Operating posture in one line
Menthra operates as a wellness-support technology platform — not as a regulated medical device, not as a telemedicine practice — and complies with the data-protection, cyber-incident, and child-safety laws that apply to digital platforms serving users in India.
1. Data Protection
Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 ("DPDP Act") is India's first comprehensive personal data protection law. The DPDP Rules, 2025 were notified by the Ministry of Electronics and IT on 13 November 2025 and operationalize the Act in three phases.
Implementation timeline
- Since 14 November 2025: Data Protection Board of India established; procedural provisions in force.
- Effective 13 November 2026: Consent Manager registration framework comes into effect.
- Effective 13 May 2027: Substantive obligations — notice, consent, security, breach reporting, children's data, cross-border transfer.
Menthra's status and obligations
- ✓ Menthra is the Data Fiduciary for Indian users — the entity determining the purpose and means of processing personal data.
- ✓ We obtain consent that is free, specific, informed, unconditional, and unambiguous, with notices in plain language. Consent can be withdrawn at any time.
- ✓ We implement reasonable security safeguards: encryption in transit and at rest, access controls and access logging, backups, and breach-detection mechanisms.
- ✓ For users under 18, we require verifiable parental consent before processing personal data. Behavioural monitoring and targeted advertising directed at children are prohibited.
- ✓ Personal data breaches are reported to the Data Protection Board and to affected Data Principals as required.
2. Cyber Incident Reporting
IT Act & CERT-In Directions, 2022
Menthra is a "body corporate" within the meaning of the Information Technology Act, 2000 and is bound by the Indian Computer Emergency Response Team (CERT-In) Directions of 28 April 2022.
- ✓ Cybersecurity incidents are reported to CERT-In within 6 hours of detection.
- ✓ ICT system logs are maintained securely for 180 days within Indian jurisdiction.
- ✓ System clocks synchronize to NTP servers of the National Informatics Centre / National Physical Laboratory.
3. Wellness Positioning
Two-lane architecture
Three Indian frameworks govern the practice of mental healthcare and telemedicine — the Mental Healthcare Act, 2017, the Telemedicine Practice Guidelines, 2020, and the Telepsychiatry Operational Guidelines, 2020. Menthra operates two strictly separated lanes that are intentionally designed around these frameworks.
AI companion conversations, journaling, mood tracking, psycho-education, behavioural insights. The AI does not diagnose, does not prescribe, does not establish a doctor-patient relationship, and is not held out as a substitute for clinical care. Users see clear AI disclosure on every session. This lane is not regulated under MHCA, TPG, or Telepsychiatry Guidelines.
Where a licensed therapist (RCI-registered psychologist or NMC-registered psychiatrist) uses Menthra to extend their own practice. The therapist's existing professional licence and clinical obligations apply to the therapist; Menthra is the technology vendor.
Three-level architecture: Level 1 supportive response, Level 2 active resource provision, Level 3 emergency-services prompt. See the global compliance page for full escalation detail.
4. Child Safety
POCSO Act, 2012 + DPDP Children's Provisions
The Protection of Children from Sexual Offences Act, 2012 protects all persons under 18. Menthra's child-safety design includes:
- ✓ Verifiable parental consent gate for users under 13 (Menthra Bloom).
- ✓ Crisis-detection prompts tuned for teen-specific risk signals.
- ✓ Documented escalation protocols where the platform has knowledge or apprehension of an offence within the meaning of Section 19 POCSO.
- ✓ No behavioural monitoring or targeted advertising directed at minors.
5. Crisis Resources for India
If you or someone you know is in crisis.
Please reach out — you are not alone.
- iCall (TISS): 9152987821
- Vandrevala Foundation: 1860-2662-345 / 1800-2333-330 (24×7)
- AASRA: 9820466726 (24×7)
- KIRAN (Government of India helpline): 1800-599-0019 (24×7)
- Emergency Services: 112
6. Documentation Available on Request
Available to enterprise customers, advisors, investors, and regulators on request.
- 📄 Data Processing Agreement (DPDP-compliant)
- 📄 BAA template (for HIPAA-aligned engagements)
- 📄 SOC 2 Type II report
- 📄 Penetration test summary
- 📄 Subprocessors list with India data flow mapping
7. Grievance Officer
For grievances under Indian IT Rules, 2021.
Per the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021:
- Grievance Officer: Dinakara Nagalla, Founder & CEO
- Email: dinakara.nagalla@menthra.ai
- Response window: Acknowledgement within 24 hours; resolution within 15 days.
8. Primary Sources
For verification, please consult:
- ↗ DPDP Act, 2023 — www.indiacode.nic.in/
- ↗ DPDP Rules, 2025 — www.meity.gov.in/data-protection-framework
- ↗ CERT-In Directions, 2022 — www.cert-in.org.in/
- ↗ Mental Healthcare Act, 2017 — www.indiacode.nic.in/
- ↗ Telemedicine Practice Guidelines, 2020 — www.mohfw.gov.in/