Suvarna Nyayanidhi Private Limited
1. Introduction, Scope and Application
1.1 This Privacy Policy (hereinafter referred to as the "Policy") sets forth the manner in which Suvarna Nyayanidhi Private Limited, a company incorporated under the Companies Act, 2013, bearing Corporate Identification Number U69100KA2024PTC190185, having its registered office at #47, Boothanapatte Estate, Masagali Village, Chikkamangalur, Mallandur, Chickmagalur, Karnataka 577130, India (hereinafter referred to as the "Company," "we," "us," or "our"), collects, uses, stores, processes, transfers, and protects personal data through its contract management platform accessible at www.rilin.ai (hereinafter referred to as the "Platform").
1.2 This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the "DPDPA"), the Information Technology Act, 2000 (hereinafter referred to as the "IT Act"), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as the "SPDI Rules"), to the extent that the said Rules remain in force and are not inconsistent with the provisions of the DPDPA.
1.3 This Policy constitutes the notice required to be given to Data Principals under Section 6(1) of the DPDPA, specifying the personal data collected and the purposes for which such data is processed.
1.4 This Policy applies to all Data Principals who access or use the Platform from within the territory of India or whose personal data is processed by the Company in connection with the provision of the Platform services, regardless of the Data Principal’s location.
1.5 By accessing, registering on, or using the Platform, the Data Principal acknowledges having read, understood, and agreed to be bound by the terms of this Policy. Where a Data Principal accesses the Platform on behalf of an organisation, such Data Principal represents and warrants that they possess the requisite authority to bind the said organisation to the terms hereof.
1.6 This Policy is to be read in conjunction with the Terms of Service governing the use of the Platform. In the event of any conflict between this Policy and the Terms of Service on matters relating to the processing of personal data, this Policy shall prevail.
1.7 If any provision of this Policy is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction or by the Data Protection Board of India, such invalidity, illegality, or unenforceability shall not affect the remaining provisions of this Policy, which shall continue in full force and effect.
2. Definitions
2.1 In this Policy, unless the context otherwise requires, the following terms shall have the meanings ascribed to them below:
(a) "Client" shall mean any organisation that subscribes to and utilises the Platform for contract drafting, storage, obligation management, and related services.
(b) "Contract Data" shall mean the contents of contracts, agreements, and related documents uploaded to or drafted on the Platform by a Client, including all text, terms, clauses, obligations, and any personal data of third parties contained therein.
(c) "Data Fiduciary" shall have the meaning ascribed to it under Section 2(i) of the DPDPA, namely, any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. In the context of the Platform, the Company is the Data Fiduciary.
(d) "Data Principal" shall have the meaning ascribed to it under Section 2(j) of the DPDPA, namely, the individual to whom the personal data relates. This includes users of the Platform, authorised representatives and signatories of Clients, and any individual whose personal data appears in Contract Data.
(e) "Data Processor" shall have the meaning ascribed to it under Section 2(k) of the DPDPA, namely, any person who processes personal data on behalf of a Data Fiduciary.
(f) "Personal Data" shall have the meaning ascribed to it under Section 2(t) of the DPDPA, namely, any data about an individual who is identifiable by or in relation to such data.
(g) "Personal Data Breach" shall have the meaning ascribed to it under Section 2(u) of the DPDPA, namely, any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to, personal data, that compromises the confidentiality, integrity, or availability of personal data.
(h) "Platform" shall mean the Company’s proprietary contract management platform, including all associated web applications, APIs, and services.
(i) "Processing" shall have the meaning ascribed to it under Section 2(x) of the DPDPA, and includes any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction.
3. Personal Data Collected
3.1 Account and Registration Data
3.1.1 At the time of onboarding a Client on the Platform, the Company collects the following categories of personal data pertaining to the Client’s authorised representatives and signatories:
| Category of Personal Data | Specific Data Elements | Purpose of Collection |
|---|---|---|
| Identity Data | Full legal name, designation or role within the Client organisation, signing capacity | Account creation, identification and authentication of authorised users, population of contract templates |
| Contact Data | Email address (including primary, notice, and signatory email addresses) | Platform communications, transactional notifications, service-related correspondence, delivery of legal notices |
| Authentication Data | Login credentials (stored exclusively in hashed form using the bcrypt algorithm), single sign-on tokens where Google, Microsoft, or GitHub authentication is utilised | Account security, access control, session management |
3.1.2 The Company does not collect or store plaintext passwords. All authentication credentials are processed using the bcrypt cryptographic hashing algorithm prior to storage.
3.1.3 The foregoing categories are not exhaustive. In the event that the Company collects additional categories of personal data, this Policy shall be updated in accordance with Section 13.
3.2 Contract Data
3.2.1 When Clients upload existing contracts or draft new contracts on the Platform, the Contract Data may contain personal data of third parties who are not direct users of the Platform, including but not limited to names, addresses, government-issued identification numbers, financial terms, employment details, and other particulars of counterparties, directors, guarantors, shareholders, and other individuals named in such contracts.
3.2.2 The Company processes Contract Data using automated systems, including third-party large language models, for the purposes of extracting contractual obligations, segmenting and indexing clauses, mapping cross-clause dependencies, assessing contractual risk, and generating structured risk reports. This processing is integral to the services provided through the Platform and is performed on all contracts stored thereon.
3.2.3 In the course of the processing described in Clause 3.2.2, the full text of Contract Data is transmitted to the following third-party artificial intelligence service providers for analysis:
| Service Provider | Processing Activities | Server Location | Data Retention by Provider |
|---|---|---|---|
| OpenAI, L.L.C. (United States) | Field extraction, clause segmentation, cross-clause mapping, boundary detection, translation, redline review | United States | Not used for model training; abuse-monitoring log retention of 30 days |
| Anthropic, PBC (United States) | Contract drafting, conversational Q&A, risk assessment, redline review | United States | Not used for model training; API log retention of 7 days per standard commercial terms |
| Google LLC (United States) | Obligation extraction, obligation verification, domain review, OCR, conversational drafting, semantic search (RAG) | Global (Gemini API); Tokyo, Japan (RAG embeddings) | Not used for model training per Vertex AI Service Specific Terms (Section 17); in-memory cache with 24-hour TTL only |
3.2.4 Under the standard terms of service applicable to each of the aforementioned service providers: (a) OpenAI does not use API customer data for model training, but retains inputs and outputs in abuse-monitoring logs for up to thirty (30) days; (b) Anthropic does not use API customer data for model training and retains API logs for seven (7) days under its standard commercial terms; and (c) Google does not use Vertex AI customer data for model training under Section 17 of the Google Cloud Service Specific Terms and retains data only in-memory with a twenty-four (24) hour time-to-live.
3.3 Usage and Technical Data
3.3.1 The Company automatically collects certain technical and operational data in the course of providing the Platform services. The Company does not employ any third-party analytics, product telemetry, session replay, or advertising tools. The technical data collected is limited to the following:
| Source | Data Collected | Storage Location | Retention Period |
|---|---|---|---|
| Application Logs | Request paths, HTTP status codes, organisation and contract identifiers, error traces | Mumbai, India (Google Cloud Logging) | Ninety (90) days |
| Server Access Logs | HTTP method, request path, status code, latency, user agent, source IP address | Mumbai, India (Google Cloud Run) | Ninety (90) days |
| Cloud Audit Logs | Administrative and data access events on infrastructure services | Mumbai, India (Google Cloud) | Four hundred (400) days for administrative activity logs (Google Cloud Platform default); ninety (90) days for data access logs |
4. Purpose and Lawful Basis of Processing
4.1 The Company processes personal data for the purposes set forth below. Under the DPDPA, the lawful basis for processing is consent obtained in accordance with Section 6, except where a legitimate use under Section 7 is expressly identified.
4.2 Provision of Platform Services
The Company processes Account Data and Contract Data for the purpose of providing the Platform services, including contract storage, drafting, obligation extraction, clause indexing, cross-clause dependency mapping, risk assessment, and the generation of structured risk reports. The lawful basis for this processing is the consent of the Data Principal, obtained at the time of registration in accordance with Section 5 of this Policy.
4.3 Automated Contract Processing
The Company employs automated systems, including third-party large language models as specified in Clause 3.2.3, to parse the contents of contracts uploaded to or drafted on the Platform. This automated processing extracts contractual obligations, identifies and indexes key terms, maps dependencies across clauses, and generates risk assessments categorised by severity and domain. This processing is performed on all contracts on the Platform and constitutes an integral component of the services provided.
4.4 Communications
The Company processes Contact Data for the purpose of sending transactional communications to Data Principals, including subscription confirmations, service updates, security alerts, and customer support correspondence. The lawful basis for this processing is the consent obtained at the time of registration.
4.5 Promotional and Marketing Communications
The Company may, from time to time, send promotional emails, product announcements, newsletters, and other marketing communications to Data Principals. The lawful basis for this processing is a separate and specific consent obtained through a distinct opt-in mechanism at the time of registration or at a subsequent point during the use of the Platform, in accordance with Section 6 of the DPDPA. Such consent shall be independent of, and shall not be bundled with, consent for the processing activities described in Clauses 4.2 through 4.4.
Consent for marketing communications is optional and is not a precondition for access to or use of the Platform. The Data Principal may decline marketing consent at registration without any impact on the availability or functionality of the Platform services.
The Data Principal may withdraw consent for marketing communications at any time by utilising the "unsubscribe" link provided in each marketing communication or through the communication preferences section of the account settings. Withdrawal of consent for marketing communications shall not affect the Data Principal’s access to the Platform or the processing of personal data for the purposes described in Clauses 4.2 through 4.4.
4.6 Security and Fraud Prevention
The Company processes Usage and Technical Data for the purpose of detecting and preventing unauthorised access, security incidents, and fraudulent activity on the Platform. This processing is covered by the consent obtained at the time of registration, as the purposes of security monitoring and fraud prevention are disclosed in this Policy and form part of the informed basis upon which consent is given.
4.7 Legal and Regulatory Compliance
The Company may process personal data where such processing is necessary to comply with any judgment, decree, or order issued by any court or tribunal, or to comply with any applicable law or regulation for the time being in force. The lawful basis for this processing is the legitimate use under Section 7(c) of the DPDPA.
5. Consent
5.1 Manner of Obtaining Consent
5.1.1 The Company obtains the consent of the Data Principal at the time of registration on the Platform through a clear affirmative action, namely, an unticked checkbox requiring the Data Principal to confirm that they have read this Policy and consent to the processing of their personal data for the purposes described herein.
5.1.2 Such consent is free, specific, informed, unconditional, and unambiguous, and is signified through a clear affirmative action, in accordance with the requirements of Section 6 of the DPDPA.
5.2 Withdrawal of Consent
5.2.1 The Data Principal may withdraw consent at any time by utilising the "Withdraw Consent" function available in the account settings of the Platform. The mechanism for withdrawal is designed to be no more onerous than the mechanism by which consent was originally given, in compliance with Section 6(4) of the DPDPA.
5.2.2 Upon withdrawal of consent, the Company shall cease processing the personal data of the Data Principal and shall initiate the erasure process in accordance with Clause 8.3 of this Policy, unless retention of specific data is mandated by applicable law.
5.2.3 The withdrawal of consent shall not affect the lawfulness of any processing carried out on the basis of consent prior to such withdrawal, in accordance with Section 6(5) of the DPDPA. The Data Principal acknowledges that withdrawal of consent may result in the termination of access to the Platform, insofar as certain processing activities are essential to the provision of the services.
6. Personal Data of Third Parties in Contracts
6.1 The Platform processes Contract Data that may contain personal data of individuals who are not direct users of the Platform, including counterparties, directors, guarantors, employees, shareholders, and other individuals named in contracts uploaded or drafted by Clients.
6.2 The Company acknowledges its obligations as Data Fiduciary with respect to such third-party personal data under the DPDPA. The Company processes such data solely for the purpose of providing the contract management services described in this Policy, including obligation extraction, clause indexing, and risk assessment.
6.3 Any individual whose personal data appears in a contract stored on the Platform and who wishes to exercise any right available under applicable data protection law may contact the Company using the details set out in Section 14 of this Policy. The Company shall process such request in accordance with the provisions of Section 11.
6.4 The Terms of Service governing use of the Platform require each Client to represent and warrant that it possesses a lawful basis under applicable law for sharing Contract Data containing third-party personal data with the Company, and that where required, it has provided appropriate notice to such third parties.
7. Sharing and Disclosure of Personal Data
7.1 Data Processors
7.1.1 The Company engages third-party service providers who process personal data on its behalf in connection with the operation of the Platform. These Data Processors act under valid contracts in accordance with Section 8(2) of the DPDPA and are bound by obligations of confidentiality and security no less protective than those set forth in this Policy.
7.1.2 The following table sets forth the categories and identities of Data Processors engaged by the Company, the nature of data shared, and the jurisdictions in which such data is processed:
| Service Provider | Purpose | Data Shared | Location | Contract Content Transmitted? |
|---|---|---|---|---|
| OpenAI, L.L.C. | AI-driven contract analysis, clause segmentation, translation | Full contract text | USA | Yes |
| Anthropic, PBC | AI-driven drafting, risk assessment, Q&A, redline review | Full contract text | USA | Yes |
| Google LLC (Vertex AI, Gemini, Cloud Vision) | AI-driven obligation extraction, OCR, semantic search, infrastructure hosting | Full contract text; all Platform data (infrastructure) | India (infra); USA/Global (AI); Japan (RAG) | Yes |
| Zoho Corporation Pvt. Ltd. | Electronic signature services | Full contract document, signer name, email, phone | India | Yes |
| Razorpay Software Pvt. Ltd. | Payment processing | Billing details, transaction data | India | No |
| Resend, Inc. | Transactional email delivery | Recipient email, subject, body; occasional signed PDF attachments | USA | Occasionally (signed PDFs) |
| Vercel, Inc. | Frontend hosting and content delivery | HTTP requests, static assets | USA (HQ); global CDN edges | No |
| Google LLC (Identity) | Social sign-in (Sign in with Google) | Google ID token (email, name) | Global | No |
| Google LLC (Drive API) | Document ingestion from and export to Client’s Google Drive (conditional) | Read/write access to Client’s chosen Drive folders; OAuth refresh tokens stored encrypted | Global | Yes (contract documents) |
| Google LLC (Calendar API) | Counsel call scheduling (conditional) | Calendar event metadata (titles, attendee emails, times) | Global | No |
| Microsoft Corporation | Social sign-in (conditional) | Microsoft auth token (email, name) | USA/Global | No |
| GitHub, Inc. | Social sign-in (conditional) | GitHub auth token (email, name) | USA | No |
7.1.3 The social sign-in services, Google Drive integration, and Google Calendar integration listed above are engaged conditionally and are utilised only where the Data Principal or Client elects to enable the corresponding functionality.
7.2 Legal and Regulatory Disclosures
The Company may disclose personal data where required by applicable law, regulation, legal process, or governmental request, including in response to orders, summons, or directions issued by any court, tribunal, or regulatory authority having jurisdiction.
7.3 Business Transfers
In the event of a merger, amalgamation, acquisition, corporate restructuring, or transfer of assets of the Company, personal data held by the Company may be transferred to the successor entity. The Company shall notify affected Data Principals of any such transfer prior to its completion and shall ensure that the successor entity is bound by obligations no less protective than those set forth in this Policy. Data Principals who do not wish their personal data to be transferred to the successor entity may withdraw their consent in accordance with Section 5.2 prior to the completion of such transfer.
7.4 No Sale of Personal Data
The Company does not sell, rent, lease, trade, or otherwise make available personal data to any third party for such third party’s independent use or commercial benefit.
8. Data Retention and Erasure
8.1 Retention Periods
8.1.1 The Company retains personal data only for such period as is necessary to fulfil the purposes for which it was collected, or as mandated by applicable law. The following retention periods apply:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account Data | Duration of active subscription plus sixty (60) days | DPDPA Section 8(7) |
| Contract Data | Duration of active subscription plus sixty (60) days | DPDPA Section 8(7) |
| Financial and Billing Data | Eight (8) years from the date of the relevant transaction | Income Tax Act, 1961, Section 149; Central Goods and Services Tax Act, 2017 |
| Application and Server Logs | Ninety (90) days | Operational and security necessity |
| Cloud Audit Logs (administrative activity) | Four hundred (400) days | Google Cloud Platform default; retained for infrastructure security and compliance audit purposes |
8.2 Erasure Upon Subscription Termination
8.2.1 Upon the termination or expiry of a Client’s subscription, the Company shall retain Account Data and Contract Data for a period of sixty (60) days to enable the Client to export its data from the Platform (the "Export Period").
8.2.2 Upon the expiry of the Export Period, all personal data and Contract Data associated with the Client’s account shall be permanently and irreversibly deleted from the Company’s active systems. Deletion from backup systems shall occur in accordance with the Company’s backup rotation schedule.
8.2.3 Notwithstanding the foregoing, the Company may retain specific data where such retention is mandated by applicable law, including financial records required to be maintained under the Income Tax Act, 1961, or the Central Goods and Services Tax Act, 2017, and Cloud Audit Logs which are retained for the periods specified in Clause 8.1.1.
8.3 Erasure on Request
Data Principals may request erasure of their personal data in accordance with Section 12 of the DPDPA, subject to the rights and procedures described in Section 11 of this Policy.
9. Cross-Border Transfer of Personal Data
9.1 The primary storage of all Platform data, including the application database, uploaded documents, and generated outputs, is in Mumbai, India (Google Cloud, asia-south1 region).
9.2 In the course of providing the Platform services, personal data and Contract Data may be transferred to, stored in, or processed in jurisdictions outside India, as set forth below:
| Jurisdiction | Services and Data Transferred |
|---|---|
| United States | OpenAI API (contract text); Anthropic API (contract text); Resend (transactional emails); Vercel (frontend hosting); social sign-in providers (authentication tokens) |
| Japan (Tokyo) | Google Vertex AI RAG Engine (vector embeddings of contract content for semantic search) |
| Global (Google multi-region) | Google Gemini API (configured for global routing); Google Cloud Vision OCR; Google Identity, Drive, and Calendar APIs |
9.3 Such transfers are currently permitted under Section 16(1) of the DPDPA, which permits the transfer of personal data to all countries except those specifically restricted by the Central Government by notification. As of the effective date of this Policy, no country has been restricted under Section 16(1).
9.4 In the event that any jurisdiction to which personal data is transferred is subsequently restricted by notification under Section 16(1), the Company shall take such measures as may be necessary, including migration of data to compliant jurisdictions.
9.5 The Company ensures that all service providers in jurisdictions outside India are bound by contractual obligations to maintain the confidentiality and security of personal data in accordance with standards no less protective than those required under Indian law.
10. Security Safeguards
10.1 The Company implements reasonable security safeguards to protect personal data in its possession or under its control against Personal Data Breaches, in accordance with Section 8(4) of the DPDPA. The Company’s security measures are designed to be consistent with the IS/ISO/IEC 27001 standard and include the following:
(a) Encryption: All personal data and Contract Data are encrypted at rest using AES-256 encryption and in transit using Transport Layer Security (TLS) version 1.2 or higher.
(b) Access Controls: Role-based access controls are implemented to ensure that data is accessible only to authorised personnel. Client data is logically segregated such that one Client cannot access the data of another Client.
(c) Monitoring and Logging: The Company maintains detailed access logs and employs continuous monitoring to detect unauthorised access or anomalous activity.
(d) Vulnerability Assessments: The Company conducts periodic vulnerability assessments and penetration testing of its systems and infrastructure.
(e) Personnel Controls: Access to personal data is restricted to personnel who require such access for the performance of their duties, and such personnel are bound by obligations of confidentiality.
11. Rights of Data Principals
11.1 Under the DPDPA, Data Principals are entitled to the following rights with respect to their personal data. The Company shall respond to any request made under this Section within thirty (30) days of receipt of such request.
11.2 Right to Information (Section 11, DPDPA)
The Data Principal has the right to obtain from the Company a summary of the personal data processed by the Company pertaining to such Data Principal, and of the processing activities undertaken with respect to such data, upon making a request through the mechanism described in Section 14.
11.3 Right to Correction and Erasure (Section 12, DPDPA)
The Data Principal has the right to request the correction of inaccurate or misleading personal data, the completion of incomplete personal data, the updating of personal data that is no longer current, and the erasure of personal data that is no longer necessary for the purpose for which it was collected.
11.4 Right to Grievance Redressal (Section 13, DPDPA)
The Data Principal has the right to have any grievance relating to the Company’s processing of personal data addressed through the grievance redressal mechanism described in Section 14 of this Policy. In the event that the Data Principal is not satisfied with the Company’s resolution, the Data Principal may file a complaint with the Data Protection Board of India established under the DPDPA.
11.5 Right to Nominate (Section 14, DPDPA)
The Data Principal has the right to nominate any individual who shall, in the event of the Data Principal’s death or incapacity, exercise the rights of the Data Principal under the DPDPA. Such nomination may be made by contacting the Company using the details provided in Section 14 of this Policy.
12. Personal Data Breach Notification
12.1 In the event of a Personal Data Breach, the Company shall notify the Data Protection Board of India and each affected Data Principal in such form and manner as may be prescribed under the DPDPA, in accordance with Section 8(6).
12.2 The Company shall endeavour to provide such notification within seventy-two (72) hours of becoming aware of the breach. Upon becoming aware of a breach that is likely to result in harm to Data Principals, the Company shall take immediate steps to contain the breach, assess its scope and impact, and notify affected parties.
12.3 The Company shall cooperate with any investigation initiated by the Data Protection Board of India in connection with a Personal Data Breach.
13. Amendments to this Policy
13.1 The Company may amend this Policy from time to time to reflect changes in its processing activities, applicable law, or regulatory guidance. Amendments shall be handled as follows:
(a) Non-material amendments, including typographical corrections, formatting changes, or clarifications that do not alter the substance of the Policy, shall be reflected by updating the "Last Updated" date on the Policy.
(b) Material amendments affecting the scope of data collection, the purposes of processing, or the categories of third parties with whom personal data is shared shall be notified to Data Principals by email to their registered email address and by posting a conspicuous notice on the Platform, not less than fifteen (15) days prior to the effective date of such amendment.
(c) Amendments that affect the lawful basis or purpose of processing in a manner inconsistent with the consent originally obtained shall require the Company to obtain the fresh consent of the Data Principal before such amendments take effect.
14. Contact Information and Grievance Redressal
14.1 Grievance Officer
In accordance with Section 13 of the DPDPA and Rule 5(9) of the SPDI Rules (to the extent in force), the Company has designated the following Grievance Officer:
Name: Mr. Dinesh Babu
Designation: Founding Engineer
Email: dinesh@nyayanidhi.in
Address: 3rd Floor, No. 133, Raheja Chancery, Brigade Road, Bengaluru, Karnataka 560025, India
14.2 The Grievance Officer shall acknowledge receipt of any grievance within forty-eight (48) hours and shall endeavour to resolve such grievance within thirty (30) days of receipt. In the event that the Data Principal is not satisfied with the resolution provided, the Data Principal may escalate the matter to the Data Protection Board of India.
14.3 General Enquiries
For general enquiries regarding this Policy, Data Principals may contact the Company at: legal@nyayanidhi.in
14.4 Third-Party Data Requests
Any individual whose personal data appears in contracts stored on the Platform and who wishes to exercise any right available under applicable data protection law or to raise a concern may contact the Grievance Officer using the details set out in Clause 14.1 above. The Company shall endeavour to respond to such request within thirty (30) days.
15. Cookies and Client-Side Storage
15.1 First-Party Cookies
15.1.1 The Platform utilises the following first-party cookies, all of which are strictly necessary for the provision of the service and the authentication of users:
| Cookie Name | Purpose | Duration | Category | First / Third Party |
|---|---|---|---|---|
| access_token | JWT access token for API authentication | 7 days | Strictly necessary | First-party |
| refresh_token | Long-lived JWT for silent token renewal | 30 days | Strictly necessary | First-party |
| token_type | Stores authentication header format (Bearer) | 7 days | Strictly necessary | First-party |
15.1.2 The Platform does not utilise any third-party analytics, advertising, session replay, or marketing cookies.
15.2 Client-Side Storage
15.2.1 In addition to cookies, the Platform utilises browser localStorage and IndexedDB for the following purposes, all of which are strictly necessary for the operation of the Platform or are functional in nature:
(a) Authentication state management: backup copies of authentication tokens for cross-tab coordination and proactive token refresh.
(b) User preferences: last logged-in email address (for login form pre-population) and selected organisation preference.
(c) Collaborative editing state: contract draft content is cached locally in the Data Principal’s browser using the Y.js collaborative editing framework and stored in IndexedDB. This cached content may include the full text of contract drafts and persists until the browser storage is cleared by the Data Principal.
(d) Workflow continuation: session state for in-progress document operations to enable uninterrupted resumption across page reloads.
15.2.2 To the extent that any data stored in browser localStorage or IndexedDB identifies or relates to an identifiable individual, such data constitutes personal data under the DPDPA and is subject to the terms of this Policy.
15.3 Third-Party Widgets
15.3.1 The following third-party services may load scripts or set cookies in their own domains when a specific user action triggers their functionality:
(a) Razorpay Checkout (Razorpay Software Pvt. Ltd., India): loaded when the Data Principal initiates a payment transaction. Razorpay may set its own session cookies on the checkout.razorpay.com domain.
(b) Zoho Sign (Zoho Corporation Pvt. Ltd., India): loaded as an embedded iframe when the Data Principal opens a document for electronic signature. Zoho may set its own session cookies on the sign.zoho.in domain.
(c) Social sign-in providers (Google LLC, Microsoft Corporation, GitHub Inc.): loaded when the Data Principal elects to authenticate via the corresponding provider. Each provider may set its own authentication cookies on its respective domain.
15.3.2 The Company does not control the cookies set by these third-party services. Data Principals are advised to consult the respective privacy policies of these service providers for information regarding their cookie practices.
16. General Provisions
16.1 Governing Law and Jurisdiction
This Policy shall be governed by and construed in accordance with the laws of India. Any dispute, difference, or question arising out of or in connection with this Policy, including any question regarding its existence, validity, interpretation, or termination, shall be subject to the exclusive jurisdiction of the competent courts at Bengaluru, Karnataka, India, without prejudice to the jurisdiction of the Data Protection Board of India under the DPDPA.
16.2 Relationship with Terms of Service
This Policy is to be read in conjunction with the Terms of Service governing use of the Platform. The Terms of Service contain additional provisions relating to data handling, Client warranties regarding third-party personal data, data export and deletion mechanics, and limitation of liability, which supplement this Policy.
16.3 No Waiver
The failure of the Company to exercise or enforce any right or provision of this Policy shall not constitute a waiver of such right or provision. Any waiver of any provision of this Policy shall be effective only if made in writing and signed by the Company.
16.4 Severability
If any provision of this Policy is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction or by the Data Protection Board of India, such invalidity, illegality, or unenforceability shall not affect the remaining provisions of this Policy, which shall continue in full force and effect.
— End of Privacy Policy —