Privacy Policy - SYNK AI

We, PANGEA CORPORATION, operating the website https://www.synk-ai.com/for-law-firms delivering AI-powered services for legal professionals specializing in litigation, such as automated case analysis, document drafting, legal research and secure case collaboration tools. This comprehensive Privacy Policy demonstrates our commitment to receiving, collecting, storing, processing, transmitting, protecting, and utilizing Personal Information (PI) and Sensitive Personal Data or Information (SPDI) in compliance with the Information Technology Act, 2000 ("IT Act"), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), Digital Personal Data Protection Act, 2023 ("DPDP Act"), and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules").

As a Data Fiduciary under the DPDP Act and body corporate under SPDI Rules, we publish this Policy prominently on our Site for easy access, ensuring transparency, notice, and choice. It applies to all users ("Users" or "Data Principals") in India and governs Digital Personal Data (DPD) processing.

Definitions

Personal Information (PI): Any data relating to an identified or identifiable natural person, as per Section 43A of IT Act and Section 2(s) DPDP.

Sensitive Personal Data or Information (SPDI): Passwords, financial details, official identifiers, sexual orientation, biometric data, or any detail belonging to a child, per Rule 3 SPDI.

Data Principal: Individual to whom DPD relates (Section 2(t) of DPDP).

Data Fiduciary: Pangea Corporation, determining processing purpose/means (DPDP Section 2(4)).

Processing: Collection, storage, use, sharing, erasure, etc., of DPD.

User: Registered legal professional using services.

Information We Collect

We collect only necessary DPD to deliver services, categorized as:

Registration and Profile Data

Full name, email, mobile number, Bar Council ID/enrolment number, law firm details, professional designation (e.g., advocate, litigator), and password.

Usage and Technical Data

IP address, device ID, browser/OS details, geolocation (city-level for service optimization), session logs, and interaction patterns with AI features (e.g., query timestamps).

Litigation-Specific Data

Uploaded case files (e.g., pleadings, judgments, evidence PDFs), client details (names, case numbers pseudonymized), AI-generated outputs (e.g., case summaries, arguments), and collaboration notes.

Consent and Preference Data

Records of consents given/withdrawn, newsletter opt-ins, cookie preferences.

Sensitive uploads (e.g., client personal data in briefs) are processed transiently for AI tasks and not stored post-session unless saved by user. No biometric, health, or financial data beyond payments is collected.

Methods of Information Collection

We collect personal data through two primary channels to facilitate our services and ensure operational security:

Information You Provide

We collect information that you explicitly provide to us. This includes data entered into registration forms, content uploaded to the platform, communications via chat interfaces, and preferences configured within your account settings.

Automatically Collected Information

When you interact with our platform, certain information is gathered automatically to maintain service integrity. This includes server logs generated during site navigation and metadata captured during the processing of AI queries.

Change in purpose triggers fresh notice/consent.

Purpose and Usage of Data

We process personal data strictly for specified, legitimate purposes communicated at the time of collection, adhering to the principle of data minimization. Your information is utilized solely to:

Deliver and operate our litigation AI services and functionality.
Manage user accounts, process subscriptions, and handle billing inquiries.
Improve the accuracy and performance of our AI models using exclusively anonymized and aggregated data.
Maintain the security of our infrastructure, prevent fraud, and ensure compliance with applicable legal and regulatory obligations.
Send essential service updates, security alerts, and customer support responses.

Consent Framework and Management

We process your data based on consent that is free, specific, informed, unconditional, and unambiguous. We adhere to a granular consent model, allowing you to approve specific data types and processing purposes independently.

We utilize "opt-in" mechanisms (such as unchecked checkboxes) at all data collection points. You will be presented with clear notices, such as: "I consent to SYNK AI processing my data for litigation AI tools."

You may withdraw your consent at any time by contacting us via email. Withdrawal is effective prospectively; upon receipt, we will cease processing and erase your historical data unless retention is required for a legitimate legal purpose.

To demonstrate compliance, we maintain records of your consent and withdrawal requests for a period of three (3) years following the withdrawal date.

We strictly prohibit the sale, auction, or commercial trading of your personal data.

Data Sharing, Disclosures, and Processors

We are committed to maintaining the confidentiality of your data. We do not sell, trade, or rent your personal information to third parties for marketing purposes. Your data is only shared in the following limited circumstances:

Service Providers

We engage trusted service providers for essential infrastructure (Cloud hosting), functionality (AI APIs), and communication (Email services). All such processors are bound by strict Data Processing Addendums (DPAs) compliant with the DPDP Act. These agreements mandate confidentiality and explicitly prohibit the engagement of sub-processors without our prior written approval.

Affiliates

We may disclose data to our affiliates solely for operational support and service delivery. These transfers are governed by valid DPAs to ensure your data remains protected to the same standard.

Legal Requirements

We may disclose information to law enforcement agencies, regulators, or public authorities only upon receipt of a valid legal order or when required to comply with applicable laws.

Data Security and Protection

We implement reasonable security practices and procedures as mandated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection (DPDP) Act. To safeguard your information, we utilize a multi-layered security approach:

Encryption and Infrastructure

Your data is protected using industry-standard AES Encryption at rest and during transmission. Our infrastructure is fortified by advanced firewalls to prevent unauthorized access.

Access Control

We strictly adhere to the "principle of least privilege," ensuring that only authorized personnel with a legitimate business need can access your data. Furthermore, we mandate Multi-Factor Authentication (MFA) for administrative access and conduct regular security audits to verify compliance.

Breach Notification

In the unlikely event of a personal data breach, we are committed to transparency. We will notify the Data Protection Board and affected users within 72 hours, in accordance with the DPDP Rules.

Data Retention and Disposal

We implement distinct retention schedules based on the nature and sensitivity of the data we process:

Case Data

To minimize exposure and ensure confidentiality, all Case Data, including uploaded documents, specific legal queries, and AI-generated outputs is retained for a strict maximum period of thirty (30) days from the date of creation or upload. Upon the expiration of this period, Case Data is permanently deleted from our active servers.

Account Data

Information necessary for the administration of your account (including login credentials, billing details, and usage preferences) is retained indefinitely for the duration of your active relationship with us, or until you explicitly request account deletion.

Legal Obligations

Notwithstanding the above, we may retain specific data for longer periods if strictly required to comply with applicable legal obligations, resolve disputes, or enforce our agreements.

Rights of Data Principal

In accordance with the Digital Personal Data Protection (DPDP) Act, you are entitled to specific rights regarding your personal information. As a Data Principal, you may exercise the following:

Right to Access and Correction: You may request a summary of the personal data we process and the identities of any Data Processors with whom it has been shared. You also have the right to correct inaccurate or misleading data and complete any incomplete data.
Right to Erasure: You may request the deletion of personal data ("Right to be Forgotten"), provided its retention is not required for a specific legal purpose.
Right to Grievance Redressal: You have the right to register a complaint with our designated Grievance Officer if you believe your rights have been compromised.
Right to Withdraw Consent: You may withdraw consent for data processing at any time, with such withdrawal applicable to future processing activities.
Right to Nominate: You are entitled to nominate an individual to exercise your rights as a Data Principal in the event of death or incapacity.

Data Breach Protocol

In the event of a personal data breach, we adhere to a strict incident response framework. Upon becoming aware of a breach, we will:

Intimate the Data Protection Board of India within 72 hours, providing details of the nature of the breach, affected data, and remedial actions taken.
Inform affected Data Principals without undue delay, outlining the likely consequences and the measures taken to mitigate harm.

Cookies and Tracking Technologies

We utilize cookies to ensure platform functionality and enhance user experience. These include only Essential Cookies strictly necessary for the operation of our services.

Amendments to Policy

We reserve the right to modify this Privacy Policy to reflect changing legal or operational requirements.

Material changes will be communicated via email or a prominent notice on our platform.

We will issue an annual notification regarding our Terms and Policies as mandated by the IT Rules.

Your continued use of the platform following the effective date of such changes constitutes your acceptance of the revised terms.

Grievance Redressal Mechanism

In compliance with the Information Technology Act, 2000 and the Digital Personal Data Protection (DPDP) Act, we have appointed a dedicated Grievance Officer to address any discrepancies or grievances you may have regarding the processing of your personal data.

Grievance Officer: Girish Bhargava

Email: girishbhargava@synk-ai.com

We acknowledge all grievances within 24 hours and commit to resolving them within a maximum period of thirty (30) days from the date of receipt.

If your grievance is not resolved to your satisfaction within the stipulated period, you may escalate the matter to our Data Protection Officer (DPO) or file a complaint with the Data Protection Board of India.

Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of India, including the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023.

Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts located in Bengaluru, Karnataka.

If any provision of this Policy is determined to be invalid, unlawful, or unenforceable, such provision shall be severed from the remaining terms, which shall continue to be valid and enforceable to the fullest extent permitted by law.

Contact Information

For inquiries, clarifications, or feedback regarding this Privacy Policy, please contact the SYNK AI Team: