023

DPDP Compliance Statement

Orayo.ai's commitments and your rights under India's Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.

Effective May 20, 2026·Version 1.0 Download PDF
This document is the third in a suite of Orayo.ai legal documents, read in conjunction with the Privacy Policy and Terms of Service.

1. About the DPDP Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law, enacted in August 2023 and administered by the Ministry of Electronics and Information Technology (MeitY). The DPDP Rules, 2025, notified on 13 November 2025, provide the detailed operational framework for implementing the Act.

The DPDP Act establishes a rights-based model: Data Principals (individuals whose data is processed) are granted clear, enforceable rights over their digital personal data, while Data Fiduciaries (organisations that determine the purpose and means of processing) carry layered, non-delegable obligations. A specialised regulator — the Data Protection Board of India (DPBI) — enforces the Act and adjudicates complaints.

The Act applies to any processing of digital personal data within India and, extraterritorially, to processing outside India that relates to offering goods or services to individuals within India. As an Indian company serving Indian residents and property operators, Neurosync AI Technologies is fully within the scope of the DPDP Act.

2. DPDP Act Implementation Timeline

The DPDP Act follows a phased implementation schedule:

  • August 2023: DPDP Act receives Presidential assent and is enacted into law
  • 13 November 2025: DPDP Rules 2025 notified; Data Protection Board of India (DPBI) becomes operational; administrative provisions take effect
  • 13 November 2026: Registration for Consent Managers opens under the DPDP framework
  • 13 May 2027: All substantive compliance obligations take full effect, including consent requirements, privacy notices, security obligations, breach reporting, and Data Principal rights mechanisms

Orayo.ai is committed to achieving full compliance ahead of the 13 May 2027 statutory deadline and is actively implementing the required mechanisms as described in this document.

3. Orayo.ai's Role Under the DPDP Act

3.1 Data Fiduciary

Neurosync AI Technologies, operating the Orayo.ai platform, is a Data Fiduciary under the DPDP Act. As the entity that determines the purpose and means of processing personal data collected through the platform, we bear absolute, non-delegable compliance obligations under Section 8 of the Act. These obligations apply irrespective of any contractual arrangement and cannot be transferred to Data Principals or third parties.

3.2 Data Processor Relationships

Where we engage third-party technology providers (cloud infrastructure, payment processors, push notification services, customer support tools) to process personal data on our behalf, those providers act as Data Processors. All such engagements are governed by valid data processing contracts that define the scope of processing, security obligations, breach notification requirements, and obligations for data deletion upon contract termination, in accordance with Section 8(1) of the DPDP Act.

3.3 Property Administrators as Joint Fiduciaries

Housing society management committees, hotel operators, and other property administrators who access resident or guest data through the Orayo.ai platform for their own operational purposes may themselves constitute Data Fiduciaries with respect to that data. Such administrators are responsible for their own DPDP compliance in their use of data accessed through the platform. Orayo.ai provides role-based access controls and audit logs to support their compliance obligations.

4. Categories of Personal Data Processed

Orayo.ai processes the following categories of digital personal data in the course of providing platform services:

4.1 Identity and Contact Data

  • Full name, residential unit or room number, email address, and mobile number
  • Government-issued identification (provided for resident onboarding, visitor verification, or domestic help enrollment)
  • Profile photographs used for identity verification and community features

4.2 Operational and Service Data

  • Complaint and service request records: voice to text inputs submitted via the Orayo.ai Assistant
  • Visitor and gate access logs: visitor names, contact details, entry and exit timestamps, and passcode authentication records
  • Amenity booking and parking utilization records
  • Maintenance billing and payment status records
  • Push notification delivery and interaction data
  • Emergency alert activation logs

4.3 Device and Usage Data

  • IP address, device type, operating system, and browser information
  • Session data: login timestamps, features accessed, and session duration
  • User activity logs maintained for audit, accountability, and security purposes

4.4 AI-Processed Data

Voice and text inputs processed by the Orayo.ai Assistant are subject to AI-based natural language processing for request classification, routing, and policy Q&A. AI-derived classifications and outputs are stored alongside original inputs. Voice recordings are retained for 90 days unless extended for dispute resolution.

5. Lawful Basis for Processing

Under the DPDP Act, personal data may be processed only with the consent of the Data Principal or for specified "legitimate uses". Orayo.ai's processing is based on the following:

5.1 Consent

We obtain free, specific, informed, unconditional, and unambiguous consent from Data Principals at the time of registration and, where required, for specific processing activities. Consent is requested in plain, clear language and may be withdrawn at any time with equal ease.

5.2 Legitimate Uses (Without Consent)

The DPDP Act permits processing without consent for the following legitimate uses, which apply to certain Orayo.ai operations:

  • Processing to comply with legal obligations, court orders, or directions of government authorities
  • Processing for employment-related purposes (applicable to staff accounts on the platform)
  • Processing to respond to medical emergencies, disasters, or public health situations (applicable to Emergency Alert features)
  • Processing data voluntarily shared by the Data Principal for a specified purpose, where the Data Principal has not objected

5.3 Purpose Limitation

Personal data is collected for specific, clearly defined purposes as described in our Privacy Policy. Data is not processed for any purpose incompatible with the purpose for which it was originally collected without obtaining fresh consent.

6. Rights of Data Principals

Under the DPDP Act, every individual whose personal data is processed (Data Principal) is entitled to the following rights. Orayo.ai provides mechanisms to exercise each right:

6.1 Right to Access Information (Section 11)

You have the right to obtain from Orayo.ai a summary of the personal data we hold about you, the purposes for which it is being processed, and the identities of any Data Processors or other Data Fiduciaries with whom your data has been shared. Requests may be submitted to contact@orayoai.com and will be fulfilled within 30 days.

6.2 Right to Correction and Erasure (Section 12)

You have the right to request correction of inaccurate or incomplete personal data held by Orayo.ai, and to request erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to Orayo.ai's legal retention obligations. Correction and erasure requests will be processed within 30 days of receipt and verification.

6.3 Right to Grievance Redressal (Section 13)

You have the right to have any grievance regarding the processing of your personal data addressed by Orayo.ai's Grievance Officer. If your grievance is not resolved to your satisfaction, you may file a complaint with the Data Protection Board of India (DPBI).

6.4 Right to Nominate (Section 14)

You have the right to nominate another individual to exercise your data rights in the event of your death or incapacity. Nomination requests should be submitted in writing to contact@orayoai.com.

6.5 Right to Withdraw Consent

You may withdraw your consent for processing at any time. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal. Where consent withdrawal affects Orayo.ai's ability to provide services, we will notify you of any consequential impact on service availability.

7. Duties of Data Principals

The DPDP Act also places duties on Data Principals. As a user of the Orayo.ai platform, you are obligated to:

  • Not register false or frivolous complaints or grievances with Orayo.ai or the Data Protection Board
  • Not impersonate another person or furnish false particulars while exercising your rights under the Act
  • Not suppress material information when requesting rectification or erasure of personal data
  • Comply with applicable laws when exercising your rights

Violation of these duties is punishable under the DPDP Act with a penalty of up to ₹10,000 imposed by the Data Protection Board of India.

9. Our Obligations as Data Fiduciary

9.1 Data Accuracy (Section 8(3))

Orayo.ai makes reasonable efforts to ensure that personal data processed through the platform is accurate, complete, and up to date. Users are encouraged to review and update their profile information regularly. Correction requests are processed within 30 days.

9.2 Data Minimisation

We collect only the personal data that is necessary for the purposes described in our Privacy Policy and this document. We do not collect data in excess of what is required to deliver platform services.

9.3 Storage Limitation and Erasure (Section 8(7))

Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected or to comply with legal obligations. Upon expiry of the retention period or withdrawal of consent (where consent is the lawful basis), personal data is securely erased. Specific retention periods are detailed in our Privacy Policy.

9.4 Security Safeguards (Section 8(5))

Orayo.ai implements and maintains reasonable security safeguards appropriate to the nature of personal data processed and associated risks. Our enterprise-grade security infrastructure includes:

  • Data Encryption: TLS/SSL for data in transit; AES-256 for data at rest
  • Two-Factor Authentication (2FA): Enforced for administrator and staff accounts
  • Role-Based Access Controls (RBAC): Users access only data relevant to their role
  • Regular Security Audits: Independent audits and penetration tests on a scheduled basis
  • Secure SDLC: Security embedded throughout the software development lifecycle
  • Backup & Disaster Recovery: Automated backups with geographically redundant failover
  • Firewall & Intrusion Detection System (IDS): Network-level protection with real-time monitoring
  • User Activity Logging: Comprehensive audit logs of all platform actions
  • Secure API Authentication: Token-based authentication for all API access

9.5 Breach Notification (Section 8(6))

In the event of a personal data breach, Orayo.ai will notify the Data Protection Board of India in the prescribed form and manner, and will inform affected Data Principals in a timely manner as required by the DPDP Act and DPDP Rules 2025. Internal breach response protocols are maintained and regularly tested. Users who become aware of a potential breach are requested to notify contact@orayoai.com immediately.

9.6 Privacy Notice

Before or at the time of collecting personal data, Orayo.ai provides each Data Principal with a clear and accessible privacy notice describing: the personal data to be collected; the purposes of processing; and the Data Principal's rights and how to exercise them. The Privacy Policy serves as the primary privacy notice, supplemented by in-app notices at specific collection points.

10. Cross-Border Data Transfers

Where personal data is transferred or processed outside India, Orayo.ai ensures that such transfers comply with the conditions prescribed under Section 16 of the DPDP Act and any restrictions notified by the Central Government. Neurosync AI Technologies only transfers personal data to jurisdictions or entities that offer adequate levels of data protection, and all cross-border processing arrangements are governed by appropriate contractual safeguards.

As the Central Government's list of permitted cross-border transfer jurisdictions is published and updated, Orayo.ai will review and update its data transfer practices accordingly.

11. Significant Data Fiduciary (SDF) Considerations

The DPDP Act empowers the Central Government to designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data processed, potential national security implications, and the risk of harm to Data Principals. SDFs are subject to additional obligations including appointment of a Data Protection Officer, independent data audits, and Data Protection Impact Assessments (DPIAs).

As of the date of this document, Neurosync AI Technologies has not been designated as a Significant Data Fiduciary. Should such a designation be made, Orayo.ai will comply with all applicable additional obligations without delay and will update this document accordingly.

12. Data Protection Board of India (DPBI)

The Data Protection Board of India (DPBI) is the independent regulatory body established under the DPDP Act to enforce the Act, adjudicate complaints from Data Principals, and investigate data breaches. The DPBI became operational on 13 November 2025 following the notification of the DPDP Rules 2025.

The DPBI has the authority to:

  • Investigate complaints filed by Data Principals against Data Fiduciaries
  • Levy financial penalties for non-compliance
  • Issue compliance directions to Data Fiduciaries
  • Maintain a public registry of enforcement actions
  • Operate as a digital office enabling virtual hearings and filings

Data Principals who are unsatisfied with Orayo.ai's response to a grievance may file a complaint with the DPBI through its digital portal. More information is available at www.meity.gov.in.

13. Grievance Redressal Mechanism

Orayo.ai has designated a Grievance Officer to receive and address complaints and grievances from Data Principals regarding the processing of their personal data. Grievances will be acknowledged within 48 hours and resolved within 30 days of receipt.

Grievance Resolution Process:

  • Step 1 — Submit: Send your grievance to the Grievance Officer at contact@orayoai.com with your name, account details, and a description of the concern
  • Step 2 — Acknowledgement: You will receive an acknowledgement within 48 hours confirming receipt
  • Step 3 — Investigation: The Grievance Officer will investigate the matter and may request additional information if required
  • Step 4 — Resolution: A response detailing the outcome and any remedial action will be provided within 30 days
  • Step 5 — Escalation: If you are unsatisfied with the resolution, you may file a complaint with the Data Protection Board of India

15. Contact: Grievance Officer and Data Protection

For all matters relating to personal data, DPDP rights, or this document:

16. Updates to This Document

Orayo.ai will update this DPDP Compliance Statement as required by changes in applicable law, DPDP Rules, regulatory guidance from the DPBI, or our own data processing practices. Material changes will be communicated to users via in-app notification or email. We recommend reviewing this document periodically.

Orayo.ai is committed to upholding the privacy rights of every Data Principal in accordance with the Digital Personal Data Protection Act, 2023.

Last updated: May 20, 2026

© 2026 Neurosync AI Technologies — All rights reserved.