dpdpa compliance.

last updated: may 2026

Digital Personal Data Protection Act, 2023

cform is designed from the ground up to comply with india's Digital Personal Data Protection Act, 2023 (DPDPA). this page explains how.

who is the data fiduciary

the hotel or host using cform is the data fiduciary — they decide why and how guest personal data is collected and processed. imperfection.tech (operating guestdesk/cform) is the data processor — we process data only on the hotel's instructions and only for the purpose of C-Form filing with the FRRO.

every hotel account signs a Data Processing Agreement (DPA) during onboarding that formalises this relationship.

lawful basis for processing

guest personal data is processed under two lawful bases:

  1. legal obligation — C-Form filing is mandatory under the Foreigners Act, 1946 and the Immigration and Foreigners Act, 2025. hotels are legally required to file this data with the FRRO.
  2. consent — guests provide explicit DPDPA consent at the point of form submission. consent is timestamped and stored per guest per filing.

what we collect and why

data collectedpurpose
passport detailsrequired for FRRO C-Form fields
visa detailsrequired for FRRO C-Form fields
contact and addressrequired for FRRO C-Form fields
face crop from passportrequired for FRRO photo upload
consent recordDPDPA compliance evidence

data minimisation

we collect only what the FRRO C-Form requires. no marketing data, no behavioural tracking, no advertising profiles.

where data lives

all personal data is stored on indian servers (mumbai region). there is no cross-border transfer of personal data. all data is encrypted at rest and in transit. row-level security ensures hotels only access their own guest data.

retention

filing records are retained for 5 years to satisfy FRRO requirements under the Registration of Foreigners Rules, 1992. passport and visa images are deleted earlier where feasible. hotels may request earlier deletion in writing; we will comply unless a legal retention obligation prevents it.

guest rights (data principal rights)

as a foreign guest whose data was filed via cform, you have the following rights under the DPDPA:

  • right to access your personal data
  • right to correction of inaccurate data
  • right to erasure (subject to 5-year FRRO retention)
  • right to withdraw consent
  • right to grievance redressal

to exercise any right: contact the hotel that filed your form first — they are the data fiduciary. you may also email hello@imperfection.tech and we will route your request appropriately. we respond within 7 business days.

breach notification

if we become aware of a personal data breach affecting guest data, we will notify affected hotels without undue delay and within 72 hours, consistent with DPDPA expectations.

grievance officer

name: C V Sanjeev Kumar

company: imperfection.tech

email: hello@imperfection.tech

address: trivandrum, kerala, india

response time: 7 business days

data processing agreement

hotels requiring a signed DPA for their own compliance records may request one at hello@imperfection.tech.

← back to guestdesk