1. Who we are
LawPal is a legal-practice management service built for Indian law offices — individual advocates, chambers, and firms registered under the Advocates Act, 1961. It is operated by [Entity name to be confirmed], a company incorporated in India with its registered office at [Address to be confirmed] (“LawPal,” “we,” “us”).
Under the DPDP Act, we play two different roles depending on whose data is being processed:
- Data Fiduciary for the personal data of the individual lawyer or firm representative who creates an account (name, email, phone, bar council ID, billing details). Here, we decide the purposes and means of processing, and we owe you the full set of rights under the DPDP Act.
- Data Processor for the client-matter data that a law office uploads to LawPal on behalf of its clients (case metadata, hearing notes, filed documents, chat between team members). The law office — your firm — remains the Data Fiduciary. We process that data only on your instructions and cannot repurpose it.
This policy covers both roles; where they diverge we call it out explicitly.
2. Personal data we collect
We collect the following categories of personal data:
Account data (you are the Data Principal)
- Name, email address, mobile number (for OTP-based login).
- Professional identifiers you choose to provide: Bar Council registration number, enrolment state, firm name, role within the firm.
- Authentication data: hashed passwords (we never store plaintext), session cookies, device fingerprints for suspicious-login alerts.
- Billing data, if you subscribe to a paid plan: legal name, billing address, GSTIN, payment-instrument metadata (we use third-party payment processors and do not store full card numbers).
Client-matter data (your firm is the Data Fiduciary)
- Case metadata: title, parties, court / tribunal name, Case Number Record (CNR), stage, hearing dates.
- Client contact details that you enter: names, phone, email, address.
- Documents your firm uploads: pleadings, orders, affidavits, contracts, correspondence. Some of this is privileged communication between advocate and client; we treat it accordingly (see section 7).
- Payment and fee records tied to specific matters.
- Messages between members of your firm via the in-app messenger, and posts in shared discussion channels.
Automatically collected
- IP address, browser / device type, operating system, coarse geolocation derived from IP — used for security logging and aggregate analytics.
- Service logs: API requests, error traces, feature usage events (pseudonymised where possible).
3. Why we process personal data (purpose)
Account-level data is processed to:
- create and maintain your LawPal account;
- authenticate you on each sign-in (including via SMS or email OTP);
- provide customer support, billing, and service notifications;
- comply with statutory obligations (e.g. tax records under the Income-Tax Act, 1961 and GST);
- detect, investigate, and prevent abuse of the service or security incidents.
Client-matter data is processed only to:
- store and retrieve it on your firm’s behalf, as instructed by you through the product interface;
- enrich it with data from the Indian eCourts system (case status, listings, uploaded orders) when you opt in to that feature;
- operate infrastructure (backup, failover, routine maintenance).
We do not train machine-learning models on client-matter data and we do not share it with third parties except as described in section 5.
4. Legal basis for processing
Under the DPDP Act, personal data is processed either with your consent or on a specified legitimate use. For LawPal:
- Consent for marketing communications, optional integrations (like eCourts sync), and analytics cookies. You can withdraw consent at any time — see section 8.
- Performance of contract for data strictly needed to deliver the service you signed up for (your account, your firm’s matter data, billing).
- Legal obligation for tax, accounting, and court / law-enforcement disclosures where a valid legal process compels us.
- Legitimate use (employment / employment-like purposes) where a firm administrator grants access to a team member who is part of the firm’s engagement.
5. Sharing and disclosure
We share personal data only with the following categories of recipients, and only to the minimum extent needed:
- Sub-processors under contract: Supabase (hosted Postgres + object storage, data centres in Singapore and Mumbai), email delivery providers for transactional mail, SMS OTP providers for phone login, and cloud infrastructure providers. Each sub-processor is bound by a data-processing agreement no less protective than this policy.
- Payment processors to charge paid subscriptions (Razorpay or similar). They collect payment instrument data directly; we receive only tokenised references.
- Law-enforcement and regulatory bodies when compelled by a valid Indian court order, statutory notice, or equivalent cross-border legal process. We review every such request for validity before responding.
- Successor in interest in the event of a merger, acquisition, or sale of the LawPal business. Successors inherit the obligations in this policy.
We do not sell personal data to advertisers or data brokers and we do not share client-matter data between customer firms.
6. Retention
We retain data only as long as needed for the purposes above, or as required by law:
- Account data: while your account is active, plus up to 90 days after closure so you can recover an accidentally closed account. After that window we anonymise the data, except records we must keep longer (e.g. tax invoices retained for 8 years under the Income-Tax Act).
- Client-matter data: as long as your firm chooses. When you delete a case or document, we soft-delete immediately and purge from backups within 30 days. If your firm closes its account we hand over or permanently delete matter data per your written instruction, subject to any statutory retention duty resting on the firm (typically 5–10 years after matter closure under Bar Council rules).
- Security and audit logs: 12 months, longer if needed for an active investigation.
7. Attorney-client privilege
Documents you upload to a case may be privileged communication between advocate and client under Sections 126 and 129 of the Indian Evidence Act, 1872 and the Bharatiya Sakshya Adhiniyam, 2023. We do not access, read, or process the contents of these documents for any purpose other than storing and retrieving them on your firm’s instructions.
Staff access to stored documents is restricted to authorised engineers investigating an operational incident, with per-access logging and a reviewable audit trail. We never use the contents of privileged documents for product improvement, analytics, or machine-learning training.
8. Your rights
If you are a Data Principal (an individual whose personal data we process as a Data Fiduciary — typically the lawyer who signs up), the DPDP Act gives you the following rights:
- Right to access: confirmation of whether we process your data, a summary of what we hold, and the recipients we share it with. Request this via the Settings screen or by emailing the Grievance Officer (section 12).
- Right to correction and erasure: correct inaccurate data, complete incomplete data, update stale data, and erase data that is no longer needed for the purposes above. Your firm can erase its own profile information in-app; we handle other erasure requests manually within 30 days.
- Right of grievance redressal: contact our Grievance Officer (section 12). If we do not resolve your grievance to your satisfaction, you may approach the Data Protection Board of India under section 13 of the DPDP Act.
- Right to nominate: nominate another individual who may exercise your rights on your behalf in the event of your death or incapacity.
- Right to withdraw consent: where processing relies on your consent, you can withdraw it at any time without affecting the lawfulness of processing before the withdrawal.
If you are a client of a LawPal-using firm and your personal data sits on the platform because your lawyer put it there, your firm is the Data Fiduciary. Please direct access, correction, and erasure requests to the firm first; we will support the firm in fulfilling them.
9. Security
We apply the following technical and organisational measures:
- TLS 1.2+ on all client-server traffic; HTTPS-only for the web app.
- Data at rest is encrypted via our infrastructure provider (AES-256). Database backups are encrypted.
- Row-Level Security (RLS) in Postgres enforces that each firm’s data is isolated from every other firm at the query layer, not just the application layer.
- Multi-factor authentication via OTP for all account sign-ins; passwords are stored only as bcrypt hashes.
- Principle of least privilege for staff access, with quarterly access reviews.
- Incident-response runbook with a dedicated on-call rotation.
No system is perfectly secure. If you notice something that looks wrong — a suspicious login, an unexpected email, anything — email security@lawpal.tech immediately.
10. Breach notification
If we learn of a personal-data breach that is likely to result in harm to you, we will notify you and the Data Protection Board of India within 72 hours of confirming the breach, subject to the rules made under the DPDP Act. The notice will describe the nature of the breach, the data involved, the measures we are taking, and what you can do to protect yourself.
11. Cross-border transfer
LawPal uses a Supabase project hosted in Mumbai (Asia-South-1) as its primary data store. Some operational data (email delivery logs, error traces) may transit through servers in Singapore or the European Union operated by our sub-processors. We transfer data only to jurisdictions and entities that offer protections consistent with the DPDP Act and subject to contractual safeguards.
If the Central Government restricts transfers to specific countries under section 16 of the DPDP Act, we will update our sub-processor list and, if necessary, relocate data.
12. Grievance Officer
As required under section 10(2)(c) of the DPDP Act, our Grievance Officer is:
[Name to be confirmed]
Grievance Officer, LawPal
Email: grievance@lawpal.tech
Postal address: [To be confirmed]
We acknowledge grievances within 48 hours and aim to resolve them within 30 days. If we cannot meet that window we will tell you why and when you can expect resolution.
13. Children
LawPal is a professional tool for advocates and is not intended for use by anyone under 18. We do not knowingly process the personal data of a child as a Data Principal. If you believe a child has created a LawPal account, email the Grievance Officer and we will verify and delete the account.
14. Changes to this policy
When we make material changes we post the updated policy here, update the version number, and email registered users at least 15 days before the change takes effect. The effective date at the top of this page is always the binding date.
15. Governing law and disputes
This policy and any dispute arising out of it are governed by the laws of India. Subject to the mandatory provisions of the DPDP Act and the jurisdiction of the Data Protection Board of India, the courts at [Seat city — to be confirmed] have exclusive jurisdiction.
16. Contact
General privacy questions: privacy@lawpal.tech. Grievances and DPDP requests: grievance@lawpal.tech. Security issues: security@lawpal.tech.