Your Data Rights in India — The DPDP Act 2023 Explained Simply

Most people have heard that “India now has a data protection law.” What they haven’t heard is what it actually gives them — six specific, enforceable rights over any company that holds their personal data. If you use a finance app, a shopping platform, or any digital service in India, these rights apply to you right now.

This post explains each of the six rights in plain language and tells you exactly how to exercise each one inside MyFam360.

---

What is the DPDP Act 2023?

The Digital Personal Data Protection Act 2023 (DPDP Act) was passed by Parliament in August 2023. It is India’s primary law governing how companies collect, store, process, and share the personal data of Indian users.

Under the Act, companies like MyFam360 are classified as Data Fiduciaries — entities that determine what data to collect and why. You, the user, are the Data Principal — the person the data belongs to.

The law creates a clear accountability structure: before processing your personal data, a Data Fiduciary must obtain free, specific, informed, unconditional consent — and must be able to demonstrate that consent was properly recorded.

---

The 6 Rights the DPDP Act Gives You

Right 1 — Consent: Know and Approve What’s Collected

What it means: Before a company collects your data, it must tell you exactly what it will collect and why. You must actively agree — pre-ticked consent boxes are not valid under the Act.

What we do: When you sign up for MyFam360, you see a non-pre-checked “I agree to the Privacy Policy and Terms of Service” checkbox. You must tick it yourself. When you use the AI features (AskAI, AI Insights), a separate consent screen appears before the first use — because sending data to an external AI provider is a different processing purpose from storing your expenses.

Every consent you’ve given is time-stamped and saved in your account.

How to see your consent history: Settings → Privacy → Consent History

---

Right 2 — Access: See What Data a Company Holds About You

What it means: You have the right to request a copy of all personal data a company holds about you and to know what it’s being used for.

What we do: You can download a complete export of everything MyFam360 holds about you at any time — no need to submit a request or wait for a response.

How to use it: Settings → Privacy → Download All My Data. This generates a ZIP file containing:

• Your profile (name, email, account creation date)
• All consent records
• Every expense, income, budget, account, savings goal, settlement, and recurring entry
• Your badge and feature interaction history
• Audit records of actions in your account

The export is in CSV format — readable in Excel, Google Sheets, or any data tool.

---

Right 3 — Correction: Fix Inaccurate Data

What it means: If a company holds inaccurate or incomplete personal data about you, you have the right to correct it.

What we do: Your profile, transactions, and preferences are all directly editable inside the app. There’s no request-and-wait process.

How to use it:

• Profile (name, email): Settings → Profile
• Transactions: tap any expense or income to edit it
• Preferences (theme, language, notifications): Settings

---

Right 4 — Erasure: The Right to Be Forgotten

What it means: You can request complete deletion of all your personal data. The company must fulfill this within 30 days. This is sometimes called the “right to be forgotten.”

This is more nuanced for shared-data apps. When you participate in a shared family group, your expenses are intertwined with other members’ financial history. The DPDP Act and similar laws handle this by requiring anonymization of shared records rather than deletion — preserving other members’ data while removing your identity from it.

What we do:

When you delete your MyFam360 account:

Data Type	What Happens
Your profile and login credentials	Permanently deleted
Your passkeys (WebAuthn credentials)	Permanently deleted
Push notification subscriptions	Permanently deleted
Consent records	Permanently deleted
Plan trial history	Permanently deleted
Expenses you logged in shared family groups	Anonymized — your name becomes “Deleted Member”
Audit logs	Retained 7 years (Indian law), but stripped of your email
Subscription payment records	Retained 7 years (RBI compliance), but de-linked from your identity

How to use it: Settings → Account → Delete Account. A confirmation modal explains exactly what will be deleted and what will be anonymized before you proceed.

---

Right 5 — Portability: Take Your Data Elsewhere

What it means: You have the right to receive your personal data in a structured, machine-readable format and to transfer it to another service provider.

What we do: The same “Download All My Data” export described under Right 2 satisfies portability. The CSV format is specifically chosen because it’s interoperable — it works in every spreadsheet tool, database, and competing finance app.

How to use it: Settings → Privacy → Download All My Data

---

Right 6 — Grievance: File a Complaint and Get a Response

What it means: Every Data Fiduciary must designate a grievance officer with published contact details and a defined response timeframe. Under the DPDP Act, the acknowledgment must happen within 72 hours.

What we do:

• Privacy grievance email: support+privacy@myfam360.com
• Acknowledgment SLA: 72 hours
• Resolution target: 30 days
• In-app option: Help → Give Feedback → Privacy Grievance

If a grievance cannot be resolved with the company, the DPDP Act provides for escalation to the Data Protection Board of India — an independent adjudicating body empowered to issue directions and impose penalties.

---

Why This Matters for Finance Apps Specifically

Finance apps hold the most sensitive category of personal data — income, debts, spending habits, account balances. The DPDP Act applies with full force to this data. Any Indian finance app that collects your financial information without:

1. A clear consent record tied to a specific policy version
2. A mechanism to download or delete your data
3. A published grievance contact with a response SLA

…is not compliant with Indian law.

When evaluating any finance app, these six rights are the baseline to check. Not as a legal exercise — as a practical signal of whether the company intends to handle your data responsibly.

---

What’s Next for Indian Data Protection

The DPDP Act 2023 is currently being implemented in phases. The implementing rules (covering specific timelines, the Data Protection Board’s operations, and Significant Data Fiduciary classifications) are in progress. As these rules are notified, we’ll update our practices accordingly.

You can view MyFam360’s current privacy commitments in the Privacy Policy. For questions about your specific data rights, contact us at support+privacy@myfam360.com.

Related reading:

• How we protect your financial data — the technical security layers behind every protection
• The right to delete: how to erase all your data from MyFam360 — step-by-step account deletion guide
• Why we moved our servers to an India-compliant region — data residency and RBI compliance explained