01. Introduction
TrickyLaw Legal LLP ("TrickyLaw", "we", "us", or "our") is a private legal consultancy firm registered in India, operating the website gem.trickylaw.com. We are committed to protecting the privacy and confidentiality of every individual and business who engages with our services.
This Privacy Policy describes the categories of personal data we collect, how we use it, the legal basis for processing, your rights as a data principal, and the safeguards we apply. It is drafted in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and applicable rules thereunder.
By using our website, submitting a consultation request, or engaging our services, you signify your acceptance of this Privacy Policy. If you do not agree with any part of this policy, please do not use our services.
02. Information We Collect
We collect personal data only when it is necessary for delivering our consultancy services. The categories of data we collect include:
A. Information You Provide Directly
- Identity data: Full name, gender, date of birth (where required for KYC)
- Contact data: Email address, mobile number, business address, residential address
- Business data: Company name, PAN, GSTIN, MSME / Udyam registration number, CIN/LLPIN, type of business entity, nature of products/services
- Financial data: Bank account details, cancelled cheque, payment transaction IDs (collected only when necessary for verification or refunds; we do not store full credit card or net banking credentials)
- Documents: PAN card, Aadhaar (last 4 digits only, masked), GST certificate, MSME certificate, bank proofs, ITRs, address proofs
- Communication data: Emails, WhatsApp messages, call recordings (with prior consent), notes from consultation calls
B. Information Collected Automatically
- IP address, browser type, device identifier, operating system
- Pages visited, time spent, referring URLs, click patterns
- Cookies and similar tracking technologies (see Section 9)
C. Information from Third Parties
- Payment confirmation details from Razorpay / payment gateways
- Verification results from authorized government APIs (where authorized by you)
- Marketing analytics from Google Ads, Meta Pixel, and similar (anonymous/aggregated only)
03. Purpose & Use of Information
We process your personal data strictly for the following specified purposes:
- Service delivery: Providing consultancy assistance for GeM seller registration, catalog listing, bid support, vendor assessment, and related advisory services.
- Verification: Confirming the authenticity of documents and information you provide.
- Communication: Sending service updates, status notifications, payment reminders, and consultation summaries.
- Payment processing: Processing fees, generating invoices, processing refunds via authorized payment gateways.
- Legal compliance: Meeting our obligations under tax laws, GST regulations, and anti-money-laundering requirements.
- Service improvement: Analyzing usage patterns (anonymized) to improve our website and service quality.
- Marketing (with consent): Sending newsletters, service offers, and updates — only where you have opted in. You may opt out at any time.
- Dispute resolution & legal claims: Maintaining records to defend or pursue legal claims where necessary.
We do not use your data for automated profiling, decision-making with legal consequences, or behavioral advertising on third-party platforms without explicit consent.
04. Legal Basis for Processing
Under the DPDP Act, we process your personal data on the following lawful bases:
- Consent: When you voluntarily submit information through our website forms, agreements, or consultation bookings.
- Contractual necessity: When processing is required to deliver the consultancy services you have engaged us for.
- Legal obligation: When required by law (tax, accounting, KYC, court orders).
- Legitimate interest: For fraud prevention, security, internal business operations, and direct marketing where lawful.
06. Data Storage & Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: All data in transit is encrypted using TLS 1.2+ / HTTPS. Sensitive data at rest is encrypted using AES-256.
- Access control: Role-based access restricted to authorized personnel only, with multi-factor authentication.
- Server location: Primary data is stored on Indian servers (compliant with data localization preferences under the DPDP Act).
- Audit logs: All access to client data is logged and reviewed periodically.
- Confidentiality agreements: All employees and contractors sign NDAs before accessing client data.
- Breach notification: In the unlikely event of a data breach, we will notify affected users and the Data Protection Board within 72 hours of becoming aware, as required by the DPDP Act.
Despite our best efforts, no internet transmission or storage system is 100% secure. We cannot guarantee absolute security, but we continuously work to enhance our safeguards.
07. Retention Period
We retain your personal data only for as long as necessary for the purposes set out in this policy:
- Active engagement data: For the duration of our service engagement plus 12 months for follow-up support.
- Financial records: 8 years, as required under the Income Tax Act and GST Act.
- Legal advisory records: 7 years from closure, per Bar Council guidelines.
- Marketing data: Until you withdraw consent or until 24 months of inactivity have passed, whichever is earlier.
- Website analytics: 26 months (Google Analytics default), anonymized.
After the retention period, data is securely deleted or anonymized.
08. Your Rights Under the DPDP Act
As a Data Principal, you have the following rights:
- Right to access: Request a summary of personal data we hold about you and the processing activities.
- Right to correction & erasure: Request correction of inaccurate data or deletion when no longer required.
- Right to grievance redressal: File a complaint about how we handle your data (see Section 13).
- Right to nominate: Nominate another individual to exercise your rights in case of death or incapacity.
- Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to opt out of marketing: Unsubscribe from newsletters and promotional communications via the link in every email.
To exercise any of these rights, email privacy@trickylaw.com with your request. We will respond within 30 days as required by the DPDP Act.
10. Minors
Our services are intended exclusively for individuals aged 18 and above who can legally enter into contracts in India. We do not knowingly collect data from minors. If we become aware that we have inadvertently collected personal data from a minor, we will delete it immediately. Parents or guardians who believe their child has provided us with personal data may contact us for immediate removal.
11. International Data Transfers
Your data is primarily processed and stored within India. However, certain third-party tools (e.g., email service providers, cloud infrastructure) may transfer data to servers located outside India. Where this occurs, we ensure:
- The recipient country is not blacklisted under the DPDP Act.
- Adequate safeguards (Standard Contractual Clauses, encryption) are in place.
- Transfers are limited to what is strictly necessary.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other reasons. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify active clients via email at least 15 days before changes take effect.
- Display a notice on our website homepage.
Continued use of our services after such notice constitutes acceptance of the revised policy.
13. Grievance Officer
In compliance with the DPDP Act, 2023 and the Information Technology Rules, 2011, we have designated a Grievance Officer to address your concerns:
Grievance Officer / Data Protection Officer
Name: [To be filled — typically a senior partner]
Designation: Data Protection Officer, TrickyLaw Legal LLP
Email: grievance@trickylaw.com
Phone: +91 88888 88888 (Mon–Fri, 10 AM – 6 PM IST)
Address: [Your Registered Office Address]
We will acknowledge your grievance within 24 hours and resolve it within 15 working days.
14. Contact Us
For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@trickylaw.com
- Phone: +91 88888 88888
- Postal Address: TrickyLaw Legal LLP, [Your Registered Office Address], India
This Privacy Policy is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of courts located at [Your City], India.