Data Protection

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), CourtNetra Technologies Pvt. Ltd. acts as a Data Fiduciary in respect of the personal data of our subscribers, their staff, and end-clients whose data they enter into the platform. For court-case data fetched from public registers, we act as a republisher of already-public information.

• Account data: name, email, phone, organisation, AOR/Bar Council number, role, GSTIN for billing.
• Usage data: IP address, device type, pages visited, features used, AI queries made (for abuse prevention and product improvement).
• Client and case data: names and contact details of your clients, opposing parties, witnesses, and third-parties you enter into case files. You are the Data Fiduciary for this data; we are your Data Processor.
• Court data: publicly-available case-status information from eCourts, Supreme Court, High Courts, and tribunals.
• Payment data: handled by Razorpay; we only store transaction IDs and invoice metadata, never full card numbers or UPI PINs.

• Consent — for marketing emails, WhatsApp alerts, and optional features (you explicitly opt in; opt-out available any time).
• Legitimate use — for providing the paid service, account management, billing, fraud prevention, and compliance with law.
• Voluntary disclosure — for data you choose to share (profile photo, custom fields).

You have the following rights under Sections 11–14 of the DPDP Act:

• Right to access — request a copy of the personal data we hold about you.
• Right to correction and erasure — ask us to fix inaccurate data or delete data no longer needed for the stated purpose.
• Right to grievance redressal — escalate to our Grievance Officer with a 15-day response commitment.
• Right to nominate — name a person who can exercise your rights in the event of death or incapacity.
• Right to withdraw consent — with the same ease with which you granted it.

To exercise any of these rights, email privacy@courtnetra.com from your registered address.

• Account data: retained while your subscription is active + 90 days after cancellation, then deleted.
• Invoices and billing records: retained for 8 years as required by the Companies Act and Income Tax Act.
• Audit logs: retained for 1 year for security and dispute resolution.
• Backups: 30-day rolling; deleted data is purged from backups within that window.

• TLS 1.3 for all data in transit; AES-256 encryption at rest.
• Multi-tenant data isolation — your organisation’s data is never visible to any other tenant.
• Role-based access controls and audit trails for every staff action.
• Quarterly penetration testing and continuous automated vulnerability scanning.
• Principal servers located in India (Mumbai / Hyderabad) with failover to Singapore.
• Vendor sub-processors limited to: Amazon Web Services (hosting), Razorpay (payments), Meta WhatsApp Business (alerts), Anthropic (NyayaLens AI — no PII sent by default).

In the event of a personal-data breach, we will notify the Data Protection Board and affected Data Principals within the timelines prescribed by Section 8(6) of the DPDP Act and any subordinate rules. Our target notification window is 72 hours from detection.

Personal data is primarily processed in India. Limited cross-border transfer occurs to Singapore (Anthropic API for AI inference, with personal-data scrubbing before dispatch) and USA (Google Analytics, aggregated only). We do not transfer personal data to any country restricted by the Central Government under Section 16 of the DPDP Act.

CourtNetra is a B2B legal-practice platform and not intended for persons under 18. We do not knowingly process children’s data. If you believe a minor has created an account, email privacy@courtnetra.com and we’ll delete it immediately.