Website T&C and Privacy Policy

Website Terms and Conditions and Privacy Policy are the two foundational legal documents on a public-facing website or web-application, operating concurrently as a contract between the website operator and the user (the Terms and Conditions, governed by the Indian Contract Act, 1872 with the click-wrap or browse-wrap consent doctrine governing acceptance) and as a statutory disclosure document for personal-data-handling (the Privacy Policy, governed primarily by the Information Technology Act, 2000 §43A read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, transitioning into the Digital Personal Data Protection Act, 2023 framework as the DPDPA Rules and the Data Protection Board are progressively notified). The Terms and Conditions cover the licence to use the website and any associated content, the user's account-creation and authentication obligations, the user-content licence in favour of the operator (where the website permits user-generated content), the prohibited-conduct and acceptable-use framework, the intellectual-property allocation between the operator and the user, the disclaimer of warranties and the limitation of liability within the §73 Indian Contract Act, 1872 actual-loss framework and the §74 liquidated-damages ceiling, the dispute-resolution clause, the governing-law-and-jurisdiction clause, and the modification-and-termination framework. The Privacy Policy covers the categories of personal data collected, the purposes for which the data is collected, the legal basis for processing (consent, legitimate use, statutory obligation), the recipients with whom the data is shared (third-party processors, payment gateways, analytics providers, regulators on legal demand), the data-retention period, the user's data-principal rights (access, correction, erasure, grievance), the security-and-safeguards framework, the cookie-and-tracking-technology disclosure, the international-transfer disclosure where applicable, and the contact details of the Data Protection Officer or grievance officer.

The statutory framework engages multiple parallel regimes. The Information Technology Act, 2000 §43A imposes liability on a body corporate that is "negligent in implementing and maintaining reasonable security practices and procedures" causing wrongful loss or wrongful gain in relation to sensitive personal data; §72A criminalises disclosure in breach of a lawful contract by an intermediary or service-provider. The IT (Reasonable Security Practices) Rules, 2011 prescribe the operative framework for sensitive personal data (passwords, financial information, health information, biometric information, sexual orientation, medical records and history) and remain operative pending DPDPA full commencement. The DPDPA, 2023 introduces a unified personal-data framework with the Data Protection Board of India as the regulator, the Significant Data Fiduciary categorisation, the data-principal-rights framework (§§11-§14), the children's-data special-protection regime (§9), the cross-border-transfer framework (§16), and substantial financial penalties for breach (Schedule I — up to ₹250 crore for certain breach categories). The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 apply to websites that meet the intermediary definition under §2(w) IT Act, imposing due-diligence obligations under Rule 3 and (for significant social media intermediaries) additional Rule 4 obligations. The Consumer Protection Act, 2019 with the Consumer Protection (E-Commerce) Rules, 2020 applies where the website is engaged in e-commerce, imposing display-disclosure obligations on price, country-of-origin, total cost, refund-and-return policy, grievance-redressal mechanism, and grievance-officer contact details.

In Uttarakhand, the website-terms-and-privacy use-case spans the Dehradun-Selaqui-Sahastradhara technology-startup belt (where SaaS, fintech, edtech, and consumer-tech ventures incorporate and host their primary customer-facing properties), the Haridwar and Rishikesh tourism-and-wellness sector (where booking platforms, ashram and yoga-centre websites, and pilgrimage-services portals carry significant personal-data-handling profiles), the Haldwani and Rudrapur services and BPO sector (where third-party-data-processing engagements with international principals require alignment with both Indian and international privacy frameworks), and the State's expanding e-commerce footprint (where the Consumer Protection (E-Commerce) Rules, 2020 disclosure framework engages directly). The Information Technology Adjudicating Officer for Uttarakhand under §46 IT Act is the Secretary, Information Technology Department, Government of Uttarakhand at Dehradun (or the officer notified in that capacity), with adjudication jurisdiction over claims up to ₹5 crore for §43 / §43A complaints; the Cyber Appellate Tribunal jurisdiction (now subsumed under the Telecom Disputes Settlement and Appellate Tribunal under the Tribunals Reforms Act, 2021) is the appellate forum; the Civil Court is the residual forum where the IT Act framework does not apply or the claim exceeds the adjudication threshold; the Uttarakhand High Court at Nainital is the writ forum.

The procedural sequence in practice runs: scoping conversation with the operator (nature of website / web-application / mobile-application; data-collection profile — categories, sensitivity, purposes; user-base profile — Indian / international / mixed; payment-processing arrangement — direct / through PA-PG; third-party-processor arrangement — analytics, hosting, customer-support; intermediary status under §2(w) IT Act; e-commerce status under the 2020 E-Commerce Rules; presence of children's-data handling), followed by drafting of the Terms and Conditions tailored to the website's profile (with click-wrap consent mechanism for account creation and browse-wrap framing for casual visitors), the Privacy Policy aligned to the IT Act §43A + SPDI Rules 2011 framework with forward-compatibility to DPDPA 2023 (consent architecture, data-principal-rights enumeration, grievance-officer designation), the Cookie Policy where tracking technologies are deployed, the Refund and Return Policy where e-commerce, the Acceptable Use Policy and the Community Guidelines where user-generated content, and the Data Processing Agreement with each material third-party processor. The grievance-officer designation under the IT Rules, 2021 (Rule 3(2)) and the DPDPA, 2023 §10 (where applicable) is contemporaneous with the Privacy Policy publication. Where a §43A breach is alleged or a §72A unauthorised disclosure has occurred, the procedural sequence shifts to the IT Act §46 Adjudicating Officer complaint at Dehradun, with parallel BNS criminal-breach-of-trust filings where the conduct rises to that threshold, and parallel civil suit for damages where the claim exceeds the adjudication threshold or where contractual damages are pursued.

NyaySetu Law's website Terms and Privacy Policy drafting service triages the website profile (nature of operation / data-collection profile / user-base / payment arrangement / third-party-processor arrangement / intermediary status / e-commerce status / children's-data handling), drafts the Terms and Conditions with click-wrap-or-browse-wrap consent mechanism, drafts the Privacy Policy aligned to the IT Act §43A + SPDI Rules 2011 framework with forward-compatibility to the DPDPA, 2023 framework, drafts the Cookie Policy where tracking technologies are deployed, drafts the Refund and Return Policy where e-commerce, drafts the Acceptable Use Policy and Community Guidelines where user-generated content is permitted, drafts the Data Processing Agreement with each material third-party processor, advises on the grievance-officer designation under the IT Rules, 2021 Rule 3(2) and the DPDPA, 2023 §10, advises on the Consumer Protection (E-Commerce) Rules, 2020 disclosure obligations where engaged, drafts the §46 IT Act adjudicating-officer complaint at Dehradun where a §43A breach is alleged, and drafts the parallel BNS / civil-suit filings where applicable. You provide the website profile and approve the drafted documents, sign the engagement letter and any Data Processing Agreements, and authorise the publication and the adjudicating-officer / civil filings where engaged.