Privacy Policy
Effective date: February 26, 2026
1. Introduction
This Privacy Policy explains how Udit Goenka ("we," "us," or "our"), operating the website udit.co (the "Website"), collects, uses, discloses, and protects your personal data. We are committed to safeguarding your privacy in accordance with applicable Indian law, including:
- The Information Technology Act, 2000 ("IT Act") and Section 43A thereof
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
- The Digital Personal Data Protection Act, 2023 ("DPDP Act")
As the Data Fiduciary under the DPDP Act, we determine the purpose and means of processing your personal data. By using this Website, you acknowledge that you have read and understood this Privacy Policy.
Data Fiduciary: Udit Goenka, Maharashtra, India. [email protected]
2. Information We Collect
2.1 Information You Provide Directly
- Email address when subscribing to our newsletter via the Substack embed on this Website.
2.2 Information Collected Automatically
- IP address (collected by our hosting provider, Railway)
- Device type, browser type, and operating system
- Pages visited, time spent, and referring URLs
2.3 Cookies
We use cookies as described in our Cookie Policy.
We do NOT collect Sensitive Personal Data or Information (SPDI) as defined under the SPDI Rules — including passwords, financial information, health data, biometric data, or sexual orientation.
3. How We Use Your Information
We process your personal data for the following purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Deliver newsletter content | Email address | Your consent (Substack signup) |
| Website hosting and delivery | IP address, device info | Legitimate interest (IT Act S.43A) |
| Understand website usage | Usage data, cookies | Legitimate interest / consent |
| Improve website experience | Device info, usage data | Legitimate interest |
| Security and fraud prevention | IP address, server logs | Legal obligation (IT Act 2000) |
| Respond to inquiries | Email address | Your consent |
We do NOT sell, rent, or trade your personal data to third parties.
4. Third-Party Services
We use the following third-party services that may process your personal data. Each operates under its own privacy policy:
| Service | Purpose | Data Processed |
|---|---|---|
| Substack | Newsletter delivery | Email address |
| Railway | Website hosting | IP address, server logs |
| GitHub | Source code hosting | No user data from visitors |
Substack acts as an independent data controller for newsletter subscribers. Please review Substack's Privacy Policy to understand how they manage your data.
5. Data Retention
We retain your personal data only as long as necessary for the stated purpose:
| Data Type | Retention Period |
|---|---|
| Email address (newsletter) | Until you unsubscribe |
| Server logs (IP address) | 90 days |
| Analytics data | 26 months; anonymised after 90 days |
| Cookies | Varies (see Cookie Policy) |
After the retention period, data is securely deleted or anonymised in accordance with the DPDP Act 2023 and SPDI Rules.
6. Your Rights as a Data Principal
Under the Digital Personal Data Protection Act, 2023, you have the following rights as a Data Principal:
- Right to Access: Obtain a summary of personal data processed and the processing activities undertaken.
- Right to Correction: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of personal data where it is no longer necessary for the purpose for which it was collected.
- Right to Grievance Redressal: Raise grievances regarding processing of your personal data.
- Right to Nominate: Nominate an individual to exercise rights on your behalf in the event of your death or incapacity.
To exercise any of these rights, contact us at [email protected]. We will respond within the timelines prescribed under applicable law.
For newsletter-related requests (unsubscribe, data deletion), you may also use the unsubscribe link in any newsletter email or contact Substack directly.
7. Cross-Border Data Transfers
Our third-party service providers (Substack and Railway) may store and process your personal data outside India. Such transfers are made in compliance with Section 16(1) of the DPDP Act 2023, which permits transfer of personal data to countries or territories not restricted by the Central Government.
As of the effective date of this Privacy Policy, no restricted jurisdictions have been notified by the Government of India under the DPDP Act. We will update this Policy if restrictions are imposed that affect these transfers.
We take reasonable steps to ensure that your data receives an adequate level of protection regardless of where it is processed.
8. Security Measures
We implement reasonable security practices and procedures as required under Section 43A of the IT Act and the SPDI Rules, including:
- HTTPS/TLS encryption for all data in transit
- Access controls limiting data access to authorised personnel only
- Secure hosting infrastructure via Railway
- Regular security updates and dependency patching
- No storage of sensitive personal data in plaintext
While we take reasonable precautions, no method of transmission over the internet is 100% secure. In the event of a data breach affecting your rights, we will notify you as required by law.
9. Children's Privacy
This Website is not directed at children under the age of 18. We do not knowingly collect personal data from minors. The DPDP Act 2023 requires verifiable parental or guardian consent before processing personal data of individuals under 18.
If you believe we have inadvertently collected personal data from a child, please contact us immediately at [email protected] and we will promptly delete such data.
10. Cookies
We use cookies and similar tracking technologies on this Website. Cookies help us understand how visitors interact with the Website and improve your experience.
For detailed information on the types of cookies we use, their purpose, and how to manage your cookie preferences, please refer to our Cookie Policy.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. When we make changes, we will:
- Update the effective date at the top of this page
- Post the revised Privacy Policy on this Website
Your continued use of the Website after any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.
12. Grievance Officer
In accordance with the IT Act 2000, SPDI Rules 2011, and the DPDP Act 2023, we have designated a Grievance Officer to address any concerns or complaints regarding the processing of your personal data:
- Name: Udit Goenka
- Designation: Proprietor & Grievance Officer
- Address: Maharashtra, India
- Email: [email protected]
Response timelines:
- Acknowledgement: within 2 working days
- Resolution: within 10 business days of receipt
- Final resolution: within 30 days
If your grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India (once operational) or seek legal recourse through the courts of Maharashtra, India.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:
- Email: [email protected]
- Website: https://udit.co
For queries specific to your newsletter subscription, please contact Substack support directly.