Privacy Policy

Sanhita is a legal-research and document-drafting workspace built for Indian advocates. This policy explains what we collect from you, why we collect it, how we store it, and what controls you have over your data.

1. Information we collect

We collect three categories of information. Account data: your name, email, phone (optional), bar council registration number (optional), and the firm or chamber you are affiliated with. Workspace data: the chat threads, drafts, matter notes, contract files, and vault uploads you create inside Sanhita. Operational telemetry: IP address, user-agent, login timestamps, and feature-usage events used to keep the service running and to investigate abuse.

2. How we use it

Account data is used to authenticate you, route your invoices, and let firm administrators see which seats are active. Workspace data is private to you and the colleagues you explicitly share a matter with; we use it to surface your own past work to you and to power retrieval that's anchored to your matter. Operational telemetry is used for security monitoring, capacity planning, and bug triage — never for advertising profiles.

3. Where your data lives

All workspace data is stored on infrastructure inside India. Vault uploads are encrypted at rest with AES-256. Database backups are encrypted and retained in the same region. Sanhita does not transfer your matter data outside India for processing without your explicit, in-product consent. This posture is designed to align with the Digital Personal Data Protection Act, 2023 and the rules notified on 13 November 2025.

4. Sharing with third parties

We do not sell your data. We engage a small number of processors — payment infrastructure, email delivery, error-reporting, and large-language-model inference — under contracts that bind them to use your data only to provide the service you requested. Inference providers (Anthropic, Google, Groq, Cloudflare) see the contents of your queries when you invoke the assistant; we route those calls through region-aware gateways where the provider offers them.

5. Retention

Threads and drafts are retained for the lifetime of your account. Deleted items move to a 30-day soft-delete archive before being purged. Operational logs are retained for 90 days then aggregated; raw IP addresses are dropped at 30 days. You may request earlier deletion in writing.

6. Your rights

Under the DPDPA you have the right to access the data we hold about you, to correct it, to request erasure, and to nominate a person to exercise these rights after you. Write to privacy@sanhita.co with the email registered to your account. We respond within seven working days.

7. Changes to this policy

If we materially change how we handle your data we will notify you by email at least fourteen days before the change takes effect. Minor edits (clarifications, formatting) are made without notice; the "Last updated" date at the top of this page always reflects the most recent revision.

← Back to Sanhita