Indian Law Compliance Gap Analysis
A technical audit comparing the current platform implementation against mandatory requirements under the Indian IT Act 2000, the IT (Intermediary Guidelines) Rules 2021, the DPDP Act 2023, and matrimonial platform best practices.
Mandatory Configuration & UI Banners
Legal basis: Consumer Protection (E-Commerce) Rules 2020: platforms must clearly disclose their service status and limitations. Running a beta without a visible notice risks the platform being treated as a commercial service subject to full compliance.
| Requirement | Status | Priority | Gap / Action Needed |
|---|---|---|---|
| Global beta banner: non-dismissible notice on index, register, dashboard | Missing | CRITICAL | No beta notice exists anywhere. Inject a top-of-page strip banner in base.html controlled by a SiteSetting("beta_mode") flag. Copy: "Closed Beta — demonstration only. No premium fees charged." |
| PAYMENT_ENABLED feature flag: config gate blocking all payment flows | Missing | CRITICAL | Payment routes (/donate, /membership) are fully live with no feature flag. Add PAYMENT_ENABLED = False to TestingConfig and ProductionConfig (until corporate docs are obtained), read it with a False default so a missing key fails closed, and enforce it in a before_request guard on the donate and membership blueprints rather than only hiding links in templates. |
| Age gate: gender-specific minimum, 18 for women and 21 for men | Partial | CRITICAL | Current code: if age < 18 for ALL genders. Fix: in auth/routes.py:137, take gender from the validated form data (never from a client-side hint) and apply min_age = 21 if gender == "male" else 18, deriving age from the submitted date of birth on the server. Mirror the rule in the frontend wizard step for UX only; the server check is the control. Basis: Prohibition of Child Marriage Act 2006 (minimum marriageable age 21 for men, 18 for women). |
| COMPLIANCE_STATUS config flag: NON_COMMERCIAL_INTERMEDIARY declaration | Missing | MEDIUM | Add COMPLIANCE_STATUS = "NON_COMMERCIAL_INTERMEDIARY" to config.py. Expose it in the admin panel for visibility. No functional impact, but it documents the platform's self-classification for the audit trail if ever questioned by authorities. |
Mandatory Data Retention — 365-Day Retention Policy
Legal basis: IT (Intermediary Guidelines) Rules 2021 Rule 3(1)(h): an intermediary that collects registration information must retain it for at least 180 days after the user cancels or withdraws registration, or longer where a court or lawfully authorised government agency requires it. The platform's own policy of 365 days satisfies that statutory floor. Failing to observe this due diligence forfeits the IT Act §79 safe harbour and exposes the operator to liability for third-party content.
| Requirement | Status | Priority | Gap / Action Needed |
|---|---|---|---|
| Soft delete (is_deleted / deleted_at): no hard DELETE on user records | Done | LOW | User.soft_delete() sets deleted_at = NOW(); the User.is_deleted property exists. Verify: the account-deletion route in account/routes.py must call user.soft_delete() and not db.session.delete(user). |
| user_compliance_logs table: tracks SIGNUP, LOGIN, PROFILE_UPDATE, DELETE_REQUEST with IP + UA | Missing | CRITICAL | No compliance log model exists. The existing AuditLog import in __init__.py references a model that has no file in app/models/. Create app/models/compliance_log.py with columns user_id, action_type, ip_address, user_agent, timestamp; run the migration; log events in the auth login, register and account-delete handlers. Basis: IT Rules 2021 Rule 3(1)(h) (retention of registration information). |
| 365-day retention enforcement: auto-purge compliance logs older than one year | Missing | HIGH | No scheduled purge job exists. Add a Flask CLI command, flask compliance purge, that hard-deletes compliance log rows and user records where deleted_at < NOW() - 365 days. Schedule it via cron on the server. The cutoff must never drop below the 180-day statutory minimum, and rows for users under a court or agency preservation order must be excluded from the purge. |
| IP address capture on login/register: request.remote_addr stored per session event | Missing | HIGH | Current login/register routes do not capture request.remote_addr or request.user_agent. Blocked by the compliance_log table not existing. Once the table is created, add logging calls to the auth/routes.py login and register handlers. Caveat: behind a reverse proxy, request.remote_addr is the proxy's address; wrap the app in werkzeug's ProxyFix with x_for set to the number of proxies you actually operate, and never read X-Forwarded-For directly, because the client controls every entry in that header except the ones your own proxies append. |
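Worked example for the compliance-log, IP-capture and purge rows (added here; it is not the project's code, and the dataclass stands in for the SQLAlchemy model): client IP resolution with the same trust semantics as werkzeug's ProxyFix(x_for=n), bounded user-agent capture, and a purge selector that refuses any window below the 180-day statutory floor and honours a legal-hold set. The `trusted_proxy_hops` and `legal_hold` parameters and all function names are assumptions; the log entries built in the test are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# IT Rules 2021 Rule 3(1)(h): keep registration information for at least 180 days
# after the user withdraws. The platform policy in this document is 365 days.
STATUTORY_MIN_RETENTION_DAYS = 180
RETENTION_DAYS = 365
ACTIONS = {"SIGNUP", "LOGIN", "PROFILE_UPDATE", "DELETE_REQUEST"}


@dataclass
class ComplianceLog:
    """Mirror of the proposed user_compliance_logs columns (ORM mapping omitted)."""
    user_id: int
    action_type: str
    ip_address: str
    user_agent: str
    timestamp: datetime


def client_ip(remote_addr, x_forwarded_for, trusted_proxy_hops):
    """Resolve the client address the way werkzeug's ProxyFix(x_for=n) does.

    remote_addr is the TCP peer, i.e. the reverse proxy when one is in front
    of the app. Every X-Forwarded-For entry except the last `trusted_proxy_hops`
    is attacker-controlled, so only the entry appended by the outermost proxy
    we operate is believed; anything inconsistent falls back to remote_addr.
    """
    if trusted_proxy_hops <= 0 or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if len(hops) < trusted_proxy_hops:
        return remote_addr  # header shorter than our proxy chain: not ours
    candidate = hops[-trusted_proxy_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr  # garbage in the header: log the peer instead


def record_event(log, user_id, action_type, remote_addr, x_forwarded_for,
                 user_agent, trusted_proxy_hops=1, now=None):
    """Append one row; in the real handler `log` would be the SQLAlchemy session."""
    if action_type not in ACTIONS:
        raise ValueError(f"unknown compliance action {action_type!r}")
    entry = ComplianceLog(
        user_id=user_id,
        action_type=action_type,
        ip_address=client_ip(remote_addr, x_forwarded_for, trusted_proxy_hops),
        user_agent=(user_agent or "")[:512],  # bound the column; UA is attacker-supplied
        timestamp=now or datetime.now(timezone.utc),
    )
    log.append(entry)
    return entry


def retention_is_lawful(retention_days):
    """A purge window shorter than the statutory floor is never acceptable."""
    return retention_days >= STATUTORY_MIN_RETENTION_DAYS


def purge_candidates(entries, deleted_at_by_user, now,
                     retention_days=RETENTION_DAYS, legal_hold=frozenset()):
    """Rows the `flask compliance purge` job may hard-delete.

    A row is purgeable only when its user requested deletion more than
    retention_days ago and is not under a court/agency preservation order.
    Rows of active users are kept; deleting them is outside this job's remit.
    """
    if not retention_is_lawful(retention_days):
        raise ValueError(
            f"retention {retention_days}d is below the {STATUTORY_MIN_RETENTION_DAYS}d floor")
    cutoff = now - timedelta(days=retention_days)
    return [
        e for e in entries
        if e.user_id not in legal_hold
        and deleted_at_by_user.get(e.user_id) is not None
        and deleted_at_by_user[e.user_id] < cutoff
    ]
```

In the Flask app the equivalent of client_ip is `ProxyFix(app.wsgi_app, x_for=1)` for a single nginx hop, after which request.remote_addr already holds the value this function returns; the function exists here to make the trust boundary explicit and testable.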
Anti-Scam & Intermediary Liability Shield
Legal basis: IPC §420 / BNS §318 (cheating): if a scammer defrauds a user, the platform's IT Act §79 safe harbour holds only if it can show that it did not initiate the transmission and that it exercised due diligence (§79(2)(c)), for example verification friction at onboarding. Without a registered entity, that exposure falls on the founder personally.
| Requirement | Status | Priority | Gap / Action Needed |
|---|---|---|---|
| Email OTP at registration: prevents disposable-email abuse | Done | LOW | Fully implemented. Email OTP sent on register; account locked until verified. Gmail App Password configured via admin panel and .env. |
| SMS / WhatsApp OTP for mobile verification: a verified mobile is the primary liability defence | Missing | HIGH | Mobile number is collected but never verified, so anyone can enter a fake number. Recommended: integrate Twilio Verify or MSG91 (Indian, cheaper). Add a mobile_verified_at column to users and block messaging until the mobile is verified. Estimated effort: 1–2 days. Basis: due diligence under IT Act §79(2)(c). |
| Photo moderation queue: photos pend admin review before going live | Done | LOW | ProfilePhoto.is_approved = False by default. Admin photo queue exists at /admin/photos with Approve / Reject / Delete actions; all approved photos can be browsed at /admin/photos/all. |
| Admin block / unblock users: remove bad actors immediately | Done | LOW | users.blocked_at and users.block_reason columns exist. Admin can block/unblock with a reason via /admin/members. The login route checks user.blocked_at and shows a flash error. Verify: the same check must also run for already-authenticated sessions (e.g. in the user loader), otherwise a blocked user stays logged in until the session expires. |
| Profanity filter on user-generated content: English + Tamil vulgar words blocked | Done | LOW | app/utils/profanity.py blocks vulgar content in profile fields and messages. Regex-based, word-boundary aware, covers Tamil script and transliterated words. |
| Report profile mechanism: users can flag fake/abusive profiles | Done | LOW | /profile/report/<code> accepts categories fake, spam, abuse, inappropriate_photo. Rate limited to 5 per hour. Admin can review reports. Self-report is blocked (returns 400). |
Mandatory Legal Pages
Legal basis: IT (Intermediary Guidelines) Rules 2021 Rule 3(1)(a): every intermediary must publish its rules and regulations, Privacy Policy and user agreement (Terms of Service); Rule 3(2)(a) adds the Grievance Officer notice. Without these, the IT Act §79 safe harbour is forfeited. DPDP Act 2023 §5 requires notice of the personal data collected and the purpose of processing.
| Requirement | Status | Priority | Gap / Action Needed |
|---|---|---|---|
| /terms: role identification, explicit "intermediary, NOT marriage bureau" language | Partial | HIGH | Terms says "technology platform", which is not legally precise. Must explicitly state: "MyNikkahOnline is a matrimonial matchmaking intermediary utility and is NOT a marriage bureau, matrimonial agency, or investigative agency." Add this as the first paragraph of Section 1 in pages/terms.html. Basis: Marriage Bureau Regulation Act. |
| /terms: bold liability disclaimer, "Users assume 100% responsibility for verification" | Partial | HIGH | A general disclaimer exists but is not in a visually prominent block. The PDF requires a bold, highlighted clause: "The platform does not guarantee the accuracy of profiles, background checks, or marital status. Users assume 100% responsibility for verifying the credentials of other members before entering into personal or financial interactions." Add it in a .highlight-box block in the terms template. |
| /privacy: DPDP compliance notice, explicit list of data collected + no-third-party-sale pledge | Done | LOW | Privacy page states the data types collected, a "never sell" pledge, HTTPS/TLS encryption, and no ad-network sharing. Covers the DPDP Act 2023 §5 notice requirements. Add an explicit reference to the DPDP Act 2023 by name for future audit readiness. |
| /refunds: refund & cancellation policy, required by payment gateways (Razorpay, Cashfree) | Missing | HIGH | No /refunds route or template exists. Payment gateways will not issue live keys without a publicly accessible refund policy page. Create pages/refunds.html with: no-refund policy (free beta), future subscription cancellation terms, contact email for disputes. Basis: Consumer Protection Act 2019. |
| Grievance Officer block in footer: name, email, 24-hour acknowledgement, 15-day resolution | Missing | CRITICAL | No Grievance Officer section in the base.html footer. IT Rules 2021 Rule 3(2)(a) mandates publishing the officer's name and contact details, and Rule 3(2)(a)(i) sets the 24-hour acknowledgement and 15-day resolution windows (36 hours is the Rule 3(1)(d) takedown window, not the grievance timeline). Fix: add a footer column: "Grievance Redressal Officer: [Name], support@mynikkah.online. Complaints acknowledged within 24 hours and resolved within 15 days." This is legally mandatory regardless of company registration status. |
| Cookies policy page (/cookies): GDPR/IT Act disclosure for EU visitors | Done | LOW | Cookie policy page exists at /cookies. Footer link present. |
Transition to Commercial Launch — Blocked Requirements
Legal basis: payment gateways (Razorpay / Cashfree / CCAvenue) will not issue live API keys without verifying corporate documents and a live refund policy. Collecting taxable fees while liable for, but without, GST registration attracts a penalty under CGST Act §122.
| Requirement | Status | Priority | Gap / Action Needed |
|---|---|---|---|
| Corporate registration (LLP or Pvt Ltd): company PAN, TAN, Certificate of Incorporation | Blocked | CRITICAL | Must be completed by the founder before any commercial launch. Required by all payment gateways and by the Companies Act 2013 if collecting subscription fees. Until then, keep PAYMENT_ENABLED = False in config. |
| GSTIN registration: GST on subscription tiers at 18% | Blocked | CRITICAL | Cannot register for GST without a corporate entity. Once the company is formed, register at gst.gov.in. Add the GSTIN to the invoice generation logic in membership/routes.py. The SAC code 999722 noted for matrimonial services falls under beauty treatment services in the GST SAC schedule, so confirm the correct code with the CA before it appears on invoices. |
| Live payment gateway keys: Razorpay / Cashfree live credentials | Blocked | CRITICAL | Razorpay test keys are configured. Live keys require corporate docs, GSTIN, an approved T&C page, and a live refund policy. Code is ready in membership/routes.py and only needs live keys in .env; keep those keys out of version control. |
Immediate Action Plan — Priority Order
1. Add Grievance Officer to footer. Edit the base.html footer. Legally mandatory under IT Rules 2021 Rule 3(2)(a); the 24-hour acknowledgement and 15-day resolution windows come from Rule 3(2)(a)(i). 30-minute fix.
2. Fix age gate to 21 for males. Edit auth/routes.py:137. Current code allows 18-year-old males to register, below the 21-year minimum under the Prohibition of Child Marriage Act 2006.
3. Create user_compliance_logs model + migration. New file app/models/compliance_log.py. Log SIGNUP, LOGIN, DELETE_REQUEST with IP + User-Agent.
4. Add beta banner to index, register, dashboard. Inject a non-dismissible top strip in base.html gated by SiteSetting("beta_mode").
5. Create /refunds page. Required by Razorpay for live keys. Template + route in main/routes.py. 1-hour task.
6. Update /terms with explicit intermediary language + bold disclaimer. Change "technology platform" to "matrimonial matchmaking intermediary utility, NOT a marriage bureau." Add a highlighted disclaimer box.
7. Add PAYMENT_ENABLED = False flag to config. Gate all payment routes in the donate/ and membership/ blueprints with a server-side guard that fails closed when the key is absent. Prevents accidental live charging.
8. Integrate mobile OTP (MSG91 / Twilio Verify). Collect mobile at registration but verify via SMS before the profile goes live. Add a users.mobile_verified_at column.
9. Add 365-day purge CLI command. Flask CLI command to hard-delete compliance logs and user records older than 365 days post-deletion, never below the 180-day statutory floor and skipping users under a preservation order. Schedule via cron.
10. Register company (LLP / Pvt Ltd): founder action. Cannot be done by code. Required before live payment gateway keys. MCA21 portal, ~2–4 weeks.