← Back to home

Privacy Policy

Last updated: 2 May 2026 · NYAI is built for India and complies with the Digital Personal Data Protection Act, 2023 (DPDP Act).

1. Who we are

NYAI ("we", "us") is the data fiduciary for personal data you provide. Contact: privacy@nyai.in. Grievance officer: grievance@nyai.in.

2. What we collect

CategoryExamplesWhy
IdentityName, email, password (hashed with argon2id)Account creation, login
Matter dataDocuments you upload to the vault, drafts you generate, research you pinTo deliver the core service
UsagePer-call token counts, model used, endpoint, IP, user-agentBilling, fraud detection, audit log
AuditWho-accessed-what timestamps with hash-chained integrityDPDP compliance, dispute defence

3. Where it lives

4. We do not

5. Your rights under DPDP Act

You have the right to:

6. Cookies

We use a single cookie: nyai_sess — a 256-bit random session token, HttpOnly + SameSite=Lax, valid 30 days. No third-party tracking cookies, no analytics SDKs that capture form input.

7. Sub-processors

The following sub-processors handle limited categories of data on our behalf:

VendorWhat they processWhere
Google Gemini (LLM API)Prompts + matter context for inferenceMulti-region (incl. ap-south)
Amazon Web ServicesPostgres, S3, Elasticsearch hostingMumbai (ap-south-1)
RazorpayPayment processing for top-ups and subscriptionsIndia
SendGrid (or India SMTP relay)OTP delivery, transactional emailUS (in transit)

8. Data breaches

If we discover a breach affecting your personal data, we notify you and the Data Protection Board within 72 hours, with the scope, the data affected, and the steps we're taking. Honoring the DPDP-grade hash-chained audit log lets us reconstruct exactly what was accessed.

9. Children

NYAI is for legal-industry adults. We do not knowingly collect data from anyone under 18.

10. Changes

If we change this policy, we email all active users at least 14 days before the change takes effect.