Privacy Policy
Last updated: 2026-04-16. This policy explains how Online Vakil Technologies Pvt. Ltd. ("Online Vakil") processes your personal data under the Digital Personal Data Protection Act, 2023 (DPDPA) and the Information Technology Act, 2000.
1. Who we are
Online Vakil is an online legal workflow platform operating as a neutral technological intermediary under Section 79 of the Information Technology Act, 2000. We do not practise law. We connect citizens with verified advocates enrolled with State Bar Councils, and we provide the digital infrastructure (document drafting, eSign, payments, case tracking) for the advocate–client engagement.
2. Data we collect
| Category | Purpose | Retention | Legal basis |
|---|---|---|---|
| Phone number (E.164) | Identity + OTP login | Until account deletion + 30-day grace | Consent + contract |
| Name, pincode, language | Advocate matching | Until account deletion | Consent |
| Intake description (text + voice) | Case triage | 7 years (statutory litigation window) | Contract performance |
| Uploaded documents | Evidence, case file | 7 years | Contract performance |
| Hearing dates + eCourts data | Calendar + alerts | Until case closure + 7 years | Contract performance |
| Payment records | Statutory accounting | 8 years (Income Tax Act) | Legal obligation |
| Audit logs (access events) | Security, fraud prevention | 1 year (auth) / 7 years (case) | Legitimate interest |
| Device / IP (for rate limiting) | Abuse prevention | 60 days | Legitimate interest |
3. What we never collect
- We do not collect your Aadhaar number. Aadhaar-based eSign is performed by a licensed eSign Service Provider (Digio); we only receive the signed document and a confirmation reference.
- We do not maintain ratings, reviews, or public profiles of advocates. Bar Council of India Rule 36 strictly prohibits advocate advertising.
- We do not share your data with advertisers and we run no third-party analytics that personalise ads.
4. Who we share data with (processors)
- Neon (PostgreSQL hosting) — encrypted at rest (AES-256), in-region backups.
- Cloudflare R2 — document storage, encrypted at rest, object-level access control.
- Digio — licensed eSign Service Provider for Aadhaar-based document execution (IT Act §3A).
- Razorpay — RBI-regulated payment aggregator for technology fees. PCI-DSS scope resides with Razorpay; we never see card numbers.
- Bhashini — MeitY's government language translation API for vernacular voice intake. Data is used only for transcription and not retained by Bhashini.
- Pingen — print-and-mail provider for physical legal notice dispatch (Speed Post AD).
- WhatsApp Business API (Meta) — utility messaging for hearing reminders and case updates. We use only pre-approved utility-category templates (no marketing).
Each processor is bound by a Data Processing Agreement consistent with DPDPA §8.
5. Your rights under DPDPA 2023
- Right to access — download a copy of your data at any time from /account.
- Right to correction & erasure — edit your profile, or delete your account with a 30-day grace period after which data is anonymised (audit rows retained for the statutory 7-year window).
- Right to withdraw consent — revoke processing consent from the account page; ongoing proceedings will be paused pending advocate handover.
- Right to grievance redressal — contact our Data Protection Officer (see §9).
- Right to nominate — appoint another person to exercise your rights in the event of death or incapacity.
6. Security
All traffic is TLS 1.3. Passwords are not used; login is phone-OTP with a per-phone lockout (5 wrong attempts → 30 min cooldown). Sessions use short-lived access tokens (15 min) paired with rotating refresh tokens (30 days). Document access requires server-side ownership verification. See our security overview for the full technical posture.
7. Retention & deletion
Active case data is retained for the statutory 7-year litigation window. Audit logs follow the schedule in §2 above. Deletion is executed by a weekly automated job that anonymises the user row and purges uploaded documents; audit rows are retained where required by Indian law to evidence prior processing.
8. Children
Online Vakil is not intended for users under 18. If you become aware that a minor has registered, contact the DPO immediately and the account will be removed.
9. Data Protection Officer & grievances
Data Protection Officer: dpo@onlinevakil.in
Grievance Officer (as required by IT Rules 2021): see /contact.
Escalation: you may file a complaint with the Data Protection Board of India under DPDPA §27.
10. Changes
Material changes to this policy will be notified via an in-app banner and by WhatsApp utility template to the phone number on your account, at least 15 days before taking effect.