What do I need to put in my privacy policy, and how do I actually draft one?
The short answer
Skip the generic Shopify/WooCommerce boilerplate privacy policy, it won't map to DPDP's requirement that you itemise each data category (name, phone, payment info, browsing behaviour) against a specific purpose you're using it for. Start from a DPDP-specific generator or template rather than adapting an old GDPR policy, since the two laws' required disclosures don't fully overlap. At minimum your policy needs: what data you collect, why, how long you keep it, who you share it with (payment gateways, courier partners, ad platforms), and a working process, with a real email address, for a customer to request access, correction, or deletion.
A quick summary to orient you. The real value is below: the resources worth your time, from people who've actually done it, not us.
Here are the resources
Hand-picked from around the web, each with a note on why it earns your time. India-specific ones carry a badge.
Why we picked it
A global law firm's action-step framing is useful precisely because it's written for businesses operating across multiple jurisdictions, a good structure if you're already juggling GDPR or US state laws alongside DPDP.
Why we picked it
A free, DPDP-specific privacy notice generator (available in English and Indian languages), start here instead of retrofitting an old GDPR template that won't match India's disclosure requirements.
Why we picked it
A single page of downloadable DPDP-aligned templates, data protection policy, privacy notice, consent forms, that saves you from drafting each document from a blank page.
Why we picked it
Useful if you need one policy that references DPDP, GDPR, and CCPA together, a realistic need for a D2C brand selling on its own store to customers in multiple countries.