Privacy Policy

Vaadhan is a legal-practice management platform built for Indian advocates. Because we handle privileged information — client matters, court filings, fee records, and personal contact details — privacy is foundational, not optional. This policy describes what we collect, why, how we protect it, and the rights you have under the Digital Personal Data Protection Act, 2023 (DPDP Act).

1. Who we are

Vaadhan is operated by an Indian individual entity (the "Data Fiduciary" under DPDP Act terminology). Until incorporation completes, the developer of record is Manoj Rahul. We will update this section once a private limited company is registered.

2. What we collect

2.1 Identity & account data

• Full name (as on Bar Council certificate)
• Bar Council registration number and the issuing State Bar Council
• Registered mobile number (for OTP authentication)
• Email address (if you sign in with email or Google)
• Profile photo (only if you sign in with Google — derived from your Google profile)

2.2 Matter & case data you upload or import

• Case Numbers (CNR, suit numbers, writ petition numbers)
• Petitioner, respondent and other party details you enter
• Court, judge, bench, filing dates, hearing dates
• Notes, time entries, and documents you upload to your Vault
• Client/litigant names and contact details, only if you choose to add them

Data fetched on your behalf from eCourts (via the official eCourts MCP / NJDG public data) is part of the public record. We cache it in your private account to power features like the Morning Desk and Limitation Radar.

2.3 Usage & technical data

• Timestamps of logins and feature use (for audit and security)
• Browser type, device type, and IP address (transient, used to flag suspicious access)
• Service-worker cache metadata (purely client-side, used for offline support)

2.4 What we do NOT collect

• We do not access your phone book, SMS inbox, or microphone
• We do not collect biometric data
• We do not sell, rent, or share your data with advertisers — there is no ad layer in Vaadhan
• We do not run third-party analytics that follow you across the web

3. Why we process it (purposes & legal basis)

Under the DPDP Act, every processing activity must have a lawful basis. The two primary bases we rely on are consent (Section 6 of the DPDP Act) and legitimate use (Section 7 — for specified service purposes you have requested).

• To provide the service you signed up for — populating your dashboard, tracking limitations, syncing your docket, drafting documents
• To authenticate you — phone OTP, Google sign-in, or email login
• To improve reliability — anonymous error logging that does not include matter content
• To comply with law — bar council, court orders, or statutory disclosures, where applicable

4. How & where data is shared

Vaadhan relies on a small set of trusted infrastructure providers to actually deliver the service. We share only the minimum data required with each, and only as a data processor relationship (the data remains yours and ours, not theirs).

• Google Firebase (Authentication + Firestore) — stores your account, profile, and matter data. Data residency: multi-region.
• Google Cloud (Gemini API) — used only for the AI Research feature. Only the public legal query and IndianKanoon search results are sent. Your private matter data is not sent to Gemini.
• IndianKanoon — public legal database used for the Research feature. Receives the search query you type.
• eCourts MCP server — receives your name and Bar Council ID/state when you sync your docket. This is the same data already public on the eCourts website.
• Vercel — hosts the application's static files and serverless functions. Does not see decrypted Firestore data.

We do not transfer your data to any country in violation of DPDP Act Section 16. Where our processors hold data outside India, the transfer is governed by the contracts you implicitly authorise by using the service.

5. Security & encryption

• All connections to and from Vaadhan are over HTTPS (TLS 1.2 or higher)
• Authentication is handled by Firebase Authentication; we never see your password
• Firestore documents are scoped per advocate via security rules — you cannot see another advocate's matters and they cannot see yours
• API endpoints that touch your data require a verified Firebase ID token
• We log access events for 90 days for security review (purged after that)

6. Retention & deletion

We keep your data only as long as you have an active account, plus a short grace period.

• While you have an account — all matter data is retained until you delete it or close your account
• When you request deletion — we begin a 30-day grace period (in line with DPDP Act guidance on reasonable timeframes), during which you can cancel the deletion. After 30 days, your account, profile, matter data, vault files, time entries, and research history are erased.
• Audit logs — kept for 90 days after the event, then automatically purged
• Anonymised aggregates — non-identifiable statistics (e.g., total active users) may be retained indefinitely

7. Your rights under the DPDP Act

As a Data Principal under the DPDP Act, you have the right to:

• Access — request a copy of what we hold about you
• Correct — fix any inaccurate or incomplete personal data
• Erase — request deletion of your account and all associated data
• Withdraw consent — at any time, for any processing based on your consent
• Grievance redressal — escalate to our Grievance Officer (see Contact) and, if unresolved, to the Data Protection Board of India
• Nominate — appoint another person to exercise your rights in the event of your death or incapacity

8. Children's data

Vaadhan is a tool for practising advocates. We do not knowingly collect or process the personal data of children under 18. If we learn that we have inadvertently collected such data, we will erase it promptly.

9. Changes to this policy

We will update this page whenever the practice changes materially. For significant changes affecting your rights, we will notify you in-app and by email at least 14 days before the change takes effect.

10. Contact & grievance officer

For any privacy question, data-rights request, or grievance, contact:

• Grievance Officer: Manoj Rahul
• Email: privacy@vaadhan.com
• Response time: within 7 days for acknowledgement, 30 days for resolution

If you are not satisfied with our response, you may approach the Data Protection Board of India as constituted under the DPDP Act, 2023.