Privacy Policy
Last updated: 1 April 2025 | Effective: 1 April 2025
DPDP Act 2023 Compliance: This policy is drafted in accordance with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000. BookMySMS is committed to protecting the digital personal data of every Data Principal (you) who interacts with our platform.
1. Who We Are (Data Fiduciary)
BookMySMS is a brand operated by Decipher Consultancy Services, headquartered at 295, Block C, Sushant Lok III, Sector 57, Gurugram, Haryana – 122003, India.
Under the DPDP Act 2023, we act as the Data Fiduciary — the entity that determines the purpose and means of processing your personal data.
| Detail | Information |
|---|---|
| Legal Entity | Decipher Consultancy Services |
| Brand Name | BookMySMS |
| Registered Address | 295, Block C, Sushant Lok III, Sector 57, Gurugram, Haryana – 122003 |
| support@bookmysms.com | |
| Phone | +91-9911202099 |
2. Data We Collect
We collect only the personal data that is necessary for the specific purpose of providing our services. Under the DPDP Act, “personal data” means any data about an individual who is identifiable by or in relation to such data.
2.1 Data You Provide Directly
| Data Category | Examples | Purpose |
|---|---|---|
| Identity Data | Full name, company name, designation | Account creation, KYC, DLT registration support |
| Contact Data | Email address, mobile number, office address | Service communication, support, invoicing |
| Financial Data | GST number, billing address, payment transaction IDs | Invoicing, tax compliance, refund processing |
| Service Data | SMS templates, sender IDs, DLT entity IDs, API keys | Service delivery, TRAI/DLT compliance |
| Enquiry Data | Messages submitted via contact form | Responding to your enquiry |
2.2 Data Collected Automatically
| Data Category | Examples | Purpose |
|---|---|---|
| Technical Data | IP address, browser type, device type, operating system | Security, analytics, platform optimisation |
| Usage Data | Pages visited, click patterns, session duration | Improving user experience |
| Cookie Data | Session cookies, analytics cookies | See our Cookie Policy |
2.3 Data We Do NOT Collect
We do not collect sensitive personal data such as biometric data, health data, sexual orientation, political opinions, religious beliefs, caste, genetic data, or transgender status. We do not process data of children (under 18 years) knowingly.
3. Lawful Basis & Purpose of Processing
Under the DPDP Act 2023, we process your personal data based on the following lawful grounds:
| Purpose | Lawful Basis (DPDP Act) |
|---|---|
| Providing SMS, Voice, WhatsApp & communication services | Consent (Section 6) & Performance of contract |
| Account creation & management | Consent & Legitimate use |
| DLT registration & TRAI compliance support | Legal obligation & Legitimate use |
| Billing, invoicing & payment processing | Performance of contract & Legal obligation |
| Customer support & enquiry responses | Consent |
| Service improvement & analytics | Legitimate use |
| Fraud prevention & security | Legitimate use & Legal obligation |
| Tax & regulatory compliance | Legal obligation |
4. Consent Mechanism
In compliance with Section 6 of the DPDP Act, we obtain your free, specific, informed, unconditional, and unambiguous consent before collecting your personal data through:
- Contact forms: A clear consent checkbox with a privacy notice is displayed before submission.
- Service sign-up: You agree to our Terms & Conditions and this Privacy Policy at the time of registration.
- Cookies: A cookie consent banner is displayed on your first visit with the option to accept or decline.
You may withdraw your consent at any time by emailing us at support@bookmysms.com. Upon withdrawal, we will cease processing your data, subject to any legal retention obligations. Please note that withdrawal of consent may affect our ability to provide services to you.
5. Data Retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected:
| Data Type | Retention Period | Reason |
|---|---|---|
| Contact form enquiries | 90 days | Respond and follow up, then securely deleted |
| Client account data | Duration of engagement + 3 years | Contractual & tax compliance obligations |
| SMS delivery logs | 90 days | Delivery reporting & dispute resolution |
| Invoices & financial records | 8 years | Income Tax Act & GST Act requirements |
| DLT registration data | Duration of engagement + 1 year | TRAI regulatory compliance |
| Cookie & analytics data | 13 months | Website improvement |
Once the retention period expires, data is securely erased or anonymised so it can no longer be associated with you.
6. Your Rights as a Data Principal
Under the DPDP Act 2023, you (the Data Principal) have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Right to Access | Request a summary of your personal data being processed and the processing activities. | Email us at support@bookmysms.com |
| Right to Correction | Request correction of inaccurate or misleading personal data, and updating of incomplete data. | Email us or contact your account manager |
| Right to Erasure | Request deletion of your personal data when it is no longer necessary for the purpose it was collected. | Email us at support@bookmysms.com |
| Right to Withdraw Consent | Withdraw previously given consent at any time. This does not affect the lawfulness of processing done before withdrawal. | Email us at support@bookmysms.com |
| Right to Grievance Redressal | Lodge a complaint regarding processing of your personal data. | Contact our Grievance Officer (details below) |
| Right to Nominate | Nominate any individual to exercise your rights in the event of your death or incapacity. | Email us with notarised nomination details |
We will respond to all rights requests within 30 days of receipt. If we need more time, we will inform you of the reason and extended timeline.
7. Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. We may share data only with:
| Third Party | Purpose | Safeguards |
|---|---|---|
| Telecom operators & DLT platforms | SMS delivery as mandated by TRAI | TRAI-regulated, encrypted channels |
| Payment gateways | Processing payments | PCI-DSS compliant, no card data stored by us |
| Cloud infrastructure (AWS) | Data hosting & processing | AWS India region, encrypted at rest & in transit |
| Email service provider (Brevo) | Transactional email delivery | GDPR-compliant data processing agreement |
| Google (reCAPTCHA, Analytics) | Spam prevention, website analytics | Google Privacy Policy applies |
All third-party processors are contractually obligated to process your data only for the specified purpose and with appropriate security measures, as required under the DPDP Act.
8. Data Security Measures
We implement reasonable security safeguards as required under Section 8 of the DPDP Act to protect your personal data against unauthorised access, alteration, disclosure, or destruction:
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Infrastructure: Hosted on AWS India (Mumbai region) with ISO 27001 certification.
- Access control: Role-based access with multi-factor authentication for all admin systems.
- Monitoring: 24/7 security monitoring and automated threat detection.
- Regular audits: Periodic security assessments and vulnerability testing.
9. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Data Protection Board of India as required under the DPDP Act.
- Notify affected Data Principals (you) without undue delay.
- Take immediate steps to contain the breach and mitigate potential harm.
- Document the breach, its effects, and remedial actions taken.
10. Cross-Border Data Transfer
Your personal data is primarily stored and processed within India (AWS Mumbai region). We do not transfer personal data outside India except where:
- The Central Government has not restricted transfer to that country or territory.
- Adequate safeguards are in place as prescribed under the DPDP Act.
Currently, limited data may be processed by Google (Analytics, reCAPTCHA) and Brevo (email delivery) on servers outside India, in compliance with applicable regulations.
11. Children's Data
BookMySMS is a business-to-business (B2B) service. We do not knowingly collect or process personal data from children under 18 years of age. If we become aware that a child's data has been collected without verifiable parental consent, we will delete it immediately. If you believe a child's data has been submitted to us, please contact us at support@bookmysms.com.
12. Grievance Officer
In compliance with the DPDP Act 2023 and IT Act 2000, we have appointed a Grievance Officer:
Grievance Officer
Mr. Subesh Kumar
BookMySMS (Decipher Consultancy Services)
295, Block C, Sushant Lok III, Sector 57, Gurugram, Haryana – 122003
Email: support@bookmysms.com
Phone: +91-9911202099
Response time: Within 30 days of receiving your complaint.
If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India as established under the DPDP Act 2023.
13. Duties of Data Principal
Under Section 15 of the DPDP Act, as a Data Principal, you have the following duties:
- You must not submit false or misleading personal data when using our services or filling out forms.
- You must not impersonate another person when providing personal data.
- You must not suppress any material information when exercising your rights under this policy.
- You must not register false or frivolous grievances or complaints with us or the Data Protection Board.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or the DPDP Act rules. When we make material changes:
- The updated policy will be published on this page with a new “Last updated” date.
- For significant changes, we will notify registered clients via email.
- Where required by the DPDP Act, we will seek fresh consent before applying changes to data already collected.
15. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- Email: support@bookmysms.com
- Phone: +91-9911202099
- Address: 295, Block C, Sushant Lok III, Sector 57, Gurugram, Haryana – 122003
For data protection specific matters, please email support@bookmysms.com.