Back to home

Privacy Policy

Effective date: 9 April 2026

1. Who we are and our role under the DPDP Act

ParaLAI is operated by [TBD: Registered company name], registered office at [TBD: Registered office address]. Under India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), we act as a Data Fiduciary in respect of the personal data of our account holders (the lawyers and law-firm staff who sign up), and as a Data Processor in respect of any personal data contained in the legal documents you upload — that data continues to belong to your firm or your firm's clients, and you remain the Data Fiduciary for it.

2. Personal data we collect

From account holders, we collect:

  • email address (used for sign-in and account recovery);
  • password hash (we never see your plaintext password);
  • session metadata (IP address, browser, login timestamps) for security and rate-limiting;
  • usage telemetry (which features are invoked, document IDs, AI token counts) for billing and abuse prevention.

From documents you upload, we extract and store:

  • the full text of the document (extracted from PDF or DOCX);
  • structured metadata derived by AI (parties, jurisdiction, governing law, dates, summary, risk flags);
  • your chat conversations and editing instructions about that document.

We do not retain the original PDF or DOCX file. Files are processed in memory during upload and discarded immediately after text extraction.

3. Why we process this data

  • To provide the Service — extracting, analysing, generating, editing, and exporting your documents.
  • To secure the Service — preventing abuse, enforcing rate limits, investigating incidents.
  • To bill you — measuring AI usage against your plan's allowance.
  • To communicate with you — sending product, service, and security notices.

The legal basis for processing is your consent (given when you create an account) and the necessity of processing to perform our contract with you.

4. Sub-processors

To deliver the Service we share your data with the following sub-processors:

  • Anthropic PBC (United States) — operates the Claude large language model that powers extraction, analysis, generation, editing, and chat. Document text and your prompts are transmitted to Anthropic over an encrypted connection. Anthropic does not use ParaLAI customer inputs or outputs to train its models. See Anthropic's privacy policy at https://www.anthropic.com/legal/privacy.
  • Supabase Inc. — provides authentication and database hosting. Data is stored in the [TBD: e.g. ap-south-1 (Mumbai)] region.
  • Vercel Inc. — hosts the application and processes incoming requests.

We will update this list before adding new sub-processors that materially affect data handling.

5. Data retention

Documents, templates, and conversations are retained for as long as your account is active. When you delete an account or an individual document, the corresponding rows are permanently removed from our database, and removal cascades to all related documents, templates, and conversations within seconds. Backups containing residual data are overwritten within 30 days.

6. Your rights as a Data Principal

Under the DPDP Act you have the right to:

  • access a summary of the personal data we process about you;
  • correct inaccurate personal data;
  • erase your account and all associated data — available in-product via Settings → Delete Account, which cascades across our database and removes the underlying authentication record;
  • nominate another person to exercise your rights in case of death or incapacity;
  • file a grievance with our Grievance Officer (see Section 9).

7. Security

Personal data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is limited to authorised personnel and protected by multi-factor authentication. Each account holder can only access their own data; per-row authorisation is enforced both in application code and in database row-level security policies. We log security-relevant events for incident response.

8. Children

ParaLAI is intended for legal professionals and is not directed to anyone under 18. We do not knowingly collect personal data from children.

9. Grievance Officer

In accordance with Rule 4 of the Information Technology (Intermediary Guidelines) Rules and Section 8(9) of the DPDP Act, our Grievance Officer is:

  • Name: [TBD: Grievance officer full name]
  • Email: [TBD: grievance officer email]
  • Address: [TBD: Registered office address]

We aim to acknowledge grievances within 48 hours and resolve them within 30 days.

10. Contact

For any other privacy-related questions, email [TBD: support email].

11. Changes to this policy

We will notify account holders by email of any material changes to this policy at least 14 days before they take effect.