Privacy Policy
This Privacy Policy explains how Sharkify Technology Private Limited operating under the brand Vaksy, with its registered office in Hyderabad, India, collects, uses, shares, retains and protects your personal data when you use the Vaksy web platform at vaksy.in or our mobile application (together, the Platform).
Vaksy is an AI-powered legal-technology platform. Vaksy is not a law firm; it connects users with independent advocates empanelled with the Bar Council of India and with other professionals. This Policy is issued pursuant to the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 and rules made thereunder, and applicable rulings of the Bar Council of India.
1. Who we are
For the purposes of the DPDP Act, the Data Fiduciary is Sharkify Technology Private Limited. You, the user, are the Data Principal. Where Vaksy processes your data on the instructions of an empanelled advocate (for example, documents shared inside a matter workspace), the advocate may act as an independent Data Fiduciary or joint fiduciary for that data.
2. What we collect
| Category | Examples |
|---|---|
| Identity | Name, mobile number, email, preferred language, city, photograph (optional). |
| Verification (KYC) | PAN or Aadhaar reference (last 4 digits only, where required for advocate engagement), one-time verification status from authorised KYC providers. |
| Case content | Facts you describe, documents you upload, prompts you send to Kanoon AI, notes and chat history within a matter. |
| Payments | Transaction IDs, plan, invoice address. Card or UPI credentials are processed by RBI-regulated payment aggregators; Vaksy does not store card numbers. |
| Device & usage | IP address, device model, OS, browser, app version, crash logs, feature events. |
| Communications | Support tickets, OTP and WhatsApp delivery receipts, voice or video session metadata (not content unless you record it). |
3. Why we collect it
We process each category for a specific, lawful purpose, and only for that purpose.
- KYC and eligibility: to confirm you are 18+, an Indian resident, and to satisfy advocate due-diligence under Bar Council of India Rules.
- Communication: to send OTPs, transaction alerts, matter updates, and grievance responses.
- Advocate routing: to match your matter to a suitably qualified empanelled advocate based on practice area, language and jurisdiction.
- AI partner (Kanoon AI): to generate research summaries, drafts and explanations from your prompts. Your matter content is not used to train foundation models.
- Service operation, security and fraud prevention: to keep the Platform available, detect abuse and meet obligations under the IT Act, 2000.
- Legal compliance: to respond to lawful orders, tax filings and statutory record-keeping.
Under §6 of the DPDP Act, we rely on your free, specific, informed and unambiguous consent (or, where applicable, on the legitimate uses listed in §7) for each of these purposes. You may withdraw consent at any time as described in Section 7.
4. How we share
- With empanelled advocates: only after you explicitly accept an engagement, and only the case content necessary for that engagement.
- With Data Processors: cloud hosting, telephony, payment aggregators, KYC verifiers, analytics and crash-reporting providers, each bound by written contracts requiring DPDP-compliant safeguards and onward processing restrictions. Our key sub-processors include:
- Supabase Inc. (US) - primary database hosting; data stored in Indian-region servers with US-based management plane for administration access.
- Anthropic, PBC (US) - AI language model provider. Your prompts and matter content sent to Kanoon AI are processed by Anthropic's Claude API. Anthropic does not train its models on your data by default; see anthropic.com/privacy. This constitutes a cross-border transfer to the United States under DPDP §16.
- Razorpay Software Pvt Ltd (India) - payment processing.
- With regulators or courts: where required by a lawful written order under the IT Act, 2000, the Bharatiya Nagarik Suraksha Sanhita, 2023, the Bharatiya Nyaya Sanhita, 2023, or any other Indian law in force.
- On a business transfer: in a merger, acquisition or insolvency, subject to the acquirer assuming this Policy or offering you an opportunity to withdraw.
We do not sell your personal data, and we do not share case content with advertisers under any circumstance.
5. How long we keep your data
We retain your account and matter data for the duration of an active matter and for a further seven (7) years after resolution, in line with the limitation period under the Limitation Act, 1963 and the prudential requirement to preserve professional records. Payment records are retained for the period required by the Income-tax Act, 1961 and GST law (currently eight years). On lapse of these periods, data is securely deleted or anonymised.
6. Cookies and similar technologies
We use first-party cookies for session authentication, security and remembering your language preference. We use limited analytics cookies (aggregated, IP-truncated) to understand product usage. We do not use third-party advertising cookies. You can control cookies via your browser settings; disabling essential cookies may break log-in.
7. Your rights under the DPDP Act
As a Data Principal, you have the following rights:
- Right to access a summary of the personal data we hold and how we have shared it (§11).
- Right to correction, completion, updation and erasure of your data, subject to legal retention obligations (§12).
- Right of grievance redressal through our Grievance Officer (§13).
- Right to nominate another individual to exercise your rights in the event of your death or incapacity (§14).
- Right to withdraw consent at any time, with effect from the date of withdrawal.
How to exercise these rights
Write to hello@vaksy.in from the mobile number associated with your account, or use the in-app Privacy & Data screen. We will verify your identity and respond within the statutory timeline (currently 15 calendar days for grievances under DPDP §13).
Account and data deletion
You may request complete deletion of your account and personal data at any time through any of these channels:
- In-app (fastest): open the Vaksy app → Me tab → scroll to the bottom → tap Delete account. Your deletion request is submitted immediately and processed within 72 hours.
- By email: write to hello@vaksy.in with subject Account deletion request from your registered mobile number. Please confirm: (a) deletion is irreversible and (b) certain case records are retained for legal compliance (see below).
- Web form: visit vaksy.in/data-deletion to submit a deletion request without signing in to the app.
What is deleted: your name, phone number, AI query history, documents in Vault, matter content, preferences, payment history and all other personal data associated with your account.
What is retained: anonymised case tombstone records (no PII) are retained for up to 7 years to satisfy our obligations under the Advocates Act, 1961 and the Limitation Act, 1963. This retention does not include any content you submitted; only the structural record (matter ID, date created, date closed, practice area) is kept.
Timeline: deletion is completed within 72 hours of your request. A confirmation SMS is sent to your registered number once complete. If you uninstalled the app before requesting deletion, use the email or web form channels above.
8. Security
Personal data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Documents in the Vaksy Vault are stored with envelope encryption and key access scoped per matter. Access by Vaksy personnel is role-restricted, logged and reviewed. In the event of a reportable personal data breach, we will notify affected Data Principals and the Data Protection Board of India within 72 hours of becoming aware of the breach, as required by DPDP §8(6) read with the draft DPDP Rules.
9. Children
The Platform is intended for persons aged 18 years and above. We do not knowingly collect personal data of children or persons with a lawful guardian requiring guardian consent under DPDP §9. If you believe a child has used the Platform, please write to our Grievance Officer; we will delete the data promptly.
10. Cross-border transfers
Primary database storage is in Indian-region data centres. The following cross-border transfers occur:
- Anthropic (United States): prompts and matter content you send to Kanoon AI are processed via Anthropic's API servers in the United States. This transfer is necessary to deliver the AI features you have consented to under the AI partner purpose.
- Supabase management plane (United States): administrative access to the database is routed through Supabase's US management infrastructure.
Each transfer is governed by a data-processing agreement. None of these sub-processors are located in countries restricted by the Central Government under DPDP §16. We review this list whenever we engage new sub-processors.
11. Grievance Officer
In accordance with §10 of the DPDP Act, 2023 and Rule 3(11) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021:
Grievance Officer & Data Protection Officer
Sharkify Technology Private Limited
Hyderabad, Telangana, India
Email: grievance@vaksy.in
Acknowledgement within 48 hours; resolution within 15 calendar days as required by DPDP §13. If you are not satisfied with our response, you may approach the Data Protection Board of India.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by in-app banner and email at least 7 days before they take effect. The current version is always available at vaksy.in/privacy.
13. Contact
General privacy questions: hello@vaksy.in. Formal grievances: grievance@vaksy.in.