Privacy Policy

Last updated: January 16, 2026

Law By Heart (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our legal document automation platform. This policy complies with the Digital Personal Data Protection Act, 2023 (DPDPA) of India and the General Data Protection Regulation (GDPR) of the European Union.

1. Information We Collect

1.1 Personal Information

We collect information you provide directly to us:

  • Name and email address (during registration)
  • Phone number (for OTP verification)
  • Professional information (role, bar council number for advocates)
  • Payment information (processed by Razorpay)

1.2 User-Generated Content

Content you create or upload using our Service:

  • Legal documents and drafts
  • Case information and notes
  • Search queries
  • Uploaded evidence files (for ODR)

1.3 Automatically Collected Information

We automatically collect certain information when you use the Service:

  • Device information (browser type, operating system)
  • IP address and location data
  • Usage patterns and feature interactions
  • Session information and access times

2. How We Use Your Information

We use collected information for the following purposes:

  • Providing and maintaining the Service
  • Processing transactions and sending related information
  • Sending notifications and reminders (e.g., hearing dates)
  • Responding to your inquiries and support requests
  • Improving our Service through analytics
  • Enforcing our Terms of Service
  • Complying with legal obligations

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area, we process your data based on:

  • Contract: Processing necessary to provide our Service
  • Consent: Where you have given explicit consent (e.g., marketing)
  • Legitimate Interest: For analytics and service improvement
  • Legal Obligation: To comply with applicable laws

4. Data Principal Rights (DPDPA Compliance)

Under the Digital Personal Data Protection Act, 2023, you have the right to:

  • Access your personal data
  • Correct inaccurate or incomplete data
  • Erase your data (right to be forgotten)
  • Nominate another person to exercise rights in case of death/incapacity
  • Receive data in a portable format
  • Lodge grievances with the Data Protection Board of India

To exercise these rights, contact our Data Protection Officer at dpo@lawbyheart.com

5. Data Sharing and Disclosure

We may share your information with:

  • Service Providers: Supabase (database), Vercel (hosting), Razorpay (payments), Sentry (error tracking)
  • Legal Requirements: When required by law, court order, or government request
  • Business Transfers: In connection with a merger or acquisition
  • With Your Consent: For any purpose you explicitly agree to

We do not sell your personal information to third parties.

6. Data Storage and Security

Data localized in India. All personal and user-generated data is stored on servers located in India — application hosting on Vercel’s Mumbai region (bom1) and database on Supabase’s ap-south-1 (Mumbai) region. No primary data crosses Indian borders without your explicit consent. We implement appropriate technical and organizational measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Row Level Security (RLS) policies in database
  • Regular security audits and penetration testing
  • Access controls and authentication mechanisms
  • Automated backups with point-in-time recovery

7. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Specific retention periods:

  • Account data: Until account deletion + 30 days
  • Generated documents: 24 hours (then auto-deleted)
  • Search logs: 90 days
  • Transaction records: 7 years (legal requirement)
  • Support tickets: 3 years

8. Cookies and Tracking

We use the following cookies and similar technologies:

  • Essential Cookies: Authentication and security (always active)
  • Analytics Cookies: Usage patterns via Plausible (opt-in)

You can manage cookie preferences through our cookie consent banner. Note that blocking essential cookies may prevent you from using certain features.

9. International Data Transfers

Primary data storage is in India. For users outside India, data may be transferred internationally with appropriate safeguards:

  • Standard Contractual Clauses (for EU users)
  • Adequacy decisions where applicable
  • Compliance with DPDPA cross-border transfer requirements

10. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect. Continued use after changes constitutes acceptance.

12. Contact Us

For privacy-related inquiries or to exercise your rights:

Data Protection Officer: dpo@lawbyheart.com

General Inquiries: privacy@lawbyheart.com

12A. Grievance Officer (DPDPA Section 13)

Under the Digital Personal Data Protection Act, 2023, you may contact our Grievance Officer for any data-related concerns, complaints, or to exercise your data principal rights.

Name: Grievance Officer, Law By Heart

Email: grievance@lawbyheart.com

Response Time: Within 72 hours of receiving your complaint

13. Supervisory Authority

You have the right to lodge a complaint with:

  • India: Data Protection Board of India (once established under DPDPA)
  • EU: Your local Data Protection Authority

This Privacy Policy was last reviewed and updated on January 16, 2026. A full legal review is recommended before production deployment.