Effective Date: 01-10-2024  |  Last Updated: 24-05-2026

1. Our Compliance Framework

Juris Services & Technology operates Lawtext in compliance with the following Indian laws and regulations:

2. Data We Process and Why

We process personal data only for specified, lawful purposes. The following table summarises what data we collect, why, and for how long:

Data Category	Purpose	Retention Period
Name, Email, Mobile	Account creation, authentication, service communications	Duration of account + 2 years post-deletion
GSTIN, PAN, Billing Address	GST-compliant invoicing, tax records	8 years (CGST Act requirement)
Payment Transaction Data	Subscription billing, dispute resolution, GST compliance	8 years (CGST Act requirement)
Usage & Analytics Data	Platform improvement, feature usage analysis, security monitoring	2 years rolling
Voice-to-Text & OCR Records	User's own document storage and retrieval	Until user deletes or account is closed
AI Interaction Content	Generating AI analysis (processed in transit; not retained for training)	Not retained beyond the session
IP Address & Device Data	Security, fraud prevention, access logging	90 days rolling

3. Data Security Measures

We implement the following technical and organisational security controls:

3.1 Technical Controls

HTTPS / TLS Encryption bcrypt Password Hashing SQL Prepared Statements CSRF Token Validation Session-Based Authentication Input Sanitisation XSS Protection PCI-DSS Payment Gateway (Cashfree)

3.2 Organisational Controls

• Access to user data is restricted to authorised personnel only on a need-to-know basis
• Payment card and bank data is never stored on our servers — all payment processing is handled by Cashfree Payments, which is PCI-DSS compliant
• Administrative access to the platform is role-controlled (admin, sales, editorial roles with separate permission scopes)
• Regular review of access logs and security configurations

3.3 Data Breach Response

In the event of a personal data breach, we will:

• Investigate and contain the breach immediately
• Notify affected users by email within 72 hours of becoming aware of the breach
• Report the breach to the Data Protection Board of India as required under the DPDP Act, 2023
• Take remedial measures to prevent recurrence

4. Your Rights as a Data Principal

Under the Digital Personal Data Protection Act (DPDP), 2023, you have the following rights with respect to your personal data:

Right	What It Means	How to Exercise
Right to Access	Request a summary of personal data we hold about you and how it is processed	Email request to reachus@lawtext.in
Right to Correction	Request correction of inaccurate or incomplete personal data	Update via your account profile or email us
Right to Erasure	Request deletion of your personal data where we are no longer legally required to retain it	Email request to reachus@lawtext.in
Right to Withdraw Consent	Withdraw consent to data processing at any time (this does not affect the lawfulness of prior processing)	Email request or account closure request
Right to Grievance Redressal	Lodge a complaint with our Data Protection Officer if your rights are not honoured	Email reachus@lawtext.in with "DPDP Grievance" in subject
Right to Nominate	Nominate another person to exercise your data rights in the event of your death or incapacity	Email request with notarised nomination form

We will respond to all data rights requests within 30 days. Certain requests (such as erasure) may be subject to our legal data retention obligations under the CGST Act and other applicable law.

5. GST Compliance

Lawtext operates as a GST-registered business in India. All subscription payments and applicable one-time purchases attract GST as follows:

• Intrastate Transactions: CGST + SGST applied at the applicable rate
• Interstate Transactions: IGST applied at the applicable rate
• Nil-Rated: Free subscriptions and zero-value plans do not attract GST

GST-compliant tax invoices are automatically generated for every payment and sent to your registered email. Invoices include invoice number, HSN/SAC code, GSTIN (if provided), and a full GST breakup. You may update your GSTIN and billing details in your account profile to receive B2B invoices.

6. Payment Data and PCI Compliance

Lawtext does not collect, store, or process payment card data directly. All payment processing is handled by Cashfree Payments India Pvt. Ltd., which is:

• PCI-DSS Level 1 compliant
• Licensed and regulated by the Reserve Bank of India (RBI)
• Authorised to process payment mandates for recurring subscriptions

When you complete a payment, your card or bank details are entered directly on Cashfree's secure payment page and are never transmitted to or stored on Lawtext servers.

7. AI Data Processing

Lawtext uses AI (powered by DeepSeek API) to generate legal headnotes, summaries, and analysis from court judgment content. With respect to AI data processing:

• Only the judgment or legal text submitted for analysis is sent to the AI provider for processing
• No personally identifiable information (name, email, contact details) is included in AI API calls
• AI-processed content is not used to train external AI models under our service agreement
• AI-generated content is presented as informational assistance only and does not constitute legal advice

8. Third-Party Data Processors

We work with the following third-party data processors who may process personal data on our behalf:

Processor	Purpose	Data Shared
Cashfree Payments India Pvt. Ltd.	Payment processing, recurring mandates	Name, email, phone, transaction amount
DeepSeek API	AI-powered legal content analysis	Legal text content only (no PII)
SMTP Email Service (lawtext.in)	Transactional email delivery (invoices, alerts)	Email address, invoice content

All third-party processors are required to handle data in accordance with applicable data protection laws and our data processing agreements.

9. Cross-Border Data Transfers

Our primary data storage and processing infrastructure is located in India. Certain services (such as AI processing via DeepSeek API) may involve data transfer outside India. Where such transfers occur, we ensure appropriate safeguards are in place in accordance with the DPDP Act, 2023 and applicable RBI and MEITY guidelines on data localisation.

10. Children's Data

Lawtext is not directed at children under 18 years of age and we do not knowingly collect personal data from minors. The DPDP Act, 2023 prohibits processing of children's personal data without verifiable parental consent. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete such data promptly.

11. Cookies and Tracking

We use essential cookies necessary for the operation of the platform (session management, CSRF protection, login state). We do not use third-party advertising cookies or behavioural tracking cookies. You can control cookie behaviour through your browser settings, though disabling essential cookies will affect platform functionality.

12. Grievance Officer / Data Protection Officer

For any data protection concerns, rights requests, or compliance-related queries, please contact our designated Grievance Officer:

• Organisation: Juris Services & Technology
• Email: reachus@lawtext.in (use subject: "Data Privacy Request")
• Phone: +91-93216 51108
• Response Timeline: Acknowledgement within 72 hours; resolution within 30 days

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India once it is constituted under the DPDP Act, 2023.

13. Updates to This Policy

This Data & Compliance page will be updated to reflect changes in applicable law, our data practices, or our compliance framework. The effective date at the top of this page will be revised accordingly. We encourage you to review this page periodically. For significant changes, we will notify registered users by email.