Trust & Compliance / Data Rights
DPDP Data Rights Procedure
Version 1.0 · Effective 8 May 2026
1. What this procedure is
This procedure explains how individuals (and customers acting on behalf of their own data principals) can exercise the rights granted by the Digital Personal Data Protection Act, 2023 (the "DPDP Act") in respect of personal data processed by LegalInk ("LegalInk", "we"). It is published as part of LegalInk's Trust & Compliance package alongside the Subprocessor List, Document Retention Policy, and Data Processing Addendum.
Specifically, this document explains:
- Which DPDP rights LegalInk supports.
- Who is entitled to submit a request.
- How to submit a request, and what to include.
- How LegalInk verifies the requester's identity.
- Response timelines we commit to.
- What we do internally to fulfil each right.
- Statutory exceptions where we cannot delete data immediately.
2. Rights covered
§11(1)(a) — Right to Access
Obtain a summary of personal data we process about you, the processing activities, and the categories of data shared with subprocessors.
§11(1)(b) — Right to Correction
Request correction of inaccurate or misleading personal data, and completion of incomplete personal data.
§11(1)(c) — Right to Erasure
Request erasure of personal data that is no longer necessary for the purpose for which it was processed, subject to statutory exceptions.
§13 — Right of Grievance Redressal
Raise a grievance with our designated Grievance Officer in respect of any act or omission relating to your personal data.
§14 — Right to Nominate
Nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.
3. Who can submit a request
- Direct Data Principals — individuals whose personal data is processed by LegalInk through their own LegalInk account or interaction with our website.
- Authorised representatives — a person authorised in writing by the Data Principal to act on their behalf, including a parent or guardian for a child or a person with a disability.
- Customers acting as Data Fiduciaries — enterprise customers who have collected personal data from their own data principals and, in their role as Data Fiduciary, need LegalInk (as Data Processor) to action a request received from their data principal.
4. How to submit a request
Send an email to support@legalink.ai from the email address registered with your LegalInk account, using one of the subject lines below:
| Right | Subject line convention |
|---|---|
| §11(1)(a) Access | "DPDP Access Request" |
| §11(1)(b) Correction | "DPDP Correction Request" |
| §11(1)(c) Erasure | "DPDP Erasure Request" |
| §13 Grievance | "DPDP Grievance" |
| §14 Nomination | "DPDP Nomination" |
Include the following in your request:
- The email address registered with your LegalInk account (or, if acting as an authorised representative, the Data Principal's registered email).
- A clear description of the right being exercised and the personal data or category of data concerned.
- Any additional context that helps us locate the relevant records (draft IDs, team workspace name, approximate date range).
- If you are an authorised representative, attach the written authorisation from the Data Principal.
5. Identity verification
Before acting on a request that affects access, correction, or erasure of personal data, we verify the requester's identity using one or more of the following methods:
- Confirmation that the request originates from the email address registered with the LegalInk account.
- A confirmation reply to a verification email sent to the registered email address.
- For authorised representatives, written authorisation from the Data Principal plus identity confirmation from the Data Principal's registered email where feasible.
- For enterprise customers acting as Data Fiduciaries, the request must come from the designated administrator email on the customer's team workspace.
We retain a record of the verification step performed, but not copies of identity documents beyond what is necessary to confirm the request is legitimate.
6. Response timelines
| Step | Timeline |
|---|---|
| Acknowledgement of receipt | Within 7 working days |
| Completion of standard request | Within 30 days |
| Complex request (multi-account, large dataset, third-party dependency) | Within 60 days, with written status update at day 30 |
7. What LegalInk does for each right
7.1 Access (§11(1)(a))
- Locate all account, draft, chat, and audit records associated with the verified Data Principal.
- Compile a written summary of categories of data held, processing purposes, and subprocessors with whom data has been shared.
- Deliver the summary to the verified email address as a downloadable PDF.
- Where bulk export of drafts or chat history is requested, provide a structured export (PDF or JSON) within the same timeline.
7.2 Correction (§11(1)(b))
- Identify the specific personal data the Data Principal asserts is inaccurate, misleading, or incomplete.
- For self-service fields (name, phone, firm, role), guide the customer to update them directly from the account settings.
- For fields not exposed in the UI, action the correction in the database and confirm in writing once complete.
- Record the change in the audit log with timestamp and the basis for the correction.
7.3 Erasure (§11(1)(c))
- Confirm the categories of data the Data Principal wishes to erase.
- Apply statutory exceptions (see §8 below) and notify the requester of any data we are required to retain, with the basis.
- Erase eligible data from primary storage; flag residual copies in encrypted backups for expiry on the 30-day rolling cycle.
- Confirm completion in writing, including the categories erased and any retained data with reasons.
7.4 Grievance (§13)
- Acknowledge receipt of the grievance within 7 working days.
- Investigate the act or omission complained of, including any relevant logs, communications, and processing records.
- Provide a written response from the designated Grievance Officer within 30 days of receipt.
- Where the response does not resolve the grievance, inform the Data Principal of the right to escalate to the Data Protection Board of India under §27.
7.5 Nomination (§14)
- Record the nominee's name and contact details against the Data Principal's account.
- On verified notification of the Data Principal's death or incapacity, treat requests from the nominee as if from the Data Principal, subject to the verification rules in §5.
- Allow the Data Principal to update or revoke the nomination at any time in writing.
8. Statutory exceptions
Certain categories of data cannot be erased on request because Indian statute or regulation requires LegalInk to retain them for a defined period:
| Data | Retention required by |
|---|---|
| Invoices, GST records, payment metadata | Income Tax Act §44AA; CGST §35; Companies Act §128 — 7 years |
| Razorpay payment records | RBI / PA-PG payment-aggregator regulation |
| Audit log entries (payments, plan changes, team invites, deletions) | Security and dispute defence — 24 months (pseudonymised where possible) |
| Records subject to a binding legal hold | Court / regulator order or active law-enforcement investigation |
9. Cost
The first request from a Data Principal in any rolling 12-month period is processed free of charge.
Where a request is manifestly unfounded, excessive, or repetitive (for example, the same access request submitted multiple times in quick succession with no material change), LegalInk may either decline the request with reasons or charge a reasonable fee to cover administrative costs. We will notify the requester in writing before any fee is applied.
10. Escalation
- Step 1 — Grievance Officer. Write to the designated Grievance Officer at support@legalink.ai with the subject line "DPDP Grievance". We will respond within 30 days of receipt.
- Step 2 — Data Protection Board of India. If the grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India under §27 of the DPDP Act.
11. Grievance Officer
| Designated email | support@legalink.ai |
| Office hours | IST, Monday–Friday, 10:00–18:00 |
| Response SLA | 30 days from receipt of grievance |
| Escalation path | Data Protection Board of India (DPDP §27) |
12. Update history
| Date | Version | Change | Reason |
|---|---|---|---|
| 8 May 2026 | 1.0 | Initial publication of DPDP Data Rights Procedure. | Trust & Compliance Kit Part 2. |
13. Contact
For DPDP-related requests, write to support@legalink.ai using one of the subject conventions below. For general support, write to the same address without a DPDP subject prefix.
- "DPDP Access Request" — §11(1)(a) access requests.
- "DPDP Correction Request" — §11(1)(b) correction requests.
- "DPDP Erasure Request" — §11(1)(c) erasure requests.
- "DPDP Grievance" — §13 grievances to the Grievance Officer.
- "DPDP Nomination" — §14 nominations.