Privacy Policy

Last updated: March 31, 2026

This Privacy Policy explains how APUA AI Private Limited ("APUA AI", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use the ApuaLegal platform (product name: Arsenal), accessible at apualegal.com and arsenal.apualegal.com. This policy is compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025 (DPDP Rules) of India.

1. Data We Collect

1.1 Account Information

When you register for an ApuaLegal account, we collect:

• Full name
• Email address
• Phone number (optional)
• Bar Council enrolment number (for verification)
• State and court preferences

1.2 Usage Data

We automatically collect certain information when you use our platform:

• Search queries and research history
• Documents created, drafted, or uploaded
• Feature usage patterns and session duration
• Device information, browser type, and IP address

1.3 Payment Information

Payment processing is handled by Razorpay. We do not store your credit card numbers, debit card numbers, or UPI credentials on our servers. Razorpay processes and stores payment information in compliance with PCI-DSS standards.

2. How We Use Your Data

We use your personal data for the following purposes:

• Providing services: To operate the ApuaLegal platform, including AI-powered legal research, document drafting, and case management features.
• Authentication: To verify your identity and manage your account via Firebase Authentication.
• AI processing: Your queries are processed by Google Gemini AI to generate legal research results and document drafts. Your data is processed in real-time and is not retained by the AI model for training purposes.
• Communication: To send you account-related notifications, security alerts, and service updates.
• Improvement: To analyse usage patterns (in aggregate, anonymised form) to improve our platform.
• Legal compliance: To comply with applicable laws, regulations, and legal processes.

3. Data Storage and Infrastructure

All data is stored on Google Cloud Platform infrastructure in the Mumbai region (asia-south1), ensuring your data remains within India. We use the following Google Cloud services:

• Firebase Authentication: For secure user authentication and session management.
• Cloud Firestore: For structured data storage (user profiles, case data, research history).
• Cloud Storage: For document and file storage.
• Google Gemini AI: For AI-powered legal research and document generation.

4. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services to you. Specifically:

• Account data: Retained for the lifetime of your account plus 90 days after deletion.
• Research and case data: Retained until you delete it or close your account.
• Usage logs: Retained for 12 months in anonymised form.
• Payment records: Retained for 8 years as required under Indian tax laws.

5. Data Sharing

We do not sell your personal data to any third party. We do not share your data with third parties for their marketing purposes. Your data may be shared only in the following circumstances:

• Service providers: Google Cloud (infrastructure), Razorpay (payments), and essential service providers who are bound by contractual obligations to protect your data.
• Legal requirements: When required by law, court order, or government authority.
• With your consent: When you explicitly authorise sharing.

6. AI and Your Data

We take special care with how your data interacts with AI systems:

• Your data is never used to train any AI or machine learning model.
• AI queries are processed in real-time and are not stored by the AI provider.
• We design our AI features to respect attorney-client privilege.
• AI-generated content is clearly labelled and should be independently verified by the user.

7. Your Rights Under the DPDP Act 2023

As a Data Principal under the DPDP Act 2023, you have the following rights:

• Right to access: You may request confirmation of whether we are processing your personal data, and obtain a summary of the data we hold.
• Right to correction and erasure: You may request correction of inaccurate data or erasure of data that is no longer necessary for the purpose it was collected.
• Right to grievance redressal: You may raise a complaint with our Grievance Officer or the Data Protection Board of India.
• Right to nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, contact us at grievance@apua.ai.

8. Data Security

We implement industry-standard security measures to protect your data:

• AES-256 encryption at rest
• TLS 1.3 encryption in transit
• Multi-factor authentication support
• Regular security audits and penetration testing
• Access controls and audit logging

For more details, see our Security Overview.

9. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies. For more details, see our Cookie Policy.

10. Children's Privacy

ApuaLegal is designed for legal professionals and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice on our platform. Your continued use of ApuaLegal after changes constitutes acceptance of the updated policy.

12. Grievance Officer

In accordance with the DPDP Act 2023 and the Information Technology Act 2000, the details of our Grievance Officer are:

Name: Neelanchal Dixit
Email: neel@apua.ai (alternate: grievance@apua.ai)
Organisation: APUA AI Private Limited, India

We will acknowledge your grievance within 72 hours and resolve it within 30 days.

13. Contact Us

For questions or concerns about this Privacy Policy, contact us at:

Email: grievance@apua.ai
Website: apualegal.com