Privacy Policy.

This Privacy Policy (the “Policy”) explains how Nyaya Vidhi (the “Platform”, “we”, “us”, or “our”) collects, uses, shares, retains, transfers, and protects information — including personal data — when you visit nyayavidhi.in, subscribe to our newsletter, contact us, or otherwise interact with our services (collectively, the “Services”).

This Policy is published in compliance with applicable Indian law, including:

• the Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and the rules framed thereunder once notified;
• Sections 43A and 72A of the Information Technology Act, 2000 (the “IT Act”);
• the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”);
• the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the “Intermediary Rules”);
• and any other rules, regulations, guidelines, or notifications issued by the Government of India from time to time.

By accessing or using the Services, you acknowledge that you have read and understood this Policy and consent to the processing of your personal data in accordance with it.

• “Data Principal” means the natural individual to whom the personal data relates (i.e., you, the User).
• “Data Fiduciary” means the person who, alone or in conjunction with others, determines the purpose and means of processing of personal data — in this Policy, that is Nyaya Vidhi.
• “Personal Data” means any data about an individual who is identifiable by or in relation to such data.
• “Sensitive Personal Data or Information” (“SPDI”) has the meaning ascribed to it in Rule 3 of the SPDI Rules and includes passwords; financial information such as bank account or card details; physical, physiological, and mental health condition; sexual orientation; medical records; and biometric information.
• “Processing” means a wholly or partly automated operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, retrieval, use, disclosure, erasure, or destruction.
• “Cookies” means small text files placed on your device that store information for the purposes described in Section 7.

We adopt a data-minimisation approach and collect only what is necessary for the lawful purposes set out in this Policy.

3.1 Information you provide

• Newsletter subscription: your email address and, optionally, your name.
• Correspondence: the contents of your emails or messages and any information you voluntarily share.
• Feedback & corrections: any information you submit when reporting an inaccuracy or suggesting a topic.

3.2 Information collected automatically

• Technical data: IP address, device identifiers, browser type and version, operating system, screen size, language, and time-zone setting.
• Usage data: pages visited, referring URL, session duration, navigation paths, search terms used on the Platform, and interaction events with components such as the “Know Your Rights” cards or learning paths.
• Cookies and similar technologies: as described in Section 7.

3.3 Information from third parties

Where we use analytics, hosting, or email-delivery providers, we may receive aggregated or pseudonymised information from them about how users interact with the Platform.

3.4 Sensitive Personal Data or Information

We do not intentionally collect SPDI such as financial information, passwords, biometric data, or health data. You are requested not to share such information with us through any channel.

We process personal data only for specified, explicit, and lawful purposes, and on the grounds set out below.

We will not use your personal data for purposes materially different from those listed above without first obtaining your fresh consent, where required.

Wherever the lawful ground for processing is consent, such consent is sought in a manner that is free, specific, informed, unconditional, and unambiguous, with a clear affirmative action, and is limited to the personal data necessary for the specified purpose, in accordance with Section 6 of the DPDP Act.

You may withdraw your consent at any time with equal ease, by:

• clicking the “unsubscribe” link present in every newsletter email; or
• writing to our Grievance Officer at the address provided in Section 14.

Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Following withdrawal, we shall, within a reasonable period, cease and cause our data processors to cease processing the personal data unless retention is required for compliance with any law for the time being in force.

The Platform is not directed at children below the age of eighteen (18) years. We do not knowingly collect personal data of children or persons with disabilities who have lawful guardians without obtaining verifiable consent of the parent or lawful guardian, in line with Section 9 of the DPDP Act. If you believe we have inadvertently collected such data, please write to our Grievance Officer and we shall promptly delete it.

We use cookies and similar technologies (such as local storage and pixels) to operate the Platform, remember your preferences, understand how the Services are used, and improve them. We distinguish between the following categories:

• Strictly necessary: required for core functionality such as page navigation and form submission. These cannot be switched off in our systems.
• Functional / preference: remember choices such as theme (light/dark) or recently viewed laws.
• Analytics: help us understand aggregate usage patterns. Wherever feasible, we configure analytics with IP anonymisation and respect the “Do Not Track” signal.

You can control cookies through your browser settings and may configure your browser to refuse cookies or to alert you when cookies are being sent. Disabling certain cookies may affect functionality of the Platform.

We do not sell, rent, or trade your personal data. We share personal data only in the following limited circumstances:

• Service providers (data processors): with vetted third-party providers (such as hosting, content delivery, analytics, and email delivery) acting on our written instructions and bound by confidentiality and data-protection obligations consistent with this Policy.
• Legal compliance: with courts, statutory authorities, regulators, or law-enforcement agencies, when required by a duly issued summons, notice, order, or warrant under applicable law including the IT Act and the Bharatiya Nagarik Suraksha Sanhita, 2023.
• Protection of rights: to enforce our terms, protect the rights, property, or safety of Nyaya Vidhi, our Users, or others, or to investigate fraud or security incidents.
• Business transfer: in connection with a merger, acquisition, restructuring, or sale of assets, subject to the transferee assuming obligations no less protective than those in this Policy.

Our service providers may be located in jurisdictions outside India. Where personal data is transferred outside India, such transfer shall be made only to countries or territories not specifically restricted by the Central Government under Section 16 of the DPDP Act, and shall be subject to appropriate contractual safeguards consistent with the protections afforded under Indian law.

We retain personal data only for as long as is necessary for the purposes for which it was collected or as required under applicable law, whichever is longer. Indicative retention periods:

• Newsletter subscribers: until you unsubscribe or withdraw consent, plus a reasonable period to action your request and maintain proof of consent.
• Correspondence: up to twenty-four (24) months from the last interaction.
• Server logs: up to one hundred eighty (180) days for security and diagnostic purposes, save where retention is mandated under Rule 3(1)(g) of the Intermediary Rules or any other law.

On expiry of the retention period, we shall erase personal data and cause our data processors to erase it, except where retention is required by law.

Subject to applicable law, you have the following rights in respect of your personal data:

1. Right to information about personal data being processed and the activities undertaken (Section 11, DPDP Act).
2. Right to correction and erasure of inaccurate, incomplete, or outdated personal data (Section 12, DPDP Act).
3. Right to grievance redressal through a readily available means (Section 13, DPDP Act).
4. Right to nominate any other individual to exercise your rights in the event of death or incapacity (Section 14, DPDP Act).
5. Right to withdraw consent at any time (Section 6(4), DPDP Act).
6. Where applicable under the SPDI Rules, the right to review the information you have provided and ensure that any inaccuracy is corrected.

To exercise any of these rights, please contact our Grievance Officer (Section 14). We will verify your identity before processing your request and respond within a reasonable timeframe, generally not exceeding thirty (30) days.

You also have the right to register a complaint with the Data Protection Board of India if you are not satisfied with our response.

We implement reasonable security practices and procedures commensurate with the nature of the personal data and the risk to which it is exposed, in accordance with Section 8(5) of the DPDP Act and Rule 8 of the SPDI Rules. These include:

• transport-layer encryption (HTTPS / TLS) for all communications with the Platform;
• access controls, role-based permissions, and the principle of least privilege;
• secure software-development practices, dependency monitoring, and timely patching;
• logical separation of production and non-production environments; and
• periodic review of our security posture.

Notwithstanding such measures, no method of transmission over the internet or electronic storage is fully secure. In the event of a personal-data breach, we shall give intimation to the Data Protection Board of India and to each affected Data Principal in the manner and within the timelines prescribed under the DPDP Act and the rules made thereunder.

The Platform may contain links to or embedded content from third-party services. We are not responsible for the privacy practices of such third parties. You are encouraged to review their respective privacy policies before providing any personal data to them.

In compliance with Section 10(2)(j) of the DPDP Act, Section 5(9) of the Intermediary Rules, 2021, and Rule 5(9) of the SPDI Rules, the name and contact details of our Grievance Officer are published below.

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The latest version will always be available on this page, with the “Last updated” date refreshed accordingly. Where the change is material, we will provide a more prominent notice (such as an in-product notice or, where appropriate, an email notification).

This Policy is governed by the laws of the Republic of India. Any dispute, controversy, or claim arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts at Kolkata, West Bengal, without prejudice to your right to approach the Data Protection Board of India under the DPDP Act.