← Back to home
Privacy Policy
Last updated: 2 May 2026 · NYAI is built for India and complies with the Digital Personal Data Protection Act, 2023 (DPDP Act).
1. Who we are
NYAI ("we", "us") is the data fiduciary for personal data you provide. Contact: privacy@nyai.in. Grievance officer: grievance@nyai.in.
2. What we collect
| Category | Examples | Why |
| Identity | Name, email, password (hashed with argon2id) | Account creation, login |
| Matter data | Documents you upload to the vault, drafts you generate, research you pin | To deliver the core service |
| Usage | Per-call token counts, model used, endpoint, IP, user-agent | Billing, fraud detection, audit log |
| Audit | Who-accessed-what timestamps with hash-chained integrity | DPDP compliance, dispute defence |
3. Where it lives
- Postgres (auth, matters, drafts, ledger) — AWS Mumbai (ap-south-1)
- S3 bucket (vault documents) — AWS Mumbai, encrypted at rest with SSE-S3, isolated per user via prefix
- Elasticsearch (corpus search index) — public Supreme Court / High Court judgments only; no user data
- LLM provider (Google Gemini API) — your prompts and matter context are sent over HTTPS to Google's API for inference. Per Google's terms, paid-API content is not used to train Gemini models.
4. We do not
- ...sell or rent your matter documents to anyone, ever.
- ...use your matter data to train any model — neither ours nor a vendor's.
- ...share documents across users; tenant isolation is enforced at the database, object-storage, and audit-log levels.
- ...read your matter documents except where explicitly required to deliver the service you requested (e.g., search, draft, OCR).
5. Your rights under DPDP Act
You have the right to:
- Access: request a copy of all data we hold about you. Email privacy@nyai.in; we respond within 30 days.
- Correct or update: via the in-app profile page.
- Erasure: close your account and your matter documents are deleted within 30 days. Audit log entries (whose retention is mandated by financial-compliance norms) are retained for 7 years and then purged.
- Withdraw consent: at any time, with the consequence that the service stops working. Past usage already billed is not refunded.
- Grievance: raise a complaint to our grievance officer who responds within 30 days, or escalate to the Data Protection Board of India.
6. Cookies
We use a single cookie: nyai_sess — a 256-bit random session token, HttpOnly + SameSite=Lax, valid 30 days. No third-party tracking cookies, no analytics SDKs that capture form input.
7. Sub-processors
The following sub-processors handle limited categories of data on our behalf:
| Vendor | What they process | Where |
| Google Gemini (LLM API) | Prompts + matter context for inference | Multi-region (incl. ap-south) |
| Amazon Web Services | Postgres, S3, Elasticsearch hosting | Mumbai (ap-south-1) |
| Razorpay | Payment processing for top-ups and subscriptions | India |
| SendGrid (or India SMTP relay) | OTP delivery, transactional email | US (in transit) |
8. Data breaches
If we discover a breach affecting your personal data, we notify you and the Data Protection Board within 72 hours, with the scope, the data affected, and the steps we're taking. Honoring the DPDP-grade hash-chained audit log lets us reconstruct exactly what was accessed.
9. Children
NYAI is for legal-industry adults. We do not knowingly collect data from anyone under 18.
10. Changes
If we change this policy, we email all active users at least 14 days before the change takes effect.