Privacy Policy
Last Updated: June 2026
1. Introduction
AMLEGALS (“Firm”, “we”, “us”, or “our”) operates the websites amlegals.com and amlegalsdpdpa.com (collectively, “Platforms”). This Privacy Policy sets forth our practices concerning the collection, use, and disclosure of information in accordance with:
- The Digital Personal Data Protection Act, 2023 (“DPDPA”) (India)
- The Digital Personal Data Protection Rules, 2025 (“DPDP Rules”)
- The Information Technology Act, 2000 and associated Rules
- General Data Protection Regulation (GDPR) (EU/EEA)
- Applicable international data protection frameworks
2. Technical Logs & Tracking Disclosure
Technical Telemetry Statement
Our Platforms (amlegals.com and amlegalsdpdpa.com) do not deploy behavioural tracking cookies, third-party advertising trackers, or profiling analytics. We strictly limit data capture to Essential Technical Telemetry — such as temporary server access logs, IP addresses, and user-agent details — processed exclusively under the legal basis of Legitimate Interest (Section 7, DPDPA read with Article 6(1)(f), GDPR) to maintain network security, prevent Denial of Service (DoS) attacks, and optimise platform delivery. These technical logs are automatically purged after 30 days and are never cross-referenced, profiled, or sold.
Cookie Consent Mechanism: Where the Platform utilises strictly necessary cookies for session management or security functions, a cookie consent slider is presented at first visit. Users may accept all cookies, reject non-essential cookies, or customise their preferences at any time. No non-essential cookie is activated until affirmative consent is recorded.
Users may browse the Platform freely. The Platform functions as an informational resource providing regulatory intelligence and legal analysis on global data privacy governance frameworks. Beyond essential technical telemetry described above, no personal data is collected, processed, or stored through automated means during passive browsing.
3. Identity of the Data Fiduciary & Platform Interoperability
Corporate Architecture Clause
Personal data collected across amlegals.com (general legal practice) and the specialised compliance platform amlegalsdpdpa.com (DPDPA advisory, Vibe Data Privacy™ framework delivery, automated compliance assessments, and regulatory intelligence) is controlled globally by AMLEGALS Law Firm as the sole Data Fiduciary within the meaning of Section 2(i) of the DPDPA.
By utilising our specialised resources or submitting enquiries on either Platform, you acknowledge that your data may be securely processed and synthesised within our centralised legal practice management infrastructure. This infrastructure utilises strict end-to-end encryption, partitioned access controls, and role-based authorisation to preserve legal professional privilege and client confidentiality.
Data originating from the specialised amlegalsdpdpa.com platform — including consultation intake forms, compliance assessment submissions, and Vibe Data Privacy™ framework interactions — may be transferred to the parent firm's internal enterprise systems (including centralised CRM, billing systems, and secure communication platforms) solely for the purpose of conflict-checking, service delivery, and professional engagement management.
4. Information Collection Through Client Engagement
Personal data is collected only when an individual or organisation directly approaches AMLEGALS to:
- Engage our legal advisory services
- Seek data privacy compliance advisory
- Request regulatory intelligence briefings
- Retain us for legal representation
- Submit enquiries through our Platform contact forms, compliance assessment tools, or consultation intake portals
- Download reports, guides, or research publications
- Apply for employment or internship positions
In such cases, we may collect:
- Identity Information: Name, professional credentials, organisation affiliation, designation
- Contact Information: Email address, phone number, business address
- Engagement Details: Nature of enquiry, scope of services requested, compliance assessment responses
- Corporate Identifiers: Organisation name, sector, employee count, geographical footprint (for compliance risk assessment)
- Transactional Information: Billing details, payment records (as required for service delivery)
5. Section 5 Notice — Point-of-Collection Consent Architecture
Standalone Section 5 Notice Under DPDPA
In compliance with Section 5 (Notice) and Section 6 (Consent) of the Digital Personal Data Protection Act, 2023, read with Rules 3 and 4 of the DPDP Rules, 2025, every data collection form on our Platforms includes an itemised consent mechanism. No form submission is processed until the Data Principal has:
- Read and understood the purpose of data collection specific to that form
- Affirmatively checked the consent checkbox
- Acknowledged the purpose limitation, data sharing disclosure, and right to withdraw consent
Purpose Limitation: Data submitted through any form on our Platforms will be used strictly to (a) conduct initial conflict checks, (b) evaluate the organisation's DPDPA/GDPR risk profile, and (c) facilitate direct advisory communications.
Data Sharing: Data collected through our forms will be stored securely within AMLEGALS' centralised enterprise legal practice systems with end-to-end encryption and partitioned access controls. Data will not be sold, rented, or shared with third parties except as described in Section 7 (Data Sharing and Disclosure) below.
Consent Withdrawal: You retain the right to withdraw your consent at any time by emailing [email protected]. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.
6. Legal Basis for Processing
When we process personal data, we rely on the following legal bases:
7. Data Sharing and Disclosure
We do not sell, rent, or trade personal data. We may disclose information only in the following circumstances:
8. Data Retention Schedule
In compliance with the principle of Storage Limitation under the DPDPA and Rule 8 of the DPDP Rules, 2025, we maintain the following definitive retention schedule for each category of data subject:
| Data Subject Category | Processing Purpose | Retention Period | Legal Anchor |
|---|---|---|---|
| Website Enquirers / Leads (amlegalsdpdpa.com & amlegals.com) | Assessing corporate exposure & initial engagement outreach | 6 months from last contact (or immediate deletion upon request) | Purpose Limitation — Section 6, DPDPA |
| Retained Legal Clients | Provision of counsel, litigation management, conflict-checking | 7 years post-conclusion of active representation | Bar Council of India Rules, Income Tax Act (Section 44AA), AML Regulations |
| Job Applicants / Interns | Talent acquisition and candidate evaluation | 1 year post-rejection (for pipeline consideration, unless immediate deletion requested) | Consent-based Processing — Section 6, DPDPA |
| Technical Logs | Network security, DoS prevention, platform stability | 30 days (auto-purge) | Legitimate Interest — Section 7, DPDPA |
| Report / Resource Downloads | Content delivery and engagement tracking | 6 months from download (or immediate deletion upon request) | Consent-based Processing — Section 6, DPDPA |
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised. Where a statutory retention obligation extends beyond the stated period, data is retained only to the extent required by the specific statute and is deleted promptly thereafter.
9. How We Use Information
Information collected through client engagement and Platform forms is used exclusively for:
- Providing legal advisory services
- Conducting initial conflict checks and risk assessments
- Responding to enquiries and maintaining client communications
- Fulfilling contractual obligations under professional engagement
- Maintaining client records as required by legal practice regulations
- Invoicing and payment processing
- Delivering requested reports, guides, and research publications
- Complying with statutory and regulatory obligations
10. Your Rights as a Data Principal
Under the DPDPA 2023, DPDP Rules 2025, and applicable international frameworks, you have the right to:
- Access (Section 11): Request confirmation of data processing and access your personal data
- Correction & Completion (Section 11): Request correction of inaccurate or incomplete data
- Erasure (Section 12): Request deletion of data, subject to legal retention requirements set out in Section 8 above
- Consent Withdrawal (Section 6(6)): Withdraw previously given consent at any time
- Portability (GDPR Article 20): Receive your data in a structured, machine-readable format (applicable to EU/EEA Data Principals)
- Objection (GDPR Article 21): Object to certain types of processing (applicable to EU/EEA Data Principals)
- Grievance Redressal (Section 13): Submit a grievance regarding data processing, with a guaranteed response timeline
11. Exercise of Statutory Rights & Grievance Mechanism
Data Privacy Desk & Grievance Architecture
To exercise your rights of access, correction, data minimisation, consent withdrawal, or erasure, you may submit a formalised request directly to our dedicated Data Privacy Desk:
Turnaround Commitment
- Acknowledgement: We will acknowledge receipt of all statutory data subject requests within forty-eight (48) business hours.
- Resolution: A formal decision and complete execution of your erasure, correction, or access request will be concluded within 30 calendar days — well within the maximum timeframe permissible under the DPDP Act 2023.
- Escalation: If unsatisfied with the resolution, you may approach the Data Protection Board of India under Section 13 of the DPDPA.
12. Security Measures
We implement the following measures to safeguard personal data:
- Encrypted communication channels (TLS 1.3 / SSL)
- End-to-end encryption for data at rest and in transit
- Partitioned access controls and role-based authorisation
- Secure document management systems
- Multi-factor authentication for administrative access
- Regular security audits and vulnerability assessments
- Confidentiality obligations for all firm personnel
13. Third-Party Links
This Platform may contain links to external websites for reference purposes. We are not responsible for the privacy practices of third-party sites. We recommend reviewing their privacy policies before providing any information.
14. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or statutory amendments. Material changes will be prominently displayed on this page with an updated “Last Updated” date. Continued engagement with the Firm after such changes constitutes acceptance of the revised Policy.
15. Contact Information
AMLEGALS Law Firm — Data Fiduciary
201-203, Westface, Near Baghban Party Plot
Zydus Hospital Road, Thaltej
Ahmedabad - 380059, Gujarat, India
Privacy Email: [email protected]
General Email: [email protected]
Grievance Officer: Mr. Rohit Lalwani — [email protected]
Phone: +91-8448548549
16. Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the courts of Ahmedabad, Gujarat, India.
By browsing this Platform, you acknowledge that you have read and understood this Privacy Policy. By submitting any form on this Platform, you confirm that you have read and consented to the data processing described in Section 5 above.