Compliance Summary
Effective: 1 May 2026
This page summarizes the major laws and standards that apply when you use the Splashify Pro Email API. It is informational — it is not a substitute for legal advice from a lawyer qualified in your jurisdiction.
The full obligations are documented in the API Terms of Service, Acceptable Use Policy, Anti-Spam Policy, Data Processing Agreement, and Privacy Policy.
India
Information Technology Act, 2000
The IT Act governs electronic records, intermediary liability, and reasonable security practices.
Our compliance:
- We operate as an “intermediary” under §2(1)(w) and observe intermediary due diligence under Rule 3 of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
- We have appointed a Grievance Officer with public contact details.
- Reasonable security practices are implemented per §43A, using ISO 27001-aligned controls.
- Content is taken down on receipt of a court order or government notification per §69A and Rule 3(1)(d).
Your obligation: Don’t send content prohibited by §66, §67, §69 of the IT Act (impersonation, obscenity, defamation, hate speech).
Digital Personal Data Protection Act, 2023
India’s first comprehensive privacy law. Key concepts:
- Data Fiduciary — you, when sending to your end-customers.
- Data Processor — Splashify Pro, processing recipient data on your instructions.
- Data Principal — the recipient (or you, when we hold your account data).
Key obligations on you (Data Fiduciary):
| Obligation | What it means for email senders |
|---|---|
| Lawful purpose (§4) | Only send for a lawful purpose with a valid lawful basis |
| Notice (§5) | Tell recipients what data you collect, for what purpose, and how to withdraw consent — at the point of collection, in their preferred language |
| Consent (§6) | Free, specific, informed, unconditional, unambiguous; clear affirmative action |
| Withdrawal (§6(4)) | As easy to withdraw as to give |
| Purpose limitation (§7) | Don’t repurpose data without fresh consent |
| Storage limitation (§8(7)) | Delete when purpose is fulfilled |
| Data Principal rights (§11–13) | Honor access, correction, erasure, grievance |
| Breach notification (§8(6)) | Notify Data Protection Board “without delay” |
| Children (§9) | Don’t process personal data of minors without parental consent; no behavioral monitoring |
Significant Data Fiduciaries (designated by the Central Government for high-volume or sensitive processing) have additional obligations including a Data Protection Officer, audits, and DPIA. We act as DPF and meet those requirements; you should evaluate whether you do too.
Penalties: Up to INR 250 crore per violation.
Telecom Commercial Communications Customer Preference Regulations, 2018 (TRAI)
These regulations primarily target SMS and voice calls but are referenced in connection with unsolicited commercial communications generally. Email is largely governed by the IT Act and the DPDP Act. Senders running multi-channel campaigns should observe DND (Do Not Disturb) preferences.
Income Tax Act, 1961 — Record retention
We retain billing records for 8 years per §44AA. Tax invoices issued through Zoho Payments include GSTIN and HSN/SAC codes per GST law.
European Union / EEA
General Data Protection Regulation (GDPR) — Regulation 2016/679
Applies to processing of personal data of EU/EEA residents, regardless of where the processor is located.
Roles: You are the Controller; Splashify Pro is the Processor. The DPA is the Article 28 written contract.
Key obligations on you (Controller):
- Lawful basis (Article 6) — for marketing email, this is typically consent (Article 6(1)(a)) or legitimate interest (Article 6(1)(f)) balanced against the recipient’s privacy rights.
- Information at collection (Articles 13–14).
- Purpose limitation, data minimization, storage limitation (Article 5).
- Records of processing (Article 30).
- Data Subject rights (Articles 15–22).
- Breach notification within 72 hours (Article 33).
- Data Protection Impact Assessment for high-risk processing (Article 35).
- Lawful international transfers (Articles 44–49).
Penalties: Up to EUR 20 million or 4% of global annual turnover, whichever is higher.
ePrivacy Directive — 2002/58/EC (as amended)
Requires prior opt-in consent for direct marketing email to natural persons in the EU/EEA, even where GDPR would allow legitimate interest. Limited “soft opt-in” exception for similar products to existing customers (Article 13(2)) with each message offering an unsubscribe.
LGPD (Brazil) — Lei Geral de Proteção de Dados Pessoais
GDPR-aligned. Same consent rigor and rights. We comply for transfers involving Brazilian residents.
United States
CAN-SPAM Act, 2003
Federal law. Applies to commercial email sent to US recipients.
Key obligations:
- Accurate From, Reply-To, and routing information.
- Truthful Subject lines.
- Identification as advertisement (where applicable).
- Valid physical postal address of the sender.
- Functional unsubscribe processed within 10 business days.
Penalties: Up to USD 50,120 per email under FTC enforcement.
State laws
California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and other state privacy laws may impose additional requirements depending on the recipients you target.
TCPA — Telephone Consumer Protection Act
Primarily covers calls and SMS, but it is cited in unsolicited-message litigation. Email senders running mixed-channel campaigns should be aware of it.
Canada
CASL — Canada’s Anti-Spam Law
Among the strictest anti-spam laws globally.
Key obligations:
- Express consent (verbal recording or written log) for marketing.
- Identification of the sender, including any person on whose behalf the message is sent.
- Functional unsubscribe processed within 10 business days.
Penalties: Up to CAD 10 million per violation.
Other notable jurisdictions
| Country | Key law | Notes |
|---|---|---|
| UK | UK GDPR + Data Protection Act 2018 | Substantially aligned with EU GDPR post-Brexit |
| Australia | Spam Act 2003 + Privacy Act 1988 | Express, inferred, or implied consent |
| Singapore | PDPA 2012 + Spam Control Act 2007 | Opt-in / opt-out hybrid |
| UAE | PDPL 2021 | GDPR-aligned, UAE-specific bases |
| Switzerland | revFADP 2023 | GDPR-aligned |
Standards and certifications
We work toward and align with:
- ISO 27001 (Information Security Management System) — design aligned; certification roadmap on the trust portal.
- SOC 2 Type 2 — audit roadmap on the trust portal.
- PCI DSS — payment processing is delegated to Zoho Payments (PCI Level 1); we never store cardholder data.
Trust portal: trust.splashifypro.com (forthcoming).
What this means in practice
If you are sending email through Splashify Pro:
- Have a lawful basis for every recipient on your list. For most, that’s clear affirmative consent.
- Maintain a record of consent — what was said, when, from where.
- Include in every marketing email: accurate sender identity, a valid physical address, a functional unsubscribe link.
- Honor unsubscribes immediately (we do this within seconds).
- Don’t use the API for content prohibited by the Acceptable Use Policy.
- If you experience a data breach involving recipient data, notify us at security@splashifypro.in within 24 hours so we can support you in the breach-notification timeline.
Get help
For specific compliance questions, consult a lawyer in the relevant jurisdiction. For Splashify Pro’s compliance posture, email legal@splashifypro.in. For data-protection enquiries, email dpo@splashifypro.in.