Terms of Use & Legal Disclaimer
You may:
- Use the Tool freely for your own or your organisation's compliance self-assessment
- Share the Tool's URL with colleagues, clients, or on social media
- Reference or cite the Tool and its output in reports, proposals, or presentations, with attribution to Adv. Sanket Shah
- Download and retain your PDF report for internal records or legal files
- Use the Tool's outputs to identify gaps and guide your own compliance programme
- Discuss the Tool's findings in professional or academic contexts
You may not:
- Reproduce, copy, or distribute the Tool's scoring methodology, question framework, sector analysis, or remediation guidance as your own work
- Incorporate the Tool (its questions, logic, or content) into a commercial product, SaaS platform, or paid service without prior written permission
- Present the Tool's output as a formal legal opinion, compliance audit, or regulatory certification
- Remove or obscure attribution to Adv. Sanket Shah when sharing or referencing outputs
About This Tool
Privacipher is a free, browser-based self-assessment tool developed by Adv. Sanket Shah, an advocate practising in AI & Tech Law, data protection, and contract lifecycle management.
The Tool helps organisations conduct a preliminary assessment of their compliance posture across one or more of the following nine frameworks:
- The Digital Personal Data Protection Act, 2023 (DPDPA) and Digital Personal Data Protection Rules, 2025, Government of India
- The EU General Data Protection Regulation 2016/679 (GDPR)
- The California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and CPPA Final Regulations Arts. 9, 10, and 11 (2025)
- The Saudi Arabia Personal Data Protection Law (PDPL), Royal Decree M/19 (2021, amended 2023), enforced by SDAIA
- The Brazilian Lei Geral de Proteção de Dados (LGPD), Law No. 13,709/2018, enforced by ANPD
- The Singapore Personal Data Protection Act 2012 (PDPA), as amended by the Personal Data Protection (Amendment) Act 2020 (in force February 2021), enforced by PDPC
- The Thailand Personal Data Protection Act B.E. 2562 (2019), fully enforced from 1 June 2022, enforced by PDPC
- The UK General Data Protection Regulation (UK GDPR) and the Data (Use and Access) Act 2025 (in force 5 February 2026), enforced by the ICO
- The UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and Cabinet Resolution No. 33 of 2022, enforced by the UAE Data Office (UAEDO)
It generates a compliance score, risk heat map, penalty exposure estimate, remediation roadmap, cross-jurisdiction divergence analysis, and a downloadable PDF report based on the responses you enter. All processing happens in your browser; none of your responses or results is transmitted to any server.
Not Legal Advice
This Tool does not constitute legal advice. Nothing in this Tool, or in any report, output, or communication it generates, is legal advice. Using this Tool does not create an advocate-client relationship between you and Adv. Sanket Shah.
The Tool is an educational and informational resource. It helps identify potential areas of non-compliance and frames the general requirements of the listed frameworks in a practical way. It is not a substitute for professional legal advice tailored to your specific circumstances.
Before making compliance decisions, implementing a compliance programme, or relying on this Tool's output in any regulatory or legal context, you should consult a qualified lawyer. This applies even when the Tool's results look favourable.
Accuracy & Limitations
Reasonable efforts have been made to ensure the accuracy of legal references, penalty figures, and compliance guidance. The following limitations should be kept in mind:
- DPDPA penalty figures reflect the statutory maxima in the Schedule to DPDPA s.33(1), cross-checked against the official Gazette notification (No. 25, August 11, 2023). The Data Protection Board is strictly bound by these Schedule maxima and may impose any amount up to (but not exceeding) the applicable ceiling. The factors in s.33(2) guide how far below the maximum the Board imposes in any given case. Separately, the Central Government holds power under s.42(1) to amend the Schedule by notification, subject to a cap of 2x the stated figure; this is a legislative power to revise the Schedule and does not confer on the Board any discretion to exceed Schedule maxima in individual penalty proceedings.
- Response timelines for data principal rights. The DPDPA (ss.11–12) prescribes timelines for access and correction/erasure requests as "such period as may be prescribed." The DPDP Rules 2025 do not currently specify a fixed number of days for these requests. Rule 14(3) caps grievance redressal at 90 days. The Tool reflects this distinction.
- DPDPA breach notification structure (Rule 7). Rule 7 establishes a two-part notification regime. Under Rule 7(1) and Rule 7(2)(a), on becoming aware of any personal data breach, the Data Fiduciary must notify the Data Protection Board of India AND each affected Data Principal "without delay" (initial brief description). Under Rule 7(2)(b), within 72 hours of becoming aware (extendable by the Board on written request), the Data Fiduciary must provide the Board a detailed follow-up report covering causes, mitigation measures, findings regarding the person responsible, remedial steps, and a summary of notifications sent to Data Principals. The 72-hour window governs the detailed report only; both the Board and all affected Data Principals must receive the initial notification without delay. Unlike GDPR Art. 34, there is no minimum risk threshold for individual notification: all affected Data Principals must be notified regardless of harm level.
- Cross-border transfers. DPDPA s.16 uses a restriction model: transfers are permitted by default unless the Central Government restricts specific countries. No restriction list has been notified as of the date of this Tool. Sector-specific rules (RBI, SEBI, IRDAI) may independently impose localisation requirements.
- Sensitive personal data. DPDPA 2023 does not create a separate "sensitive personal data" category. All personal data is regulated uniformly. The IT Act SPDI Rules 2011 (which do define sensitive personal data) remain in force until s.44(2) of DPDPA takes effect in May 2027.
- SDF status. No Data Fiduciaries have been officially notified as Significant Data Fiduciaries as of the date of this Tool. SDF obligations under s.10 take effect 18 months from the Rules notification (May 13, 2027).
- Regulatory evolution. The DPDP Rules 2025 were notified November 13, 2025. Regulatory guidance, enforcement policy, and judicial interpretation will continue to develop. This Tool is updated on a best-efforts basis but may not reflect the most current regulatory position at any given time.
- Saudi Arabia PDPL. The PDPL and its Implementing Regulations are fully enforceable as of 14 September 2024. The 2023 amendment (Royal Decree M/148, 27 March 2023) introduced legitimate interests as a valid lawful basis for non-sensitive personal data processing, subject to a balancing condition that the legitimate interest does not override data subject rights under the PDPL. This basis is not available for sensitive personal data. SDAIA enforcement guidance and further implementing measures continue to develop. Criminal penalty provisions (including imprisonment for illegal cross-border transfers and for unlawful disclosure of sensitive personal data) are among the few data protection criminal offences globally and are reflected in the Tool. The enforcement ecosystem is still maturing and penalty practice may evolve.
- Brazil LGPD. The ANPD's breach notification regime is governed by ANPD Resolution CD/ANPD No. 15/2024 (published 26 April 2024, effective immediately), not the earlier Resolution CD/ANPD No. 2 (which addresses simplifications for small processing agents). The standard timeline for full breach notification to the ANPD and affected data subjects is 3 business days from the moment the controller confirms the incident affected personal data. Where full details are unavailable within that window, a preliminary notice within the 3-business-day deadline is permitted, to be supplemented within a further 20 working days. Small processing agents (as defined by Resolution CD/ANPD No. 2/2022) benefit from a doubled deadline of 6 business days. ANPD Resolution CD/ANPD No. 19 (published August 2024, effective 22–23 August 2025) mandates the use of ANPD standard contractual clauses for international data transfers. The Tool reflects these positions as of 30 March 2026. ANPD enforcement decisions, further resolutions, and sectoral guidance will continue to evolve.
- Singapore PDPA. The single most commonly misunderstood provision in the Singapore PDPA is the mandatory breach notification timeline. Under Section 26D, organisations have 3 calendar days from the date of determination (not from discovery) that a data breach is notifiable to report to the PDPC. This is operationally distinct from the GDPR's 72-hour clock, which runs from awareness. The Tool reflects this distinction precisely.
- Thailand PDPA. The Thailand PDPA has been fully enforced since 1 June 2022. Administrative fines are capped at THB 3,000,000 per violation. Criminal sanctions (imprisonment up to one year and/or fines up to THB 1,000,000) apply to deliberate or reckless violations. The PDPC continues to issue notifications and guidance; the Tool reflects the primary statutory obligations.
- UK GDPR and DUAA 2025. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and came into force on 5 February 2026. Key changes codified by the DUAA 2025 include: the "not materially lower" standard for transfer risk assessments (TRAs); a recognised legitimate interests schedule; a formal SAR stop-the-clock procedure; and a more permissive automated decision-making framework compared to EU GDPR Article 22. The Tool reflects the DUAA 2025 as in force from 5 February 2026. The ICO's updated guidance on DUAA 2025 provisions will continue to develop.
- UAE PDPL. The UAE PDPL and its implementing Cabinet Resolution No. 33/2022 are in force; the UAEDO continues to develop its enforcement infrastructure and issue guidelines. Administrative financial penalties under the UAE PDPL framework range from AED 50,000 to a maximum of AED 5,000,000 per violation, with potential doubling for repeat violations (AED 10,000,000). The AED 5,000,000 figure is consistently cited across authoritative secondary sources including Baker McKenzie, DLA Piper, and Chambers and Partners. Note that the UAE PDPL primary text does not contain explicit language mandating that data subject rights are exercisable free of charge (unlike GDPR Art. 12(5)); the Tool treats free-of-charge handling as best practice aligned with the GDPR model. The enforcement and penalty framework is still maturing, and organisations operating under the UAE PDPL should monitor UAEDO publications closely.
- CPPA Regulations Arts. 9, 10, and 11. The California Privacy Protection Agency's Final Regulations on Risk Assessments (Art. 10), Cybersecurity Audits (Art. 9), and Automated Decision-Making Technology (Art. 11) were finalized on 22 September 2025 (approved by the Office of Administrative Law and filed with the Secretary of State on that date; formally announced 23 September 2025). Risk Assessment obligations under Art. 10 took effect 1 January 2026. Cybersecurity Audit submission deadlines are phased from 2028 to 2030. ADMT compliance obligations under Art. 11 take effect 1 January 2027. The Tool reflects these effective dates.
- Results are self-reported. The Tool cannot verify your inputs. Inaccurate or incomplete responses will produce inaccurate outputs.
Statutory text referenced in this Tool (including sections of the DPDPA 2023, DPDP Rules 2025, GDPR, CCPA/CPRA, Saudi PDPL, Brazil LGPD, Singapore PDPA, Thailand PDPA, UK GDPR, DUAA 2025, and UAE PDPL) is quoted for informational and educational purposes. All statutory text belongs to its respective legislative authority and is in the public domain.
Intellectual Property
© 2025–2026 Adv. Sanket Shah. All rights reserved.
The following elements of this Tool are the intellectual property of Adv. Sanket Shah:
- The question framework, structure, and wording (including sector-specific questions, weight adjustments, and scoring logic)
- The penalty exposure mapping methodology and risk classification framework
- The multi-framework divergence analysis (covering DPDPA, GDPR, LGPD, Singapore PDPA, Thailand PDPA, UK GDPR/DUAA 2025, and other framework comparisons) and the comparison structure and methodology
- The 30/60/90-day remediation roadmap format and remediation guidance text
- All original commentary, explanatory notes, and help text accompanying each question
- The tool's overall design, user interface, and visual presentation
Statutory text, legal provision numbers, and regulatory references belong to their respective legislative authorities and are used here for informational purposes only.
You may share the tool's URL freely and reference its outputs in your work, with attribution to Adv. Sanket Shah. You may not reproduce the tool's original content for commercial purposes without prior written permission.
For licensing enquiries, institutional access, or white-label arrangements, please contact Adv. Sanket Shah via the details in the Contact section below.
No Warranty
This Tool is provided "as is" without any warranty, express or implied. Adv. Sanket Shah makes no warranties as to the accuracy, completeness, timeliness, or fitness for purpose of the Tool or any output it generates.
In particular, no warranty is made that:
- The Tool's output reflects the current regulatory position at any given time
- The Tool will satisfy your specific compliance requirements or be accepted by any regulatory authority
- The Tool will be uninterrupted or error-free
Use of this Tool is at your own risk.
Limitation of Liability
To the fullest extent permitted by law, Adv. Sanket Shah shall not be liable for any loss or damage arising from your use of or reliance on this Tool, including:
- Any regulatory penalty, fine, or enforcement action taken against you or your organisation
- Any direct, indirect, incidental, or consequential loss
- Loss of business, revenue, data, or goodwill
- Any third-party claims arising from your use of this Tool
Nothing here excludes liability for death or personal injury caused by negligence, for fraud, or for any other liability that cannot lawfully be excluded.
Data & Privacy
This Tool runs entirely in your browser. Nothing you enter is transmitted to, stored on, or processed by any server.
- Your responses, organisation name, and results exist only in your browser session and are deleted when you close the tab
- The PDF report is generated locally in your browser; it is not sent anywhere
- No cookies, analytics trackers, or third-party data collection scripts are used
- No account creation or email address is required
External resources loaded by the Tool include Google Fonts (typography) and CDN-hosted open-source libraries: Chart.js (risk heat map) and jsPDF (PDF generation). These are standard libraries loaded from public CDNs and are subject to their respective licences. Fetching them means your browser makes ordinary HTTP requests to those third-party hosts (which, like any web request, disclose your IP address and browser details to the host); none of your responses or results is included in those requests.
Governing Law & Jurisdiction
These Terms are governed by the laws of India. Any dispute arising from these Terms or your use of this Tool shall be subject to the exclusive jurisdiction of the courts at Indore, Madhya Pradesh, India.
If any provision of these Terms is found invalid or unenforceable, the remaining provisions continue in full force.
Changes to These Terms
These Terms may be updated from time to time. The "Last Updated" date at the top reflects the most recent revision. Continued use of the Tool after any changes constitutes acceptance of the revised Terms.
Contact
For questions about these Terms, licensing enquiries, or to engage Adv. Sanket Shah for legal advisory services on data protection, AI governance, or contract lifecycle management:
Data Protection · Contract Lifecycle Management · AI Governance