Last updated: 11 May 2026
This Privacy Policy explains how LawyerBuddy Technologies Private Limited (the "Company", "LawyerBuddy", "we") collects, uses, discloses, retains, and protects your personal data when you use the LawyerBuddy platform (the "Platform"). It is published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("Intermediary Rules").
We are the "Data Fiduciary" of your personal data under the DPDPA. You are the "Data Principal". By using the Platform, you confirm that you have read, understood, and consented to this Policy.
Account identity: Indian mobile number, email address, name, optional company name, profile photo (Google OAuth or upload), preferred language.
Legal queries and content: Free-text questions you submit to the Automated Legal Information Service; case briefs and "Additional User Notes" you write; uploaded documents (PDF, DOCX, images, up to 10 MB per file) for automated document review or case-attachment sharing with your engaged Counsel; in-chat messages and attachments in the secure case workspace.
Payment data: Payment method (UPI, card, netbanking, wallet) and transaction identifiers are collected by our PCI-DSS compliant payment processors (Razorpay, Chingari). We do not store card numbers, CVV, UPI PINs, or bank credentials on our servers; we only retain payment status, masked references, amounts, and receipts.
Device and connection metadata (IP address, browser, OS, language, time-zone), access logs, in-app actions for analytics and security, and rate-limit counters for free-quota enforcement.
We process SPDI as defined under the SPDI Rules only to the extent voluntarily provided by you (for instance, financial information processed through payment partners, or details of legal proceedings you choose to upload). You may decline to provide SPDI; in such case certain features will be unavailable.
The Platform is restricted to users aged 18 and above. If we discover an account belongs to a minor (under DPDPA: under 18), we will suspend the account and delete the data, save records we are legally required to retain.
We process your personal data for the following purposes:
Some of our processors (notably OpenAI and Google) are located outside India. Transfers occur over encrypted channels (TLS 1.2+). Under DPDPA §16 and Notification [insert notification reference when issued by Central Government], such transfers are presently permitted to all jurisdictions except those expressly restricted. We will update this Policy if the Central Government restricts any destination country.
Application data is stored in India (MongoDB Atlas / Oracle Cloud Infrastructure Mumbai region). Uploaded documents, KYC files, and case attachments are stored in OCI Object Storage (ap-mumbai-1) and accessed via short-lived pre-authenticated URLs (1-hour expiry) scoped to authorised case participants only. Backups are encrypted at rest.
We retain personal data only for as long as necessary for the purposes set out in this Policy or as required by law:
Under the DPDPA you have the right to:
To exercise any of these rights, write to grievance@lawyerbuddy.io. We will acknowledge your request within 24 hours and respond within 15 days. Note that we may need to retain certain records to fulfil legal obligations, as set out in Section 6.
We follow industry-standard security practices including TLS 1.2+ in transit, encryption at rest for backups and file storage, hashed and salted secrets, JWT-based authentication with short expiries, rate limiting, role-based access controls, principle of least privilege for staff access, structured audit logging, and periodic penetration testing. We further comply with the "reasonable security practices" under Rule 8 of the SPDI Rules (alignment with ISO/IEC 27001 control families).
No system is impenetrable. We cannot guarantee absolute security. In the unlikely event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals within the timelines prescribed by the DPDPA (within seventy-two (72) hours of becoming aware of the breach where feasible).
When you submit a query, brief, or document, the content of that submission is transmitted in real time to a third-party large language model provider (currently OpenAI) for inference. Submissions are sent via TLS, with no user-identifying account metadata other than a hashed session reference required to route the response back to you.
Per our agreement with OpenAI, your data is not used to train their foundation models. However, the providers may retain inputs for abuse monitoring per their published policies. Do not submit any information you do not want transmitted to a third-party language-model service provider.
As required under Rule 3(2) of the Intermediary Rules, 2021 and §13 of the DPDPA, the Grievance Officer of LawyerBuddy is:
Acknowledgement within 24 hours, resolution within 15 days. Escalation: Grievance Redressal Policy.
We may update this Policy from time to time. Material changes will be communicated by email, SMS, or prominent in-app notice at least seven (7) days before they take effect.
Questions or complaints regarding this Policy: grievance@lawyerbuddy.io.
Have a question about this policy? Email our Grievance Officer at grievance@lawyerbuddy.io.