Privacy Compliance Checker
Select jurisdictions, answer the diagnostic questions, and get a structured gap analysis with recommendations mapped to specific legal provisions.
Record of Processing Activities
Build and maintain your RoPA in-browser. All data stays in your session. Export to CSV or JSON.
No activities yet
Add your first processing activity to start building your RoPA.
Under Art. 30 GDPR, controllers and processors with 250 or more employees must maintain a full RoPA. Smaller organisations must still keep records where the processing is not occasional, is likely to result in a risk to individuals' rights and freedoms, or involves special categories or criminal-conviction data (Art. 30(5)).
India's DPDPA places broad accuracy and security obligations on data fiduciaries. A RoPA supports demonstrating accountability, especially for Significant Data Fiduciaries subject to audit obligations under S. 10.
Brazilian law requires controllers and operators to keep records of processing operations, particularly where legitimate interest is relied upon as the legal basis.
Even where not legally mandated, a RoPA is the foundation of any accountability framework. It is typically the first document a supervisory authority requests during an investigation.
Transfer Impact Assessment
Evaluate the legal and practical risk of cross-border personal data transfers. Based on EDPB Recommendations 01/2020 on supplementary transfer tools.
Answer honestly based on your knowledge of the destination country's legal framework.
Based on EDPB Recommendations 01/2020 on measures supplementing transfer tools (updated January 2022).
Privacy / Data Protection Impact Assessment
A structured six-step assessment to identify, document, and mitigate privacy risks before commencing high-risk processing activities.
Step 1: Project Context
Step 2: Screening. Is a DPIA Mandatory?
A DPIA is mandatory under GDPR Art. 35 if any of the following apply. It is also best practice for any processing that may pose significant risks.
Step 3: Data Flows & Processing Details
Step 4: Necessity & Proportionality
Assess whether the processing is the minimum required to achieve the stated purpose.
Step 5: Risk Identification & Mitigation
Identify key privacy risks, their likelihood and severity, and the controls in place to mitigate them.
| Risk Description | Likelihood | Severity | Inherent Risk | Mitigation Measure | Residual Risk |
|---|---|---|---|---|---|
Step 6: Outcome & Approval
About Privacipher
A free privacy compliance platform built for lawyers, compliance officers, and in-house counsel working across jurisdictions. Seventeen modules. Zero backend. Open source.
Privacipher is a free, zero-backend privacy compliance suite designed for legal professionals, compliance teams, and businesses navigating multi-jurisdictional data protection obligations. Everything runs in your browser. No data leaves your device.
The tool gives practitioners a structured starting point, not a shortcut. Every question is mapped to a specific statutory provision. Every recommendation is grounded in the primary text of the applicable law.
Privacipher covers nine jurisdictions: GDPR (EU), DPDPA 2023 (India), CCPA/CPRA (California), LGPD (Brazil), PDPA (Thailand), PDPA (Singapore), PIPL (China), POPIA (South Africa), and the Privacy Act 1988 (Australia).
All questions and recommendations are derived from primary legal texts: the actual statutes and regulations, not secondary summaries. Each question references the specific provision so you can verify the source directly.
Regulatory requirements change. The tool carries version numbers and a changelog. If you identify an error or an update not yet reflected, open a GitHub issue or submit a pull request.
Privacipher is an educational and informational tool only. It does not constitute legal advice, create a lawyer-client relationship, or substitute for qualified legal counsel. Results generated are starting points for internal review, not definitive compliance determinations. Laws change; always verify against current primary texts. Adv. Sanket Shah and the contributors to this project accept no liability for reliance on outputs generated by this tool.
Privacipher is open source and free to use. If you spot an error, a legal update not yet incorporated, or want to contribute, raise an issue or PR on GitHub.
GitHub Repository
Changelog
A record of what changed, what was fixed, and what was added in each release.
-
- new Seven additional practitioner modules, bringing total module count to 17: DSAR Tracker (deadline-aware request log with CSV export); Legitimate Interest Assessment Builder (three-part test, exportable LIA); Privacy Notice Generator (GDPR and DPDPA notice draft from structured input); DPA Checklist (Art. 28 GDPR and DPDPA clause audit with gap list); Consent Flow Auditor (heuristic validity check against jurisdictional criteria); Cross-Border Transfer Mechanism Selector (decision tree across GDPR, DPDPA, PIPL, POPIA, LGPD, CCPA); Regulatory Authority Directory (DPAs, breach portals, official URLs for 9 jurisdictions).
- new Complete design system overhaul inspired by editorial design principles: paper and ink colour palette (#FAFAF7 and #0F1114), monospace eyebrows with leader lines, numbered modules (01 / 17 format), italicised editorial accent headers, refined typography hierarchy.
- new Full-screen module menu overlay replaces the horizontal tab bar and mobile bottom bar. All 17 modules grouped into four categories (Assessments, Builders, Reference, Information) in a clean numbered grid. The same interface works identically across desktop, tablet, and mobile with responsive column layouts.
- new Current-module breadcrumb in the header shows module number and category at all times ("04 / 17 · Assessments · LIA Builder").
- improved Smooth panel transitions: staggered fade-in animation on every tab switch with cubic-bezier easing; module menu uses coordinated opacity and transform transitions.
- improved Global typography: em dashes removed throughout the tool and replaced with periods, commas, or parenthetical structure for improved readability in the practitioner writing register.
- improved About section restructured to show all 17 modules grouped by category with numbered descriptions.
- improved DSAR Tracker auto-calculates response deadlines per jurisdiction: GDPR 30 days (Art. 12(3) states "one month"), DPDPA 90 days, CCPA 45 days, LGPD 15 days, PDPA Thailand 30 days, PDPA Singapore 30 days, PIPL 15 working days, POPIA "reasonable" (no fixed deadline), Privacy Act (Australia) 30 days as best practice. Colour-coded days-left warnings (green, amber, red, overdue).
- improved Consent Flow Auditor includes contextual adjustments for sensitive data, children's data, and cookie consent with separate validity thresholds.
- improved Transfer Mechanism Selector accounts for adequacy decisions (including the December 2025 EU-UK renewal), volume thresholds for PIPL CAC security assessment (1M / 100K / 10K), and context-specific derogations under Art. 49 GDPR.
- improved DPA Checklist uses weighted scoring across 19 mandatory clauses with Yes / Partial / No / N/A granularity, producing a prioritised negotiation gap list.
- fix Keyboard shortcut: Escape now closes the module menu on all platforms.
- fix Body scroll locked when module menu is open; unlocks on close.
- fix Active-module state correctly reflected in both header breadcrumb and menu grid on every tab switch.
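The deadline logic the DSAR Tracker entry above describes has three cases a tracker has to handle differently: calendar-day periods, the PIPL working-day period, and jurisdictions with no fixed period (POPIA). The following is an added example, not Privacipher's own code, showing one way to implement that arithmetic in the browser-side JavaScript such a tool runs in. The deadline figures are the ones listed in the changelog, kept as data so they can be corrected without touching the logic; the amber/red thresholds (10 and 3 days) and the treatment of working days as Monday to Friday with no public-holiday calendar are assumptions of this example.

```javascript
// Added example (not Privacipher's own code): DSAR deadline arithmetic.
// Rules below are the tracker's configured periods from the changelog; they are
// simplifications (GDPR Art. 12(3) says "one month", modelled here as 30 days)
// and not legal advice. Working days skip Saturday/Sunday only; public holidays
// are deliberately not modelled (an assumption of this example).
const DEADLINE_RULES = {
  GDPR:       { days: 30, unit: "calendar" },
  DPDPA:      { days: 90, unit: "calendar" },
  CCPA:       { days: 45, unit: "calendar" },
  LGPD:       { days: 15, unit: "calendar" },
  PDPA_TH:    { days: 30, unit: "calendar" },
  PDPA_SG:    { days: 30, unit: "calendar" },
  PIPL:       { days: 15, unit: "working" },
  POPIA:      { days: null, unit: "reasonable" },
  AU_PRIVACY: { days: 30, unit: "calendar", bestPractice: true },
};

const MS_PER_DAY = 86_400_000;

// Parse YYYY-MM-DD as UTC midnight so a local DST change never shifts the day.
function parseIsoDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  if (!m) throw new Error(`bad date: ${s}`);
  return new Date(Date.UTC(+m[1], +m[2] - 1, +m[3]));
}

function toIso(d) {
  return d.toISOString().slice(0, 10);
}

function addCalendarDays(d, n) {
  return new Date(d.getTime() + n * MS_PER_DAY);
}

// Count n Monday-to-Friday days forward, starting the day after receipt.
function addWorkingDays(d, n) {
  let cur = d;
  let remaining = n;
  while (remaining > 0) {
    cur = addCalendarDays(cur, 1);
    const dow = cur.getUTCDay(); // 0 = Sunday, 6 = Saturday
    if (dow !== 0 && dow !== 6) remaining -= 1;
  }
  return cur;
}

// Returns { deadline: "YYYY-MM-DD" | null, daysLeft: number | null, status }
// where status is "green" | "amber" | "red" | "overdue" | "none".
// A jurisdiction with no fixed period yields status "none" rather than a
// fabricated date, so the UI can show "reasonable" instead of a countdown.
function computeDeadline(jurisdiction, receivedIso, todayIso, amberAt = 10, redAt = 3) {
  const rule = DEADLINE_RULES[jurisdiction];
  if (!rule) throw new Error(`unknown jurisdiction: ${jurisdiction}`);
  if (rule.unit === "reasonable") {
    return { deadline: null, daysLeft: null, status: "none" };
  }
  const received = parseIsoDate(receivedIso);
  const today = parseIsoDate(todayIso);
  const deadline = rule.unit === "working"
    ? addWorkingDays(received, rule.days)
    : addCalendarDays(received, rule.days);
  const daysLeft = Math.round((deadline.getTime() - today.getTime()) / MS_PER_DAY);
  let status;
  if (daysLeft < 0) status = "overdue";
  else if (daysLeft <= redAt) status = "red";
  else if (daysLeft <= amberAt) status = "amber";
  else status = "green";
  return { deadline: toIso(deadline), daysLeft, status };
}

// Constructed sample: a PIPL request received on Monday 2025-03-03 is due on
// 2025-03-24 (15 working days); viewed on 2025-03-22 it is two days from due.
const sample = computeDeadline("PIPL", "2025-03-03", "2025-03-22");
console.log(sample);
```

Keeping the periods in a data table separate from the arithmetic matters in practice: a period the tool gets wrong (or a regulator changes) is a one-line data fix, and the "reasonable" case returns no date at all rather than silently inventing one.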
-
- new Privacy Law Enforcement Calendar. 11 verified regulatory milestones from February 2025 through April 2028, filterable by jurisdiction, covering EU AI Act, DPDPA, CCPA/CPRA, LGPD, and China. Breach notification timelines reference table for all 9 jurisdictions in one view.
- new Breach Response Playbook: jurisdiction-specific, step-by-step incident response guides for all 9 frameworks. Each playbook shows the authority deadline, the individual notification deadline, and primary statutory references. Covers PIPL's 1-hour CAC window (CAC Cybersecurity Incident Reporting Measures, eff. 1 Nov 2025), Australia's new 2024 statutory tort, DPDPA's CERT-In parallel obligation, and LGPD's ANPD Regulation CD/ANPD 15/2024.
- new Quick Tools tab: DPO Necessity Checker (GDPR, DPDPA, LGPD, PDPA Thailand, PDPA Singapore with statutory references); Penalty Structures table covering all 9 jurisdictions with administrative fines, criminal penalties, and enforcement authority; GDPR Adequacy Decisions status including the EU-UK renewal (December 2025) and the EU-US DPF.
- new Terms of Use & Legal Disclaimer: standalone tab with a ten-section legal disclaimer covering nature of the tool, no-legal-advice clause, no warranty, limitation of liability, force majeure, governing law, privacy statement, permitted use, open source licensing, and contact information.
- improved Tab navigation expanded from 6 to 10 modules; mobile bottom bar updated accordingly.
- improved DPDPA enforcement timeline updated to reflect DPDP Rules 2025 (G.S.R. 843(E), notified 13 November 2025): Board established; full enforcement from 13 May 2027; 72-hour breach notification confirmed in Rule 7.
- improved China section updated to reflect CAC Cybersecurity Incident Reporting Measures (effective 1 November 2025) and Measures for Certification of Outbound Transfer of Personal Information (effective 1 January 2026).
- improved CCPA/CPRA section updated to reflect CPPA final regulations (effective 1 January 2026): mandatory Privacy Risk Assessments, independent cybersecurity audits, and ADMT rules.
- improved Footer now includes a Terms of Use link pointing to the dedicated tab.
- improved Calendar filter bar allows one-click jurisdiction filtering of all enforcement milestone cards.
-
- new RoPA Builder: in-browser Record of Processing Activities builder with the full Art. 30 GDPR field set. Add, edit, delete processing activities. Export to CSV and JSON. Session-only, with a clear disclaimer.
- new Transfer Impact Assessment (TIA): structured seven-question destination-country assessment; risk scoring matrix across mechanism type, volume, data sensitivity, and legal framework; rated Low / Medium / High output with supplementary measures mapped to EDPB Recommendations 01/2020 (updated January 2022).
- new PIA / DPIA: six-step Privacy and Data Protection Impact Assessment. Step 2 screening covers nine mandatory and recommended triggers including GDPR Art. 35(3)(a–c), DPDPA S. 10, and PIPL Art. 55. Interactive risk matrix with likelihood × severity inherent risk calculation. Generates an exportable .txt assessment report.
- new Privacipher logo: geometric shield mark with "P" letterform and cipher data-stream accent dots. Uses inline SVG with gradient fills.
- improved Complete design overhaul: portfolio-matched colour system (bg-base #F8FAFC, accent #2563EB, text-primary #0F172A); Outfit + Inter + JetBrains Mono typography stack; radius-lg cards; subtle layered shadows.
- improved Compliance Checker fully rewritten: weighted scoring (question-level weights 2–3); animated SVG score ring with colour-coded readiness; live gap panel updating on each answer; per-jurisdiction progress bars; exportable .txt gap report with statutory references and remediation actions.
- improved All 92 questions across 9 jurisdictions reviewed and updated against primary statutory texts. GDPR (15q), DPDPA (14q), CCPA/CPRA (10q), LGPD (9q), PDPA Thailand (8q), PDPA Singapore (8q), PIPL (10q), POPIA (8q), Privacy Act Australia (10q).
- improved DPDPA updated to reflect the Digital Personal Data Protection Act, 2023 as enacted (Presidential assent: 11 August 2023), replacing all references to earlier Bill drafts.
- improved Australia section updated to reflect Privacy and Other Legislation Amendment Act 2024 (Royal Assent: November 2024), including new statutory tort for serious privacy invasion.
- improved PIPL section expanded with CAC security assessment thresholds (>1M persons; >100K cross-border annually; >10K sensitive PI cross-border annually); PIPIA requirements under Art. 55; and three-tier cross-border transfer mechanism structure.
- improved About section updated with current credentials, publications, and professional links from live portfolio.
- improved Sticky desktop tab bar and scrollable mobile bottom tab bar across six modules.
- fix Accordion headers now correctly toggle without layout shifts on repeated open/close.
- fix Score ring animates correctly on first load and after re-running the checker with a different jurisdiction set.
- fix Mobile bottom tab bar scrolls horizontally without clipping on narrow viewports.
- fix Jurisdiction chip deselection correctly removes that jurisdiction's questions from the active assessment and recalculates the score ring.
- fix RoPA modal forms reset cleanly on close; no stale data carries over between add and edit cycles.
-
- new Expanded to 9 jurisdictions: added PIPL (China) and Privacy Act 1988 (Australia)
- new Mobile bottom tab bar navigation
- improved Scoring system with per-jurisdiction progress bars
- fix Various layout and rendering glitches on mobile viewports
-
- new Multi-jurisdiction selector with accordion-style question panels
- new Gap analysis output panel with remediation recommendations
- improved Question flow redesigned with Yes / No / N/A answer options
-
- new Initial launch with GDPR and DPDPA compliance checkers
- new Basic compliance scoring output
Privacy Law Enforcement Calendar
Key regulatory milestones, enforcement deadlines, and upcoming compliance dates across major jurisdictions. Dates verified against official gazette notifications and regulatory publications.
Eight categories of AI practice are now permanently banned across the EU under Art. 5 of the AI Act: social scoring by public or private actors; real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow, authorised exceptions); subliminal or manipulative techniques; exploitation of the vulnerabilities of specific groups; untargeted scraping of facial images from the internet or CCTV; emotion recognition in workplace and educational settings; biometric categorisation that infers sensitive attributes such as race, political opinions, or sexual orientation; and predicting the risk of a person committing a criminal offence based solely on profiling or personality traits.
GPAI model providers must maintain technical documentation and a publicly available summary of training content (using the Commission template). Copyright compliance measures are required. Providers of GPAI models with systemic risk face additional obligations including adversarial testing. 26 major AI providers (Microsoft, Google, Amazon, OpenAI, Anthropic) signed the GPAI Code of Practice. Meta declined.
The Digital Personal Data Protection Rules 2025 were officially notified via Gazette (G.S.R. 843(E) and 846(E)). The Data Protection Board of India (DPBI) is now established and operational. Board-constitution provisions, sections 18–26, and the penalty framework under sections 35 and 38–44 are in force. Substantive compliance obligations (consent, breach notification, rights) come into force 18 months from this date, on 13 May 2027.
CAC issued final Measures for the Administration of the Reporting of Cybersecurity Incidents (effective 1 November 2025). Major incidents involving large-scale personal data or important data must be reported to the CAC within 1 hour. General cybersecurity incidents face tiered reporting windows of 4–24 hours depending on severity and scope. Applies to domestic and foreign companies providing network services or online products in China.
California Privacy Protection Agency regulations effective: mandatory Privacy Risk Assessments (PRAs) required before initiating processing that presents a "significant risk" to consumer privacy; annual independent cybersecurity audits for qualifying businesses; updated rules on ADMT (automated decision-making technology), profiling in HR and education contexts, and AI training using biometric data. Data brokers must now disclose foreign government data sharing.
Third mechanism for cross-border transfers under PIPL now operational. Certification by a CAC-accredited body is an alternative to the CAC security assessment and the standard contract for qualifying organisations. Provides a more flexible compliance pathway for regular commercial data transfers not meeting security assessment thresholds.
Full obligations for Annex III high-risk AI systems become enforceable. High-risk categories include: AI used in critical infrastructure; education and vocational training; employment and worker management; access to essential private and public services; law enforcement; migration and border control; and administration of justice. Providers must complete conformity assessments, maintain technical documentation, and register their systems in the EU database before placing them on the market; deployers carry their own obligations, including using the system according to its instructions, ensuring human oversight, and (for certain deployers) completing a fundamental rights impact assessment and registration.
Entities seeking to operate as Consent Managers under DPDPA must complete registration by this date. Eligibility: India-incorporated entities only; minimum net worth of ₹2 crore; must operate an independent, interoperable consent management platform. Foreign platforms (including OneTrust, TrustArc) are not eligible to register as Consent Managers. Organisations relying on consent as a legal basis must integrate with a registered Consent Manager.
Businesses must have completed Privacy Risk Assessments for covered processing activities that existed before 1 January 2026 (the date the PRA regulations took effect). Covered activities include: selling or sharing personal information; processing sensitive PI; using ADMT for significant decisions; profiling in HR or educational contexts; and training ADMT or biometric technologies. Annual senior-executive attestation and summary submission to CPPA is due April 1, 2028.
All substantive obligations of the DPDPA 2023 and DPDP Rules 2025 become enforceable with no grace period. Obligations include: privacy notices and granular consent; verifiable parental consent for children's data; 72-hour breach notification to the DPBI and data principals; automated deletion when the purpose is served; data principal rights infrastructure (access, correction, erasure, grievance redressal within 90 days); and security safeguards. Full penalties (up to ₹250 crore per violation) apply from day one.
Full application including high-risk AI systems embedded in regulated products (medical devices, machinery, aviation, automotive). Legacy AI systems deployed before August 2026 that are subject to Annex III must comply by this date. Note: under the EU's Digital Omnibus simplification package (proposed November 2025), certain enforcement timelines for high-risk systems may be extended if harmonised standards are unavailable; backstop dates of 2 December 2027 and 2 August 2028 have been proposed.
Businesses with annual revenue exceeding $100M that process PI presenting a "significant risk to security" must file their first annual independent cybersecurity audit certification by April 1, 2028. Phased for smaller businesses: $50M–$100M by April 1, 2029; $25M–$50M by April 1, 2030. Triggers for "significant risk": 50%+ revenue from selling/sharing PI; 250,000+ consumer records; or 50,000+ sensitive PI records.
| Jurisdiction | Authority Notification | Individual Notification | Threshold | Primary Reference |
|---|---|---|---|---|
| 🇪🇺 GDPR (EU) | 72 hours from awareness | Without undue delay (high risk) | Art. 33: any risk to rights. Art. 34: high risk | Arts. 33–34, GDPR |
| 🇮🇳 DPDPA (India) | Without delay (initial); 72 hours for full report | Without delay to each affected data principal | Any personal data breach | S. 8(6) DPDPA; Rule 7, DPDP Rules 2025 |
| 🇺🇸 CCPA/CPRA (CA) | Notify CA AG if >500 CA residents affected; no fixed deadline | "Most expedient time possible and without unreasonable delay" (Cal. Civ. Code §1798.82, the state breach statute, not CCPA/CPRA itself) | Unencrypted PI affected | Cal. Civ. Code §1798.82 |
| 🇧🇷 LGPD (Brazil) | 3 working days from awareness | Reasonable timeframe | Risk or significant harm to data subjects | Art. 48 LGPD; ANPD CD/ANPD 15/2024 |
| 🇹🇭 PDPA (Thailand) | Without delay and, where feasible, within 72 hours of awareness, unless the breach is unlikely to result in a risk | Without undue delay (high risk) | Likely to cause harm to data subjects | S. 37(4), PDPA Thailand |
| 🇸🇬 PDPA (Singapore) | 3 calendar days after notifiable determination (30-day overall target from discovery) | As soon as practicable after PDPC notified | Significant harm OR 500+ individuals | S. 26D, PDPA Singapore |
| 🇨🇳 PIPL (China) | Immediately to the CAC. Major incidents (national security / large-scale personal data): within 1 hour; general incidents on tiered 4–24 hour windows (Cybersecurity Incident Reporting Measures, eff. 1 Nov 2025) | Immediately, unless effective remediation avoids harm | Any PI breach or potential breach | Art. 57 PIPL; CAC Cybersecurity Incident Reporting Measures 2025 |
| 🇿🇦 POPIA (South Africa) | As soon as reasonably possible to Information Regulator | As soon as reasonably possible | Reasonable belief of unauthorised access | S. 22, POPIA |
| 🇦🇺 Privacy Act (Australia) | As soon as practicable to OAIC | As soon as practicable (or publish statement if impracticable) | Likely to result in serious harm (NDB scheme) | Pt IIIC, Privacy Act 1988 |
Breach Response Playbook
A structured response guide for personal data breaches across nine jurisdictions. Select a jurisdiction to see your specific obligations, timelines, and notification requirements.
Quick Tools
Frequently needed reference tools for privacy lawyers: DPO necessity checker, penalty structures by jurisdiction, and the current status of adequacy decisions.
Answer the questions to determine whether appointment of a DPO or equivalent is mandatory under GDPR, DPDPA, LGPD, and PDPA frameworks.
| Jurisdiction | Maximum Administrative Fine | Criminal Penalties | Other Consequences | Enforcement Authority |
|---|---|---|---|---|
| 🇪🇺 GDPR (EU) | €20M or 4% of global annual turnover, whichever is higher (Art. 83(5)); €10M or 2% for less serious violations (Art. 83(4)) | Member state criminal law applies; varies by country | Temporary/permanent bans on processing; orders to erase data; suspension of data flows | National DPAs (CNIL, ICO, BfDI, DPC, etc.) |
| 🇮🇳 DPDPA (India) | Up to ₹250 crore for failure to implement reasonable security safeguards (S. 8(5)); ₹200 crore for failure to notify a breach (S. 8(6)) and for children's data violations (S. 9); ₹150 crore for Significant Data Fiduciary obligations (S. 10); ₹50 crore for any other breach of the Act or Rules; ₹10,000 for breach of a data principal's duties (S. 15) (Schedule, DPDPA 2023) | No criminal sanctions under DPDPA (administrative penalties only) | DPBI can issue directions to cease processing; SDF-specific orders | Data Protection Board of India (DPBI) |
| 🇺🇸 CCPA/CPRA (CA) | $2,500 per violation; $7,500 per intentional violation or violation involving the personal information of consumers known to be under 16 (Cal. Civ. Code §1798.155) | No criminal sanctions directly under CCPA/CPRA | Private right of action for data breach: statutory damages $100–$750 per consumer per incident or actual damages. CPPA enforcement actions. | California Privacy Protection Agency (CPPA); CA Attorney General |
| 🇧🇷 LGPD (Brazil) | 2% of Brazil operations turnover in the prior fiscal year, up to R$50M per violation (Art. 52(I)). Reduced for good faith, cooperation, and risk mitigation. | No criminal sanctions under LGPD | Daily fines; suspension of processing for up to 6 months; prohibition of processing; deletion of personal data | Autoridade Nacional de Proteção de Dados (ANPD) |
| 🇹🇭 PDPA (Thailand) | Administrative fines up to THB 5 million (S. 83–86, PDPA Thailand) | Up to 1 year imprisonment and/or THB 1M fine. Up to 3 years imprisonment and/or THB 3M fine for sensitive PI. Intentional malicious use: up to 6 months imprisonment and/or THB 500K. | Civil liability: actual damages plus additional punitive compensation up to twice actual damages | Office of PDPC Thailand; Criminal courts |
| 🇸🇬 PDPA (Singapore) | 10% of annual turnover in Singapore or S$1M, whichever is higher, for organisations with Singapore turnover above S$10M; up to S$1M for all others (S. 48J, PDPA 2012 as amended 2020) | Up to S$100,000 or imprisonment of up to 12 months or both (depending on offence). Enhanced criminal penalties for malicious disclosure | Directions to stop collection or use; directions to destroy PI; public naming | Personal Data Protection Commission (PDPC) |
| 🇨🇳 PIPL (China) | Up to CNY 50M or 5% of prior year turnover for serious violations (Art. 66(2) PIPL). Up to CNY 1M for less serious violations (Art. 66(1)). Business licence revocation possible. | Persons directly responsible: up to CNY 1M personal fine. Criminal liability under PRC Criminal Law for serious cases. | Suspension or termination of services; prohibition from processing; national blacklist for responsible individuals | Cyberspace Administration of China (CAC); sectoral authorities |
| 🇿🇦 POPIA (South Africa) | Administrative fines up to R10,000,000 (S. 107, POPIA) | Imprisonment up to 10 years for certain offences (obstructing the regulator, unlawful processing of special category data maliciously) | Civil damages by data subjects; enforcement notices; public naming | Information Regulator (South Africa) |
| 🇦🇺 Privacy Act (Australia) | AU$50M or 3× the benefit obtained or 30% of adjusted turnover in the relevant period. whichever is greater. For serious/repeated interferences. (S. 13G, Privacy Act 1988 as amended 2024) | No criminal sanctions directly under Privacy Act | Civil penalties; enforceable undertakings; injunctions; declaratory relief; compensation orders | Office of the Australian Information Commissioner (OAIC) |
Sources: GDPR Arts. 83–84; DPDPA 2023 Schedule; Cal. Civ. Code §1798.155; LGPD Art. 52; PDPA Thailand Ss. 83–86; PDPA Singapore S. 48J; PIPL Art. 66; POPIA S. 107; Privacy Act 1988 (Cth) S. 13G (as amended by Privacy and Other Legislation Amendment Act 2024). Fines are per-violation figures; cumulative fines may be significantly higher for systemic violations.
Countries/territories with a European Commission adequacy decision allow personal data transfers from the EEA without additional transfer mechanisms. Status as of April 2025.
Legitimate Interest Assessment
The three-part test under Art. 6(1)(f) GDPR (purpose, necessity, and balancing), structured as a guided form. Generates a defensible, documented LIA suitable for your records file.
Identify the legitimate interest pursued. Interests may be your own, those of a third party, or broader commercial or societal interests. Not all interests are legitimate; the test is objective.
Processing must be necessary to achieve the interest, not merely useful. If the interest can be achieved with less intrusive processing, the legitimate interests basis fails.
Weigh your interest against the rights, freedoms, and reasonable expectations of data subjects. If the balance tips toward the individual, the legitimate interests basis fails.
Data Subject Request Tracker
Log, track, and manage Data Subject Access Requests and other rights requests. Auto-calculated deadlines per jurisdiction, status management, and CSV export.
| # | Name | Type | Jurisdiction | Received | Deadline | Days Left | Status | Actions |
|---|---|---|---|---|---|---|---|---|
No requests logged. Add your first request above.
Consent Flow Auditor
Paste a consent notice, cookie banner, or sign-up flow text. Run it against jurisdiction-specific validity criteria from GDPR Art. 7 & 4(11), DPDPA S. 6, and LGPD Art. 8.
Privacy Notice Generator
Fill in a structured form and generate a GDPR and DPDPA ready privacy notice draft. The output covers all mandatory disclosures under Arts. 13 and 14 GDPR and S. 5 DPDPA.
Data Processing Agreement Checklist
Assess whether a draft DPA covers all mandatory clauses under Art. 28 GDPR, DPDPA processor obligations, and LGPD Art. 39. Answer Yes, Partial, or No per clause and get a structured gap list for negotiation.
Cross-Border Transfer Mechanism Selector
A decision tree for identifying the correct lawful mechanism for an international personal data transfer. Covers GDPR Chapter V, DPDPA S. 16, PIPL Arts. 38 to 43, and POPIA S. 72.
Regulatory Authority Directory
Data protection authorities, complaint portals, and breach notification URLs across nine jurisdictions. Verified against official sources, April 2025.
Terms of Use & Legal Disclaimer
Please read these terms carefully before using Privacipher. By using any part of this tool, you agree to be bound by them.
Privacipher is a free educational tool built by a practising technology lawyer. It does not give legal advice. Nothing it produces (assessment outputs, gap reports, playbooks, or any other content) constitutes advice on which you should rely without qualified legal review. Use it to structure your thinking and prepare drafts. Have a lawyer check the output. The tool processes nothing on the server side: all data stays in your browser and disappears when you close the tab.
Privacipher is an informational and educational privacy compliance platform built and maintained by Adv. Sanket Shah, a technology lawyer practising in Indore, India, holding an LL.M. in IPR and Technology Law from Jindal Global Law School and enrolled at the Bar Council of India.
The tool is provided free of charge on a purely informational basis. Access to, or use of, Privacipher, including any of its modules (Compliance Checker, RoPA Builder, Transfer Impact Assessment, PIA/DPIA, Breach Response Playbook, Enforcement Calendar, Quick Tools, or any other current or future module), does not create, and is not intended to create, a lawyer-client relationship, an attorney-client relationship, a solicitor-client relationship, or any other professional advisory relationship of any kind between Adv. Sanket Shah and the user.
No duty of care, confidentiality, privilege, or any other professional obligation arises from the use of this tool. Users are not "clients" of Adv. Sanket Shah by virtue of using Privacipher.
Nothing produced by, contained within, or generated by Privacipher constitutes legal advice, legal opinion, or a substitute for qualified legal counsel. This includes without limitation: compliance assessments and readiness scores; gap reports and remediation recommendations; Records of Processing Activities (RoPAs); Transfer Impact Assessments; Privacy and Data Protection Impact Assessments; Breach Response Playbooks; Enforcement Calendar entries; DPO necessity determinations; penalty reference information; adequacy decision summaries; and any other content, output, or guidance the tool generates.
All outputs are intended as starting points to structure internal thinking, prepare working drafts, and identify areas for further professional review, not as definitive compliance determinations. Before acting on any output, filing any regulatory notification, executing any contractual document, or making any business decision based on or informed by outputs from this tool, users must obtain advice from a qualified lawyer with expertise in the applicable jurisdiction and subject matter.
Privacy and data protection law is highly fact-specific. A general compliance assessment cannot substitute for advice tailored to your organisation's specific circumstances, processing activities, risk profile, sector, and applicable regulatory requirements.
Reasonable efforts are made to ensure that the content of this tool reflects the state of the law as of the version date stated in the Changelog. All statutory provisions, regulatory deadlines, penalty figures, and enforcement information are verified against primary legal texts at the time of writing. However:
- · Privacy and data protection laws change frequently and sometimes rapidly. Regulatory guidance, enforcement decisions, and court judgments issued after the version date may alter the analysis.
- · The tool covers nine jurisdictions at a general level. It does not capture sector-specific regulations (e.g. HIPAA, PCI-DSS, RBI Master Directions, SEBI regulations) that may impose additional or different obligations.
- · Penalty figures reflect statutory maximums. Actual penalties imposed by regulators depend on mitigating and aggravating factors, cooperation, and enforcement policy. they may be lower or, where multiple violations are aggregated, substantially higher.
- · Regulatory guidance, working party opinions, and supervisory authority decisions interpret and supplement the text of legislation. The tool cannot capture all such guidance and does not substitute for reading it directly.
No representation, warranty, or guarantee, express or implied, is made that the content of this tool is accurate, complete, up to date, fit for any particular purpose, or applicable to any particular set of facts. Users are solely responsible for verifying all information against current primary legal texts and official regulatory guidance before acting.
To the fullest extent permitted by applicable law, Adv. Sanket Shah, any contributors to the tool, and any persons or entities associated with its development or maintenance expressly disclaim all liability, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for any loss, damage, cost, expense, regulatory penalty, compliance failure, business disruption, reputational harm, or other consequence of any kind arising from or in connection with:
- Use of, or reliance on, any output, content, or guidance generated by or contained within this tool;
- Any inaccuracy, incompleteness, or outdatedness in the content of the tool;
- Any failure, interruption, or unavailability of the tool;
- Any decision made, or action taken or omitted to be taken, on the basis of outputs from this tool, whether or not the loss was foreseeable and whether or not the user was advised of the possibility of such loss.
Where liability cannot be excluded by law (for example, for fraud or death/personal injury caused by negligence), nothing in these terms limits or excludes that liability.
Privacipher is a fully client-side application. All processing occurs in your browser using JavaScript. No personal data, company information, assessment answers, RoPA entries, risk assessment data, or any other information entered into or generated by this tool is transmitted to, collected by, logged by, or stored on any server operated by Adv. Sanket Shah or any third party associated with this tool.
All session data is held in browser memory only and is permanently and irrecoverably lost when the browser tab is closed, unless the user exports it using the built-in export functions (e.g. RoPA CSV/JSON export, gap report export, PIA report export). Adv. Sanket Shah has no access to, and retains no copy of, any data entered by users.
This tool does not use cookies, tracking pixels, analytics scripts, or any third-party data collection mechanisms. The only external resources loaded are Google Fonts (typography); standard browser privacy controls apply to those requests.
Subject to these terms, you are granted a non-exclusive, revocable, worldwide licence to access and use Privacipher for personal and professional purposes, including in a commercial context. You may use outputs generated by the tool in your own compliance work, client advisory work, internal training, and documentation.
You must not: (a) resell or sublicense this tool or present it as your own product; (b) remove or obscure any attribution to Adv. Sanket Shah; (c) use the tool or its outputs in a manner that implies endorsement by Adv. Sanket Shah of any product, service, or compliance position without written permission; or (d) represent any output of this tool as constituting legal advice or a formal legal opinion.
Attribution: if you publicly share or publish outputs generated by this tool, attribution to Privacipher (https://advsanketshah.github.io/Privacipher/) and Adv. Sanket Shah is appreciated but not legally required for personal or professional use.
Privacipher is open source. The source code is publicly available at github.com/advsanketshah/Privacipher. You are welcome to fork, adapt, and contribute to the tool. Pull requests, issue reports, and suggestions for improving regulatory accuracy are actively encouraged.
If you identify a legal inaccuracy (an incorrect statutory reference, an outdated regulatory deadline, a missing jurisdiction-specific requirement), please raise a GitHub issue citing the primary source (statute, regulation, or official regulatory guidance). This helps keep the tool accurate for all users.
This tool may reference or link to external regulatory websites, official gazette publications, supervisory authority portals, and other third-party resources. These links are provided for convenience and reference only. Adv. Sanket Shah has no control over, and accepts no responsibility for, the content, accuracy, or availability of any third-party website or resource. The inclusion of a link does not imply endorsement.
Links to official regulatory portals (e.g. EDPB, OAIC, PDPC Singapore, Information Regulator South Africa) are provided to help users locate primary sources. Always verify that you are accessing the official website of the relevant authority.
These terms of use are governed by the laws of India. Any dispute arising from or in connection with the use of this tool shall be subject to the exclusive jurisdiction of the courts of Indore, Madhya Pradesh, India.
Users outside India access the tool on the understanding that local laws may impose additional obligations, and that accessing the tool does not imply that these terms satisfy any local legal requirement for terms of service, data processing notices, or similar.
These terms may be updated from time to time to reflect changes in the tool's features, applicable law, or best practice. The current version of the terms is always available in this tab. The version date is reflected in the tool's Changelog. Continued use of the tool after terms are updated constitutes acceptance of the revised terms.
These terms were last updated: April 2025 (Privacipher v4.1).
For questions about these terms, to report a legal inaccuracy in the tool, or to enquire about professional legal services: