A Project by Meridian Bridge Strategy
Compliance Guide

DPDP Compliance for Coworking Spaces

Coworking spaces handle a lot of personal data – member details, access logs, payment info. Talk to our experts.

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

DPDP Action Sheet

Use this before your next workflow goes live. It keeps the useful parts visible and turns DPDP into checks your team can actually answer.

For DPDP Compliance for Coworking Spaces, the DPDP question is how personal data enters the workflow, where it is stored, which tools touch it, what purpose was explained, and how deletion or withdrawal will work.

Check my data flow

1. Lead Forms

Check:

  • What data are you collecting?
  • Is the purpose clear at the point of collection?
  • Is marketing consent separate from service communication?
  • Can the user withdraw consent later?

Common mistake: one checkbox that silently covers newsletters, sales calls, partner sharing and remarketing.

2. Email and WhatsApp

Check:

  • Who is on the list?
  • Where did consent come from?
  • Is the list imported from a vendor, event, webinar, scrape or old CRM?
  • Can you prove the source of consent?

Common mistake: treating every lead as permanently marketable.

3. Ads and Retargeting

Check:

  • Are pixels or ad platforms receiving identifiable user behavior?
  • Are audiences built from customer lists?
  • Are lookalike or remarketing audiences using personal data?

Common mistake: assuming "the ad platform handles it" means your company has no DPDP responsibility.

4. Website Analytics

Check:

  • Which tools run on the site?
  • Are IP address, device identifiers, session IDs or form fields being captured?
  • Is analytics used only for measurement, or also for profiling and targeting?

Common mistake: installing tools first and asking privacy questions later.

5. Vendor List

Make a quick list:

  • CRM
  • Email platform
  • WhatsApp provider
  • Analytics
  • Ad pixels
  • Form tool
  • Landing page builder
  • Webinar tool

For each vendor, answer: what data goes there, why, who can access it and how deletion works.

6. This Week's Action

Map one campaign from first click to final follow-up. Mark every place personal data is collected, enriched, shared, uploaded or used for targeting.

If your team cannot answer where the data came from and where it goes next, start with a data flow map before rewriting policy copy.

Book a DPDP clarity call

Now think about your work. Where does personal data enter your workflows? Where does it sit? Who else touches it?

Frequently asked questions

Can we keep CCTV footage of the common area for a full year?

No. You must set a specific retention period, such as 30 or 60 days, based on genuine security needs. Keeping footage indefinitely without a documented security incident violates data minimization rules.

Do we need consent to display a freelancer’s name on a cabin door?

Yes. If the signage identifies an individual, it is personal data. You must give the member the option to use a generic company name or room number instead of their personal name.

Can we share the member list with our in-house cafe partner?

Only if each member gave explicit, granular consent for third-party marketing. You cannot bundle this permission into the standard membership agreement or the "Terms of Service."

Real-World Examples Companies struggling with this issue

Matrimony

Matrimony.com

41

Matrimony.com collects India's most sensitive personal data categories: caste, religion, income, family background, physical appearance, horoscope details, and disability status. At 41/100, the platform processes data that reveals every protected characteristic under DPDP — creating the highest concentration of sensitive data of any platform analyzed.

⚠️ No DPDP Act 2023 reference
⚠️ Caste, religion, income, and family background data = most sensitive data
+5 more gaps detected
Feb 2026 View Report
Book clarity call