India — DPDP Act & TRAI Regulations
Organizations operating in India or handling Indian personal data must comply with the Digital Personal Data Protection Act 2023 (DPDP) and TRAI's telemarketing and DND regulations. This page explains the relevant controls in Converse.
Digital Personal Data Protection Act 2023 (DPDP)
India's DPDP Act governs the processing of digital personal data of Indian residents. It establishes rights for "Data Principals" (individuals) and obligations for "Data Fiduciaries" (organizations processing data) and "Data Processors" (services like Converse).
Key obligations under DPDP
Consent
Collect personal data only with free, specific, informed, unconditional consent. The consent request must be in clear language and list each purpose.
Use Consent Tracking (Settings → Security) to record consent at the start of calls. The flow can be configured to end gracefully if consent is not given.
Purpose limitation
Use personal data only for the purpose for which consent was given. Do not use data collected for support calls to run marketing campaigns.
Agent-level knowledge and tool isolation ensures each agent only accesses data relevant to its configured purpose.
Data minimization
Collect only the personal data necessary for the stated purpose.
Configure Collect Data nodes to ask for only required fields. Enable PHI Protection to prevent incidental collection being stored.
Storage limitation
Retain personal data only for as long as needed for the stated purpose.
Configure transcript and recording retention policies. Use the Campaign and Calls APIs to delete individual contact records.
Data Principal rights
Individuals have the right to access their data, correct inaccuracies, and request erasure.
Use the Calls API filtered by phone number to export individual call data. Delete contacts from campaigns via the API.
Grievance redressal
Appoint a Data Protection Officer and provide a mechanism for individuals to raise complaints.
Configure a "speak to an officer" path in your flow or agent for callers who raise complaints.
Data localization
DPDP and certain RBI/SEBI sector guidelines require that sensitive financial and personal data of Indian residents be stored in India. Contact us to configure India data residency for your account — all call data, transcripts, recordings, and campaign contacts will be stored in Indian data centers.
TRAI — Telemarketing & DND Regulations
The Telecom Regulatory Authority of India (TRAI) regulates telemarketing and unsolicited commercial communications. The key regulations are:
- NCPR (Do Not Disturb) registry: Do not call numbers registered on the National Customer Preference Registry.
- Calling hours: Unsolicited commercial calls can only be made between 9am and 9pm. The platform's campaign schedule should be set accordingly.
- Identification: The calling party must identify itself at the start of every commercial call.
- CLI (Caller Line Identification): The actual calling number must be transmitted — no number spoofing.
- Opt-out mechanism: Callers must be told they can opt out. The platform automatically marks contacts as do_not_call when they express this wish.
Check DND before dialing
Configuring TRAI-compliant campaigns
Set campaign calling hours to 9am–9pm only (use schedule_start_hour: 9, schedule_end_hour: 21)
System prompt must include: "This is an automated call from [Company Name]. You can opt out at any time."
System prompt must include: "Press * or say 'remove me' to stop receiving calls from us."
Configure "do not call", "remove me", "stop", "opt out" as campaign opt-out keywords
Ensure the campaign from_number has a valid CLI registered with your telecom provider
Scrub contact lists against NCPR before uploading — maintain proof of scrubbing
Log each campaign run with start time, end time, and contact list hash for audit purposes
RBI guidelines for financial institutions
For banks, NBFCs, and payment companies regulated by the Reserve Bank of India:
- Fair Practices Code: AI agents used for collections must comply with RBI's Fair Practices Code — no harassment, threats, or calling outside permitted hours.
- Grievance redressal: Every customer interaction must have a clear path to a human for complaints and escalations.
- Record retention: Customer communication records typically must be retained for 5–7 years. Configure recording retention accordingly.
- Data localization: Certain payment system data must be stored exclusively in India. See data localization section above.
Agent configuration for India
Add these instructions to your agent system prompts for India-compliant calls:
# Add to system prompt:
At the start of every call, introduce yourself:
"Hello, this is an automated call from [Company Name]."
If the customer asks to not be called again, uses phrases like
"remove me", "don't call", "stop calling", "DND",
confirm you will note their request and end the call politely.
Do not call back after an opt-out. Never use threatening language.
If the caller wants to file a complaint, provide this number: [Grievance number].
