
Data Privacy and Legal Policies for a D2C Store in India (2026): DPDP Act, Privacy Policy, Terms and Refunds

By Ravikant Tyagi · 11 min read

You have built the store, wired up Razorpay, and you are about to run your first ads. Then the payment aggregator asks for your privacy policy, your terms, your refund policy and a proper Contact Us page before it activates your account. Suddenly you are copy-pasting legal text at 1am from a random blog.

On top of that, India now has a real data privacy law. The Digital Personal Data Protection Act (DPDP Act) was passed in 2023, and the detailed DPDP Rules were notified on 13 November 2025. If you collect a customer's name, phone, address or email, and every D2C store does, this law applies to you. It is not just for the big tech companies.

This guide sorts out both problems in one place. What legal pages your store is legally required to show, what the DPDP Act actually asks of a small brand, and how to get compliant without hiring a law firm. Written by Ravikant Tyagi for founders, not lawyers.

Executive summary

Every Indian D2C store legally needs five pages live before it takes an order: Privacy Policy, Terms of Service, Return/Refund and Cancellation Policy, Shipping Policy, and a Contact Us page with a real address and grievance contact. These are required under the Consumer Protection (E-Commerce) Rules, 2020, and your payment gateway checks them before activating you. On top of that, the DPDP Act 2023 (rules notified Nov 2025, full compliance by 13 May 2027) says you must take clear consent before collecting customer data, tell people what you collect and why, use it only for that purpose, and let them withdraw consent or ask for deletion. Penalties for a serious security failure run up to ₹250 crore, but the practical fix is simple: publish the required pages and collect only the data you actually use.


Why this matters before you take a single order

Two separate rulebooks apply to an Indian online store, and founders confuse them.

The first is the Consumer Protection (E-Commerce) Rules, 2020. These came into force on 23 July 2020 under the Consumer Protection Act, 2019, and they cover what an e-commerce business must disclose to a buyer: who you are, how to reach you, your return and refund terms, and a grievance officer. Miss these and you are non-compliant from day one, plus your payment gateway will not activate you.

The second is the DPDP Act 2023, India's first proper data privacy law. It governs how you collect and handle personal data. The detailed rules were notified on 13 November 2025, with a phased rollout and full compliance expected by 13 May 2027 (EY India). So you have runway, but the direction is clear and the notice-and-consent parts are what a small store must get right first.

You do not need a lawyer to start. You need to understand what each page must say and set up honest data habits. Let's go rule by rule.

The five pages every Indian D2C store must have

Under the E-Commerce Rules, your store must clearly display your legal business name, headquarters address, contact details, and full terms on returns, refunds, exchange, delivery and grievance handling (Department of Consumer Affairs). In practice this maps to five pages, all linked in your footer.

Page | What it must cover | Why it exists
Privacy Policy | What personal data you collect, why, how it is stored, who you share it with, and how a customer can access or delete it | DPDP Act notice duty + gateway requirement
Terms of Service | Rules of buying from you, pricing, order acceptance, liability limits, governing law | Sets the contract with the buyer
Return / Refund & Cancellation Policy | Return window, conditions, refund method, and clear timelines like 5 to 7 working days | Mandatory disclosure under E-Commerce Rules
Shipping Policy | Dispatch time, delivery estimate, courier partners, serviceable areas, charges | Mandatory disclosure + sets expectations
Contact Us | Real business address, phone, email, and a named grievance officer with contact details | Required; gateway reads this page manually

One point founders miss: the E-Commerce Rules require a grievance officer. You must display a name and contact, acknowledge any complaint within 48 hours, and resolve it within one month (Consumer Affairs Rules). For a solo founder, that officer is you. Just put your name, email and phone on the Contact Us page.

If you are on Shopify, these live under Settings, then Policies, and you can edit the templates. Do edit them. A refund policy that still says "30 days" when you actually give 7 will burn you in a dispute.

Founder Mistake

Copy-pasting a US store's privacy policy that mentions California rights and a Delaware address, then leaving it live for a year. It reads fake, it does not match Indian law, and it names the wrong data rights. When Razorpay's compliance team opens the page (they genuinely read it before activating your merchant ID), a mismatched or missing policy is a common reason for rejection. The cost is not a fine at your stage. It is a week of delay and a blocked launch while you scramble to rewrite pages you should have set up in an afternoon.

What the DPDP Act actually asks of a small D2C brand

Strip away the jargon and the DPDP Act has a simple spine. If you handle someone's personal data, you are a data fiduciary (the one who decides how data is used). Your customer is the data principal (the person the data belongs to). Personal data is anything that can identify a person: name, phone, email, address, order history.

Here is what the law expects, in founder language.

1. Give a clear notice and take consent

Before you collect data, you must show a plain-language notice that itemises what you collect and exactly why. This notice has to be separate from your long terms of service, not buried inside them (Fisher Phillips). A pre-ticked box does not count as consent. The customer must actively agree.

2. Use data only for the stated purpose (purpose limitation)

Purpose limitation means you use the data only for what you said. You took an email to send an order update, you cannot later sell that list or blast unrelated promotions without fresh consent. If you want to add someone to a marketing newsletter, ask for that specifically.

3. Honour data-principal rights

Customers can ask for a summary of the data you hold, ask you to correct it, and ask you to delete it. They can withdraw consent, and withdrawing must be as easy as giving it. Under the rules, requests like erasure or access must be handled within about 90 days (CookieYes DPDP guide). Practically: give an email like privacy@yourbrand.com and actually answer it.

4. Report serious breaches

If customer data leaks, you must notify affected people and the Data Protection Board. This is where the big numbers live, and it is worth being accurate about them rather than scaring yourself.

Decision Framework

Deciding what data to collect at checkout? If you use the field to fulfil, ship, or legally invoice the order (name, address, phone, email) → collect it. If it is "nice to have" for some future idea (date of birth, gender, second phone number) → do not collect it yet. Every extra field is data you must now protect, justify and be able to delete. The safest privacy posture is the smallest honest dataset.
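The four duties above (itemised notice, explicit consent, purpose limitation, and the smallest honest dataset) can be enforced at the point where the checkout form is received, not just promised on a policy page. The block below is an added example, not code from the article or from any store platform: the field names, the purpose strings, the consent shape and the function names are all assumptions chosen for the demo. It drops any field that has no stated purpose, refuses anything but an explicit boolean true as consent (so a pre-ticked box, an "on" string or an absent key never counts), keeps marketing consent separate from order consent, and generates the itemised notice from the same allowlist so the notice and the data you actually keep cannot drift apart.

```javascript
// Added example: purpose-bound checkout intake (not from the article).
// Fields, purposes, consent shape and function names are assumptions.

// Every field is allowed only because a named purpose needs it. This table
// is both the allowlist for incoming data and the source of the notice text.
const CHECKOUT_FIELDS = {
  name:    'fulfil and invoice the order',
  phone:   'courier contact and order updates',
  email:   'order confirmation and invoice',
  address: 'shipping',
  pincode: 'shipping',
};

// Purposes a customer may opt in to separately. A missing or non-true flag
// means "no", never "maybe"; the order still goes through without them.
const OPTIONAL_PURPOSES = ['marketing'];

// Builds the plain-language notice the customer sees before the form.
// Kept separate from the Terms of Service on purpose.
function noticeText() {
  const lines = Object.entries(CHECKOUT_FIELDS)
    .map(([field, purpose]) => `- ${field}: collected to ${purpose}`);
  return ['We collect the following to process your order:', ...lines].join('\n');
}

// Validates one submitted checkout payload of the shape
// { fields: {...}, consent: { order: true, marketing: true } }.
// Returns what may be stored, which fields were discarded, and the errors.
function validateCheckout(payload, now = Date.now()) {
  const fields = (payload && payload.fields) || {};
  const consent = (payload && payload.consent) || {};
  const data = {};
  const dropped = [];
  const errors = [];

  // Allowlist: anything without a stated purpose is discarded, never stored.
  for (const [key, value] of Object.entries(fields)) {
    if (Object.prototype.hasOwnProperty.call(CHECKOUT_FIELDS, key)) data[key] = value;
    else dropped.push(key);
  }
  for (const key of Object.keys(CHECKOUT_FIELDS)) {
    if (!(key in data) || String(data[key]).trim() === '') errors.push(`missing ${key}`);
  }

  // Consent must be the literal boolean true set by the customer's own action.
  // Strings such as "on", numbers, or an absent key are treated as no consent,
  // which is what defeats a pre-ticked or default-on checkbox.
  if (consent.order !== true) errors.push('order consent not given');
  const consents = { order: consent.order === true, at: now };
  for (const purpose of OPTIONAL_PURPOSES) consents[purpose] = consent[purpose] === true;

  return { ok: errors.length === 0, data, consents, dropped, errors };
}

// Purpose check to run before any use of stored data: "can I email this
// customer a promotion?" is answered here, not by whoever holds the list.
function mayUseFor(record, purpose) {
  return record.consents[purpose] === true;
}

// Withdrawal of an optional purpose is a single call, as easy as opting in.
function withdrawPurpose(record, purpose) {
  if (OPTIONAL_PURPOSES.includes(purpose)) record.consents[purpose] = false;
  return record;
}
```

A practical consequence of this layout: adding a "date of birth" field to the form without adding a purpose to CHECKOUT_FIELDS silently discards it, which is the correct default. When a genuine purpose appears, you add the field and its purpose in one place and the notice updates itself.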

The penalties, stated honestly

You will see "₹250 crore" thrown around online. Here is the real picture so you neither ignore it nor panic.

The DPDP Act sets maximum penalties for specific failures, decided by the Data Protection Board case by case (EY India):

  • Up to ₹250 crore for failing to take reasonable security safeguards that lead to a breach.
  • Up to ₹200 crore for failing to notify the Board and affected people about a breach, or for failing children-related obligations.
  • Up to ₹50 crore for other breaches of duty.

These are ceilings for serious, negligent failures, not automatic fines on a small store with a slightly imperfect page. The rollout is phased, and full enforcement lands by 13 May 2027. So the sane response is not fear. It is basic hygiene: collect little, protect it, publish honest pages, and be reachable. Do that and you are in a strong position well before the deadline.

Operator Framework

Launch Readiness Score™ · legal layer: before you spend the first rupee on ads, score yes or no on eight items.
  • Business name and address shown
  • Contact Us with grievance officer
  • Privacy Policy that matches what you actually collect
  • Terms of Service
  • Refund and Cancellation Policy with real timelines
  • Shipping Policy
  • Consent taken at signup and checkout, not pre-ticked
  • A working privacy email
Eight yes means you are launch-ready on the legal layer. Any no is a blocker, not a "later".

Source Scratch to ₹5 Lac/month · Phase Set Up Legally · Framework Launch Readiness Score™ · Created by Ravikant Tyagi, 2026

Cookies and consent, kept simple

If your store loads Meta Pixel, Google Analytics or any tracker, those drop cookies that collect behaviour data. Under DPDP thinking, that is personal data you need consent for. You do not need a heavy enterprise setup at your stage. A simple cookie banner that lets a visitor accept or reject non-essential cookies, plus a short cookie section in your privacy policy explaining what you run and why, covers the basics for a small D2C store.

Keep the banner honest. Do not make "Reject" a tiny grey link while "Accept" is a giant green button. Regulators worldwide are cracking down on that pattern, and it damages trust with the exact customers you want to keep.
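The banner only works if the trackers are not already in the page HTML firing before anyone clicks. The block below is an added example, not code from the article or from any tracker or consent vendor: the storage key, the 180-day re-ask window, the tracker URLs and the element ids are assumptions. It loads non-essential scripts only after an explicit accept, remembers a reject so the visitor is not nagged, treats a missing, malformed or stale record as "no", and makes withdrawal a single call.

```javascript
// Added example (not from the article): consent-gated tracker loading.
// Storage key, expiry window, tracker URLs and element ids are assumptions.

const CONSENT_KEY = 'cookie_consent_v1';              // assumed storage key
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000; // assumed: re-ask after 180 days

// Scripts that are not needed to take an order. They must NOT appear in the
// static HTML; they are injected only after "accept". URLs are placeholders.
const NON_ESSENTIAL_TRACKERS = [
  { name: 'analytics', src: 'https://analytics.example/tag.js' },
  { name: 'ad-pixel',  src: 'https://pixel.example/pixel.js' },
];

// Tiny storage shim with the same three methods as localStorage, so the
// decision logic runs in a browser or in Node for testing.
function memoryStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, String(v)); },
    removeItem: (k) => { store.delete(k); },
  };
}

// Returns { accepted, at } or null. Missing, unparsable, wrongly typed or
// expired records are all null, which the caller treats as "ask again".
function readConsent(storage, now = Date.now()) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (typeof rec !== 'object' || rec === null) return null;
  if (typeof rec.accepted !== 'boolean' || typeof rec.at !== 'number') return null;
  if (now - rec.at > CONSENT_MAX_AGE_MS) return null;
  return { accepted: rec.accepted, at: rec.at };
}

// Only ever called from a click handler, never on page load, so an implicit
// "accepted by default" record cannot be written.
function recordConsent(storage, accepted, now = Date.now()) {
  const rec = { accepted: accepted === true, at: now };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Withdrawal is as easy as giving consent: one call, no confirmation maze.
function withdrawConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// No record, a reject, or a stale record all load nothing. Rejection is the
// default state; acceptance has to be proven by a valid record.
function trackersToLoad(storage, now = Date.now()) {
  const consent = readConsent(storage, now);
  if (!consent || !consent.accepted) return [];
  return NON_ESSENTIAL_TRACKERS.map((t) => t.src);
}

// Browser wiring. Assumes #cookie-banner, #cookie-accept and #cookie-reject
// exist in the HTML, with both buttons styled identically.
function initBanner(doc, storage, now = Date.now()) {
  const inject = (src) => {
    const s = doc.createElement('script');
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  };
  const banner = doc.getElementById('cookie-banner');
  if (readConsent(storage, now)) {
    banner.hidden = true;                       // a valid choice exists: respect it
    trackersToLoad(storage, now).forEach(inject);
    return;
  }
  banner.hidden = false;                        // no valid choice: ask, load nothing
  doc.getElementById('cookie-accept').addEventListener('click', () => {
    recordConsent(storage, true);
    banner.hidden = true;
    trackersToLoad(storage).forEach(inject);
  });
  doc.getElementById('cookie-reject').addEventListener('click', () => {
    recordConsent(storage, false);              // remember the "no" so we do not nag
    banner.hidden = true;
  });
}

if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  initBanner(document, localStorage);
}
```

Two things this code deliberately does not do: it does not clear cookies a tracker has already set (after a withdrawal the page should be reloaded, at which point nothing is injected), and it does not treat a closed or ignored banner as acceptance. Both are the points regulators look at, and both are cheaper to get right at launch than to retrofit.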

Operator Note · Ravikant Tyagi

I have watched founders treat legal pages as decoration and treat customer data as free inventory to be mined later. Both backfire. The store that collects a phone number and address, uses them only to ship and update the order, and answers a deletion request within a day builds the kind of trust that lowers RTO and lifts repeat rate. Good privacy is not a cost. It is quietly a retention lever.

What it costs and how long it takes

The legal layer is one of the cheapest things you will set up. Here is the honest range.

Approach | Cost | Time | Good for
Shopify policy templates, edited yourself | Free (in your plan) | An afternoon | Most early-stage stores
Free policy generator + your edits | Free to ₹2,000 | Half a day | Custom builds, WooCommerce
A lawyer-reviewed set of pages | ₹8,000 to ₹25,000 | 1 to 2 weeks | Higher-ticket or funded brands
Cookie consent tool | Free tier to ₹1,000/mo | An hour | Stores running ad pixels

Most founders should start with edited templates and upgrade to a lawyer review once revenue justifies it, typically once you are past a few lakh a month or raising money. The mistake is not "cheap pages". The mistake is no pages, or pages that lie about what you do.

Execution Checklist
  • Register your business name and note the exact legal name and address you will display.
  • Publish Privacy Policy, Terms, Refund/Cancellation, Shipping, and Contact Us in your footer.
  • Put a named grievance officer, email and phone on Contact Us.
  • Edit templates so refund windows and shipping timelines match what you actually do.
  • Add an active checkbox for consent at signup and checkout (never pre-ticked).
  • Add a cookie banner if you run any pixel or analytics tracker.
  • Set up a privacy@yourbrand.com and commit to answering data requests within days.
  • Audit your checkout: delete every field you do not actually use.
  • Run the payment gateway activation only after all pages are live and honest.

Next action

Today, open your store's policy section and check whether all five pages exist and match reality. If any are missing or copied from a US template, fix that first, before you touch your ad account. It is a one-afternoon job that unblocks your entire launch and keeps you clean under both the E-Commerce Rules and the DPDP Act.

Once your legal layer is set, the next money decisions are your tax setup and your returns process, both tied to compliance. Read GST for e-commerce sellers in India and returns, refunds and reverse logistics next. If you are still setting up the store itself, the Shopify store setup guide shows where these pages plug in, and how to start a D2C brand in India covers the full launch order. When you are ready to spend on acquisition, your unit economics decide whether that spend is safe.

If you'd like the complete execution system, calculators, SOPs, templates and operating frameworks behind this process, continue inside D2C Acquisition.Lab.

About the author
Ravikant Tyagi, Founder of D2C Acquisition.Lab
  • Former Distribution Head at Eureka Forbes (₹3,500 crore consumer business).
  • Former Supply Chain & Operations Leader at Atomberg Technologies during its growth from ₹400 crore to ₹1,200 crore.
  • Creator of the Scratch to ₹5 Lac/month Operating System. Fractional COO to funded consumer startups.


FAQ

Common questions

An Indian D2C store must display five things: a Privacy Policy, Terms of Service, a Return/Refund and Cancellation Policy, a Shipping Policy, and a Contact Us page with a real business address and a named grievance officer. These come from the Consumer Protection (E-Commerce) Rules, 2020. Your payment gateway also checks these pages before activating your account, so missing even one can block your launch.

It applies to any business that collects personal data, which includes every D2C store taking a name, phone, email or address. Under the DPDP Act 2023, you are a data fiduciary the moment you collect that data. The obligations are lighter than for large data processors, but the basics still apply: take clear consent, use data only for the stated purpose, and let customers ask for access or deletion.

The Data Protection Board can impose penalties up to ₹250 crore for failing to keep reasonable security safeguards during a data breach, up to ₹200 crore for failing to report a breach or breaching children-related duties, and up to ₹50 crore for other failures. These are maximum ceilings for serious, negligent cases, decided case by case, not automatic fines on a small store with a minor gap. Full enforcement is expected by 13 May 2027.

The DPDP Act was passed in 2023, and the detailed DPDP Rules were notified on 13 November 2025. The rollout is phased over roughly 18 months, with full compliance expected by 13 May 2027. The Consent Manager framework becomes operational around November 2026. So you have runway, but the notice-and-consent basics and your required policy pages should be in place now, before you launch.

If your store loads trackers like Meta Pixel or Google Analytics, those collect behaviour data that counts as personal data, so a simple cookie consent banner is the right move. Let visitors accept or reject non-essential cookies, and add a short cookie section to your privacy policy. Keep the choice honest and do not hide the reject option. For a small store, a free-tier consent tool is enough.

No. Copying a US or generic policy that names the wrong laws, the wrong data rights and a foreign address reads as fake and does not match Indian rules. Your payment gateway's compliance team reads these pages manually and rejects mismatches. Start from your platform's India template or a generator, then edit it so it honestly describes what data you collect, why, and how a customer can get it deleted.