AMLEGALS
Legal Document

Privacy Policy

Last Updated: June 2026

1. Introduction

AMLEGALS (“Firm”, “we”, “us”, or “our”) operates the websites amlegals.com and amlegalsdpdpa.com (collectively, “Platforms”). This Privacy Policy sets forth our practices concerning the collection, use, and disclosure of information in accordance with:

  • The Digital Personal Data Protection Act, 2023 (“DPDPA”) (India)
  • The Digital Personal Data Protection Rules, 2025 (“DPDP Rules”)
  • The Information Technology Act, 2000 and associated Rules
  • General Data Protection Regulation (GDPR) (EU/EEA)
  • Applicable international data protection frameworks

2. Technical Logs & Tracking Disclosure

Technical Telemetry Statement

Our Platforms (amlegals.com and amlegalsdpdpa.com) do not deploy behavioural tracking cookies, third-party advertising trackers, or profiling analytics. We strictly limit data capture to Essential Technical Telemetry — such as temporary server access logs, IP addresses, and user-agent details — processed exclusively under the legal basis of Legitimate Interest (Section 7, DPDPA read with Article 6(1)(f), GDPR) to maintain network security, prevent Denial of Service (DoS) attacks, and optimise platform delivery. These technical logs are automatically purged after 30 days and are never cross-referenced, profiled, or sold.

Cookie Consent Mechanism: Where the Platform utilises strictly necessary cookies for session management or security functions, a cookie consent slider is presented at first visit. Users may accept all cookies, reject non-essential cookies, or customise their preferences at any time. No non-essential cookie is activated until affirmative consent is recorded.

Users may browse the Platform freely. The Platform functions as an informational resource providing regulatory intelligence and legal analysis on global data privacy governance frameworks. Beyond essential technical telemetry described above, no personal data is collected, processed, or stored through automated means during passive browsing.

3. Identity of the Data Fiduciary & Platform Interoperability

Corporate Architecture Clause

Personal data collected across amlegals.com (general legal practice) and the specialised compliance platform amlegalsdpdpa.com (DPDPA advisory, Vibe Data Privacy™ framework delivery, automated compliance assessments, and regulatory intelligence) is controlled globally by AMLEGALS Law Firm as the sole Data Fiduciary within the meaning of Section 2(i) of the DPDPA.

By utilising our specialised resources or submitting enquiries on either Platform, you acknowledge that your data may be securely processed and synthesised within our centralised legal practice management infrastructure. This infrastructure utilises strict end-to-end encryption, partitioned access controls, and role-based authorisation to preserve legal professional privilege and client confidentiality.

Data originating from the specialised amlegalsdpdpa.com platform — including consultation intake forms, compliance assessment submissions, and Vibe Data Privacy™ framework interactions — may be transferred to the parent firm's internal enterprise systems (including centralised CRM, billing systems, and secure communication platforms) solely for the purpose of conflict-checking, service delivery, and professional engagement management.

4. Information Collection Through Client Engagement

Personal data is collected only when an individual or organisation directly approaches AMLEGALS to:

  • Engage our legal advisory services
  • Seek data privacy compliance advisory
  • Request regulatory intelligence briefings
  • Retain us for legal representation
  • Submit enquiries through our Platform contact forms, compliance assessment tools, or consultation intake portals
  • Download reports, guides, or research publications
  • Apply for employment or internship positions

In such cases, we may collect:

  • Identity Information: Name, professional credentials, organisation affiliation, designation
  • Contact Information: Email address, phone number, business address
  • Engagement Details: Nature of enquiry, scope of services requested, compliance assessment responses
  • Corporate Identifiers: Organisation name, sector, employee count, geographical footprint (for compliance risk assessment)
  • Transactional Information: Billing details, payment records (as required for service delivery)

5. Section 5 Notice — Point-of-Collection Consent Architecture

Standalone Section 5 Notice Under DPDPA

In compliance with Section 5 (Notice) and Section 6 (Consent) of the Digital Personal Data Protection Act, 2023, read with Rules 3 and 4 of the DPDP Rules, 2025, every data collection form on our Platforms includes an itemised consent mechanism. No form submission is processed until the Data Principal has:

  1. Read and understood the purpose of data collection specific to that form
  2. Affirmatively checked the consent checkbox
  3. Acknowledged the purpose limitation, data sharing disclosure, and right to withdraw consent

Purpose Limitation: Data submitted through any form on our Platforms will be used strictly to (a) conduct initial conflict checks, (b) evaluate the organisation's DPDPA/GDPR risk profile, and (c) facilitate direct advisory communications.

Data Sharing: Data collected through our forms will be stored securely within AMLEGALS' centralised enterprise legal practice systems with end-to-end encryption and partitioned access controls. Data will not be sold, rented, or shared with third parties except as described in Section 7 (Data Sharing and Disclosure) below.

Consent Withdrawal: You retain the right to withdraw your consent at any time by emailing [email protected]. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

6. Legal Basis for Processing

When we process personal data, we rely on the following legal bases:

6.1 Consent (Section 6, DPDPA): Explicit, informed, affirmative consent provided by the Data Principal when submitting forms or initiating engagement. Each form collects granular consent before submission is permitted.
6.2 Legitimate Use (Section 7, DPDPA): Processing under defined “legitimate uses” including (a) performance of professional services under an engagement agreement, (b) compliance with legal obligations, and (c) essential technical telemetry for platform security and stability.
6.3 Legal Obligation: Compliance with professional regulatory requirements (Bar Council of India Rules), anti-money laundering laws, Income Tax Act, and applicable legal practice standards.

7. Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We may disclose information only in the following circumstances:

7.1 Client Consent: With explicit authorisation from the Data Principal
7.2 Legal Authorities: When required by law, court order, or government request
7.3 Professional Advisors: Co-counsel, expert witnesses, or consultants retained for the client's matter, bound by confidentiality obligations
7.4 Service Providers: Third-party vendors providing essential services (secure document management, billing systems, cloud hosting) under strict data processing agreements compliant with Section 8(2) of the DPDPA
7.5 Inter-Platform Transfers: Data collected on amlegalsdpdpa.com may be transferred to AMLEGALS' centralised enterprise systems as described in Section 3 above, for legitimate practice management purposes

8. Data Retention Schedule

In compliance with the principle of Storage Limitation under the DPDPA and Rule 8 of the DPDP Rules, 2025, we maintain the following definitive retention schedule for each category of data subject:

Data Subject CategoryProcessing PurposeRetention PeriodLegal Anchor
Website Enquirers / Leads
(amlegalsdpdpa.com & amlegals.com)
Assessing corporate exposure & initial engagement outreach6 months from last contact
(or immediate deletion upon request)
Purpose Limitation — Section 6, DPDPA
Retained Legal ClientsProvision of counsel, litigation management, conflict-checking7 years post-conclusion of active representationBar Council of India Rules, Income Tax Act (Section 44AA), AML Regulations
Job Applicants / InternsTalent acquisition and candidate evaluation1 year post-rejection
(for pipeline consideration, unless immediate deletion requested)
Consent-based Processing — Section 6, DPDPA
Technical LogsNetwork security, DoS prevention, platform stability30 days (auto-purge)Legitimate Interest — Section 7, DPDPA
Report / Resource DownloadsContent delivery and engagement tracking6 months from download
(or immediate deletion upon request)
Consent-based Processing — Section 6, DPDPA

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised. Where a statutory retention obligation extends beyond the stated period, data is retained only to the extent required by the specific statute and is deleted promptly thereafter.

9. How We Use Information

Information collected through client engagement and Platform forms is used exclusively for:

  • Providing legal advisory services
  • Conducting initial conflict checks and risk assessments
  • Responding to enquiries and maintaining client communications
  • Fulfilling contractual obligations under professional engagement
  • Maintaining client records as required by legal practice regulations
  • Invoicing and payment processing
  • Delivering requested reports, guides, and research publications
  • Complying with statutory and regulatory obligations

10. Your Rights as a Data Principal

Under the DPDPA 2023, DPDP Rules 2025, and applicable international frameworks, you have the right to:

  • Access (Section 11): Request confirmation of data processing and access your personal data
  • Correction & Completion (Section 11): Request correction of inaccurate or incomplete data
  • Erasure (Section 12): Request deletion of data, subject to legal retention requirements set out in Section 8 above
  • Consent Withdrawal (Section 6(6)): Withdraw previously given consent at any time
  • Portability (GDPR Article 20): Receive your data in a structured, machine-readable format (applicable to EU/EEA Data Principals)
  • Objection (GDPR Article 21): Object to certain types of processing (applicable to EU/EEA Data Principals)
  • Grievance Redressal (Section 13): Submit a grievance regarding data processing, with a guaranteed response timeline

11. Exercise of Statutory Rights & Grievance Mechanism

Data Privacy Desk & Grievance Architecture

To exercise your rights of access, correction, data minimisation, consent withdrawal, or erasure, you may submit a formalised request directly to our dedicated Data Privacy Desk:

Dedicated Email:[email protected]
Grievance Officer:Mr. Rohit Lalwani, AMLEGALS Law Firm — [email protected]
Postal Address:201-203, Westface, Near Baghban Party Plot, Zydus Hospital Road, Thaltej, Ahmedabad — 380059, Gujarat, India

Turnaround Commitment

  • Acknowledgement: We will acknowledge receipt of all statutory data subject requests within forty-eight (48) business hours.
  • Resolution: A formal decision and complete execution of your erasure, correction, or access request will be concluded within 30 calendar days — well within the maximum timeframe permissible under the DPDP Act 2023.
  • Escalation: If unsatisfied with the resolution, you may approach the Data Protection Board of India under Section 13 of the DPDPA.

12. Security Measures

We implement the following measures to safeguard personal data:

  • Encrypted communication channels (TLS 1.3 / SSL)
  • End-to-end encryption for data at rest and in transit
  • Partitioned access controls and role-based authorisation
  • Secure document management systems
  • Multi-factor authentication for administrative access
  • Regular security audits and vulnerability assessments
  • Confidentiality obligations for all firm personnel

13. Third-Party Links

This Platform may contain links to external websites for reference purposes. We are not responsible for the privacy practices of third-party sites. We recommend reviewing their privacy policies before providing any information.

14. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or statutory amendments. Material changes will be prominently displayed on this page with an updated “Last Updated” date. Continued engagement with the Firm after such changes constitutes acceptance of the revised Policy.

15. Contact Information

AMLEGALS Law Firm — Data Fiduciary

201-203, Westface, Near Baghban Party Plot
Zydus Hospital Road, Thaltej
Ahmedabad - 380059, Gujarat, India

Privacy Email: [email protected]

General Email: [email protected]

Grievance Officer: Mr. Rohit Lalwani — [email protected]

Phone: +91-8448548549

16. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the courts of Ahmedabad, Gujarat, India.

By browsing this Platform, you acknowledge that you have read and understood this Privacy Policy. By submitting any form on this Platform, you confirm that you have read and consented to the data processing described in Section 5 above.