DPDP Act 2023 Notice
This Privacy Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India.
As a Data Fiduciary, Vakalat Diary is committed to lawful processing, purpose limitation, data minimisation,
and upholding your rights as a Data Principal under the DPDP Act.
1. Who We Are
Vakalat Diary is a legal practice management platform operated in India, designed exclusively for advocates,
law firms, and legal professionals registered under the Advocates Act, 1961.
We process your data solely to provide case management, billing, document drafting, hearing management,
and client communication services.
Data Fiduciary: Vakalat Diary (operator)
Jurisdiction: Republic of India
Governing Law: DPDP Act 2023, IT Act 2000, Information Technology (Reasonable Security Practices) Rules 2011
2. Attorney-Client Privilege — Our Core Commitment
The attorney-client privilege is sacred. We treat it as such.
Every piece of case data you enter — client names, case facts, hearing notes, documents, strategies —
is protected as potentially privileged information. Our platform is architected so that:
- No Vakalat Diary employee can read your case data or client details
- Data is never used for advertising, profiling, or sold to any third party
- Our support team accesses only metadata (account ID, plan, error logs) — never case content
- AI features (if used) process data transiently, and that data is never stored for model training
- Client data entered by you remains your exclusive property at all times
3. Data We Collect
We collect only what is strictly necessary to provide our service (data minimisation per DPDP Act):
| Category | What We Collect | Why |
| --- | --- | --- |
| Account | Name, email, phone, bar council number, firm name | Authentication & communication |
| Case Data | Case numbers, court details, hearing dates, client info, documents | Core service delivery |
| Billing | Invoice records, payment status (no card data — Razorpay handles PCI) | Subscription management |
| Notifications | WhatsApp/email delivery logs | Reminder service |
| Technical | IP address, browser type, session token | Security & fraud prevention |
We do NOT collect: Audio/video recordings of court proceedings, biometric data, health data, financial account details, or any sensitive personal data beyond what is listed above.
4. Data Residency — Stored in India
All your data is stored exclusively on servers located in India.
We do not transfer your case data to servers outside India. Our infrastructure is hosted in
Indian data centres compliant with Indian IT law. This means your data is subject only to Indian jurisdiction
and cannot be accessed under foreign surveillance laws (e.g., US CLOUD Act).
5. Legal Basis for Processing (DPDP Act 2023)
- Consent: You provide explicit consent at registration. You may withdraw consent at any time by deleting your account.
- Contractual Necessity: Processing required to deliver the subscribed service.
- Legitimate Use: Security monitoring, fraud prevention, and statutory compliance.
6. Data Sharing — We Do Not Sell Your Data
We share your data with third parties only where strictly necessary:
- Razorpay — Payment processing only. They receive your name, email, and payment amount. They do not receive case data.
- CallMeBot / Email SMTP — Message delivery only. They receive phone numbers/emails and message text you compose. No case metadata.
- eCourts API — Case number lookups are sent to the government eCourts system. No account data is shared.
- Law enforcement / Courts — Only if required by a valid court order under Indian law.
We never share, sell, rent, or license your data to marketing companies, data brokers, insurance companies, or any other party.
7. Your Rights Under DPDP Act 2023
As a Data Principal under the DPDP Act, you have the right to:
- Access — Request a copy of all personal data we hold about you
- Correction — Request correction of inaccurate or incomplete data
- Erasure (Right to be Forgotten) — Request deletion of your account and all associated data
- Grievance Redressal — Raise complaints with our Data Protection Officer
- Nominate a Representative — Nominate someone to exercise rights on your behalf
To exercise any right, email: privacy@vakalat.in. We respond within 72 hours and fulfil requests within 30 days.
8. Data Security
- All data in transit is encrypted using TLS 1.3
- Passwords are hashed using bcrypt (never stored in plaintext)
- Database encrypted at rest using AES-256
- Sessions expire automatically after 24 hours of inactivity
- Rate limiting on all authentication endpoints
- Regular security audits and penetration testing
- Access to production systems is restricted to the minimum number of personnel (principle of least privilege)
9. Data Retention
- Active accounts: Data retained for the duration of your subscription
- After account deletion: All personal data erased within 30 days
- Billing records: Retained for 7 years as required under Indian tax law
- Notification logs: Retained for 90 days for debugging, then purged
10. Cookies
We use only essential cookies for authentication (session management). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cross-site tracking occurs.
11. Client Portal Users
When an advocate invites their client to the Client Portal, the client's registration data (name, email, phone) is collected with their explicit consent at registration. This data is visible only to the inviting advocate and used solely to provide portal access. Clients may delete their account at any time from the portal settings.
12. Grievance Officer
In accordance with the DPDP Act 2023 and IT Act 2000, our Grievance Officer is reachable at:
Grievance Officer / Data Protection Officer
Vakalat Diary
Email: privacy@vakalat.in
Response time: 72 hours acknowledgement, 30 days resolution
13. Changes to This Policy
We will notify you by email and in-app notification at least 30 days before any material changes to this policy. Continued use after that period constitutes acceptance.