Privacy Policy

Last updated: 28 April 2026  ·  Effective: 28 April 2026

Compliant with the DPDPA 2023, IT Act 2000 & SPDI Rules 2011  ·  Kanoonseva Technologies Private Limited

Our Commitment

Legal documents contain your most sensitive personal and commercial information. As your Data Fiduciary under the Digital Personal Data Protection Act, 2023, we are bound by law and by conscience to protect your data and will never sell it to third parties.

1. Overview and Regulatory Framework

Kanoonseva Technologies Private Limited ("Kanoonseva," "we," "our," or "us"), acting as a "Data Fiduciary" within the meaning of the Digital Personal Data Protection Act, 2023 ("DPDPA"), is committed to the responsible collection, processing, storage, and protection of your personal data.

This Privacy Policy ("Policy") governs the processing of personal data of "Data Principals" (i.e., individuals whose personal data is processed) who use our platform at kanoonseva.in.

This Policy is published in compliance with the following legislative framework:

  • The Information Technology Act, 2000 ("IT Act"), particularly Section 43A
  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
  • The Digital Personal Data Protection Act, 2023 ("DPDPA"), including applicable rules notified thereunder
  • The CERT-In Directions on Cyber Security issued in April 2022
  • All other Applicable Laws pertaining to data protection and privacy in India

By accessing or using the Platform, you, as the Data Principal, consent to the collection and processing of your personal data as described in this Policy, subject always to your right to withdraw consent as described in Clause 7 hereof.

2. Definitions

For the purposes of this Policy, the following terms shall have the meanings ascribed to them below, consistent with the definitions under the DPDPA, 2023, and the IT Act, 2000:

2.1 "Consent Manager" means an entity registered with the Data Protection Board of India that acts as a single point of contact for a Data Principal to give, manage, review, and withdraw consent for the processing of their personal data.

2.2 "Data Fiduciary" means any person, including the Company, who alone or in conjunction with other persons determines the purpose and means of processing of personal data (Section 2(i), DPDPA 2023).

2.3 "Data Principal" means the individual to whom personal data relates (Section 2(j), DPDPA 2023). Where such individual is a child (under 18 years), references to Data Principal include the parent or legal guardian.

2.4 "Personal Data" means any data about an individual who is identifiable by or in relation to such data (Section 2(t), DPDPA 2023).

2.5 "Sensitive Personal Data or Information" ("SPDI") has the meaning given to it under Rule 3 of the SPDI Rules, 2011, and includes passwords, financial information (bank accounts, payment card details), physical, physiological, and mental health conditions, biometric data, and information received for the purposes of providing a service.

2.6 "Processing" means the wholly or partly automated operation or set of operations performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction (Section 2(x), DPDPA 2023).

2.7 "Data Protection Board" means the Data Protection Board of India established under Section 18 of the DPDPA, 2023.

3. Personal Data We Collect

We collect the following categories of personal data, processed in accordance with Section 4 of the DPDPA, 2023:

Personal Information (provided by you at registration):

  • Full name and email address
  • Mobile number (optional; used for document verification notifications)
  • Profile details: occupation, city, and state (used to personalise legal templates by jurisdiction)
  • Google OAuth profile data if you choose to sign in via Google

Document Data (entered by you during document generation):

  • Names, addresses, identification numbers, financial amounts, and dates entered into document templates
  • Documents you generate, save, or upload to the Platform
  • Uploads via the Verify Draft feature (processed in-session and not retained beyond the session unless explicitly saved by you)

Payment Information:

  • Transaction identifiers and Subscription status (we do not store payment card numbers; these are handled exclusively by Razorpay in compliance with PCI-DSS standards)

Usage and Technical Data (collected automatically):

  • IP address and derived geographic location (city/country level)
  • Browser type, device type, and operating system
  • Pages visited, features used, session duration, and referring URLs
  • Crash logs and error reports

Communications:

  • Emails and messages submitted to our support team
  • Feedback or survey responses submitted voluntarily

5. How We Use Your Personal Data

Consistent with the principle of "purpose limitation" under Section 6(2) of the DPDPA, 2023, we use your personal data only for the following specified, lawful purposes:

Service Delivery:

  • Creating and managing your Account
  • Generating, storing, and managing your legal Documents
  • Processing Subscription payments and issuing GST-compliant invoices
  • Providing customer support and responding to queries

Platform Improvement and Research (with consent where required):

  • Analysing anonymised, aggregated usage patterns to improve our templates and AI systems
  • Developing new features, templates, and services
  • Conducting anonymised research on document types and user needs

Communications:

  • Transactional emails (document generation confirmations, Subscription receipts, security alerts)
  • Important service updates, policy changes, and legal notices
  • Marketing communications (only with your explicit consent; you may opt out at any time)

Legal Compliance and Safety:

  • Complying with court orders, government directions, or requests from lawful authorities
  • Investigating and preventing fraud, security breaches, and violations of our Terms of Service
  • Protecting the rights and safety of the Company, its Users, and the public

7. Disclosure of Your Personal Data

We do NOT sell, rent, or trade your personal data to any third party for commercial purposes. Your data may be shared only in the following limited circumstances:

Service Providers (acting as "Data Processors"):

  • Razorpay Software Private Limited: Payment processing, subject to their privacy policy and PCI-DSS compliance
  • Supabase Inc.: Database hosting and authentication infrastructure (data stored in compliant data centres)
  • Google LLC: AI/ML services (Gemini API) for document generation assistance and clause rewriting
  • Email service providers: For transactional and marketing communications

All third-party service providers with whom we share personal data are contractually bound by Data Processing Agreements that require them to (a) process personal data only on documented instructions from the Company; (b) implement appropriate technical and organisational security measures; and (c) not engage sub-processors without the Company's prior written consent.

Legal and Regulatory Disclosures:

  • When required by a valid court order, summons, subpoena, or statutory direction from a competent government authority under Applicable Law
  • To protect the rights, property, or safety of the Company, its Users, or others, where disclosure is permitted by law
  • In connection with a merger, acquisition, reorganisation, or sale of all or substantially all of the Company's assets, provided that the acquiring entity assumes obligations equivalent to those set forth in this Policy, and Users are given advance written notice

We shall, to the extent permitted by law, notify you before disclosing your personal data in response to legal process, so that you may seek appropriate legal protection.

8. Confidentiality of Your Documents

The Company recognises that the documents you create on the Platform may contain highly sensitive information - including financial details, property information, family and personal matters, and confidential business information.

Our commitments in respect of your Documents:

  • All Documents and User Content are encrypted in transit using TLS 1.2 or higher (HTTPS), and encrypted at rest using AES-256 encryption
  • Kanoonseva employees and contractors shall not access the content of your Documents except (a) when strictly necessary to resolve a specific support issue raised by you, and (b) only with your explicit permission for that specific purpose
  • We do not use the substantive content of your Documents to train, fine-tune, or improve any AI or machine learning model without your explicit, informed, and separately obtained consent
  • You may delete any Document from your Account at any time through the Platform interface. Deleted Documents will be permanently and irreversibly removed from our systems within thirty (30) days of deletion, subject to any legally mandated retention period
  • Version history copies of deleted Documents are deleted within the same thirty (30)-day window

9. Cross-Border Data Transfers

9.1 The Platform relies on third-party infrastructure and service providers (including Supabase for database services and Google for AI services) that may process or store your personal data outside India.

9.2 In accordance with Section 16 of the DPDPA, 2023, the Company shall transfer personal data outside India only to countries or territories notified by the Central Government as permissible destinations, or pursuant to contractual arrangements that ensure a standard of protection equivalent to the protections afforded under the DPDPA, 2023.

9.3 Specifically:

  • Data transfers to Google LLC are governed by Google's Data Processing Addendum incorporating Standard Contractual Clauses
  • Data transfers to Supabase are governed by Supabase's Data Processing Agreement

9.4 By using the Platform, you acknowledge and consent to the transfer of your personal data to these service providers outside India, subject to the safeguards described in this Clause.

10. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal obligations, consistent with the storage limitation principle under Section 8(7) of the DPDPA, 2023, which requires erasure of personal data upon the purpose being no longer served.

Specific retention periods:

  • Account and profile data: Retained for the duration of your Account, plus ninety (90) days following Account deletion (to allow for Account recovery requests)
  • User Documents: Retained until you delete them, plus thirty (30) days for permanent deletion from all systems and backups
  • Payment records and transaction logs: Seven (7) years, as required by the Income Tax Act, 1961, and GST legislation
  • Usage and technical logs: Twelve (12) months from the date of generation
  • Support communications: Three (3) years from the date of closure of the relevant support case
  • Consent records: For the duration of the processing activity plus three (3) years

You may request deletion of your Account and associated personal data at any time via Settings > Account > Delete Account. We will process such requests within thirty (30) days, subject to legally mandated retention requirements.

11. Security Measures

The Company implements technical and organisational security measures consistent with Section 8(5) of the DPDPA, 2023, and the reasonable security practices required under Section 43A of the IT Act, 2000, and Rule 8 of the SPDI Rules, 2011.

Technical measures in place:

  • TLS 1.2+ encryption for all data in transit (HTTPS enforced across all Platform endpoints)
  • AES-256 encryption for sensitive data at rest
  • Role-based access controls (RBAC) for all internal systems, with the principle of least privilege applied
  • Multi-factor authentication available for User Accounts (strongly recommended)
  • Regular automated vulnerability scanning and security patching
  • Third-party security audit conducted annually

Organisational measures in place:

  • Mandatory data protection training for all employees with access to personal data
  • Confidentiality agreements with all employees and contractors
  • Data access logs maintained and reviewed periodically
  • Documented incident response plan

Limitation: Despite these measures, no method of electronic transmission or storage is one hundred percent (100%) secure. The Company cannot guarantee absolute security and shall not be liable for any breach of security except to the extent caused by the Company's own proven gross negligence or wilful misconduct.

12. Data Breach Notification

12.1 In the event of a "personal data breach" (i.e., any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed), the Company shall act in accordance with:

  • Section 8(6) of the DPDPA, 2023, which requires the Company to notify affected Data Principals and the Data Protection Board of India of any personal data breach in such form and manner as may be prescribed
  • The CERT-In Directions on Cyber Security (April 2022), which require reporting of certain cyber security incidents to CERT-In within six (6) hours of becoming aware thereof

12.2 Notification to Data Principals shall be made by email to the registered email address of the affected Account, and shall include: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Principals affected; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and mitigate its effects.

12.3 You should promptly notify us at security@kanoonseva.in if you become aware of any actual or suspected security vulnerability or breach affecting the Platform.

13. Your Rights as Data Principal

Under Chapter IV of the Digital Personal Data Protection Act, 2023, and other Applicable Laws, you have the following rights in respect of your personal data:

Right to Information (Section 11, DPDPA 2023): You have the right to obtain from us a summary of the personal data we process about you, the processing activities being carried out, and the identity of all Data Fiduciaries and Data Processors with whom your data has been shared.

Right to Correction and Erasure (Section 12, DPDPA 2023): You have the right to request correction of inaccurate or incomplete personal data, and to request erasure of personal data that is no longer necessary for the purpose for which it was collected, or where you have withdrawn consent.

Right to Grievance Redressal (Section 13, DPDPA 2023): You have the right to have your grievances redressed promptly. If your grievance is not satisfactorily addressed, you may escalate to the Data Protection Board of India.

Right to Nominate (Section 14, DPDPA 2023): You have the right to nominate another individual who shall, in the event of your death or incapacity, exercise your rights under the DPDPA in respect of your personal data.

Right to Data Portability: You may request a copy of your Documents and profile data in a portable, machine-readable format (PDF or JSON) through Account Settings > Export Data.

Right to Opt Out of Marketing: You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, or through Account Settings > Notification Preferences.

To exercise any of the above rights, please contact privacy@kanoonseva.in or use the controls available in your Account Settings. We will respond to all substantive requests within thirty (30) days.

14. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies on the Platform:

Essential Cookies: Strictly necessary for the Platform to function, including session management and authentication tokens. These cannot be disabled without impairing core functionality, and no consent is required for their use.

Analytics Cookies: Help us understand how Users interact with the Platform (pages visited, features used, session duration). All analytics data is anonymised and aggregated before analysis. You may opt out of analytics cookies through your browser settings or through Account Settings > Privacy Controls.

Preference Cookies: Remember your chosen language, display settings, and other preferences to enhance your experience on return visits.

The Company does not use third-party advertising cookies, cross-site tracking, or behavioural profiling technologies.

15. Protection of Children's Personal Data

15.1 The Platform is intended for use by individuals who are eighteen (18) years of age or older. The Company does not knowingly collect or process personal data of children (individuals under 18 years of age).

15.2 In compliance with Section 9 of the DPDPA, 2023, the Company shall, prior to processing the personal data of a child, obtain verifiable consent from the parent or lawful guardian of such child.

15.3 The Company prohibits processing of personal data of children that is likely to cause detrimental effects on their wellbeing, and shall not undertake tracking, behavioural monitoring, or targeted advertising directed at children.

15.4 If you believe that a child has registered on the Platform or provided personal data without appropriate parental consent, please notify us immediately at privacy@kanoonseva.in. We will promptly investigate and delete any such data upon verification.

16. Data Protection Officer

16.1 In compliance with the requirements applicable to Data Fiduciaries under the DPDPA, 2023, the Company has appointed a Data Protection Officer ("DPO") responsible for overseeing the Company's data protection strategy and ensuring compliance with Applicable Laws.

16.2 The DPO is the primary point of contact for all matters relating to the processing of personal data and the exercise of Data Principal rights.

16.3 Contact details of the Data Protection Officer:

  • Email: dpo@kanoonseva.in
  • Postal Address: Data Protection Officer, Kanoonseva Technologies Private Limited, India

16.4 The DPO shall respond to all queries and requests within a reasonable time, and in any event within the timelines prescribed under Applicable Law.

17. Grievance Officer

17.1 In compliance with Rule 5(9) of the SPDI Rules, 2011, and Rule 3(2)(b) of the IT Intermediary Guidelines Rules, 2021, the Company has designated a Grievance Officer to address complaints and grievances relating to the processing of personal data and other privacy-related concerns.

17.2 Contact details of the Grievance Officer:

  • Email: grievance@kanoonseva.in
  • Response Time: Acknowledgement within twenty-four (24) hours; resolution within fifteen (15) days

17.3 If you are not satisfied with the resolution provided by the Grievance Officer, you may escalate your complaint to the Data Protection Board of India (once operational under the DPDPA, 2023), or to the appropriate consumer forum under the Consumer Protection Act, 2019.

18. Amendments to This Policy

18.1 The Company may amend this Privacy Policy from time to time to reflect changes in our data processing practices, new services offered, or amendments to Applicable Law.

18.2 All amendments shall be:

  • Published on this page with a revised "Last updated" date
  • For material changes that adversely affect your rights or the manner in which your personal data is processed, communicated to registered Users by email at least fifteen (15) days before the changes take effect, as required under the DPDPA, 2023
  • For changes that require fresh consent under the DPDPA, 2023 (such as changes to the purpose of processing), presented to you for re-consent before the change takes effect

18.3 Your continued use of the Platform after the effective date of any amendment constitutes your acceptance of the revised Policy, provided that for changes requiring consent, continued use shall not substitute for the required affirmative consent.

This Policy was last reviewed and updated on 28 April 2026.