Privacy Policy

1. Introduction and Scope

1.1 About This Policy

AnrakLegal, operated by Anrak Technologies Private Limited ("AnrakLegal," "we," "our," or "us"), is committed to protecting the privacy, confidentiality, and security of our users' information. This Privacy Policy ("Policy") describes our practices regarding the collection, use, storage, disclosure, and protection of personal information when you access or use our AI-powered legal research and document assistance platform (the "Platform" or "Services").

1.2 Our Commitment to Legal Professionals

We recognize that legal professionals handle highly sensitive and confidential client information protected by attorney-client privilege and professional secrecy obligations. Our Platform has been designed with privacy as a foundational principle, implementing robust security measures and data handling practices that respect the unique confidentiality requirements of the legal profession.

1.3 Applicability

This Policy applies to:

• All visitors to our website and Platform
• Registered users and account holders
• Subscribers to any of our service plans
• Users of our API and integration services
• Users of our Microsoft Word Add-in and other extensions
• Participants in our beta programs or trials
• Recipients of our communications and newsletters

1.4 Legal Framework

This Policy is designed to comply with applicable data protection laws, including but not limited to the Digital Personal Data Protection Act, 2023 (DPDPA) of India, the Information Technology Act, 2000 and its rules, and where applicable, international data protection standards including the General Data Protection Regulation (GDPR) for users in the European Economic Area.

2. Definitions

For the purposes of this Policy:

• "Personal Data" means any information that relates to an identified or identifiable natural person, including but not limited to name, email address, identification numbers, location data, and online identifiers.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
• "Data Principal" means the individual to whom the Personal Data relates (referred to as "you" or "user" in this Policy).
• "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of Processing of Personal Data (AnrakLegal acts as a Data Fiduciary).
• "User Content" means documents, files, text, queries, and any other content you upload, create, or transmit through the Platform.
• "AI Processing" means the use of artificial intelligence and machine learning technologies to analyze, generate, or process information.

3. Information We Collect

3.1 Information You Provide Directly

3.1.1 Account Registration Information

• Email address (primary identifier and communication channel)
• Name or professional name (if provided)
• Password or authentication credentials
• Organization or law firm name (optional)
• Professional designation or bar registration details (optional)
• Contact preferences and communication settings

3.1.2 Subscription and Billing Information

• Subscription plan selection and history
• Billing address and contact information
• Payment method details (processed securely by our payment partners; we do not store complete payment card numbers)
• Transaction history and invoices
• Tax identification numbers where required by law

3.1.3 User Content and Documents

• Legal documents you upload for analysis (pleadings, contracts, judgments, evidence)
• Case files and matter information you create
• Queries, prompts, and instructions you provide to our AI systems
• Contracts and legal documents you draft using our tools
• Notes, annotations, and comments you add
• Audio recordings for transcription features (if used)
• Mindmaps, visualizations, and other generated content

3.1.4 Communications

• Support requests and customer service inquiries
• Feedback, suggestions, and survey responses
• Email correspondence with our team
• Testimonials or reviews you submit

3.2 Information Collected Automatically

3.2.1 Device and Access Information

• IP address and approximate geographic location (city/region level)
• Device type, operating system, and browser type
• Device identifiers and unique device tokens
• Screen resolution and display settings
• Time zone and language preferences

3.2.2 Usage and Analytics Data

• Features and tools you access and frequency of use
• Session duration, timestamps, and activity patterns
• Navigation paths and user interface interactions
• Token consumption and feature usage metrics
• Search queries and filter selections (metadata only, not content)
• Error logs and performance data (without sensitive content)
• API endpoint usage and request patterns

3.2.3 Cookies and Tracking Technologies

We use cookies, local storage, and similar technologies to:

• Maintain your authentication session and security
• Remember your preferences and settings
• Analyze usage patterns and improve our Services
• Ensure proper functioning of the Platform

See Section 11 for detailed information about our cookie practices.

3.3 Information from Third Parties

• Authentication providers (if you sign in using social or enterprise authentication)
• Payment processors (transaction confirmations and fraud prevention data)
• Legal database providers (case law and legal research results, which are public information)
• Analytics partners (aggregated and anonymized usage insights)

3.4 Special Categories of Data

We do not intentionally collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation. However, User Content you upload may incidentally contain such information within legal documents. Such data is processed solely for the purpose of providing our Services and is subject to enhanced confidentiality protections.

4. Legal Basis for Processing

We process your Personal Data based on the following legal grounds:

4.1 Contractual Necessity

Processing necessary to perform our contract with you, including providing access to the Platform, processing your documents, delivering AI-powered analysis, managing your subscription, and providing customer support.

4.2 Consent

Where you have provided explicit consent for specific processing activities, such as receiving marketing communications, participating in surveys, or enabling optional features. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

4.3 Legitimate Interests

Processing necessary for our legitimate business interests, provided such interests are not overridden by your rights and freedoms. Our legitimate interests include:

• Improving and optimizing our Platform and Services
• Ensuring network and information security
• Preventing fraud and unauthorized access
• Analyzing usage patterns to develop new features
• Enforcing our Terms of Service

4.4 Legal Obligations

Processing necessary to comply with legal obligations to which we are subject, including tax and accounting requirements, responding to lawful government requests, and maintaining records as required by applicable laws.

5. How We Use Your Information

5.1 Core Service Delivery

• Providing AI-powered legal research and case law analysis
• Processing and analyzing documents you upload
• Generating contracts, legal documents, and drafts
• Enabling case management and paralegal features
• Providing real-time transcription services
• Creating mindmaps and document visualizations
• Facilitating moot court simulations and legal training
• Powering AI chat and assistant functionality

5.2 Account and Subscription Management

• Creating, authenticating, and securing your account
• Processing subscription payments and billing
• Tracking token usage and enforcing plan limits
• Sending transactional communications (receipts, plan changes, security alerts)
• Providing account-related customer support

5.3 Platform Improvement and Development

• Analyzing aggregated usage patterns to improve features
• Identifying and fixing bugs, errors, and performance issues
• Developing new features and capabilities
• Conducting A/B testing and user experience research
• Training and improving our AI systems (see Section 7.3 for important details)

5.4 Security and Fraud Prevention

• Detecting and preventing unauthorized access attempts
• Monitoring for suspicious or fraudulent activity
• Investigating security incidents and breaches
• Enforcing our Terms of Service and acceptable use policies
• Protecting against abuse and misuse of our Services

5.5 Communications

• Sending essential service notifications and updates
• Responding to your inquiries and support requests
• Providing product announcements and feature updates (you may opt out)
• Sending marketing communications (only with your consent)

5.6 Legal and Regulatory Compliance

• Complying with applicable laws, regulations, and legal processes
• Responding to lawful requests from government authorities
• Maintaining records as required by tax, accounting, and other laws
• Establishing, exercising, or defending legal claims

6. Data Sharing and Disclosure

6.1 Service Providers and Processors

We engage trusted third-party service providers who assist us in operating our Platform. These providers:

• Are bound by contractual obligations to protect your data
• Only access data necessary to perform their specific functions
• Are prohibited from using your data for their own purposes
• Are required to implement appropriate security measures

Categories of service providers include:

• Cloud infrastructure and hosting providers
• Payment processing services
• Authentication and identity verification services
• Email and communication delivery services
• Analytics and monitoring services
• Customer support and help desk services

6.2 Legal and Regulatory Disclosures

We may disclose your information when required or permitted by law, including to:

• Comply with legal processes, court orders, or government requests
• Enforce our Terms of Service and other agreements
• Protect the rights, property, or safety of AnrakLegal, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues
• Respond to claims that content violates the rights of third parties

Where legally permitted, we will attempt to notify you before disclosing your information in response to legal process and will seek to limit the scope of any required disclosure.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide notice before your Personal Data becomes subject to a different privacy policy and will ensure that any successor entity is bound by commitments substantially similar to this Policy.

6.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so for a specific purpose.

6.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for research, analysis, benchmarking, and other purposes. This data does not include any Personal Data or User Content that could identify you or your clients.

7. Data Storage and Security

7.1 Data Storage Infrastructure

• Your data is stored on secure, enterprise-grade infrastructure
• We utilize multiple data centers with geographic redundancy
• All data is encrypted at rest using industry-standard encryption
• Regular automated backups ensure data durability and recovery capability
• Access to infrastructure is strictly controlled and monitored

7.2 Security Measures

We implement comprehensive security measures including:

Technical Safeguards

• End-to-end TLS/HTTPS encryption for all data in transit
• AES-256 encryption for data at rest
• Secure authentication with modern protocols and standards
• Multi-factor authentication options for account security
• Regular security assessments and vulnerability scanning
• Automated threat detection and intrusion prevention systems
• Web application firewalls and DDoS protection
• Secure API authentication and rate limiting

Organizational Safeguards

• Principle of least privilege for all system access
• Background checks and confidentiality agreements for personnel
• Regular security awareness training for all employees
• Documented incident response and disaster recovery procedures
• Segregation of duties for critical operations
• Regular security audits and third-party assessments

Data Isolation

• Each user's data is logically isolated from other users
• Access controls ensure you can only access your own data
• Strict access policies prevent unauthorized cross-account access
• Audit logging tracks all data access events

7.3 AI Processing and Model Training

7.4 Data Breach Response

In the event of a data breach that affects your Personal Data:

• We will notify affected users without unreasonable delay, and within 72 hours where required by law
• We will provide information about the nature of the breach and data affected
• We will describe the measures taken to address the breach and mitigate its effects
• We will provide recommendations for protective steps you can take
• We will notify relevant regulatory authorities as required by applicable law

8. Data Retention

We retain your information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

8.1 Retention Periods

• Account Data: Retained while your account is active and for a reasonable period thereafter (typically 90 days after account closure) to support account recovery, unless you request immediate deletion.
• Documents and Cases: Retained until you delete them or close your account. Deleted documents may remain in backups for up to 30 days.
• Chat and Conversation History: Retained to maintain context for your AI interactions. You may delete conversation history at any time.
• Usage Logs: Retained for operational and security purposes for up to 12 months, then anonymized or deleted.
• Billing and Transaction Records: Retained as required by applicable tax, accounting, and legal requirements (typically 7 years in India).
• Support Communications: Retained for up to 3 years to maintain service history and quality assurance.
• Security Logs: Retained for up to 12 months for security analysis and incident investigation.

8.2 Deletion and Anonymization

When data is no longer needed, we securely delete or anonymize it. Anonymization involves irreversibly removing or modifying Personal Data such that the data subject can no longer be identified. Anonymized data may be retained indefinitely for statistical and analytical purposes.

9. Your Rights and Choices

Subject to applicable law, you have the following rights regarding your Personal Data:

9.1 Right of Access

You can access your account data, documents, and usage information through the Platform at any time. You may also request a copy of the Personal Data we hold about you.

9.2 Right to Correction

You can update and correct your account information through your profile settings. You may also request correction of any inaccurate or incomplete Personal Data we hold about you.

9.3 Right to Erasure (Right to be Forgotten)

You can delete individual documents, cases, conversations, or your entire account. Upon account deletion, we will delete your Personal Data, subject to our legal retention obligations and legitimate interests. Some data may be retained in anonymized form.

9.4 Right to Data Portability

You can export your documents and data in standard, machine-readable formats. We provide export functionality within the Platform for your convenience.

9.5 Right to Withdraw Consent

Where we process your data based on consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.

9.6 Right to Object

You may object to processing of your Personal Data where we are relying on legitimate interests as the legal basis. We will assess your objection and cease processing unless we have compelling legitimate grounds.

9.7 Right to Restriction

You may request that we restrict processing of your Personal Data in certain circumstances, such as while we verify the accuracy of your data or assess an objection you have raised.

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection authority if you believe we have violated your privacy rights. In India, you may contact the Data Protection Board of India once operational under the DPDPA.

9.9 Exercising Your Rights

To exercise any of these rights, please contact us using the information provided in Section 16. We will respond to your request within the timeframe required by applicable law (typically within 30 days). We may request verification of your identity before processing your request.

10. Communication Preferences

10.1 Transactional Communications

We will send you essential transactional communications related to your account, including subscription confirmations, billing notifications, security alerts, and service changes. These communications are necessary for providing our Services and cannot be opted out of while maintaining an active account.

10.2 Marketing Communications

With your consent, we may send you marketing communications about new features, products, or promotional offers. You can opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or adjusting your preferences in account settings.

10.3 Product Updates

We may send you notifications about new features, improvements, and changes to the Platform. You can manage these preferences in your account settings.

11. Cookies and Tracking Technologies

11.1 Types of Cookies We Use

Essential Cookies (Strictly Necessary)

These cookies are necessary for the Platform to function and cannot be disabled:

• Authentication and session management cookies
• Security cookies (CSRF protection, fraud prevention)
• Load balancing and technical performance cookies
• User preference cookies (language, display settings)

Analytics Cookies

These cookies help us understand how users interact with our Platform:

• Page view and navigation tracking
• Feature usage and engagement metrics
• Error and performance monitoring
• A/B testing and optimization

11.2 Cookie Duration

• Session cookies: Expire when you close your browser
• Persistent cookies: Remain for a specified period (typically up to 12 months)

11.3 Managing Cookies

You can control and manage cookies through:

• Your browser settings (blocking or deleting cookies)
• Our cookie consent banner when you first visit the Platform
• Browser extensions designed for privacy management

Note: Disabling essential cookies may prevent you from using certain features of the Platform.

11.4 Do Not Track

We currently do not respond to "Do Not Track" browser signals as there is no industry standard for interpreting such signals. We will update this policy if standards are established.

12. Third-Party Services and Links

12.1 Integrated Services

Our Platform integrates with third-party services to provide certain functionality:

• Payment processors for secure subscription billing
• Authentication providers for account sign-in options
• Cloud infrastructure providers for hosting and data storage
• Legal databases for case law and legal research
• Email delivery services for communications
• Analytics services for Platform improvement

12.2 Third-Party Privacy

Each third-party service provider has its own privacy policy governing their collection and use of information. We carefully select providers with strong privacy and security practices and require them to protect your data through contractual obligations. However, we are not responsible for the privacy practices of third-party services.

12.3 External Links

Our Platform may contain links to external websites (such as legal databases, courts, or reference materials). We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any external sites you visit.

13. International Data Transfers

13.1 Data Location

Our primary data storage and processing facilities are located in India. However, to provide our Services, your information may be processed on servers located in other countries where our service providers maintain facilities.

13.2 Transfer Safeguards

When we transfer Personal Data internationally, we ensure appropriate safeguards are in place, including:

• Standard contractual clauses approved by relevant authorities
• Data processing agreements with all service providers
• Compliance with applicable data protection laws in each jurisdiction
• Technical and organizational security measures

13.3 Your Consent

By using our Platform, you consent to the transfer and processing of your information in accordance with this Policy, including transfers to countries that may have different data protection laws than your country of residence.

14. Children's Privacy

Our Platform is designed for use by legal professionals and is not intended for individuals under 18 years of age. We do not knowingly collect Personal Data from children under 18.

If we become aware that we have inadvertently collected Personal Data from a child under 18, we will take steps to delete such information promptly. If you believe we may have collected information from a child under 18, please contact us immediately using the information in Section 16.

15. Changes to This Policy

15.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational, legal, or regulatory reasons. We will update the "Last Updated" date at the top of this Policy when we make changes.

15.2 Notification of Changes

For material changes to this Policy, we will provide notice through:

• A prominent notice on our Platform
• Email notification to registered users
• In-app notification when you next access the Platform

15.3 Your Continued Use

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree with the updated Policy, you should discontinue use of the Platform and may request deletion of your account and data.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 30 days. For complex requests, we may require additional time and will keep you informed of our progress.

17. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000. Any disputes arising from this Policy or our data practices shall be subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra, India.