Trust & Compliance / Data Rights

    DPDP Data Rights Procedure

    Version 1.0 · Effective 8 May 2026

    1. What this procedure is

    This procedure explains how individuals (and customers acting on behalf of their own data principals) can exercise the rights granted by the Digital Personal Data Protection Act, 2023 (the "DPDP Act") in respect of personal data processed by LegalInk ("LegalInk", "we"). It is published as part of LegalInk's Trust & Compliance package alongside the Subprocessor List, Document Retention Policy, and Data Processing Addendum.

    Specifically, this document explains:

    • Which DPDP rights LegalInk supports.
    • Who is entitled to submit a request.
    • How to submit a request, and what to include.
    • How LegalInk verifies the requester's identity.
    • Response timelines we commit to.
    • What we do internally to fulfil each right.
    • Statutory exceptions where we cannot delete data immediately.

    2. Rights covered

    §11(1)(a) — Right to Access

    Obtain a summary of personal data we process about you, the processing activities, and the categories of data shared with subprocessors.

    §11(1)(b) — Right to Correction

    Request correction of inaccurate or misleading personal data, and completion of incomplete personal data.

    §11(1)(c) — Right to Erasure

    Request erasure of personal data that is no longer necessary for the purpose for which it was processed, subject to statutory exceptions.

    §13 — Right of Grievance Redressal

    Raise a grievance with our designated Grievance Officer in respect of any act or omission relating to your personal data.

    §14 — Right to Nominate

    Nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.

    3. Who can submit a request

    • Direct Data Principals — individuals whose personal data is processed by LegalInk through their own LegalInk account or interaction with our website.
    • Authorised representatives — a person authorised in writing by the Data Principal to act on their behalf, including a parent or guardian for a child or a person with a disability.
    • Customers acting as Data Fiduciaries — enterprise customers who have collected personal data from their own data principals and, in their role as Data Fiduciary, need LegalInk (as Data Processor) to action a request received from their data principal.

    4. How to submit a request

    Send an email to support@legalink.ai from the email address registered with your LegalInk account, using one of the subject lines below:

    RightSubject line convention
    §11(1)(a) Access"DPDP Access Request"
    §11(1)(b) Correction"DPDP Correction Request"
    §11(1)(c) Erasure"DPDP Erasure Request"
    §13 Grievance"DPDP Grievance"
    §14 Nomination"DPDP Nomination"

    Include the following in your request:

    1. The email address registered with your LegalInk account (or, if acting as an authorised representative, the Data Principal's registered email).
    2. A clear description of the right being exercised and the personal data or category of data concerned.
    3. Any additional context that helps us locate the relevant records (draft IDs, team workspace name, approximate date range).
    4. If you are an authorised representative, attach the written authorisation from the Data Principal.

    5. Identity verification

    Before acting on a request that affects access, correction, or erasure of personal data, we verify the requester's identity using one or more of the following methods:

    1. Confirmation that the request originates from the email address registered with the LegalInk account.
    2. A confirmation reply to a verification email sent to the registered email address.
    3. For authorised representatives, written authorisation from the Data Principal plus identity confirmation from the Data Principal's registered email where feasible.
    4. For enterprise customers acting as Data Fiduciaries, the request must come from the designated administrator email on the customer's team workspace.

    We retain a record of the verification step performed, but not copies of identity documents beyond what is necessary to confirm the request is legitimate.

    6. Response timelines

    StepTimeline
    Acknowledgement of receiptWithin 7 working days
    Completion of standard requestWithin 30 days
    Complex request (multi-account, large dataset, third-party dependency)Within 60 days, with written status update at day 30

    7. What LegalInk does for each right

    7.1 Access (§11(1)(a))

    • Locate all account, draft, chat, and audit records associated with the verified Data Principal.
    • Compile a written summary of categories of data held, processing purposes, and subprocessors with whom data has been shared.
    • Deliver the summary to the verified email address as a downloadable PDF.
    • Where bulk export of drafts or chat history is requested, provide a structured export (PDF or JSON) within the same timeline.

    7.2 Correction (§11(1)(b))

    • Identify the specific personal data the Data Principal asserts is inaccurate, misleading, or incomplete.
    • For self-service fields (name, phone, firm, role), guide the customer to update them directly from the account settings.
    • For fields not exposed in the UI, action the correction in the database and confirm in writing once complete.
    • Record the change in the audit log with timestamp and the basis for the correction.

    7.3 Erasure (§11(1)(c))

    • Confirm the categories of data the Data Principal wishes to erase.
    • Apply statutory exceptions (see §8 below) and notify the requester of any data we are required to retain, with the basis.
    • Erase eligible data from primary storage; flag residual copies in encrypted backups for expiry on the 30-day rolling cycle.
    • Confirm completion in writing, including the categories erased and any retained data with reasons.

    7.4 Grievance (§13)

    • Acknowledge receipt of the grievance within 7 working days.
    • Investigate the act or omission complained of, including any relevant logs, communications, and processing records.
    • Provide a written response from the designated Grievance Officer within 30 days of receipt.
    • Where the response does not resolve the grievance, inform the Data Principal of the right to escalate to the Data Protection Board of India under §27.

    7.5 Nomination (§14)

    • Record the nominee's name and contact details against the Data Principal's account.
    • On verified notification of the Data Principal's death or incapacity, treat requests from the nominee as if from the Data Principal, subject to the verification rules in §5.
    • Allow the Data Principal to update or revoke the nomination at any time in writing.

    8. Statutory exceptions

    Certain categories of data cannot be erased on request because Indian statute or regulation requires LegalInk to retain them for a defined period:

    DataRetention required by
    Invoices, GST records, payment metadataIncome Tax Act §44AA; CGST §35; Companies Act §128 — 7 years
    Razorpay payment recordsRBI / PA-PG payment-aggregator regulation
    Audit log entries (payments, plan changes, team invites, deletions)Security and dispute defence — 24 months (pseudonymised where possible)
    Records subject to a binding legal holdCourt / regulator order or active law-enforcement investigation

    9. Cost

    The first request from a Data Principal in any rolling 12-month period is processed free of charge.

    Where a request is manifestly unfounded, excessive, or repetitive (for example, the same access request submitted multiple times in quick succession with no material change), LegalInk may either decline the request with reasons or charge a reasonable fee to cover administrative costs. We will notify the requester in writing before any fee is applied.

    10. Escalation

    1. Step 1 — Grievance Officer. Write to the designated Grievance Officer at support@legalink.ai with the subject line "DPDP Grievance". We will respond within 30 days of receipt.
    2. Step 2 — Data Protection Board of India. If the grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India under §27 of the DPDP Act.

    11. Grievance Officer

    Designated emailsupport@legalink.ai
    Office hoursIST, Monday–Friday, 10:00–18:00
    Response SLA30 days from receipt of grievance
    Escalation pathData Protection Board of India (DPDP §27)

    12. Update history

    DateVersionChangeReason
    8 May 20261.0Initial publication of DPDP Data Rights Procedure.Trust & Compliance Kit Part 2.

    13. Contact

    For DPDP-related requests, write to support@legalink.ai using one of the subject conventions below. For general support, write to the same address without a DPDP subject prefix.

    • "DPDP Access Request" — §11(1)(a) access requests.
    • "DPDP Correction Request" — §11(1)(b) correction requests.
    • "DPDP Erasure Request" — §11(1)(c) erasure requests.
    • "DPDP Grievance" — §13 grievances to the Grievance Officer.
    • "DPDP Nomination" — §14 nominations.