Summary: We collect only what we need. We never sell your data. Legal matter details are shared only with the advocate you engage. You have full rights under DPDPA 2023.
1. Data We Collect
You provide directly
- Identity: Full name, date of birth, PAN/Aadhaar (KYC where required)
- Contact: Email, mobile, postal address
- Legal matter: Case description, documents uploaded, advocate communications
- Payment: Transaction IDs — card details stored only by PCI-DSS gateways, never on our servers
Collected automatically
- Device ID, IP address, browser, OS, session duration
- Location (city-level, for advocate matching) — explicit permission required
2. How We Use Your Data
- Contract performance: Match you with advocates, process payments, deliver services
- Legitimate interest: Platform improvement, fraud detection, security
- Legal obligation: IT Act 2000, GST compliance, PMLA 2002, court orders
- Consent: Marketing (opt-in only, revocable at any time)
We do not sell, rent, or trade your personal data to any third party under any circumstances.
3. Data Sharing
With Advocates
When you book, the advocate receives your name, contact, and case details necessary to render the service. Advocates are bound by professional confidentiality under BCI Rules.
With Service Providers
Cloud infrastructure, payment gateways, SMS/email delivery — all bound by data processing agreements meeting DPDPA 2023 standards.
Legal Requirements
When required by law, court order, or government authority. We notify you where permitted.
4. Data Security
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Role-based access controls — minimal employee access
- Regular penetration testing and security audits
- 72-hour breach notification under DPDPA 2023
5. Your Rights under DPDPA 2023
- Access (s.11): Request a summary of data we hold about you
- Correction (s.12): Request correction of inaccurate data
- Erasure (s.12): Request deletion of data no longer needed
- Grievance (s.13): Raise formal complaints — resolved within 30 days
- Nominate (s.14): Nominate someone to exercise rights on your behalf
- Withdraw consent: Revoke marketing consent at any time
Submit requests to grievance@instalegl.in. Response within 30 days.
6. Cookies & Tracking
7. Data Retention
- Account data: Duration + 2 years post-deletion
- Transaction records: 7 years (GST Act)
- KYC documents: 5 years (PMLA 2002)
- Legal matter communications: 3 years post-case
- Server logs: 90 days
8. Children's Privacy
Instalegl is not intended for users under 18. Under DPDPA 2023 Section 9, we do not knowingly collect data from minors. Contact grievance@instalegl.in if you believe a minor's data has been collected.
9. Cross-border Data Transfers
Tramarkify Business LLC is registered in India. Some infrastructure is located outside India. All cross-border transfers comply with DPDPA 2023 and Government of India notifications on permitted jurisdictions, protected by Data Processing Agreements with all international vendors.