Back to Dech
Dech
Dech legal

Privacy Policy

Effective Date: April 20, 2026 Last Updated: April 20, 2026

Your privacy matters to us. This policy explains what data we collect, how we use it, and your rights. Dech is committed to handling your data responsibly under Indian law.

1. Who We Are

Dech ("we", "us", "our") operates the platform at dech.in - a chat-first lead capture and CRM tool for small businesses in India.

Contact: support@dech.in | dech.in

2. How Dech Handles Data: Two Distinct Roles

Dech operates as two different types of data handler depending on whose data is involved. Understanding this distinction is important for compliance with India's DPDP Act 2023.

2.1 For Business Users (You)

When you register and use Dech as a business owner, Dech is the Data Fiduciary / Data Controller. We determine why and how your personal data (name, email, payment info, and similar account details) is collected and processed. This Privacy Policy governs how we handle your data.

2.2 For Your Customers (End Users)

When your customers fill forms you have created on Dech, you are the Data Fiduciary / Data Controller. You determine what data is collected and why. Dech acts only as the Data Processor - we store and process your customers' data strictly on your behalf, as instructed by your use of the Platform.

Dech does not use your customers' data for any of our own purposes, does not sell it, and does not share it with any third party except sub-processors required to operate the Platform.

2.3 Your Responsibilities as Data Controller

As the Data Fiduciary for your customers' data, you are independently responsible for:

Our Data Processing Agreement (DPA), which you accept by using Dech, governs the processor-controller relationship in detail.

  • Obtaining valid, informed consent from your customers before collecting their data.
  • Providing your customers with a privacy notice describing your data practices.
  • Honoring your customers' rights to access, correct, and delete their data.
  • Ensuring the data you collect is lawful and proportionate to your stated purpose.

3. Information We Collect

3.1 From Business Users (You)

When you create an account and use Dech, we collect:

  • Name, email address, and password (or Google OAuth token).
  • WhatsApp number or Instagram username for form delivery.
  • Payment information processed via Razorpay. We never store card details.
  • Form content, fields, and configuration you create.
  • Usage data including login history and feature interactions.
  • Support ticket content when you contact us.

3.2 From Your Customers (End Users) - On Your Behalf

When your customers fill a Dech form, we collect and store on your behalf:

This data is yours. We process it only to provide the service. We do not analyze, profile, or monetize your customers' data.

  • Any information captured in your form fields (name, phone, requirements, and similar details).
  • Submission timestamp and the channel used (WhatsApp or Instagram).
  • Lead status and notes you add to the response.

3.3 Automatically Collected Data

We may automatically collect IP address, browser or device information, session cookies, and page interaction data for security and Platform improvement purposes.

4. How We Use Your Information

We use information we collect to:

We do not sell, rent, or share your personal data or your customers' data with third parties for marketing, advertising, or profiling purposes.

  • Create and manage your account and subscription.
  • Deliver the core Dech service - forms, lead storage, CRM, and notifications.
  • Process payments and send invoices via Razorpay and email.
  • Send email notifications for new form submissions (Pro plan).
  • Respond to support requests and resolve issues.
  • Improve Platform performance and security.
  • Comply with legal obligations under Indian law.

5. Legal Basis for Processing

As a business user, you are responsible for identifying and documenting a valid legal basis for collecting your customers' data through Dech forms.

  • Contractual necessity - to provide the service you have signed up for.
  • Legitimate interests - to improve the Platform and prevent fraud.
  • Legal obligation - to comply with applicable Indian laws.
  • Consent - where required by applicable law, such as cookies.

6. Data Storage and Security

All Dech data is stored in Google Firebase Firestore, hosted on Google Cloud infrastructure with enterprise-grade security, encryption in transit and at rest, and strict access controls.

Despite these measures, no system is 100% secure. We are not liable for unauthorized access beyond our reasonable control.

  • Firebase Authentication for account access control.
  • Firestore security rules ensuring users can only access their own data.
  • HTTPS encryption for all data in transit.
  • Razorpay for payment processing - card data never touches our servers.

7. Data Retention

You may request deletion of your customers' data at any time by contacting support@dech.in or deleting records from your dashboard.

  • Business user account data - retained while your account is active.
  • Form and lead data - retained while your account is active and for 30 days after account deletion, after which it is permanently deleted.
  • Payment records and invoices - retained for 7 years as required by Indian tax law.
  • Support tickets - retained for 2 years for quality and compliance purposes.

8. Sub-Processors

To provide the Dech service, we share data with the following sub-processors. These sub-processors only process data as necessary to perform their specific function and are bound by data processing agreements.

We will notify you of any changes to our sub-processor list by updating this Privacy Policy. You can object to a new sub-processor by contacting support@dech.in and we will work with you to find a solution.

  • Google Firebase (Google LLC) - data storage, authentication, hosting for both business user data and end-customer form responses.
  • Razorpay - payment processing for business user subscription payments only.
  • Gmail / Google SMTP - email notification delivery to business users.
  • Meta / WhatsApp - message link delivery via WhatsApp Web links, and for Enterprise, automated sending via Meta Cloud API.

9. Your Rights (Business Users)

As a registered Dech user, you have the following rights:

To exercise any of these rights, contact support@dech.in. We will respond within 30 days.

  • Access - request a copy of the personal data we hold about you.
  • Correction - request correction of inaccurate or incomplete data.
  • Deletion - request deletion of your account and associated data.
  • Portability - export your data in CSV format directly from the dashboard.
  • Withdrawal of consent - withdraw consent for any processing based on consent.

10. Your Customers' Rights (End Users)

Your customers have rights over their own personal data under the DPDP Act 2023. As the Data Fiduciary, you are responsible for honoring those rights. This includes:

Dech will assist you in fulfilling these obligations by providing data access and deletion tools within the dashboard. If an end user contacts Dech directly regarding their data, we will refer them to you as the Data Fiduciary.

  • The right to access their data you have collected.
  • The right to correct inaccurate data.
  • The right to withdraw consent and request erasure.

11. Cookies

Dech uses cookies for session management, security, and basic analytics. We do not use cookies for third-party advertising. You can control cookies through your browser settings, but disabling certain cookies may affect Platform functionality.

12. Children's Privacy

Dech is not intended for individuals under 18 years of age. Business owners must not use Dech forms to collect data from minors. If you believe we have inadvertently collected data from a minor, contact support@dech.in immediately.

13. Data Transfers

Your data is stored on Google Firebase infrastructure, which may involve data centers outside India. Google LLC complies with applicable international data transfer standards. By using Dech, you consent to such transfers to the extent permitted by Indian law.

14. Compliance with Indian Law

Dech is committed to compliance with the Information Technology Act, 2000, the IT (Reasonable Security Practices) Rules 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act). As a business user collecting your customers' personal data through Dech forms, you are a Data Fiduciary under the DPDP Act and are independently responsible for your own compliance obligations.

15. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via email or a Platform notice. The "Last Updated" date will always reflect the most recent revision. Continued use of Dech after changes constitutes acceptance of the updated policy.

Data Processing Agreement (DPA) Expand to view the full DPA reference
Effective Date: April 20, 2026 Last Updated: April 20, 2026

1. Definitions

  • "Data Fiduciary" or "Controller" means the Business Owner who determines the purpose and means of processing End User personal data collected via Dech forms.
  • "Data Processor" means Dech, which processes personal data on behalf of the Data Fiduciary.
  • "Data Principal" or "End User" means the individual customer whose personal data is collected via your Dech forms.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
  • "Sub-Processor" means any third party engaged by Dech to process personal data on behalf of the Data Fiduciary.
  • "Applicable Law" means the Digital Personal Data Protection Act, 2023 (India), the IT Act 2000, IT (Amendment) Act 2008, and all related rules and regulations.

2. Scope and Purpose

This DPA applies to Dech's processing of personal data that Business Users collect from their customers through forms created on the Dech Platform.

Dech processes this personal data solely:

  • To store form submissions in the Business Owner's dashboard.
  • To display, filter, and manage leads as directed by the Business Owner.
  • To enable CSV export, status updates, and notes as instructed by the Business Owner.
  • To deliver email notifications to the Business Owner (Pro plan).
  • To facilitate WhatsApp and Instagram message flows as configured by the Business Owner.

3. Data Fiduciary Obligations

As the Data Fiduciary, you carry primary legal responsibility for the lawfulness of data collection from your customers. Dech cannot fulfill these obligations on your behalf.

3.1 Lawful Basis

You have a valid lawful basis, such as consent or legitimate interest, under the DPDP Act 2023 or other applicable law for collecting each category of personal data from your customers through Dech forms.

3.2 Consent

Where consent is your lawful basis, you have obtained free, specific, informed, and unambiguous consent from each Data Principal before collecting their data. You maintain records of such consent and can demonstrate it upon request.

3.3 Privacy Notice

You have provided your customers with a clear and accessible privacy notice that describes what data is collected, the purpose of collection, how long it is retained, and who it may be shared with.

3.4 Data Minimization

You only collect personal data that is adequate, relevant, and limited to what is necessary for the stated purpose. You do not use Dech forms to collect data that is excessive or unrelated to your business purpose.

3.5 Prohibited Data

You will not use Dech forms to collect the following sensitive data categories unless you have implemented appropriate legal safeguards, explicit consent, and security measures, and have notified Dech in advance:

  • Aadhaar numbers or copies of government-issued identity documents.
  • Financial credentials, bank account or payment card details.
  • Passwords, PINs, or authentication credentials.
  • Medical history, health records, or biometric data.
  • Data of minors under 18 years of age.
  • Racial, ethnic, caste, religious, or political belief data.

3.6 Accuracy

You take reasonable steps to ensure the personal data collected through your forms is accurate and up to date for the purpose for which it is processed.

3.7 Instructions

Your use of the Dech Platform constitutes your instructions to Dech to process personal data. You will provide additional instructions in writing if required.

4. Data Processor Obligations (Dech)

4.1 Process Only as Instructed

Process End User personal data only on documented instructions from the Data Fiduciary and not for any independent purpose.

4.2 Confidentiality

Ensure that all personnel with access to End User personal data are bound by confidentiality obligations.

4.3 Security Measures

Implement and maintain appropriate technical and organizational security measures to protect personal data, including:

  • Encryption of data in transit (HTTPS/TLS).
  • Encryption of data at rest (Google Firebase default encryption).
  • Access controls ensuring only the Data Fiduciary can access their customers' data.
  • Firebase Authentication and Firestore security rules.
  • Regular review of security measures.

4.4 Sub-Processors

Not engage new sub-processors without notifying the Data Fiduciary via the Privacy Policy update process. Current approved sub-processors are:

Dech will impose equivalent data protection obligations on all sub-processors.

  • Google Firebase (Google LLC) - storage and authentication.
  • Google SMTP - email notification delivery.
  • Meta / WhatsApp - message delivery (Enterprise: Cloud API).

4.5 Assist with Data Principal Rights

Provide reasonable technical assistance to the Data Fiduciary to respond to Data Principals' requests to access, correct, restrict, or delete their personal data.

4.6 Data Breach Notification

Notify the Data Fiduciary without undue delay, and within 72 hours where feasible, upon becoming aware of a personal data breach affecting End User data.

  • A description of the nature of the breach.
  • Categories and approximate number of Data Principals affected.
  • Likely consequences of the breach.
  • Measures taken or proposed to address the breach.

4.7 Deletion on Termination

Upon account termination or written request, delete all End User personal data within 30 days, unless retention is required by applicable law. Dech will confirm deletion in writing upon request.

4.8 Audit Assistance

Provide reasonable cooperation and information to the Data Fiduciary to enable compliance audits or assessments of Dech's data processing activities under this DPA, subject to reasonable notice and confidentiality obligations.

5. Data Transfers

End User personal data is stored on Google Firebase infrastructure, which may involve processing outside India. All such transfers are governed by Google LLC's compliance with applicable international data transfer standards. By accepting this DPA, the Data Fiduciary consents to such transfers to the extent required for service delivery.

6. Retention and Deletion

Dech retains End User personal data for as long as the Business Owner's account is active. Upon account deletion:

The Data Fiduciary is responsible for exporting any data they wish to retain before account deletion.

  • End User personal data is retained for 30 days to allow for data recovery if needed.
  • After 30 days, all End User personal data is permanently and irreversibly deleted.
  • The Data Fiduciary may request earlier deletion via support@dech.in.

7. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms and Conditions. The Data Fiduciary is solely liable for any claims arising from their failure to fulfill obligations under Section 3 of this DPA, including failure to obtain consent, failure to provide a privacy notice, or collection of prohibited data categories.

Dech is not liable for data protection violations that arise directly from the Data Fiduciary's instructions or their failure to comply with applicable law.

8. Governing Law

This DPA is governed by the laws of India, specifically the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and related regulations. Any disputes shall be subject to the exclusive jurisdiction of the courts of Bengaluru, Karnataka, India.

9. Order of Precedence

In the event of any conflict between this DPA and the Terms and Conditions, this DPA shall take precedence with respect to the processing of End User personal data.

10. Updates to This DPA

Dech may update this DPA to reflect changes in applicable law, sub-processors, or processing activities. Material updates will be notified via email or Platform notice at least 7 days before taking effect. Continued use of the Platform constitutes acceptance of the updated DPA.

Contact

Emailsupport@dech.in
Websitedech.in