The DPDP Act applies to your startups and you probably arent taking it seriously
Been working in cybersecurity for about 15 years, there are on going conversations about the DPDP act but not many are taking it seriously simply because they either assume that it only applies to 'Big companies' or the government would be lenient on them. Well,if your company collects someone's name, phone number, or email you're already covered under the Act. Doesn't matter if you're 3 people or 300. And if you're using third-party tools that touch user data (pretty much everyone is), you're on the hook for how they handle it too.
Enforcement isn't aggressive yet but the law is already in effect. Scrambling after the first notice lands is not a fun place to be.
I got tired of not finding anything India specific that wasn't either an expensive consulting engagement or a GDPR tool with Indian branding slapped on it, so I built something called CompliSeal. Runs a scan, shows you where you have gaps, tells you what to fix. Nothing fancy. Free to try if you want a quick sense of where you stand.
Even if you skip that, just spend 20 minutes on the MeitY summary. Most founders are genuinely unaware of basics that could bite them later.Drop questions here if you have any, happy to help where I can.