DPDPA 2023 Compliance

Gaveli is built and operated to comply with India's Digital Personal Data Protection Act, 2023 (DPDPA). This page explains, in concrete terms, how we implement the Act — what we collect, who processes it, how long we keep it, and how you can exercise every right the Act gives you.

Last updated: 26 April 2026

Regulatory framework and roles

The Digital Personal Data Protection Act, 2023 (DPDPA) was passed in August 2023. The Digital Personal Data Protection Rules, 2025 — which operationalise the Act — were notified on 13 November 2025. Provisions on Consent Managers come into force on 13 November 2026 and the substantive obligations on Data Fiduciaries take full effect on 13 May 2027. Gaveli is built and operated to meet those obligations now, ahead of the enforcement date, so that our customers (Indian law firms acting as Data Fiduciaries themselves) can rely on the platform from day one.

For the data your law firm enters about its own staff and clients, your organisation is the Data Fiduciary and Gaveli Technologies Pvt. Ltd. is the Data Processor. We process that data only on documented instructions from your firm.

For the limited data we collect to operate your subscription — your account name, email, billing details, and audit logs — Gaveli Technologies Pvt. Ltd. is the Data Fiduciary and you are the Data Principal.

Lawful purposes for processing

We process personal data for the following lawful purposes, each tied to a specific feature:

  • Service delivery — running your case management workspace, sending notifications, processing billing.
  • Contractual necessity — fulfilling our subscription agreement with your firm.
  • Legitimate use — security, fraud prevention, audit-log retention, and statutory record-keeping.
  • Consent — AI-assisted features such as document summarisation, semantic search, and AI chat. Consent is opt-in, granular, and revocable.

Categories of personal data

  • Identity & contact: Name, email, phone, organisation, role, profile photo (if provided).
  • Authentication: Hashed passwords, session tokens, MFA artefacts, OAuth tokens for connected services.
  • Case content: Case numbers, parties, courts, hearings, orders, notes, tasks — entered by you or synced from official court portals on your behalf.
  • Documents: Pleadings, judgments, correspondence, and any other files you choose to upload.
  • Billing: GSTIN, billing address, invoice and payment history.
  • Telemetry: Login timestamps, feature usage, audit-log entries, anonymised error reports.

Sensitive personal data such as Aadhaar numbers, biometric data, financial credentials, or health information should not be uploaded to Gaveli unless it is part of a court document already in the public record. We do not request or use such data for any other purpose.

Sub-processors and where data lives

We use a small set of named sub-processors. Each is bound by a written data-processing agreement.

  • Convex (database): Application database — encrypted at rest, accessed only via authenticated server functions.
  • Cloudflare: Application hosting, file storage for documents and court-order PDFs, authentication store, and supporting AI infrastructure. All data is encrypted at rest; file access is restricted to short-lived presigned URLs scoped to your organisation.
  • Anthropic (AI): AI inference for summaries, search, and chat. Per Anthropic’s terms, prompts and documents are not used to train their models.
  • Resend (email): Transactional email — hearing reminders, status changes, deletion notices, exports.
  • Sentry (error monitoring): Server-side error capture with personal data redacted at the source.

Some of these processors may store data outside India. Where this is the case, we rely on the cross-border transfer mechanism notified by the Central Government from time to time and document the basis in our internal records.

Your rights as a Data Principal

  • Right to information: Know what categories of personal data we hold, the purposes, and our processors — set out on this page.
  • Right to access & portability: Request a JSON export of your data; download link valid for 72 hours.
  • Right to correction & erasure: Edit your data inline or request permanent deletion.
  • Right to consent withdrawal: Revoke consent for AI features (or any optional processing) at any time.
  • Right to nominate: Nominate another individual to exercise these rights on your behalf in the event of incapacity or death.
  • Right to use a Consent Manager: Once Consent Manager registration takes effect under the DPDP Rules, 2025 (from 13 November 2026), you will be able to route consent decisions through a registered Consent Manager of your choice.
  • Right to grievance redressal: Reach our Grievance Officer for any complaint relating to your personal data.

Access, correction, erasure, and export can be exercised directly from the Privacy & Data section of your account settings. Consent withdrawal and nominations are handled today by emailing support@gaveli.in so the change can be audit-logged against your account; we are working to surface a self-service withdrawal toggle in the same settings page so the experience matches the ease-of-withdrawal standard set out in DPDPA Section 6.

Retention and deletion timelines

  • Disposed cases — automatically purged after the retention window your organisation configures (default 3 years from disposal date).
  • Account or organisation deletion — runs 48 hours after request. You receive a notice email and can cancel from the email at any point during the window.
  • Data exports — generated as JSON and made available via a download link valid for 72 hours.
  • Audit logs & billing — retained beyond the deletion window only to the extent needed for tax law and statutory record-keeping.

Consent management

Two named consents are tracked and versioned in product:

  • Privacy Notice: Acceptance of our privacy notice covering data collection, storage, and processing purposes. Required to use the platform.
  • AI Document Processing: Consent to process your case documents using AI for summarisation, search, and chat. Documents are sent to our AI provider for processing.

When we publish a new version of either notice, your existing consent is marked as outdated and you are prompted to review and re-confirm. Withdrawn consent disables the relevant feature on the next session.

Security safeguards

  • HTTPS / TLS for all network traffic; HSTS enforced.
  • Row-level organisation membership checks on every read and write.
  • Documents stored with organisation-namespaced keys and accessed only through short-lived presigned URLs.
  • API keys and OAuth tokens encrypted at rest with authenticated symmetric encryption.
  • Centralised, queryable audit log for consent, deletion, export, and admin actions.
  • Server-side error monitoring with personal data redacted at the source.
  • Regular dependency review and security patching.

In the event of a personal-data breach, we will (a) notify affected Data Principals without undue delay in clear and plain language, and (b) report the incident to the Data Protection Board of India within 72 hours, in line with DPDPA 2023 and Rule 7 of the Digital Personal Data Protection Rules, 2025.

Grievance Officer (IT Rules 2021 + DPDPA)

Grievance Officer

Resident in India, appointed under Rule 3(1)(b)(iii) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and DPDPA 2023.

  • Availability: Monday–Friday, 9:00 AM – 6:00 PM IST
  • Acknowledgement: within 24 hours of receipt
  • Resolution: within 15 days of receipt

The named individual and postal address will be published here once the company entity is incorporated. Until then, all grievance correspondence is read and acted on by a founder of Gaveli Technologies.

Contact for DPDPA matters

For any question about this page or to exercise any right, write to support@gaveli.in or to the Grievance Officer above. We will respond within the timelines set out in the Act.