# DPDP-ready customer support agent policy

## Description

Use this policy when an AI support agent processes personal data collected during chat, call, email, ticketing, CRM, or helpdesk workflows.

## Placeholder fields

- Company name: [COMPANY_NAME]
- Support system name: [SUPPORT_AGENT_NAME]
- Privacy contact: [PRIVACY_CONTACT_EMAIL]
- Support owner: [SUPPORT_OWNER]
- Security owner: [SECURITY_OWNER]
- Effective date: [EFFECTIVE_DATE]
- Retention period: [RETENTION_PERIOD]

## Approved purposes

[SUPPORT_AGENT_NAME] may process customer data only to answer support requests, classify tickets, retrieve account-specific context, detect policy risk, summarize support history, and route unresolved issues to human teams.

Customer data must not be reused for advertising, unrelated profiling, or model training by [COMPANY_NAME] unless separate notice, consent, and purpose documentation are approved.

## Data categories

The support agent may encounter name, email, phone number, order ID, account ID, device details, product usage context, chat transcripts, call summaries, and complaint information. Payment card data, Aadhaar, PAN, health data, passwords, OTPs, and authentication secrets must be blocked or redacted from model-visible content.

## DPDP controls

- Present a clear support privacy notice before AI-assisted support begins.
- Limit prompts to information required to resolve the specific support request.
- Redact sensitive identifiers and secrets before model routing.
- Keep audit metadata for support decisions without exposing raw PII to unauthorised roles.
- Allow customers to request access, correction, grievance review, and deletion through [PRIVACY_CONTACT_EMAIL].
- Store support logs only for [RETENTION_PERIOD] unless legal retention is required.

## Escalation

The AI support agent must escalate to a human when a request involves legal claims, financial loss, account closure, identity verification failure, child data, breach reporting, or high-risk personal data.

## Incident response

Suspected support-data leakage must be reported to [SECURITY_OWNER] immediately and handled under [COMPANY_NAME]'s DPDP breach notification process.

This template was reviewed by CrewCheck and aligns with obligations under the DPDP Act 2023.
