DPDP Act 2023 native · Hosted in Mumbai · ap-south-1
Sign in
Vault.in
Made for India, hosted in Mumbai

Your phone number is on 47 websites you have never heard of.

We will get it off, by law if needed.

Vault.in scans the Indian internet for your personal details every day. Phone, email, address, photo, PAN, court records, leaked passwords. Then we file legal removal requests under Section 12 of the Digital Personal Data Protection Act, 2023. If a company misses the 90-day deadline in Rule 14, we file with the Data Protection Board on your behalf. No call center. No human reading your data.

Scan me, freeHow it actually works
451 + 215
Indian + global sites covered
78%
Removal success within 90 days
6.20.4
Average phone exposure, per quarter
Live exposure preview
Rohit S. · sample
Found in
47
places, today
In 90 days
4
remaining exposures
Truecaller
Phone, photo, email9/10
Justdial
Phone, address8/10
IndiaMART
Phone, email, employer7/10
NoBroker
Phone, address7/10
99acres
Phone, address6/10
MagicBricks
Phone, address6/10
Naukri
Phone, email, employer5/10
+ 40 more across IndiaMART, Naukri, Sulekha, real estate portals.
Last scan
02:14 IST · today
The daily scan

How the daily scan actually works.

Six steps. No black box. We will explain each one with a real screenshot if you want to see it on your account.

01
We expand your identity.
Maiden names, past addresses, common misspellings, English and Hindi transliterations of your name. We build a search tuple that finds the version of you that brokers are selling, not just the one on your passport.
02
We search the Indian internet.
451 Indian data brokers, classified sites, matrimony sites, court records, real estate listings, public exam mirrors. Every site you have never visited but somehow has your phone number.
03
We monitor leak ecosystems.
Have I Been Pwned, DeHashed, IntelX, LeakCheck, plus 150 public Telegram channels that traffic in Indian data, plus dark web marketplaces via a commercial threat-intel partner.
04
We capture evidence.
For every exposure we record a screenshot, the HTML, a SHA-256 hash, and a chain-of-custody log. So your removal request, and your DPB escalation if it comes to it, holds up legally.
05
We file under DPDP Section 12.
Auto-drafted Section 12 erasure notices in your name, sent to each Data Fiduciary. The 90-day clock under Rule 14 starts the moment we hit send. We track every response.
06
If they ignore, we escalate.
Day 91, our system drafts a complaint to the Data Protection Board of India. Penalties under Section 33 reach Rs 250 crore. Fiduciaries who would not reply to you reply to the DPB.
What we cover

666 sites, ranked by how much they leak.

See full directory
134
Indian data brokers and people search
Truecaller · Justdial · IndiaMART · Sulekha · Tofler · Zauba Corp
96
Classifieds, real estate, matrimony
99acres · MagicBricks · NoBroker · Shaadi · Jeevansathi · OLX
78
Employment and B2B databases
Naukri · Apollo.io · Lusha · ZoomInfo · RocketReach · FoundIt
41
Court, public records, government
IndianKanoon · MCA Online · eCourts · Voter ID mirrors · RERA · Udyam
102
Breach, leak, paste, Telegram, dark web
HIBP · DeHashed · IntelX · Pastebin · Telegram leak channels · Russian forums
215
Global brokers and social caches
Spokeo · Whitepages · BeenVerified · Google Search · LinkedIn · Facebook
159 sites currently published in the coverage directory. The rest live in our active queue and ship as we validate their opt-out methods.
Anti-positioning

What we are not.

Because the privacy category lies a lot, here is what we will not pretend to do.

  • 01
    Not a VPN. Not antivirus. Not a password manager.
    Use a separate tool for those. We work alongside them; we do not replace them.
  • 02
    Not a private investigator.
    We will not dig dirt on anyone except the public version of you. We refuse all third-party lookup requests, including from your spouse and your employer.
  • 03
    Not anonymous.
    We need your identity to claim your rights under DPDP. We treat it the way a bank does. Encryption per user, audit log on every read, deletion on request.
  • 04
    Not magic.
    About 22% of exposures cannot be removed today. Statutory public records, defunct sites whose owners ignore mail, deep dark web caches. We tell you which, and why, on the day we find them.
Live estimate

Estimate your current exposure.

Tell us four things. We will run a 60-second lite scan and show you a real number for where you stand, before you decide whether to subscribe.

  • We never sell or share what you enter here.
  • We hash your phone and email before sending to breach APIs. The plaintext stays in Mumbai.
  • You can ask us to delete the estimate record from the result page itself.
60 seconds · top 50 sites · no card needed
Pricing

Annual, all-inclusive, in rupees.

GST included. Pay through Razorpay using UPI, card, or NetBanking. Cancel any time; account deletion runs the same Section 12 flow we use against everyone else.

Anyone curious
Free scan
Rs 0
one-time
  • One scan across top 50 Indian sites
  • Exposure report with severity scoring
  • No removals, no daily monitoring
  • Sample DPDP notice you can send yourself
Run free scan
Working professional
Personal
Rs 1,499
per year
  • Daily scan of 451 Indian + 215 global sites
  • Automated Section 12 removal requests
  • Breach monitoring (HIBP, DeHashed, IntelX, LeakCheck)
  • WhatsApp alerts within 5 minutes for severity 8 to 10
  • Monthly privacy report, PDF
Choose Personal
Most chosen
Most households
Family
Rs 3,499
per year, up to 5 people
  • Everything in Personal, for up to 5 family members
  • Verifiable parental consent flow for minors (DPDP Section 9)
  • Shared family dashboard with separate scores
  • Combined monthly report covering everyone
  • Spouse, parents, children, siblings supported
Choose Family
Founders, doctors, lawyers, journalists, NRIs
Concierge
Rs 14,999
per year
  • Everything in Personal
  • Image misuse monitoring across web + Yandex
  • Dark web monitoring via threat-intel partner
  • Telegram leak channel monitoring (150 channels)
  • DPB filing assistance with paralegal queue
  • Monthly review call (30 minutes)
Choose Concierge

No free trial of paid tiers. The free scan already tells you exactly what you would be paying to remove. That is more honest than a 7-day trial that auto-charges your card.

Monthly privacy report
April 2026
Issued to
Anjali I. · Personal
Privacy score
82
↑ +14 vs March
11
Removals filed
9
Verified gone
2
Escalated to DPB
Top exposures resolved this month
  • Justdial19 days · removed
  • IndiaMART24 days · removed
  • Sulekha12 days · removed
  • NoBroker31 days · removed
  • Truecaller22 days · removed
12 pages · SHA-256 stamped
Vault.in · Confidential
What you get monthly

A 12-page privacy report, every month, in your inbox.

Designed so you can hand it to your lawyer, your CFO, or yourself in three months when you have forgotten what we did for you.

  • 01Executive summary, score change, top three wins, top three losses.
  • 02Daily scan summary by category, with the actual sites checked.
  • 03Exposure inventory with thumbnail evidence and SHA-256 hashes.
  • 04Removal pipeline (drafted, submitted, acknowledged, completed, escalated).
  • 05Breach inventory grouped by source.
  • 06Privacy score trend (last 90 days, weekly granularity).
  • 07DPB filing log and next-action calendar.
View a sample report8 pages · anonymised · printable
DPDP for non-lawyers

Three things to know about the law that protects you.

What rights you have.

Section 11 gives you the right to access and correct everything a Data Fiduciary holds about you. Section 12 gives you the right to erase it. You can withdraw consent at any time and the company must remove anything that depended on that consent. If they refuse, you have the right to complain to the Data Protection Board under Section 27.

These rights do not apply only to giant tech companies. They apply to anyone holding your data digitally, from a city builder with your phone number on a property listing to a B2B database that sold your email to a recruiter in Gurugram.

Section 12, in detail

What the 90-day rule means.

Rule 14 of the Digital Personal Data Protection Rules, 2025, says a Data Fiduciary must act on your request within ninety days. Not respond, not acknowledge, actually act.

On day 91, the Data Protection Board can be approached. Section 33 caps penalties at Rs 250 crore per incident for negligent fiduciaries. Most companies, faced with that math, choose to comply at day 89 rather than risk a board hearing.

Our daily scan watches the calendar so you do not have to. The Section 12 notice goes on day zero; the DPB filing packet is ready on day 91 if needed.

Rule 14, explained

What changed in November 2025.

The DPDP Act was passed in August 2023. The implementing rules were notified on November 13, 2025. Phased rollout runs through May 2027. The Board began intake in early 2026.

A handful of provisions are operative today: consent notices, grievance officers, erasure requests, and breach reporting. Significant Data Fiduciary (SDF) designation, Consent Manager licensing, and cross-border transfer rules will phase in through 2027.

We file under whatever is operative on your filing date. Our templates are versioned and dated, and we keep an audit trail of which version was used for each notice.

DPDP timeline + updates
Who runs Vault.in

Built by people who got tired of receiving scam calls citing private medical details.

We are an India-incorporated company, headquartered in Mumbai, with engineers and paralegals split across Bengaluru, Chicago, and Delhi. Our team includes former privacy counsel from Indian law firms, ex-platform engineers from leading consumer products, and a paralegal team trained specifically on the DPDP Act and its implementing rules.

We started this after watching family in Tier 2 cities receive scam calls that cited details no random caller should have known. Names of doctors, recent medical procedures, dates of admission, hospital bills. The path from my mother's MRI report to a scammer pretending to be a billing department was less than a year and went through three intermediaries, two of them legitimate Indian companies. The law to push back already existed; nobody was using it at scale.

Our Data Protection Officer is appointed and listed on the grievance page. Our Grievance Officer responds within thirty days as the law requires, and in practice usually within seventy-two hours. The DPO and Grievance Officer are two different people. We took external legal review of every template before launch and again each calendar quarter.

If you ever want to know what data we hold on you, the email is on /grievance. By Section 11 of the DPDP Act we have thirty days to answer. We have never used the full thirty.

We sign every quarterly transparency report. The next one publishes 15 July 2026.

Trust posture

Open about everything that matters.

Trust center

Where your data lives.

Supabase ap-south-1 Mumbai. Encryption at rest with per-user derived keys. No replication outside India unless you explicitly opt in to face-match cross-checks.

Read more

Who can see it.

Only you. Vault.in engineers cannot read your data in plaintext. Customer success can see the metadata of an incident; never the content of an exposure or an evidence pack.

Read more

How we handle minors.

Verifiable parental consent under Section 9 of the DPDP Rules, 2025. We turn off tracking-style processing and any monetisation pathway by default for under-18s.

Read more

How to delete everything.

Section 12 applies to us too. Hit one button in Settings; we delete every record within thirty days and email you the proof, including evidence pack hashes that we destroyed.

Read more
FAQ

Twelve real questions, plainly answered.

If you have a question we have not answered, write to [email protected]. A human responds within one working day.

We use the same indices a regular search user does (Google Custom Search, Bing Web Search, SerpAPI), at human-sized pace, behind residential proxies in India. For Indian data brokers that explicitly allow user lookup, we hit their search forms with one query per minute per site. We respect robots.txt. We do not bypass paywalls. If a site forbids automated access, we use the email or postal channel instead of automation.

Free scan

Your name is in the system.

We will show you exactly where, in under five minutes. No card. No sales call. No upsell email tomorrow. If you decide you want us to clean it up, the lowest plan is Rs 1,499 a year, paid in full. If you do not, you keep the report and you are still ahead.

Free scan now