Lawyers Diary — Privacy Policy

Version 1.0 · Dated 8 July 2026 · Version code v1.0-2026-07-08 · DRAFT — not yet in force

This Privacy Policy is the notice given by Lawyers Diary as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act"). It uses the defined terms of the Lawyers Diary Terms & Conditions where the same terms appear (for example, "Firm", "User", "Firm Data", "Account Metadata", "Reminder", "Court Data").


Plain-Language Summary / सरल भाषा में सारांश

This summary is for convenience only. It is not part of the Policy. The numbered English clauses below are the only terms that govern. In case of any difference between this summary (in either language) and the English clauses, the English clauses prevail.

यह सारांश केवल सुविधा हेतु है। यह नीति का भाग नहीं है। केवल नीचे दिए गए अंग्रेज़ी अनुच्छेद ही मान्य हैं। किसी भी भिन्नता की स्थिति में अंग्रेज़ी पाठ ही मान्य होगा।

The eight things that matter most / आठ सबसे महत्वपूर्ण बातें:

  1. We collect only what runs the service. From advocates and firms: name, email, phone, firm details, login and usage logs, and IP address. From clients (entered by the firm): name, phone and consent status. Nothing more. हम केवल वही एकत्र करते हैं जो सेवा चलाने हेतु आवश्यक है। अधिवक्ता/फ़र्म से: नाम, ईमेल, फ़ोन, फ़र्म विवरण, लॉगिन एवं उपयोग लॉग, IP पता। मुवक्किल से (फ़र्म द्वारा दर्ज): नाम, फ़ोन एवं सहमति-स्थिति। इससे अधिक कुछ नहीं।
  2. We do not read your case content. In the ordinary course we access only Account Metadata — who the account holder is, plan and payment records, and logs — never the substance of your cases, notes or documents. हम आपकी केस-सामग्री नहीं पढ़ते। सामान्य कार्य-व्यवहार में हम केवल खाता-मेटाडेटा तक पहुँचते हैं — खाताधारक कौन है, योजना एवं भुगतान अभिलेख, तथा लॉग — कभी भी केस, नोट्स या दस्तावेज़ की विषय-वस्तु तक नहीं।
  3. We share data only with service providers who work for us. WhatsApp (Meta) and email/SMTP to deliver reminders; our India hosting provider; and, where you use it, court-data providers. They are our processors, bound to use the data only to run the service. We do not sell your data. हम डेटा केवल हमारे लिए कार्य करने वाले सेवा-प्रदाताओं से साझा करते हैं। रिमाइंडर भेजने हेतु WhatsApp (Meta) एवं ईमेल/SMTP; हमारा भारत-आधारित होस्टिंग प्रदाता; तथा जहाँ आप उपयोग करें, कोर्ट-डेटा प्रदाता। ये हमारे प्रोसेसर हैं। हम आपका डेटा नहीं बेचते।
  4. Your data is stored in India. We host on AWS Mumbai (ap-south-1), including backups and logs. आपका डेटा भारत में संग्रहीत होता है। हम AWS मुंबई (ap-south-1) पर होस्ट करते हैं — बैकअप एवं लॉग सहित।
  5. You have rights. You can access and export your data, correct it, ask us to erase it, raise a grievance with a named officer, and nominate someone to act for you. आपके अधिकार हैं। आप अपना डेटा देख एवं निर्यात कर सकते हैं, सुधार करा सकते हैं, मिटाने का अनुरोध कर सकते हैं, नामित अधिकारी के समक्ष शिकायत रख सकते हैं, तथा अपनी ओर से कार्य करने हेतु किसी को नामांकित कर सकते हैं।
  6. We keep your data while your account is active and for 30 days after it ends, then delete it. The 30 days let you export everything before it goes. खाता सक्रिय रहने तक तथा समाप्ति के 30 दिन बाद तक हम डेटा रखते हैं, फिर मिटा देते हैं। ये 30 दिन आपको निर्यात का अवसर देते हैं।
  7. If there is a data breach, we will act and inform you. We follow India's CERT-In 6-hour reporting rule today, and will follow the DPDP Board notification rules when they come into force. डेटा उल्लंघन की स्थिति में हम कार्रवाई करेंगे एवं आपको सूचित करेंगे। हम आज CERT-In के 6-घंटे नियम का पालन करते हैं तथा लागू होने पर DPDP बोर्ड नियमों का पालन करेंगे।
  8. Voice typing is optional, and we never store your audio. If you turn on voice typing, your speech is transcribed to text and the audio is immediately discarded — we never store recordings and never train AI on them. Where the browser supports it, transcription runs on your device; otherwise your browser's speech service (Google on Chrome, Apple on Safari) transcribes it. You can turn it off any time in Settings. वॉइस टाइपिंग वैकल्पिक है, और हम आपका ऑडियो कभी संग्रहीत नहीं करते। वॉइस टाइपिंग चालू करने पर आपकी बोली टेक्स्ट में बदलती है और ऑडियो तुरंत हटा दिया जाता है — हम रिकॉर्डिंग कभी सेव नहीं करते और न ही उन पर AI प्रशिक्षित करते हैं। जहाँ ब्राउज़र समर्थन करे वहाँ यह आपके डिवाइस पर चलती है; अन्यथा आपके ब्राउज़र की स्पीच सेवा (Chrome पर Google, Safari पर Apple) इसे ट्रांसक्राइब करती है। आप इसे Settings में कभी भी बंद कर सकते हैं।

Language of this Policy. This Policy is drafted, agreed and governed in English. Any translation, including the Hindi summary above, is provided for convenience only and has no legal effect.


1. Who we are and our role

1.1 This Platform, "Lawyers Diary", is operated by [OPERATOR LEGAL NAME] (the "Operator", "we", "us"), presently a sole proprietor. Contact details are in Clause 12.

1.2 Under the DPDP Act, a person's role depends on who decides the purpose and means of processing:

(a) For Account Metadata — the identity and contact details of Users, plan and payment records, and login/usage logs — we decide the purpose and means, so we are the Data Fiduciary and this Policy is our notice to you.

(b) For Firm Data about a Firm's own clients — the client names, phone numbers and consent status a Firm enters — the Firm is the Data Fiduciary and we act as its Data Processor under contract. Our handling of that data is governed by the Data Processing Agreement (see the Lawyers Diary DPA), and the Firm gives its clients the required notice. This Policy explains, for transparency, how we process that data on the Firm's behalf, but it does not replace the Firm's own notice to its clients.

2. What personal data we collect

2.1 From advocates and firms (Account Metadata):

  • identity and contact details: name, email address, phone number;
  • firm details: firm/chamber name, Bar registration or enrolment details (where you provide them), office address, GSTIN (where applicable);
  • account and plan records: chosen Plan, payment records (UPI UTR you report, receipt numbers, plan history);
  • usage and audit logs: actions taken in the Platform, delivery-attempt trails for Reminders, timestamps, and the identity of the acting User;
  • technical data: IP address, browser/device type, and session information collected automatically when you use the Platform.

2.2 From clients (Firm Data, entered by the Firm):

  • client name;
  • client phone number;
  • consent status recorded by the Firm (whether the client agreed to receive Reminders);
  • hearing, case-reference and diary entries the Firm associates with the client.

We do not ask firms to enter, and do not require, client email, address, identity- document numbers, health or financial data, or any special-category data. Firms are asked not to place such data in free-text fields.

2.3 We do not collect: biometric data, precise geolocation, cookies for third-party advertising, or data about persons who are not Users or the Firm's own clients.

3. What we deliberately do NOT access — the privilege boundary

3.1 The single most important thing to understand about Lawyers Diary is what we do not touch. In the ordinary course of operating the Platform, we access only Account Metadata. We do not access the content of your Firm Data — the substance of your cases, your diary notes, your uploaded documents, or your privileged communications.

3.2 Access to the content of Firm Data is limited to narrow, logged circumstances:

  • where you, the Firm, explicitly ask us to (for example, a support request where you share a specific record); or
  • where strictly necessary to fix a specific technical fault you have reported, under access controls and with the access recorded in the audit trail; or
  • where compelled by a valid, binding legal order — in which case we will, unless legally barred, notify the Firm before disclosure so it may assert privilege (consistent with In Re: Summoning of Advocates, 2025 INSC 1275).

3.3 We do not use Firm Data content to train models, to profile clients, or for any purpose other than providing the Service to you.

4. Why we process your data, and our legal basis

PurposeData usedLegal basis under the DPDP Act
Create and run your account; authenticate UsersAccount MetadataNecessary to perform the service you signed up for; consent given at signup
Send hearing and task RemindersClient name/phone, hearing data, consent statusConsent (advocate at signup; client consent recorded by the Firm)
Show delivery-attempt audit trailsReminder logsLegitimate use — running and evidencing the service
Verify manual UPI payments and issue receiptsPayment recordsNecessary for the contract; legal/accounting obligation
Security, fraud prevention, and abuse detectionUsage logs, IPLegitimate use — security of the Platform
Comply with law (CERT-In, tax, court orders)As required by the relevant lawLegal obligation
Sync Court Data where you enable itCase reference / CNR you provideConsent; public-record processing where applicable

4.1 Where processing rests on consent, you may withdraw it at any time (Clause 8); withdrawal does not affect processing already carried out, and may mean we can no longer provide a feature that depends on it (for example, Reminders to a client who has withdrawn consent).

5. Third parties and processors

5.1 We share personal data only with service providers who process it on our behalf, to run the Service, under contract. Current categories:

  • Messaging — Meta Platforms (WhatsApp Business API): to deliver Reminders by WhatsApp. The recipient's name and phone number and the Reminder content are processed by WhatsApp to deliver the message.
  • Email / SMTP provider: to deliver Reminders and account emails.
  • Hosting — Amazon Web Services (AWS), Mumbai region (ap-south-1): stores and runs the Platform, its database, backups and logs, all within India.
  • Court-data providers (only where you use the Court Data feature): to fetch case status / cause-list information for a case reference you supply.

5.2 We do not sell personal data and do not share it for third-party advertising.

5.3 We will publish a current list of sub-processors and give notice of material changes, consistent with the Lawyers Diary DPA. A firm may object to a new sub-processor as provided there.

5.4 We may disclose data where compelled by valid legal process, on the terms in Clause 3.2.

5.5 Voice typing (optional feature). If you enable voice typing, speech-to-text runs in your browser. On browsers that support on-device recognition, the audio never leaves your device. Otherwise the browser's own speech service transcribes it — on Google Chrome this sends the audio to Google, and on Apple Safari to Apple — after which the audio is discarded. We do not store your audio, do not retain voice recordings, and do not use them to train models; only the text you review and save becomes a normal case or diary record, handled exactly like your other Firm Data (including export and erasure). Voice typing is off by default and can be turned off at any time in Settings. We will keep this clause and our sub-processor list current as the feature's processing changes.

6. Where your data is stored (India hosting)

6.1 We host the Platform, including its primary database, backups, Redis and logs, on AWS Mumbai (ap-south-1) — within India. This is our intent and current configuration.

6.2 There is presently no legal mandate to keep legal or case data in India; we do so by choice, to keep the privilege story simple and to make CERT-In log production straightforward. Some processors (for example, message delivery) may route through their own global infrastructure to complete delivery; we minimise the personal data involved and prefer India-region endpoints where offered.

7. How long we keep your data (retention)

7.1 We keep personal data for as long as your account is active.

7.2 When your account ends (you close it, or it is terminated), we keep your data for a 30-day post-termination window so that you can export it. During this window the Platform provides export access as described in the Terms.

7.3 After the 30-day window, we delete Firm Data and personal data, except where a shorter or longer period is required by law — for example:

  • security/ICT logs are retained for 180 days to meet the CERT-In Directions 2022 (see Clause 10 and the CERT-In runbook);
  • payment and tax records are retained for the period required under Indian tax law;
  • data under legal hold is retained until the hold is lifted.

7.4 Backups are cycled on a rolling basis; data in backups is overwritten in the normal backup rotation after deletion from the live system.

8. Your rights as a Data Principal, and how to exercise them

8.1 Under the DPDP Act you have the right to:

(a) Access a summary of the personal data we process about you and the processing activities;

(b) Correction, completion and updating of inaccurate or incomplete data;

(c) Erasure of your personal data where it is no longer needed for the purpose it was collected and no law requires us to keep it;

(d) Grievance redressal — to raise a grievance with us and receive a response (Clause 12);

(e) Nomination — to nominate another individual to exercise your rights in the event of your death or incapacity.

8.2 How to exercise them:

  • Access and portability: you can export your data as CSV at any time from within the Platform, including for 30 days after your account ends. For anything the in-app export does not cover, write to the grievance contact in Clause 12.
  • Correction: most account and case fields are editable directly in the Platform. For fields you cannot edit yourself, write to the grievance contact.
  • Erasure / withdrawal of consent / nomination / any other right: write to the grievance contact in Clause 12. We will verify your identity and respond within a reasonable period, and in any event within the timeframe required by the DPDP Rules once in force.

8.3 If you are a client of a Firm (not the account holder), your Firm is the Data Fiduciary for your data. Direct your access/correction/erasure requests to the Firm; we will support the Firm in fulfilling them.

8.4 You must exercise your rights in good faith and not make false or frivolous requests, as the DPDP Act requires of Data Principals.

9. How we protect your data (security)

9.1 We describe our security measures honestly — we do not claim protections we have not implemented:

  • Encryption in transit: all traffic to and from the Platform is encrypted using TLS (HTTPS).
  • Encryption at rest: provided by the managed database/disk encryption of our hosting environment (AWS ap-south-1), enabled at production deployment. Application-layer document encryption with keys we control is planned, not yet shipped; we do not, and will not, claim "our host cannot read your data" until that is true in code.
  • Access control: role-based access (RBAC), firm-isolated data so one firm cannot see another's data, and least-privilege operator access.
  • Audit logging: actions and access are recorded in an audit trail, including Reminder delivery attempts.
  • Operational measures: clock sync to NIC/NPL NTP, 180-day security-log retention, and the incident-response runbook in Clause 10.

9.2 No system is perfectly secure. We work to protect your data using reasonable security practices proportionate to a service handling privileged data.

10. Breach notification

10.1 If we become aware of a personal-data breach or a reportable cyber incident, we follow our incident-response runbook, which operates on two clocks:

  • CERT-In (in force now): report qualifying cyber incidents to CERT-In within 6 hours of noticing them, under the CERT-In Directions 2022.
  • DPDP Data Protection Board (from full enforcement, expected 13 May 2027): notify the Board and affected Data Principals of a personal-data breach in the manner and timeframe the DPDP Rules require.

10.2 Where we act as Processor for a Firm's client data, we notify the Firm of a breach without undue delay so the Firm can meet its own obligations, as set out in the LPMS DPA.

10.3 Our breach notice to you will describe, to the extent known, the nature of the breach, the data affected, the likely consequences, and the steps we are taking and you can take.

11. Consent Manager readiness

11.1 The DPDP Act contemplates registered Consent Managers through which Data Principals may give, manage and withdraw consent. As the ecosystem and DPDP Rules mature, we intend to make the Platform interoperable with a registered Consent Manager, so that your consents (including client consent to Reminders) can be managed through it. Until then, consent is captured and withdrawable within the Platform as described in this Policy.

12. Grievances and contact

12.1 If you have a question, request, or grievance about your personal data, contact our Grievance Officer:

  • Grievance Officer: [GRIEVANCE OFFICER NAME]
  • Email: [CONTACT EMAIL]
  • Post: [POSTAL ADDRESS]
  • WhatsApp: [WHATSAPP NUMBER]

12.2 We will acknowledge your grievance and respond within a reasonable period, and in any event within the timeframe required by the DPDP Rules once in force. If you are not satisfied with our response, you may escalate to the Data Protection Board of India once it is operational.

13. Children's data

13.1 The Platform is intended for practising advocates, their staff, and the Firm's adult clients. It is not directed at, and we do not knowingly collect personal data of, individuals under 18 (children).

13.2 Firms must not enter a child's personal data as a "client" without the verifiable consent of a parent or lawful guardian as the DPDP Act requires, and must not enable Reminders to a child's phone number. If we learn we have inadvertently collected a child's data without the required consent, we will delete it.

14. Changes to this Policy

14.1 We may update this Policy. The version and date at the top change with each update, and the version code is recorded against your account at signup and on material updates.

14.2 For material changes affecting your rights or how we use your data, we will give notice within the Platform or by email before the change takes effect, and — where the law requires it — seek fresh consent.


End of Privacy Policy (v1.0-2026-07-08, DRAFT). This document requires review by a qualified Indian advocate before public launch, and every factual claim above must be verified true in the shipped system before publication.