We are a Data Fiduciary that protects other Data Principals.
Vault.in is an India-incorporated company, headquartered in Mumbai, with engineers and paralegals in Bengaluru, Chicago, and Delhi. We exist to make the rights granted by the Digital Personal Data Protection Act, 2023 actually usable by ordinary residents, not just by people with the time and money to retain privacy counsel.
Built by people who got tired of receiving scam calls citing private medical details.
We are an India-incorporated company, headquartered in Mumbai, with engineers and paralegals split across Bengaluru, Chicago, and Delhi. Our team includes former privacy counsel from Indian law firms, ex-platform engineers from leading consumer products, and a paralegal team trained specifically on the DPDP Act and its implementing rules.
We started this after watching family in Tier 2 cities receive scam calls that cited details no random caller should have known. Names of doctors, recent medical procedures, dates of admission, hospital bills. The path from my mother's MRI report to a scammer pretending to be a billing department was less than a year and went through three intermediaries, two of them legitimate Indian companies. The law to push back already existed; nobody was using it at scale.
Our Data Protection Officer is appointed and listed on the grievance page. Our Grievance Officer responds within thirty days as the law requires, and in practice usually within seventy-two hours. The DPO and Grievance Officer are two different people. We took external legal review of every template before launch and again each calendar quarter.
If you ever want to know what data we hold on you, the email is on /grievance. By Section 11 of the DPDP Act we have thirty days to answer. We have never used the full thirty.
We sign every quarterly transparency report. The next one publishes 15 July 2026.
- The law works when it gets used. The DPDP Act gives ordinary Indian residents real, enforceable rights. The only reason most people have not used them is logistical: drafting Section 12 notices, tracking ninety-day deadlines, escalating to a new Board nobody has dealt with before. We built the logistics so the law could be used.
- Honesty is the brand. We tell you our success rate (about 78%). We tell you what we cannot remove (about 22%). We publish a quarterly transparency report with government request counts. We refuse to claim "military-grade encryption" or any other marketing phrase that has no technical meaning.
- No surveillance. We do not log into your email. We do not read your messages. We do not sell anything to your employer, your spouse, or anyone else. Our threat model includes ourselves: per-user encryption keys mean our engineers cannot read your data in plaintext even with database access.
- Indian first. We started with the Indian internet because the existing privacy tools were built for the American internet. NRIs and foreign residents are served, but the priority is Indian residents and their families.
- We file under whatever is operative. The DPDP regime is phasing in through 2027. Our templates are versioned and dated. If the law changes, our templates change with it, and we keep the audit trail.
For the record.
- Incorporated
- Vault.in Privacy Operations Pvt Ltd (India)
- Registered office
- Mumbai, Maharashtra
- Data residency
- Supabase ap-south-1, Mumbai
- Banking
- ICICI Bank India · Razorpay merchant
- GST
- Registered, listed on every invoice
- DPO
- Appointed, listed on /grievance
- Grievance officer
- Appointed, listed on /grievance
- Cyber insurance
- Rs 5 crore policy in force
- External counsel
- Indian privacy lawyer of standing, quarterly template review
- Transparency report
- Quarterly, next on 15 July 2026