Skip to content
checkDPDP

Your Rights · Section 12

How to delete or revoke your data from any website in India

Under Section 12 of the DPDP Act 2023, every person in India can demand that a website, app, hospital, bank, school or any other company correct, complete, update or erase the personal data it holds about them — and stop sharing it with third parties. Here is the free 4-step process and the email template you can copy-paste.

In one paragraph

What Section 12 actually entitles you to

Section 12(2) lets you ask any Data Fiduciary to correct, complete or update personal data it holds about you. Section 12(3) gives you a separate right to erasepersonal data that is no longer necessary for the purpose it was collected for — unless a specific law forces the company to keep it. Both are unconditional rights: you do not have to explain why, and the company cannot charge you for a normal request.

Together with Section 6(4) (withdraw consent), this is the most powerful combination in the Act. Send all three in the same email and the company is left only with whatever they are legally required to keep — which, for an unused account, is usually nothing.

Copy, paste, send

The Section 12 erasure email (works for any Indian website)

Subject: Correction and erasure request under Section 12 of the DPDP Act, 2023

To the Grievance Officer / Data Protection Officer,
[Company name]

I am a Data Principal under the Digital Personal Data Protection Act, 2023.
Please action the following under Section 12, in respect of personal data
you hold about me:

  1. CORRECTION / COMPLETION / UPDATING (Section 12(2)):
     • [Field]: change “[old value]” to “[new value]”
     • [Field]: complete with “[missing value]”
     • [or: “no corrections required at this time”]

  2. ERASURE (Section 12(3)):
     Please erase all personal data you hold about me, including back-ups
     and data shared with any processor or third party, EXCEPT data you
     are specifically required by law to retain. For any data you must
     retain, please tell me:
       (a) what data,
       (b) under which law,
       (c) for how long, and
       (d) confirm it will not be used for any other purpose.

  3. THIRD PARTIES: Please forward this instruction to every Data
     Fiduciary or Data Processor with whom you have shared my data, and
     confirm in writing once each has actioned it.

  4. WITHDRAWAL OF CONSENT (Section 6(4)): To the extent any future
     processing relies on consent I previously gave, I withdraw that
     consent.

Please link this request to my account using:
  • Registered email: [your email]
  • Registered phone: [+91 ...]
  • Account / customer ID: [if known]

I expect a substantive response within 30 days, with marketing stopped
within 48 hours. If I do not hear back, I will proceed under Section 13
(grievance redressal) and, if needed, file a complaint with the Data
Protection Board of India.

Sincerely,
[Your full name]
[Date]

Tip: send it from the email address on file with the company so they can verify your identity from headers alone. Cc yourself and keep the sent mail — it is your timestamp for the 30-day window.

The 4-step process

From “I want my data gone” to confirmation in writing

  1. Step 1 · 2 min

    Find the Grievance Officer

    Privacy policy → search “Grievance” or “DPO”. Every Indian website must publish this under Section 8(9).

  2. Step 2 · 5 min

    Personalise the template

    Paste, fill in your registered email / phone / account ID. You don’t need to give any reason.

  3. Step 3 · < 30 days

    Wait the response window

    Acknowledgement should arrive in days; substantive reply in 30. Marketing should stop within 48 hours.

  4. Step 4 · only if needed

    Escalate to the DPB

    No response or weak response? File a complaint with the Data Protection Board →

Worth knowing

The 4 things companies routinely get wrong

“We will close your account”

Closing the account is not erasure. Insist they confirm in writing that the underlying personal data has been deleted, not just deactivated.

“We need to keep it for our records”

Their commercial preference is not a legal obligation. Make them name the law and the retention period — most internal “records” do not qualify.

“We have shared it, we cannot recall it”

Section 8(5) makes them responsible for instructing every processor and third party they shared the data with. They have to forward your instruction and confirm each one actions it.

“We will anonymise it instead”

Truly anonymised data is fine. “Hashed email” or “pseudonymised user_id” is not anonymisation — it is still personal data under the DPDP Act. Demand actual erasure.

Common questions

FAQ — including the most-searched ones

How do I delete my data from a website in India?

Send a written erasure request under Section 12(3) of the DPDP Act to the company’s Grievance Officer (their email is in the privacy policy). The 6-line template below is enough. They must erase the data unless a specific law requires them to keep it.

How do I revoke consent I already gave a website?

Use Section 6(4) of the DPDP Act and the withdrawal email. That stops future processing. To also delete the data they have already collected, send the erasure request on this page in the same email — “withdraw my consent AND erase my data”.

How long does the company have to delete my data?

The DPDP Rules expect a substantive response within 30 days. Marketing must stop within 48 hours. If the company says it must legally retain part of the data, it has to tell you exactly which part, under which law, and for how long.

What if the company refuses to delete my data?

They can only refuse if a specific law forces them to keep it (e.g. tax records under the Income-tax Act). Even then, they must (a) stop using it for anything else, (b) tell you what is retained and why, and (c) delete it once the legal hold lifts. A blanket refusal is grounds for a complaint to the Data Protection Board.

Can I delete data from Indian apps like Paytm, Zomato, BookMyShow, Swiggy?

Yes. Every Indian-facing app or website is a Data Fiduciary under the DPDP Act and is subject to Section 12. Find the Grievance Officer in the app’s privacy policy or “Help / Contact us” section and send the template below.

What if my data was sold or shared with a third party?

Under Section 8(5) the original Data Fiduciary remains responsible for the data they shared. Ask them to forward your erasure instruction to every party they shared it with, and to confirm in writing that each one has actioned it.

Related

Send these together for maximum effect

Withdraw consent →

Stops future processing. Pair with erasure for the strongest effect.

See what they hold →

Send an access request first if you want to verify what they actually deleted.

If they ignore you →

Escalate to the Data Protection Board — they can fine the company up to ₹250 crore.