Last verified: 2026-06-25
An Indian app developer spends four months building a clean, well-designed product. The code works. The UI is polished. Beta testers love it. Then comes the final gate: submission to the Play Store. And the app gets bounced. Not for a crash, not for a permissions issue, but for a privacy policy and Terms and Conditions that were missing or wrongly hosted. One builder had collected no user data at all and assumed that made them exempt. Another had a policy, but the URL “did not link to a valid page.” Same wall, two reasons, zero lines of broken code.
If you spend any time in developer communities, you’ll see this pattern on repeat. The rejection is almost never a code failure. It’s a documentation failure. And it doesn’t only show up at the app store.
The same gate appears at payment onboarding. Try to take Razorpay or any payment gateway live, and the approval flow asks for a published Terms of Service and a privacy policy before it lets you process a single rupee. No documents, no payments, no revenue. The gate appears again, more quietly, in the law itself: the Sec. 79 safe-harbour that shields an intermediary from liability for user content can evaporate if you never published proper user terms in the first place. Three different gates. One root cause.
Here’s the thing most founders get backwards. They treat Terms and Conditions as a boring legal formality, something to copy-paste at the end. In reality, that document is the gate between a finished build and a live, paid, legally protected product. And the part they neglect most, the privacy policy bundled with the terms, is now the highest-risk document of the lot, because the Digital Personal Data Protection Act, 2023 attaches penalties of up to Rs 250 crore to mishandled data.
There’s an upside to all of this, and it’s worth seeing clearly. The founders and lawyers who learn to draft these documents properly don’t just clear the store and the payment gateway. They build products that survive a compliance review, onboard enterprise customers faster, and command real fees precisely because they can produce what most people only know how to download. Getting this right once is a skill you keep. Getting it wrong means inheriting someone else’s litigation.
So before you copy a competitor’s terms or paste a generator’s output, here is what Indian law actually requires, and how to draft a Terms and Conditions document that holds up.
Terms and Conditions are effectively mandatory for any Indian website or app that collects data, processes payments, or hosts user content. Drafting them means stating who you are, the rules of use, your privacy and data practices under the DPDP Act 2023, liability limits, governing law, and a clear “I Agree” acceptance step that the user actively takes.
Get those building blocks right and you have an enforceable, compliant document. Get them wrong, and you have a downloaded template that collapses the moment Indian regulation, a payment gateway, or an app store touches it. Here’s how to draft one properly, starting with why you need it at all.
Why your website or app needs Terms and Conditions in India (and what happens if it does not)
Ask a founder why their site needs Terms and Conditions and you’ll often get a vague answer about “covering ourselves legally.” That instinct is right, but it misses the concrete part. The real reasons are specific, and each one can stop your product cold. So what actually goes wrong if you skip them?
The honest framing is this: no single statute says “every website must display Terms and Conditions or face a fine.” But several different gates make the document effectively non-negotiable for any product that collects data, takes payments, or hosts what users post. Skip the document and you don’t get a tidy legal warning. You get a launch that quietly fails to launch.
This matters most at the worst possible moment, which is when you’re ready to go live. The absence of terms isn’t felt during the build. It’s felt at the gate, when the store, the gateway, or a legal notice arrives and the document you needed isn’t there.
The three real consequences of having none
The first consequence is the loss of safe-harbour protection. Under Sec. 79 of the Information Technology Act, 2000, an “intermediary” (a platform that hosts third-party content) is shielded from liability for what users post, but only if it observes due diligence and publishes the rules users must follow. The Supreme Court in Shreya Singhal v. Union of India, (2015) 5 SCC 1 clarified how that safe-harbour operates, reading down the “actual knowledge” standard so that takedown obligations are triggered by a court order or government notification, not a random private complaint. No published user terms and grievance mechanism, and you weaken the very shield Sec. 79 was meant to give you.
The second consequence is the payment-gateway blocker. Indian payment gateways will not let you go live without a published Terms of Service and a privacy policy hosted on your domain. This is an underrated revenue gate: a product that cannot accept payments cannot earn, and the onboarding checklist treats your legal documents as a hard prerequisite, not a nice-to-have. Founders routinely discover this only when they’re days from launch.
The third consequence is outright store rejection. Both the Google Play Store and Apple’s App Store require a valid, live privacy policy URL, and apps get bounced when it’s missing or wrongly hosted (more on the app-specific traps in the app section below). The pattern repeats across developer forums: months of work, blocked at the final review, for a document that takes a fraction of the time the code did.
The mistake we see most often is treating these three gates as separate problems. They’re not. They’re three symptoms of one missing foundation, and the founders who get caught are the ones who assumed “legal pages” were cosmetic.
“Mandatory” vs “effectively mandatory”: the honest answer
Let’s be honest about the legal position, because half-truths help no one. Is a Terms and Conditions document mandatory in the sense of a single penal section? Not as such. Is it effectively mandatory for any real digital business? Absolutely.
The practical reality is that the obligations are scattered across the IT Rules 2021 (which require intermediaries to publish a user agreement and privacy policy), the Consumer Protection (E-Commerce) Rules 2020 (mandatory disclosures if you sell or list goods), and the DPDP Act 2023 (a lawful basis and notice before you process personal data). Add the commercial gates (payments, app stores) and the answer for any founder building a serious product is the same: you need these documents before you launch, not after.
T&C vs Terms of Service vs Privacy Policy vs EULA vs disclaimer: which documents you actually need
Here’s a question that trips up almost every first-time founder: do you need one legal document or five? The labels float around interchangeably online, which doesn’t help. Terms of Use, Terms of Service, Terms and Conditions, EULA, disclaimer, privacy policy: are these the same thing wearing different names, or genuinely separate instruments?
The short answer: some overlap, some don’t, and the distinction decides what you actually have to draft.
The five documents, and when each applies
Terms and Conditions, Terms of Use, and Terms of Service are, for practical purposes, the same document under different names. They set the rules of the relationship between you and the user: who can use the service, what’s prohibited, payment terms, liability limits, and how disputes get resolved. Whichever label you pick, draft it as your master rulebook. Most Indian websites and apps need exactly one of these, not three.
A privacy policy is a different animal entirely. It’s not about the rules of use; it’s a mandatory disclosure of what personal data you collect, why, how you use it, who you share it with, and how a user can exercise their rights. Under the DPDP Act 2023, this is a legally regulated document, not optional boilerplate. Does your website need a privacy policy? If you collect any personal data, including something as basic as an email address or an analytics cookie that identifies a user, then yes.
A EULA (End User Licence Agreement) is specific to software you license rather than a service you host. It governs the user’s right to install and use your application. An app that simply provides a hosted service may fold these terms into its Terms of Service; downloadable software that the user installs and runs locally is the classic EULA case. A disclaimer is narrower still: a notice limiting your liability for the accuracy or use of content (think a finance blog that says “this is not investment advice”). Do you need a privacy policy and a disclaimer? Often yes, because they do different jobs: one governs data, the other governs reliance on your content.
Why the privacy policy is now your highest-risk document
What experienced data-protection counsel know is that founders almost always have the risk allocation backwards. They pour energy into the liability clause and the prohibited-use list, then grab a privacy policy off the nearest competitor. Post-DPDP, that’s exactly the wrong way round.
Here’s why. Penalties under the DPDP Act 2023 attach to data handling, and they’re large (up to Rs 250 crore for a security-safeguard breach). The liability clause in your Terms protects you in a private dispute; the privacy policy is the document a regulator reads against your actual data practices. A pasted privacy policy that promises consent flows or rights mechanisms you never built isn’t just sloppy. It’s a written misrepresentation of your compliance posture. The privacy policy, not the headline Terms, is where the regulatory exposure now concentrates.
Highest risk: DPDP penalties of up to Rs 250 crore attach to how you handle data, not to the headline Terms.
The legal stack: which laws govern Terms and Conditions for an Indian website or app (2026)
Most competitor guides name one statute (usually the IT Act) and stop. That’s how you end up with terms that are five years out of date. The real legal stack for a 2026 Indian website or app is a layered structure, and missing any layer leaves a hole a regulator or a payment gateway can fall through. Why does the full map matter before you draft a single clause? Because each layer dictates specific language you’ll need.
The Contract Act 1872 and IT Act 2000
The foundation is the Indian Contract Act, 1872. Your Terms and Conditions are, legally, a contract, and they bind only if the basics are present: offer (your published terms), acceptance (the user agreeing), consideration (use of the service, payment, or access), and free consent. Strip away the digital wrapper and a clickwrap agreement is an ordinary contract.
The next layer is the Information Technology Act, 2000. The crucial provision here is Sec. 10A, which confirms that contracts formed by electronic means are valid and enforceable, the reason an “I Agree” click can bind a user at all. Indian courts have treated electronically concluded agreements as binding where consensus is evident, a principle the Supreme Court applied in Trimex International FZE Ltd. v. Vedanta Aluminium Ltd., (2010) 3 SCC 1 when it held that a contract concluded over email was valid and enforceable. The IT Act also supplies Sec. 79 (the intermediary safe-harbour discussed above) and, historically, Sec. 43A on sensitive personal data (now sunsetting, covered below).
IT Rules 2021 and the IT Amendment Rules 2026
Sitting on top of the IT Act are the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. If your platform hosts user content, these rules require you to publish your rules and regulations, privacy policy, and user agreement, and to appoint a grievance officer with a defined response timeline. That grievance-officer detail is not optional decoration; it’s a named requirement that belongs in your Terms.
The newer layer is the IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026, notified on 10 February 2026 and in force from 20 February 2026. These introduced India’s first statutory framework on synthetically generated information (SGI), the labelling of AI-generated and deepfake content. If your product lets users create or upload AI-generated media, your Terms will increasingly need an SGI declaration and labelling clause. Early signals suggest this becomes standard drafting as the framework beds in, so build the hook now even if you keep the clause light.
The DPDP Act 2023, DPDP Rules 2025 and the Sec. 43A sunset
The biggest reset is the Digital Personal Data Protection Act, 2023, and its implementing DPDP Rules 2025, notified on 13-14 November 2025 (these are final, not draft). Together they govern how you collect, use, store, and delete personal data, and they’re the reason your privacy policy is now a regulated instrument rather than filler.
There’s a historical shift baked in here. The old data-protection regime ran on Sec. 43A of the IT Act and the SPDI Rules, 2011, which since 2011 governed “sensitive personal data.” That regime is sunsetting: the repeal takes effect on 13 May 2027, when the DPDP core obligations bite. The practical implication for drafters is that a privacy policy still written to the 2011 SPDI standard is on a deadline. The data-protection layer of every Indian privacy policy must migrate to DPDP language before that date.
Consumer Protection (E-Commerce) Rules 2020
The final layer applies if you sell or list goods or services. The Consumer Protection (E-Commerce) Rules, 2020, made under the Consumer Protection Act, 2019, require specific disclosures: the seller’s identity and contact details, total price breakdowns, return, refund, exchange and cancellation terms, grievance-redressal contacts, and country of origin where relevant. A marketplace that lists third-party sellers carries additional duties. When does a site cross into this territory? The moment money changes hands for goods or services, your Terms and your refund policy have to carry these disclosures, which is why a generic template borrowed from a non-commercial site leaves you exposed.
Must-have clauses in a website or app Terms and Conditions
If you take one section away from this guide, make it this one. Below is the working clause checklist (the must-have building blocks of any India-ready Terms and Conditions document), followed by what each one actually has to do. Which clauses are genuinely must-have, and which are optional padding? Here’s the core set:
- Identity, scope and eligibility (who you are, what the service is, who may use it)
- User obligations and prohibited use (the rules users must follow)
- Payment, subscription, refund and cancellation (if you charge)
- Liability limitation, indemnity and disclaimer (your risk allocation)
- Intellectual property and licence (what you own, what you let users do)
- Governing law, jurisdiction and dispute resolution (where and how disputes are settled)
- Privacy and data-handling cross-reference (a link to your DPDP-compliant privacy policy)
- Grievance officer and contact (named, with a response timeline, per IT Rules 2021)
- Termination and suspension (when and how you can cut off access)
- Amendment and versioning (how you change the terms and notify users)
That list is the skeleton. The flesh is in getting each clause to fit your specific business, which is where templates fall apart.
Identity, scope and eligibility
Start by stating who you actually are: the legal entity behind the service, its registered address, and how to reach you. Then define the scope (what the service does and does not include) and eligibility (minimum age, jurisdiction restrictions, any account requirements). For Indian products, the age question matters because the DPDP Act 2023 imposes heightened obligations around children’s data, so an eligibility clause that quietly assumes adult users isn’t enough if your product reaches minors.
User obligations and prohibited use
This clause sets the rules of conduct: no unlawful use, no infringement, no scraping, no uploading prohibited content. For an intermediary, this isn’t just housekeeping. It’s the published “rules and regulations” the IT Rules 2021 require, and it underpins your Sec. 79 safe-harbour. Be specific about the categories of prohibited content rather than waving at “anything illegal,” because a vague clause is harder to enforce when you actually need to remove something or terminate an account.
Payment, subscription, refund and cancellation
If you charge, this clause has to state pricing, billing cycle, auto-renewal mechanics, and the refund and cancellation position clearly. Worth flagging: this is the clause most exposed to consumer law. The E-Commerce Rules 2020 require refund and cancellation disclosures, and (as the refund section below explains) you can’t contract away a consumer’s statutory rights on defective goods or deficient services just by writing “no refunds” in bold.
Liability limitation, indemnity and disclaimer
Here you cap your exposure, disclaim warranties, and shift certain risks to the user through indemnity. Founders love this clause, which is part of the problem: a limitation that’s wildly one-sided invites scrutiny. The Supreme Court in LIC of India v. Consumer Education & Research Centre, (1995) 5 SCC 482 held that standard-form, take-it-or-leave-it contracts signed under unequal bargaining power are open to judicial review for unfairness. A liability clause that tries to disclaim everything can be read down, so balanced drafting is enforceability insurance, not weakness.
Intellectual property and licence
State clearly that you own your content, code, trademarks, and design, and define the limited licence the user gets (to use the service, not to copy or resell it). If users generate content, address who owns it and what licence they grant you to host and display it. This clause prevents the common dispute where a user assumes they own something the platform built, or the platform over-claims rights to user content it never bargained for. The discipline here is the same one that underpins drafting a clean SaaS and technology agreement for an Indian product: precision about who holds what right, and on what terms.
Governing law, jurisdiction and dispute resolution
Specify Indian law as the governing law and name the courts that have jurisdiction. Exclusive-jurisdiction clauses are valid in India: the Supreme Court in Swastik Gases Pvt. Ltd. v. Indian Oil Corporation Ltd., (2013) 9 SCC 32 held that an exclusive-jurisdiction clause is enforceable even without the words “only,” “alone,” or “exclusive,” so long as the intent is clear. For e-commerce, remember that selling to customers in a place can itself confer jurisdiction there, a point the Delhi High Court made in World Wrestling Entertainment, Inc. v. M/s Reshma Collection, 2014 SCC OnLine Del 2031 when it held that online sales to customers in Delhi amounted to “carrying on business” there. Draft the clause with that reality in view rather than assuming your registered office is the only forum that matters.
Privacy and data-handling cross-reference
Your Terms should not try to be your privacy policy. Instead, include a clean cross-reference clause that points to your separate, DPDP-compliant privacy policy and makes clear that use of the service is subject to it. This keeps the two documents in their lanes (rules of use here, data disclosures there) and lets you update the privacy policy on its own DPDP-driven schedule without rewriting the whole Terms document each time.
How to draft your Terms and Conditions step by step
Enough theory. Here is the actual drafting workflow, start to finish, the same sequence an experienced drafter follows. Think of it as eight steps, each one building on the last. Can you do this without a lawyer? For a straightforward product, yes, if you follow the order and resist the urge to copy. Here’s how.
- Map what your site or app actually does. Before writing a word, list what data you collect, whether you take payments, whether you host user content, and whether you reach minors. This map decides which clauses and which documents you need. Most drafting mistakes trace back to skipping this step. (And no, you don’t wait until launch to do it: build the map at MVP stage, because the answers shape your product design too.)
- Pick your document set. Based on the map, decide what you need: a Terms and Conditions document and a privacy policy are the baseline for almost everyone. Add a refund/cancellation policy if you sell, a EULA if you license installable software, and a disclaimer if you publish advice-adjacent content. Don’t draft documents you don’t need; don’t skip ones you do.
- Draft clause by clause from the checklist. Work through the must-have clause list above, writing each clause to fit your specific business rather than lifting a competitor’s wording. This is the slow part, and it’s the part that matters. A clause that describes a refund policy you don’t actually run is worse than no clause at all.
- Layer in DPDP-compliant privacy notice and consent language. In the privacy policy, set out what personal data you collect, the specific purpose for each, your lawful basis, retention periods, and how users exercise their rights. The notice has to be clear and itemised, not a vague catch-all. This is the document a regulator reads, so write it to describe your real practices.
- Add the acceptance mechanism. Use clickwrap, an active “I Agree” checkbox or gate the user must tick before proceeding, not browsewrap (terms buried in a footer link that the user never actively accepts). As the enforceability section explains, clickwrap is far safer in India. Capture and log the acceptance so you can later prove the user agreed.
- Set governing law, jurisdiction and grievance-officer details. Name Indian law, the courts with jurisdiction, and (for intermediaries) a grievance officer with contact details and a response timeline, as the IT Rules 2021 require. These are concrete, named items, not generic placeholders.
- Host and link the documents correctly. Publish both documents as live HTML pages on your own domain (not a PDF, not a Google Doc), link them in the footer and at the point of acceptance, and for an app, link them on the store listing and inside the app. Hosting errors are a leading cause of store rejection, so treat this step as part of the legal work, not an afterthought.
- Review, version-date, and set a refresh trigger. Add a “last updated” date, version the document, and set a calendar trigger to review it (DPDP deadlines, e-commerce amendments, and your own product changes all force updates). Where a change is material and affects data processing, plan a re-consent flow rather than quietly swapping the page. A living document needs a maintenance schedule.
Here’s what this looks like in practice. Take an Indian SaaS company selling a subscription analytics tool to businesses. Its map flags personal data (account and usage data), payments (subscriptions), and no minors. So it drafts a Terms of Service plus a DPDP-compliant privacy policy, adds a refund/cancellation clause for the subscription, gates signup behind an “I Agree” checkbox, names Indian law and its home-city courts, hosts both as live pages, and sets a quarterly review. No EULA (it’s hosted, not installed), no children’s-data clause. The document set fits the business because the map came first.
Drafting for an app vs a website: the differences that get apps rejected
Almost every guide online writes “website terms and conditions” and stops there. But apps get rejected for reasons websites never face, and the developer forums are full of builders who learned this at the submission gate. So what actually differs when you’re drafting for an app instead of a website?
Play Store and App Store policy requirements
Both Google Play and Apple require a valid, live privacy policy URL as a condition of listing, and they enforce it independently of Indian law. Here’s the trap that catches the most developers: the requirement applies even if your app collects no personal data at all. “I collect no data, so I’m exempt” is one of the most common assumptions in developer communities, and it’s wrong. The store policy is a listing requirement, not a data-collection requirement, so a no-data app still needs a published privacy policy or it doesn’t ship. Plenty of builders discover this only after their submission bounces.
Where the privacy-policy link must appear, and how to host it
A common question in r/androiddev runs along the lines of: “My app was rejected because the URL does not link to a valid page. What am I doing wrong?” The answer is almost always hosting. The privacy-policy link has to point to a live, publicly accessible HTML page, not a PDF, not a login-gated document, not a file that 404s.
Where must the link appear? In two places at least: on the store listing (the data-safety or privacy section) and inside the app itself, typically in settings or an “about” screen. Host the page on a stable URL on your own domain, keep it reachable without a login, and test the link from a fresh browser before you submit. Most “valid page” rejections are a hosting fix, not a legal one.
EULA vs Terms of Service for apps
When do you need a EULA versus a Terms of Service for an app? If your app is a hosted service the user accesses (most modern apps), a Terms of Service usually covers you, and you can fold any licence language into it. If your app is installable software the user runs locally, a EULA governing the installation and use of that software is the cleaner fit. Many apps end up with a Terms of Service that includes a limited-licence clause, which does the EULA’s core job without a separate document. The practical reality is that you rarely need both: pick the instrument that matches whether you’re providing a service or licensing software, and don’t draft a second document just because a competitor has one.
Making your Terms enforceable: clickwrap, not browsewrap
You can draft a perfect set of Terms and still lose, if you can’t prove the user agreed to them. This is the enforceability question, and it’s where a lot of Indian guides quietly mislead readers by leaning on US case law. So how do you display and capture acceptance so your Terms actually hold up in an Indian court?
Why pure browsewrap is not settled-enforceable in India
Two models dominate. Clickwrap requires the user to take an active step (tick “I Agree,” click a button) before proceeding. Browsewrap simply posts the terms via a link, usually in the footer, and assumes the user is bound by continuing to use the site. The difference is consent: clickwrap captures it, browsewrap presumes it.
Here’s the correction Indian readers need. Several competitor guides cite US decisions to argue that browsewrap is enforceable. That’s misleading. Indian courts have not definitively upheld pure browsewrap, and you should not rely on US precedents to assume they will.
What Indian law does support is electronic acceptance where consensus is genuinely evident, the principle in Trimex International FZE Ltd. v. Vedanta Aluminium Ltd., where an email-concluded contract was held binding because agreement was clear. Browsewrap, by design, makes that agreement much harder to demonstrate. Our recommendation is simple: don’t bet your enforceability on an unsettled browsewrap theory.
How to capture acceptance so it holds up
In practice, the safe pattern is an unambiguous clickwrap gate: a checkbox or button the user must actively engage, placed where the terms are accessible (linked, in full) at the moment of acceptance. Then log it: record the user, the timestamp, and the version of the terms they accepted. That record is what you produce if the agreement is ever challenged.
There’s a fairness dimension too. Even a clicked clause can be scrutinised if it’s oppressive and the bargaining power is grossly unequal, the concern the Supreme Court raised in LIC of India v. Consumer Education & Research Centre. So the strongest position combines clean acceptance capture with terms that are balanced enough to survive a fairness challenge. Do sites have to show terms before collecting personal information? For data, yes: under the DPDP Act 2023 you need notice and a lawful basis before processing, which means the privacy notice has to come at or before the point of collection, not buried after the fact.
Can you copy a competitor’s T&C, use a generator, or ask ChatGPT? The real risk
Be honest: the temptation is real. A competitor’s Terms are right there, a free generator is one search away, and ChatGPT will produce a full draft in thirty seconds. So what’s the actual risk in each, for an Indian product in 2026?
Copy-paste: copyright and a DPDP misrepresentation landmine
The community splits roughly in half on this, with one camp insisting “just copy a competitor’s, everyone does it” and the other warning it’s plain infringement. Both miss the bigger 2026 problem. Yes, Terms and privacy policies are original literary works and can be protected by copyright, so wholesale copying carries an infringement risk. But that’s the smaller exposure now.
The real landmine is DPDP misrepresentation. When you paste a competitor’s privacy policy, you import their data practices, their consent mechanisms, their retention periods, their rights-handling flows. If your product hasn’t built those, your published policy now describes a compliance posture you don’t have. That’s not laziness; it’s a written misstatement of how you handle personal data, and under the DPDP Act 2023, with penalties up to Rs 250 crore in play, it’s a far costlier mistake than a copyright claim. Copying got riskier, not just lazier.
Free generators and ChatGPT: where they help, where they fail
Generators and AI tools aren’t useless. They’re genuinely helpful for structure: they’ll give you a clause skeleton, remind you of categories you forgot, and produce readable boilerplate fast. That’s where their value ends.
Where they fail for India is currency and specificity. Most generators are US or EU-centric and won’t reflect the DPDP Rules 2025, the IT Rules 2021 and their 2026 SGI amendment, or the E-Commerce Rules 2020 disclosures. And ChatGPT, helpful as it is, will confidently produce clauses that don’t match your actual business or the current Indian statute stack. Use them to draft a first skeleton if you like, then do the real work: rewrite every clause to fit your product and verify it against current law.
The business-specificity test
Here’s a simple test that settles most copy-paste questions. Read the borrowed clause and ask: does this describe what my business actually does? A competitor’s refund clause assumes their refund policy. Their data clause assumes their data flows. Their liability cap assumes their risk profile.
The more specific a clause is to a real operation, the worse it fits yours, and the more dangerous it is to keep. Boilerplate that’s generic enough to be harmless is also generic enough to be useless. If you want to do this professionally for clients rather than just for your own product, that’s a distinct skill set: there’s a separate craft to reviewing other companies’ terms and conditions professionally, which is the mirror image of drafting your own.
The DPDP Act 2023 and your privacy policy: what changed and what to write
If one statute reshapes how you draft in 2026, it’s the DPDP Act 2023. Most underlying guidance online still describes the old draft-rules or Sec. 43A position, which means a lot of what you’ll find is stale. So what does DPDP actually require you to write, and when do the obligations start?
What DPDP Rule 3 requires you to put in writing
DPDP Rule 3 (on the privacy notice and consent) sets out what your notice has to contain. In plain terms, you must give the user a clear, itemised notice: the personal data you collect, the specific purpose for each category, and how the user can withdraw consent and exercise their rights. The notice has to be standalone and understandable, not folded into dense legalese. How do you prepare for DPDP as a startup? Start by writing the notice to match your real data flows, then build the consent capture and withdrawal mechanisms the notice promises. The notice and the product have to agree. (If you want the full picture of the new regime, our deeper guide to how the DPDP Act 2023 reshapes privacy compliance walks through the obligations clause by clause.)
The key DPDP timelines you must plan around
The dates matter for drafting, because they tell you what to build and by when. The DPDP Rules 2025 were notified on 13-14 November 2025. The Consent Manager registration framework is set to become operational around 13 November 2026. The core obligations (notice and consent, breach reporting, Data Principal rights, Significant Data Fiduciary duties) become enforceable on 13 May 2027, the same date the old Sec. 43A and SPDI Rules 2011 are repealed. The practical takeaway: a privacy policy written to the 2011 standard is on a clock, and you should be drafting to DPDP language now rather than scrambling in 2027.
Breach reporting and the data-deletion vs retention conflict
The DPDP framework requires prompt breach notification to the Data Protection Board and affected users (the Rules set a tight, hours-not-days window). Your internal terms and incident process should reflect that timeline, because the obligation runs whether or not your privacy policy mentions it.
There’s a genuine tension a lot of founders hit, and it’s worth naming. DPDP gives users a right to erasure on account deletion, but sectoral laws pull the other way: RBI directions, the Prevention of Money Laundering Act, and CERT-In directions can require you to retain certain records for fixed periods. So which wins? The practical answer is that you don’t blanket-delete; you draft a retention clause that distinguishes data you must erase on request from data a specific law requires you to keep, and you state the legal basis for each retention. Drafting around that conflict, rather than ignoring it, is what separates a compliant policy from a hopeful one.
DPDP vs GDPR in one paragraph
How different is India’s regime from Europe’s? Broadly, DPDP is consent-centric and leaner than the GDPR. It leans heavily on consent (and a few legitimate uses) as the lawful basis, where the GDPR offers six bases including legitimate interest. DPDP’s data-principal rights are narrower (no standalone right to portability or to object in the GDPR sense), and its cross-border transfer model is a “blocklist” approach rather than the GDPR’s adequacy-and-safeguards regime. If you’ve copied a GDPR-shaped privacy policy, it won’t map cleanly onto DPDP, which is one more reason the borrowed-policy shortcut backfires.
Refund, return and cancellation terms under the e-commerce rules
If you sell anything, this is the clause that gets you consumer complaints when it’s wrong. A lot of founders assume they can write “all sales final, no refunds” and be done. Indian law doesn’t quite let them. So what do the e-commerce rules actually require, and is a no-refund clause even legal?
What the Consumer Protection (E-Commerce) Rules 2020 require you to disclose
The Consumer Protection (E-Commerce) Rules, 2020 require online sellers and marketplaces to disclose specific information up front: the total price with a breakdown, the return, refund, exchange, warranty and cancellation terms, the seller’s identity and contact details, and grievance-redressal contacts. These aren’t suggestions; they’re mandatory disclosures, and a marketplace listing third-party sellers carries extra duties around seller information. Your refund and cancellation clause is where most of this lives, so draft it as a real, accurate description of your process, not a deterrent. For sellers, these duties go well beyond the refund clause, so map the full disclosure list before you publish.
Is a “no refund” clause enforceable in India?
Here’s the myth worth busting: “Indian law doesn’t require refunds, so I can just say no.” Not quite. You can set a commercial refund policy (no refunds on change-of-mind digital purchases, for instance), but you cannot contract away a consumer’s statutory rights. Where goods are defective or a service is deficient, the Consumer Protection Act, 2019 gives the consumer remedies, and a blanket “no refund” clause won’t override that protection. The mistake we see most often is treating a “no refunds” line as armour; in practice it’s enforceable only for the discretionary cases, not for defects and deficiencies. Draft the clause to be honest about both, and you avoid the consumer-forum complaint that an over-broad clause invites.
DIY vs generator vs lawyer: what drafting Terms and Conditions actually costs in India
The most-asked unanswered question in this whole topic is also the most practical: what does this cost? Community answers swing wildly from “free” to “over a lakh,” with no framework in between. So here are the real ranges, and a rule for deciding which path fits your product.
The rupee ranges
At the free end, you draft it yourself from a checklist (your time, no cash). A free or low-cost generator typically runs from zero to around Rs 5,000 and gives you a structured but generic skeleton. A template plus a lawyer review sits in the middle: you pay for a professional to check and tailor a draft you started. A full custom draft by a competent lawyer commonly runs from around Rs 25,000 to Rs 1,00,000 or more, depending on the complexity of your product and how much data and commerce it handles. Why do lawyers charge so much? Because a real custom draft is bespoke risk allocation, not form-filling, and (the flip side) it’s worth asking whether a lawyer has over-engineered a simple product with clauses you’ll never use.
A decision rule: when DIY is fine, when you must pay
Here’s a clean rule. DIY (or generator-plus-heavy-editing) is reasonable when your product is simple, low-data, and low-money: a content site, a basic app collecting an email, a small store with a standard refund flow. You must pay for professional drafting when the stakes climb: you process sensitive or large-scale personal data, you handle payments at volume, you’re an intermediary with real content-liability exposure, or you’re raising funding where investors will diligence your compliance. The decision isn’t about budget; it’s about risk. The better approach, in our view, is to match the spend to the exposure, not to default to the cheapest option and hope.
Why drafting is now an ongoing skill, not a one-time buy
Here’s the shift most cost discussions miss. With phased DPDP deadlines through 2027, the new SGI labelling rules, and e-commerce amendments circulating, Terms and privacy policies have become living documents. They need periodic re-issue, version control, and sometimes re-consent. That changes the economics: a one-off template bought today is stale by the next deadline, while the ability to draft and update these documents in-house is a skill that keeps paying off. Practitioners expect this maintenance burden to grow, not shrink, which is exactly why drafting capability (yours or your counsel’s) is becoming more valuable than any single template.
Your downloadable India-specific Terms and Conditions clause checklist
Pulling it together, here is the consolidated checklist you can work straight through when you draft. It’s the same clause set from the must-have section, grouped so you can tick each one off as you go. A quick caveat before you use it: a checklist is a starting point, not a substitute for tailoring each clause to your actual business and the current statute stack.
- Identity and scope: legal entity, registered address, contact, service description, eligibility and age
- Use rules: user obligations, prohibited use, content rules (the IT Rules 2021 “rules and regulations”)
- Payment and refund: pricing, billing cycle, auto-renewal, refund, cancellation (E-Commerce Rules 2020 disclosures)
- Liability: limitation of liability, indemnity, warranty disclaimer (balanced, per the unfair-contract caution)
- Intellectual property: ownership of your content and marks, the user’s limited licence, user-generated-content licence
- Governing law: Indian law, named jurisdiction, dispute-resolution mechanism
- Privacy cross-reference: link to a separate, DPDP-compliant privacy policy
- Grievance officer: named officer, contact, response timeline (IT Rules 2021)
- Acceptance: clickwrap “I Agree” gate, with logged acceptance
- Maintenance: version number, last-updated date, amendment and re-consent process
Work through every item, write each clause to fit your product, host the documents as live pages, and you’ll have a Terms and Conditions document that clears the gates instead of getting stuck at them.
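Two of those checklist items, the logged "I Agree" acceptance and the version-number/re-consent process, have a concrete engineering side. As an added example (not code from the article or any product it names), this is one way to implement them: an acceptance log that records who agreed, to which exact wording (by hash) and when, chains entries with an HMAC so an edited or deleted record is detectable, and re-gates a user only when a material amendment has been published since their last acceptance. The names TermsVersion, AcceptanceLog and material_change are illustrative assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TermsVersion:
    version: str            # version number shown on the page (illustrative field)
    text: str               # exact wording the user sees
    material_change: bool   # True when the amendment needs fresh consent

    @property
    def digest(self) -> str:
        # Fingerprint of the wording, so a log entry proves which text was agreed to
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()

@dataclass
class AcceptanceLog:
    """Append-only clickwrap log; every entry is HMAC-chained to the previous one."""
    key: bytes                          # HMAC key, kept outside the log store
    entries: list = field(default_factory=list)

    def _mac(self, entry: dict) -> str:
        body = json.dumps(entry, sort_keys=True).encode("utf-8")
        return hmac.new(self.key, body, "sha256").hexdigest()

    def record(self, user_id: str, terms: TermsVersion, accepted_at: str) -> dict:
        # Who agreed, to which exact text, and when (accepted_at is an ISO-8601 UTC timestamp)
        entry = {"user_id": user_id, "version": terms.version,
                 "terms_sha256": terms.digest, "accepted_at": accepted_at,
                 "prev_mac": self.entries[-1]["mac"] if self.entries else ""}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        # Detects any edited, deleted or reordered entry
        prev = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "mac"}
            if body["prev_mac"] != prev or not hmac.compare_digest(self._mac(body), e["mac"]):
                return False
            prev = e["mac"]
        return True

    def needs_acceptance(self, user_id: str, published: list) -> bool:
        # True if the user must pass the "I Agree" gate (again) before proceeding
        last = next((e for e in reversed(self.entries) if e["user_id"] == user_id), None)
        if last is None:
            return True
        accepted = next((v for v in published if v.digest == last["terms_sha256"]), None)
        if accepted is None:   # accepted wording matches no known revision: re-gate
            return True
        # A minor re-issue does not force re-consent; a material amendment does
        return any(v.material_change for v in published[published.index(accepted) + 1:])
```

The `published` list is the ordered history of every revision you have hosted, so keep each revision's text as well as its version number: the hash in the log is only useful if you can still produce the wording it points to.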
Frequently asked questions
1. Are Terms and Conditions mandatory for a website or app in India? There’s no single section that fines you for omitting them, but they’re effectively mandatory for any real product. The IT Rules 2021 require intermediaries to publish a user agreement and privacy policy, payment gateways won’t onboard you without them, and app stores reject apps that lack a valid privacy policy. For a serious digital business, treat them as a launch prerequisite.
2. What is the difference between Terms and Conditions, Terms of Service, Privacy Policy and EULA? Terms and Conditions, Terms of Use and Terms of Service are the same document under different names: the rules of using your service. A privacy policy is a separate, DPDP-regulated disclosure of your data practices. A EULA governs the licence to install and use software you distribute. They do different jobs, so most products need a Terms document plus a privacy policy at minimum.
3. Are website Terms and Conditions legally binding in India? Yes, when they meet contract-law basics and the user actively accepts them. Sec. 10A of the IT Act recognises electronically formed contracts, so a properly captured “I Agree” clickwrap is as binding as a signed paper contract. Enforceability depends on clean acceptance capture and terms that aren’t oppressively one-sided.
4. What must be included in a website or app Terms and Conditions? At minimum: identity and scope, user obligations and prohibited use, payment and refund terms (if you charge), liability limitation and disclaimer, intellectual property, governing law and jurisdiction, a privacy-policy cross-reference, and grievance-officer details. Each clause should describe what your business actually does, not a generic ideal.
5. Do users have to click “I Agree”, or can I just post the terms? Use clickwrap, an active “I Agree” step, rather than browsewrap (a footer link you hope binds them). Indian courts have not settled pure browsewrap, so relying on it is risky. An active acceptance gate plus a stored log of who agreed and when is the pattern that survives a challenge.
6. How does the DPDP Act 2023 and DPDP Rules 2025 affect my privacy policy, and when do obligations start? DPDP makes your privacy policy a regulated document: it must give clear, itemised notice of what data you collect, why, and how users exercise their rights. The Rules were notified on 13-14 November 2025; the Consent Manager registration framework opens around 13 November 2026; core obligations and the Sec. 43A/SPDI repeal land on 13 May 2027. Draft to DPDP language now rather than later.
7. Why was my app rejected from the Play Store for the privacy policy, even after I added one? Usually a hosting problem. The store needs a live, publicly accessible HTML page at a valid URL, not a PDF, a login-gated file, or a link that 404s. Also note the store requires a policy even if your app collects no data, so “no data, no policy” still gets you rejected. Test the link from a fresh browser before resubmitting.
8. Can I copy another website’s Terms and Conditions or use a free generator? Copying carries a copyright risk, but the bigger danger is DPDP misrepresentation: a pasted privacy policy describes data practices you may not actually have, which is a written compliance misstatement. Generators help with structure but are often US/EU-centric and stale on Indian law. Use them for a skeleton, then rewrite every clause to fit your business and current statutes.
9. Should I use a lawyer or a generator, and how much does drafting cost in India? DIY or a generator (roughly zero to Rs 5,000) is fine for simple, low-data, low-money products. A full custom lawyer draft commonly runs from about Rs 25,000 to Rs 1,00,000 or more and is worth it when you handle sensitive data, payments at volume, intermediary liability, or investor diligence. Match the spend to your risk, not your budget.
10. Is a no-refund clause legal for an Indian e-commerce website? You can set a commercial refund policy (for example, no refunds on change-of-mind purchases), but you can’t contract away a consumer’s statutory rights. Where goods are defective or a service is deficient, the Consumer Protection Act, 2019 gives the consumer remedies that a blanket “no refund” clause can’t override. Draft the clause to be honest about both the discretionary and the protected cases.
References
Case Law
- LIC of India v. Consumer Education & Research Centre, (1995) 5 SCC 482; AIR 1995 SC 1811
- Shreya Singhal v. Union of India, (2015) 5 SCC 1; AIR 2015 SC 1523
- Swastik Gases Pvt. Ltd. v. Indian Oil Corporation Ltd., (2013) 9 SCC 32
- Trimex International FZE Ltd. v. Vedanta Aluminium Ltd., (2010) 3 SCC 1
- World Wrestling Entertainment, Inc. v. M/s Reshma Collection, 2014 SCC OnLine Del 2031; Delhi High Court (Division Bench)
Statutes
- Indian Contract Act, 1872
- Information Technology Act, 2000 (Sec. 10A, Sec. 43A, Sec. 79)
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules; repeal effective 13 May 2027)
- Consumer Protection Act, 2019
- Consumer Protection (E-Commerce) Rules, 2020
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
- Digital Personal Data Protection Act, 2023
- Digital Personal Data Protection Rules, 2025
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026 (SGI / synthetically generated information; in force 20 February 2026)
This article is for informational purposes only and does not constitute legal advice. For specific legal guidance, consult a qualified legal professional.