Privacy Policy & Legal Disclaimer

a) Information you voluntarily provide

• Contact details: name, email address, telephone number
• Organisational information: name of organisation or employer
• Matter information: type of legal matter and brief description as submitted through the inquiry form
• Consultation details: preferred dates, time zone, and pre-consultation notes submitted through our booking platform (Cal.com)
• Correspondence: content of emails, letters, or messages sent to the Firm

b) Information collected automatically

• Technical data: IP address, browser type and version, operating system, referring URL, pages visited, and timestamps
• Cookie data: as described in Section 9 below

a) Account and identity data

• Registration credentials: full name, email address, mobile number, and a password (stored as a one-way bcrypt hash; the plaintext password is never retained)
• Client profile: address (line 1, line 2, city, state, PIN), identity document type, organisation name where applicable
• KYC status and consent records

b) Matter and case data

• Case/matter details: matter reference, title, type, court, CNR number, case number, filing date, state code, and status
• Hearing records: hearing dates, purposes, court room, judge name, next date, previous date — shared with clients at the Firm's discretion
• Internal notes: lawyer-authored notes associated with matters (not disclosed to clients)

c) Documents

• Uploaded files: documents uploaded by lawyers or clients (PDF, Word, Excel, image, or plain text), stored in Cloudflare R2 object storage
• Document metadata: filename, file type, file size, upload timestamp, uploader identity, and document category
• Virus scan result: a SHA-256 cryptographic hash of each uploaded file is transmitted to VirusTotal (Google LLC) to check against known malware signatures; the file itself is not transmitted
• Visibility controls: lawyers control whether each document is shared with the client

d) Privileged case facts submissions

• Clients may submit privileged case facts (factual narratives for legal use) through the Portal
• These submissions are encrypted at rest using AES-256 encryption with a dedicated key (PRIVILEGED_CONTENT_KEY) before storage in the database
• Submissions are accessible only to authorised lawyers; access is recorded in an append-only audit log
• Reviewer notes added by lawyers to case facts submissions are internal and are never disclosed to clients

e) Billing and financial data

• Invoice records: invoice number, status, line items, amounts, GST components, due dates, and payment history
• Payment records: payment method, transaction reference, and payment date
• No card numbers, bank account numbers, or UPI credentials are collected or stored by the Firm or the Portal; payment processing is handled entirely by third-party payment gateways outside the Portal

f) Session and technical data

• Session tokens: JSON Web Tokens (JWT) stored as httpOnly, Secure cookies; session tokens are signed and expire automatically
• Audit logs: an append-only record of significant events including login, case facts access, and document downloads, recording actor type, actor ID, action, resource type, resource ID, and timestamp
• Technical metadata: IP address, browser information, and timestamps associated with Portal activity

Website purposes

• Responding to inquiries and assessing whether the Firm is in a position to assist with a matter
• Scheduling and managing consultation appointments
• Performing conflict-of-interest checks before accepting instructions
• Communicating with prospective clients regarding the Firm's services
• Operating, maintaining, and improving this Website

Portal purposes

• Managing ongoing client-lawyer engagements, including matter records, hearings, documents, and billing
• Enabling clients to access case information, upload documents, submit privileged case facts, and view invoices
• Enabling lawyers to manage all aspects of client matters within the Portal
• Sending transactional notifications: document published alerts, hearing reminders, password reset emails, and invoice notifications
• Maintaining audit trails for regulatory compliance and privilege protection
• Detecting and preventing security threats through virus scanning of uploaded files

Common purposes

• Complying with applicable legal and regulatory obligations, including record-keeping requirements under Bar Council rules
• Establishing, exercising, or defending legal claims
• Internal administration and business continuity

• Consent: where you have voluntarily provided your information by completing the contact form, booking a consultation, registering for the Portal, or communicating with us
• Performance of a contract: where processing is necessary to deliver legal services under an engagement letter or to maintain the Portal for the benefit of registered clients
• Legitimate interests: to operate the Firm's practice, conduct conflict checks, maintain client and matter records, communicate about legal services, and ensure the security of the Portal — where such interests are not overridden by your fundamental rights
• Compliance with law: where processing is necessary to comply with a legal obligation applicable to the Firm, including obligations under the Advocates Act, Bar Council rules, or orders of a competent court

• Platform infrastructure providers: third-party technology providers who host and operate the Website and Portal under appropriate data processing terms (see Section 8 for a full list)
• Professional advisers: other advocates, barristers, or experts retained in connection with a matter, and regulatory or court bodies as required in the course of legal proceedings
• Legal compliance: where required by law, court order, or lawful request by a governmental authority in India
• Conflict checks: limited matter information may be shared with other counsel for the sole purpose of conducting a conflict-of-interest check
• Business transfers: in the event of restructuring or dissolution of the Firm, data may transfer to a successor practice under equivalent confidentiality obligations
• With your consent: for any other purpose to which you have expressly consented

Hosting and Deployment

• Vercel Inc. (vercel.com) — hosts and serves both the Website and the Portal globally via its edge network. All web traffic, including uploaded files during transit, passes through Vercel's infrastructure. Vercel is incorporated in the United States; data may be processed in multiple global regions. Subject to Vercel's Privacy Policy.

Database

• Neon Inc. (neon.tech) — provides the cloud-hosted PostgreSQL database that stores all Portal data, including client profiles, matter records, hearing data, invoice records, encrypted case fact submissions, document metadata, session tokens, and audit logs. Neon servers may be located outside India. Subject to Neon's Privacy Policy.

Document Storage

• Cloudflare Inc. — R2 Object Storage (cloudflare.com) is used to store documents uploaded through the Portal. Files are stored at rest in Cloudflare's global network. Access to stored files is controlled via time-limited pre-signed URLs generated on demand; files are never publicly accessible by default. Subject to Cloudflare's Privacy Policy.

Transactional Email

• Resend Inc. (resend.com) — used to send transactional emails from the Portal, including document published notifications, hearing date reminders, password reset links, matter linked confirmations, and invoice notifications. Resend receives the recipient's email address, name, and the content of the notification. Resend is incorporated in the United States. Subject to Resend's Privacy Policy.

Malware Detection

• VirusTotal (Google LLC, virustotal.com) — when a document is uploaded to the Portal, a SHA-256 cryptographic hash of the file is transmitted to VirusTotal's API to check whether the file is known to contain malware. The file itself, its name, and its contents are never transmitted to VirusTotal — only the hash. VirusTotal is operated by Google LLC and is subject to Google's Privacy Policy. Files whose hashes are unknown to VirusTotal are treated as clean without further submission.

Source Code Version Control

• GitHub Inc. (github.com) — the source code of the Website and Portal is stored in a private repository on GitHub. No client personal data, document contents, or database credentials are stored in the repository. Subject to GitHub's Privacy Policy.

Website-only services

• Formspree Inc. (formspree.io) — processes contact form submissions on the Website. Data is transmitted to Formspree's servers and forwarded to the Firm's email. Formspree is incorporated in the United States.
• Cal.com (cal.com) — processes consultation booking requests submitted through the Website. Subject to Cal.com's Privacy Policy.
• Google LLC — Google Maps is embedded on the Website and is subject to Google's Privacy Policy.

Website cookies

• Strictly necessary cookies: required for the Website to function correctly
• Analytics cookies: used to understand how visitors interact with the Website using aggregated, anonymised data only
• Embedded content cookies: set by third-party services (Google Maps, Cal.com) when you interact with embedded features

Portal session cookies

• client_session / lawyer_session: httpOnly, Secure cookies containing a signed JWT that authenticates your Portal session. These cookies are strictly necessary and cannot be disabled without logging out. They expire automatically on logout or after the configured session lifetime.
• No third-party advertising or tracking cookies are set by the Portal.

Website inquiry data

• Inquiry data from prospective clients who do not proceed to a formal engagement is retained for three years from the date of the inquiry, after which it is securely deleted or anonymised.

Portal data

• Active Portal accounts: retained for the duration of the client-Firm engagement and for a minimum of six years following the conclusion of all matters, in accordance with applicable limitation periods under Indian law
• Uploaded documents: soft-deleted documents (marked isDeleted) are retained for 30 days before permanent deletion from R2 storage; permanently deleted documents cannot be recovered
• Case fact submissions: retained for six years following the conclusion of the relevant matter
• Audit logs: retained indefinitely as they constitute an append-only compliance record
• Session tokens: expire at logout or after the configured session lifetime and are not retained thereafter
• Invoice and billing records: retained for eight years in accordance with applicable accounting and tax laws

• Right to access: to obtain confirmation of whether we process your personal data and a summary of the data we hold
• Right to correction: to have inaccurate or incomplete personal data corrected — Portal users may update their profile directly through the Portal settings page
• Right to erasure: to have your personal data erased where it is no longer necessary for the purposes for which it was collected, subject to overriding legal obligations (including retention of audit logs and billing records)
• Right to withdraw consent: to withdraw consent at any time where processing is consent-based, without affecting the lawfulness of prior processing
• Right to grievance redressal: to have grievances regarding our data processing practices addressed in a timely manner
• Right to nominate: to nominate a person to exercise your rights in the event of your death or incapacity

In transit

• All communications between your browser and the Website or Portal are encrypted using TLS 1.2 or higher (HTTPS). HTTP connections are redirected to HTTPS.
• Documents are transmitted to Cloudflare R2 over encrypted connections; download links are time-limited pre-signed URLs that expire automatically.

At rest

• Passwords are hashed using bcrypt with a work factor of 12 before storage; plaintext passwords are never stored or logged
• Privileged case fact submissions are encrypted using AES-256 encryption with a dedicated encryption key before storage in the database
• Database credentials, API keys, and encryption keys are stored as encrypted environment variables in Vercel and are never committed to source code

Access controls

• Role-based access: clients, lawyers, and administrators access only the data their role permits; client data is scoped to the authenticated client's own matters
• Session management: authenticated sessions use signed, httpOnly, Secure JWTs; sessions expire automatically and are invalidated on logout
• Audit logging: an append-only audit log records access to privileged data, including case fact submissions

File safety

• Every uploaded document is checked against the VirusTotal malware database by hash before it is made available for download
• Files flagged as infected are quarantined and cannot be published to clients or downloaded

• Vercel Inc. — United States and global edge network (Website and Portal hosting)
• Neon Inc. — United States (Portal database)
• Cloudflare Inc. — Global network (Portal document storage)
• Resend Inc. — United States (transactional email)
• Google LLC / VirusTotal — United States (malware hash lookup)
• Formspree Inc. — United States (Website contact forms)
• Cal.com — as per Cal.com's data processing terms (Website booking)

• Reliance on any information published on this Website
• Inability to access or use this Website or the Portal
• Unauthorised access to or alteration of your data by third parties
• Service interruptions, outages, or errors in third-party platforms (including Vercel, Neon, Cloudflare, or Resend)
• Any content or conduct of any third party on or linked from this Website or the Portal
• Errors or omissions in document scan results provided by VirusTotal