Privacy Policy

Gaveli is built for Indian law firms and is operated in accordance with India's Digital Personal Data Protection Act, 2023 (DPDPA). This policy explains what data we collect, how we use it, where it lives, and the rights you have over it.

Last updated: 26 April 2026

Data we collect

Gaveli collects only the data we need to run your case management workspace. We do not sell, rent, or share your data with advertisers, and we never use your case content to train AI models.

  • Account information — your name, email address, organisation name, and the role you hold within your firm.
  • Case data — case numbers, parties, court details, hearings, orders, notes, tasks, and any documents you upload or that we sync from official court portals on your behalf.
  • Documents — PDFs, images, and other files you upload to a case, along with anything we cache from court order downloads.
  • Usage data — login timestamps, feature usage, and audit-log entries needed for security, billing, and DPDPA compliance.

How we use your data

  • Service delivery: Managing your cases, hearings, tasks, invoices, and the client portal you grant access to.
  • Court synchronisation: Fetching case updates from official court portals on your behalf so you do not have to log in to each one.
  • AI features: Document summarisation, semantic search, and AI chat — only when you have given explicit consent.
  • Email notifications: Hearing reminders, case status changes, daily digests, and grievance acknowledgements.

Where your data is stored

Your data is held by a small set of named sub-processors. Each is bound by a data processing agreement and operates with encryption at rest and in transit. The full processor list — covering the database, file storage, AI processing, email delivery, and authentication — is published on the DPDPA Compliance page so you can see exactly who handles what.

Where any sub-processor stores data outside India, we rely on the cross-border transfer mechanism notified by the Central Government of India and document the basis in our internal records.

Your rights under DPDPA 2023

As a data principal, you have the right to:

  • Access: Request a machine-readable copy of your personal data at any time.
  • Correction: Update or correct your personal information directly in your account or by contacting us.
  • Erasure: Request permanent deletion of your data, subject to legal-hold and retention obligations.
  • Withdraw consent: Revoke consent for AI processing or other optional features at any time.

You can exercise the access, correction, and erasure rights from the Privacy & Data section of your account settings. Consent withdrawal currently requires an email to support@gaveli.in so we can audit-log the change against your account.

What each right looks like in product

  • Access: request a JSON export — download link valid for 72 hours.
  • Correction: edit case, hearing, party, or contact data inline; audit log records every change.
  • Erasure: request deletion — 48-hour cooling-off window before permanent removal.
  • Consent withdrawal: email support@gaveli.in; AI features disable on the next session.

Data retention

Active case data is retained for as long as your organisation’s subscription is in good standing. Case data for disposed cases is automatically deleted after the retention period set by your organisation (default: 3 years) — a window chosen to match common Indian appellate-limitation periods.

When an account or organisation is deleted, we wait 48 hours from the request before permanent deletion runs. You can cancel the deletion at any point during this window from the email we send you. After deletion runs, the data cannot be recovered.

Audit logs and billing records are kept beyond the retention window only to the extent required by tax law and regulatory record-keeping rules.

Security

Files are stored with organisation-namespaced keys and accessed only through short-lived presigned URLs. Database rows are scoped by a strict organisation membership check on every read and write. All inter-service traffic is HTTPS / TLS. Secrets — API keys and OAuth tokens — are encrypted at rest using authenticated symmetric encryption. Server-side errors are captured for monitoring with personal data redacted at the source.

If we ever experience a personal-data breach affecting you, we will notify you without undue delay and report the incident to the Data Protection Board of India within 72 hours, in line with DPDPA 2023 and the DPDP Rules, 2025.

Children

Gaveli is a business product for Indian law firms and is not directed at children. We do not knowingly collect personal data of anyone under 18. If you become aware that a child has provided personal data to us, please write to support@gaveli.in and we will delete it.

Contact

For questions about this policy, to exercise any right, or to report a security concern, write to us at support@gaveli.in. Our Grievance Officer’s contact details are published on the DPDPA Compliance page.