Privacy Policy

Privacy Policy — GoLegal (Vidhiconnect Private Limited)
This Privacy Policy is available in English. Hindi version — available soon. As required under Section 5(3) of the DPDP Act, 2023, this Policy will be made available in Hindi and other languages listed in the Eighth Schedule of the Constitution of India.

Vidhiconnect Private Limited (Brand: GoLegal)

Data Fiduciary: Vidhiconnect Private Limited
Effective Date: March 26, 2026
Version: 2.0

This Privacy Policy ("Policy") is a formal notice to you ("Data Principal" or "User") regarding the collection, processing, and protection of your personal data by Vidhiconnect Private Limited ("Company", "we", "us", "our"), operating under the brand name GoLegal.

This Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the DPDP Rules, 2025, the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

By accessing our website (https://thegolegal.com), purchasing our courses, or using our services, you provide your free, specific, informed, and unconditional consent to the data practices described herein, as required under Section 6 of the DPDP Act, 2023.

1. Scope & Applicability

This Policy applies to all "Personal Data" (as defined under the DPDP Act) collected by us via:

  • Our website, mobile applications, and learning management systems (LMS).
  • Direct interactions — email, phone, WhatsApp.
  • Our specialised services, including the GoLegal WhatsApp Business API integration.
  • Cookies and tracking technologies deployed on our platform.

This Privacy Policy is presented as a standalone document, separate from our Terms of Service, and is independently accessible at all times.

2. Identity & Contact Information of Data Fiduciary

Data Fiduciary

Company Name: Vidhiconnect Private Limited (Brand: GoLegal)

Address: 824/28, Jyoti Park, Gurugram, Haryana — 122001

Email: support@thegolegal.com

Phone: +91-8383843679

Website: https://thegolegal.com

Grievance Officer / Data Protection Officer

Name: Mr. Sushant Sapra

Email: support@thegolegal.com

Phone: +91-8383843679

You may contact the Grievance Officer for any concerns regarding your personal data. We will acknowledge your grievance and respond within 15 days of receipt.

Not satisfied with our response? You have the right to file a complaint with the Data Protection Board of India as per Section 13 of the DPDP Act, 2023. Details on the complaint process are available on the Board's official website once constituted by the Central Government.

3. Personal Data We Collect

We collect only the personal data that is necessary for the purposes specified in this Policy. We do not collect data for unspecified or future use. This is in compliance with the principle of data minimisation under Sections 4 and 6(1) of the DPDP Act.

A. Data You Provide Voluntarily

| Data Category | Specific Data Points |
|---|---|
| Identity Data | Name, username, date of birth |
| Contact Data | Email address, phone number, billing address, shipping address |
| Professional Data | Course enrollment details, Bar Council registration (if applicable), institutional affiliation |
| Payment Data | Transaction ID and payment status only (we do not store full card numbers or banking passwords — payments processed via Razorpay) |
| Correspondence | Feedback, survey responses, support tickets, WhatsApp messages related to service queries |

B. Data Collected Automatically

| Data Category | Specific Data Points |
|---|---|
| Technical Data | IP address, browser type and version, time zone, operating system, device type |
| Usage Data | Pages visited, course progress, login frequency, session duration, referral source |
| Cookie Data | Data collected via cookies and tracking technologies (see Section 10) |

C. How We Collect Your Data

  • Forms — when you register, enrol in courses, or contact us via the website.
  • Cookies & Tracking Technologies — automatically when you browse our website (see Section 10).
  • Direct Communication — via email, phone, or WhatsApp.
  • Third-Party Sources — payment confirmation from Razorpay; analytics data from Google Analytics and Facebook Pixel.

D. Sensitive Personal Data

GoLegal does not collect sensitive personal data such as health records, biometric data, sexual orientation, political opinions, or genetic data. If our data practices change in the future, we will update this Policy and obtain your explicit consent before processing any sensitive data.

E. Children's Data

Our services are intended for individuals above the age of 18 (legal professionals, law students, entrepreneurs). In compliance with Section 9 of the DPDP Act, we do not knowingly collect personal data from children under 18. We do not track or behaviourally monitor children. If we discover that a minor has provided personal data without verifiable parental consent, we will delete such data immediately.

4. Purpose of Processing

We process your personal data only for specific, lawful purposes directly linked to the goods and services we provide. Each purpose below is tied to the specific data it requires:

| Purpose | Data Used | Service Enabled |
|---|---|---|
| Account Registration & Management | Identity Data, Contact Data | Creating your GoLegal account, managing course access, LMS login |
| Course Delivery | Identity Data, Professional Data, Usage Data | Providing access to legal education courses, tracking progress, issuing certificates |
| Payment Processing | Payment Data (via Razorpay) | Processing course purchases, generating GST invoices |
| Transactional Communications | Contact Data | Sending invoices, password resets, service updates, course reminders |
| WhatsApp API Services | Client business data (for API clients) | Configuring, verifying, and managing WhatsApp Business Accounts with Meta Platforms |
| Legal Compliance | Identity Data, Payment Data | GST invoicing, KYC norms, responding to court orders or lawful requests |
| Security & Fraud Prevention | Technical Data, Usage Data | Detecting fraud, abuse, security incidents, protecting platform integrity |
| Website Analytics | Technical Data, Cookie Data | Understanding site traffic and user behaviour to improve our platform (via Google Analytics) |

No Secondary Use: We will not process your personal data for any purpose other than those specified above, unless we obtain your separate, explicit consent for the new purpose.

Legitimate Uses (Processing Without Consent)

In certain limited cases, we may process your personal data without explicit consent where permitted under Section 7 of the DPDP Act, including:

  • Compliance with any judgment, order, or decree of a court or tribunal.
  • Responding to a medical emergency involving a threat to life.
  • Taking steps during a disaster or breakdown of public order.
  • Compliance with applicable laws, including tax and regulatory requirements.

5. Consent — Basis, Withdrawal & Consequences

A. Consent Basis

We process your personal data based on your free, specific, informed, and unconditional consent as required under Section 6 of the DPDP Act, 2023. Your consent is obtained at the time of data collection through clear, affirmative action.

B. Granular Consent

We request your consent separately for each distinct purpose. You may consent to some purposes and not others:

  • Service Delivery — Required for core platform functionality.
  • Marketing Communications — Optional; you may opt out at any time.
  • Analytics & Cookies — Optional; managed via our cookie consent banner (powered by CookieYes).

C. Right to Withdraw Consent

You have the right to withdraw your consent at any time. Withdrawal of consent is as easy as giving consent.

How to Withdraw Consent

Send an email to support@thegolegal.com with the subject line: "Withdraw Consent — [Your Name]"

We will process your withdrawal request within 7 working days.

D. Consequences of Withdrawal

If you withdraw your consent:

  • We will stop processing your personal data for the specified purpose.
  • We will erase your data unless retention is required by law (see Section 8).
  • Certain services — including course access and account features — may no longer be available to you.
  • Withdrawal will not affect the lawfulness of processing carried out before the withdrawal.

6. Your Rights as a Data Principal

Under the DPDP Act, 2023, you have the following rights:

| Right | What It Means | Legal Basis |
|---|---|---|
| Right to Access | Request a summary of all personal data we hold about you, details of our processing activities, and the identities of all entities we have shared your data with. | Section 11(1) |
| Right to Correction | Request correction of inaccurate, incomplete, or misleading personal data. | Section 12(1) |
| Right to Erasure | Request deletion of your personal data, subject to legal retention obligations. | Section 12(1) |
| Right to Grievance Redressal | File a grievance with our Grievance Officer regarding any data processing concern. Response within 15 days. | Section 13(1), Rule 14 |
| Right to Nominate | Nominate an individual to exercise your rights in the event of your death or incapacity. | Section 14 |

How to Exercise Your Rights

Email: support@thegolegal.com — Subject: "Data Request — [Your Name]"

WhatsApp: +91-8383843679

We will verify your identity and respond within 15 days of receiving your request. If your request is complex or voluminous, we may extend by an additional 15 days with prior notice.

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India under Section 13 of the DPDP Act.

7. Data Sharing & Third-Party Processors

We do not sell your personal data. We share your data only with the following Data Processors, each for a specific and limited purpose:

| Data Processor | Purpose | Data Shared |
|---|---|---|
| Google Analytics (Google LLC) | Website usage analytics — understanding traffic patterns, user behaviour, and platform performance | Technical Data (IP, browser, pages visited — anonymised) |
| Facebook Pixel (Meta Platforms, Inc.) | Ad conversion tracking and audience insights | Technical Data (page views, events, device info) |
| Razorpay Software Pvt. Ltd. | Payment processing | Payment Data (transaction details only — we do not store card numbers) |
| LMS Hosting Provider | Course delivery and content hosting | Identity Data, Usage Data (course progress) |
| Meta Platforms, Inc. (WhatsApp Cloud API) | WhatsApp Business API integration for clients | Client business configuration data |

Contractual Safeguards

All Data Processors engaged by us are bound by Data Processing Agreements that mandate equivalent security safeguards, including encryption, access controls, and breach notification obligations. Each processor receives only the data necessary for their specific function and is contractually prohibited from using it for any other purpose.

Other Disclosures

  • Legal Authorities: Courts, law enforcement agencies, or government bodies if required under Indian law (e.g., under BNSS or any applicable statute).
  • Business Transfer: In the event of a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity with equivalent data protection commitments.

8. Data Retention & Erasure

Retention Periods

| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account & Identity Data | Duration of account + 1 year after account closure | Contractual necessity |
| Transaction & Payment Data | As required by tax law (currently up to 7 years for GST records) | Legal obligation — GST Act |
| Communication Data | 1 year after last interaction | Service improvement |
| System Logs & Security Data | Minimum 1 year | DPDP Rules 2025, Rule 6(3) — for detection, investigation, and remediation of security incidents |
| Analytics & Cookie Data | As per third-party retention policies (Google Analytics: 14 months default) | Consent-based |

Erasure Triggers

Your personal data will be erased when:

  • The specified purpose for which it was collected is no longer served.
  • You withdraw your consent.
  • You submit a deletion request.
  • Your account is inactive beyond the prescribed retention period.

Unless retention is required by law, we will erase your data within 30 days of the erasure trigger.

Instruction to Data Processors to Erase Data

Upon erasure of your personal data, Vidhiconnect Private Limited will instruct all Data Processors — including Google Analytics, Facebook Pixel, Razorpay, and any other third-party processor to whom your data was shared — to erase and delete your personal data from their systems as well. This instruction will be issued without delay and we will take reasonable steps to verify that such erasure has been carried out by each Data Processor.

9. Data Security & Breach Notification

Security Safeguards Implemented by Vidhiconnect Private Limited (Data Fiduciary)

As the Data Fiduciary, Vidhiconnect Private Limited implements the following reasonable security safeguards to protect your personal data from unauthorised access, loss, misuse, or breach. These are our own internal security measures, independent of any obligations on our Data Processors:

  • Encryption in Transit: All data transmitted between your browser and our servers is protected using SSL/TLS encryption.
  • Encryption at Rest: Personal data stored on our servers and databases is encrypted at rest.
  • Role-Based Access Controls: Only authorised personnel within Vidhiconnect Private Limited can access user personal data, based on their role and need-to-know basis.
  • Regular Security Audits: We conduct periodic security audits and vulnerability assessments of our systems and infrastructure.
  • Access Logging & Monitoring: All access to personal data is logged and monitored to detect unauthorised access or anomalies.
  • Password & Authentication Security: We enforce strong password policies and secure authentication mechanisms for all accounts.
  • Business Continuity: We maintain business continuity and disaster recovery plans to ensure data availability and integrity.

These measures are aligned with ISO/IEC 27001 standards and constitute "reasonable security practices and procedures" as required under Section 8(4) of the DPDP Act and Rule 6(1) of the DPDP Rules, 2025.

Personal Data Breach — Notification Commitment by Vidhiconnect Private Limited

Vidhiconnect Private Limited, as the Data Fiduciary, commits to the following breach notification obligations:

A. Notification to the Data Protection Board of India (DPB):

In the event of any personal data breach, Vidhiconnect Private Limited will notify the Data Protection Board of India without delay and will submit a detailed incident report within 72 hours of becoming aware of the breach, as required under Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules, 2025.

B. Notification to Affected Data Principals (You):

Vidhiconnect Private Limited will notify each affected Data Principal without delay. The notification will be sent via email or other available communication channels.

Contents of Breach Notification

Every breach notification sent to you will include the following details:

  • Nature of the Breach: A description of what happened, including the type of personal data affected.
  • Potential Consequences: The likely impact of the breach on you as a Data Principal.
  • Mitigation Steps: The specific measures Vidhiconnect Private Limited has taken or proposes to take to address the breach and reduce its impact.
  • Contact for Follow-Up: The name and contact details of our Grievance Officer (Mr. Sushant Sapra, support@thegolegal.com, +91-8383843679) for you to reach out with questions or concerns.

Commitment to Transparency — No Suppression of Breach Information

Vidhiconnect Private Limited is committed to full transparency in breach reporting. We will never suppress, conceal, or delay notification of any personal data breach. We recognise that failure to report a breach constitutes a violation of the DPDP Act, 2023 and may attract penalties up to ₹200 Crore as prescribed under the Schedule to the Act.

10. Cookies & Tracking Technologies

What We Use

| Cookie Type | Provider | Purpose | Consent Required |
|---|---|---|---|
| Essential Cookies | GoLegal (first-party) | Login session, site security, basic functionality | No — required for site operation |
| Analytics Cookies | Google Analytics (Google LLC) | Understanding site traffic, user behaviour, page performance | Yes |
| Marketing Cookies | Facebook Pixel (Meta Platforms, Inc.) | Ad conversion tracking, audience measurement | Yes |
| Consent Management | CookieYes | Managing your cookie preferences | No — functional requirement |

Cookie Consent

Non-essential cookies (analytics, marketing) are only placed with your explicit, opt-in consent via our cookie consent banner powered by CookieYes. You may manage, accept, or reject cookie categories at any time through the cookie settings accessible on every page of our website.

Essential cookies required for basic site functionality do not require consent.

Third-Party Tracking Policies

Google Analytics and Facebook Pixel operate under their own privacy policies. We recommend reviewing:

11. WhatsApp Business Cloud API — Specific Provisions

For clients using our WhatsApp Business Cloud API integration services, we act as a Technology Provider. In this capacity:

  • Meta Policy Compliance: We adhere strictly to the WhatsApp Business Policy.
  • No Ownership of Chat Data: You (the Client) retain ownership of your customer chat data. We do not use your customer data for our own marketing or profiling.
  • Limited Access: Our access is limited to technical configuration, template management, and API troubleshooting. We do not manually read end-user messages unless explicitly requested by you for technical support.

12. Cross-Border Data Transfer

Your personal data is transferred outside India. Specifically, we transfer personal data to servers and processors located in the United States and other countries through our use of the following services:

  • Google Analytics (Google LLC, USA) — website usage data is transferred to Google's servers located outside India.
  • Facebook Pixel (Meta Platforms, Inc., USA) — ad conversion and event data is transferred to Meta's servers located outside India.
  • Cloud Hosting (e.g., Google Cloud / AWS) — account and platform data may be stored on servers outside India.
  • Razorpay — payment transaction data may be processed through international payment networks.

Legal Basis for Cross-Border Transfer

All cross-border transfers of personal data are carried out in compliance with Section 16 of the Digital Personal Data Protection Act, 2023 and Rule 15 of the DPDP Rules, 2025. We transfer data only to countries that have not been notified as "restricted" by the Central Government of India. We ensure, through contractual and technical safeguards, that every entity receiving your data outside India maintains the same level of data protection as mandated under Indian law.

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or services.

How You Will Be Notified of Changes

We will notify you of any material changes to this Privacy Policy through the following methods:

  • Email Notification: We will send an email to all registered users at their registered email address, informing them of the changes before they take effect.
  • Website Banner: A prominent notice will be displayed on our website (https://thegolegal.com) highlighting the updated Privacy Policy.
  • Updated Effective Date: The "Effective Date" at the top of this page will be revised to reflect the date of the latest update.

We encourage you to review this page periodically. Continued use of our platform after the updated Policy takes effect constitutes your acceptance of the changes. If you do not agree with the changes, you may withdraw your consent and request erasure of your data as described in Section 5 of this Policy.
