Converse Logo
Security & Compliance

India — DPDP Act & TRAI Regulations

Organizations operating in India or handling Indian personal data must comply with the Digital Personal Data Protection Act 2023 (DPDP) and TRAI's telemarketing and DND regulations. This page explains the relevant controls in Converse.

Digital Personal Data Protection Act 2023 (DPDP)

India's DPDP Act governs the processing of digital personal data of Indian residents. It establishes rights for "Data Principals" (individuals) and obligations for "Data Fiduciaries" (organizations processing data) and "Data Processors" (services like Converse).

Key obligations under DPDP

Consent

Collect personal data only with free, specific, informed, unconditional consent. The consent request must be in clear language and list each purpose.

Use Consent Tracking (Settings → Security) to record consent at the start of calls. The flow can be configured to end gracefully if consent is not given.

Purpose limitation

Use personal data only for the purpose for which consent was given. Do not use data collected for support calls to run marketing campaigns.

Agent-level knowledge and tool isolation ensures each agent only accesses data relevant to its configured purpose.

Data minimization

Collect only the personal data necessary for the stated purpose.

Configure Collect Data nodes to ask for only required fields. Enable PHI Protection to prevent incidental collection being stored.

Storage limitation

Retain personal data only for as long as needed for the stated purpose.

Configure transcript and recording retention policies. Use the Campaign and Calls APIs to delete individual contact records.

Data Principal rights

Individuals have the right to access their data, correct inaccuracies, and request erasure.

Use the Calls API filtered by phone number to export individual call data. Delete contacts from campaigns via the API.

Grievance redressal

Appoint a Data Protection Officer and provide a mechanism for individuals to raise complaints.

Configure a "speak to an officer" path in your flow or agent for callers who raise complaints.

Data localization

DPDP and certain RBI/SEBI sector guidelines require that sensitive financial and personal data of Indian residents be stored in India. Contact us to configure India data residency for your account — all call data, transcripts, recordings, and campaign contacts will be stored in Indian data centers.

TRAI — Telemarketing & DND Regulations

The Telecom Regulatory Authority of India (TRAI) regulates telemarketing and unsolicited commercial communications. The key regulations are:

Check DND before dialing

Before uploading contacts to a campaign, scrub your contact list against the NCPR database. TRAI imposes significant penalties for calling DND-registered numbers. The Converse platform does not automatically check the NCPR registry — this is your organization's responsibility.

Configuring TRAI-compliant campaigns

Set campaign calling hours to 9am–9pm only (use schedule_start_hour: 9, schedule_end_hour: 21)

System prompt must include: "This is an automated call from [Company Name]. You can opt out at any time."

System prompt must include: "Press * or say 'remove me' to stop receiving calls from us."

Configure "do not call", "remove me", "stop", "opt out" as campaign opt-out keywords

Ensure the campaign from_number has a valid CLI registered with your telecom provider

Scrub contact lists against NCPR before uploading — maintain proof of scrubbing

Log each campaign run with start time, end time, and contact list hash for audit purposes

RBI guidelines for financial institutions

For banks, NBFCs, and payment companies regulated by the Reserve Bank of India:

Agent configuration for India

Add these instructions to your agent system prompts for India-compliant calls:

# Add to system prompt:

At the start of every call, introduce yourself:

"Hello, this is an automated call from [Company Name]."

If the customer asks to not be called again, uses phrases like

"remove me", "don't call", "stop calling", "DND",

confirm you will note their request and end the call politely.

Do not call back after an opt-out. Never use threatening language.

If the caller wants to file a complaint, provide this number: [Grievance number].