Privacy Policy

1. Introduction

This Privacy Policy explains how Verida Law (the “Firm”, “we”, “us”, or “our”) collects, uses, stores, discloses, and protects personal data of users (the “User”, “you”, or “your”) who access or interact with the website www.veridalaw.com (the “Website”).

The Firm is a sole proprietorship concern having its office at R6 LG 004, Lower Ground Floor, M3M CornerWalk, Sector 74, Gurugram – 122101, Haryana, India. For the purposes of the Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “IT Act and SPDI Rules”), the Firm is the Data Fiduciary in respect of personal data collected through the Website.

This Privacy Policy should be read together with the Disclaimer, the Terms and Conditions, the Cookie Policy, and the Grievance Redressal Policy published on the Website.

This Privacy Policy applies to all access to and use of the Website, regardless of the device, browser, or means by which the User accesses the Website.

2. Definitions

In this Privacy Policy, the following terms shall have the meanings ascribed to them:

1. “Personal Data” means any data about an individual who is identifiable by or in relation to such data, as defined under Section 2 of the DPDP Act.
2. “Sensitive Personal Data or Information” or “SPDI” has the meaning ascribed under Rule 3 of the SPDI Rules.
3. “Data Principal” means the natural person to whom the Personal Data relates, as defined under Section 2 of the DPDP Act.
4. “Data Fiduciary” has the meaning ascribed under Section 2 of the DPDP Act.
5. “Process” or “Processing” means any operation or set of operations performed on Personal Data, as defined under Section 2 of the DPDP Act.
6. “Cookies” means small text files placed on a User’s device when the User accesses the Website, as further explained in the Cookie Policy.

3. Personal Data we collect

We collect the following categories of Personal Data:

1. Contact information submitted by the User. When a User submits an enquiry through the contact form on the Website, we collect the User’s name, email address, telephone number, and the contents of the message (“Contact Data”).
2. Technical and usage data automatically collected. When a User accesses the Website, we may automatically collect technical data including the User’s Internet Protocol (IP) address, browser type and version, device type and operating system, referring webpage, pages visited on the Website, and the time and date of visit (“Technical Data”). Technical Data is collected through Cookies and similar technologies, as described in the Cookie Policy.
3. Newsletter subscription data (where applicable). If the Website offers a newsletter or mailing list subscription, and the User chooses to subscribe, we collect the User’s name and email address for the purpose of sending such communications.
4. Chat or messaging data (where applicable). If the Website provides a chat or messaging feature, and the User initiates a conversation, we collect the contents of the conversation along with any contact details voluntarily provided by the User during the chat.
5. Location data (where activated by the User). The Website provides a “find us on map” feature which, when activated by the User, may request the User’s permission to access the precise geographic location of the User’s device through the User’s browser. If the User grants permission, the location data will be used to display directions from the User’s location to the Firm’s office, including by transmission of such location data to a third-party mapping service integrated into the Website. The User may decline this request without losing access to any other functionality of the Website. Location data accessed through this feature is used solely for the purpose of generating directions and is not retained by the Firm beyond the duration of the User’s session.
6. Push notification subscription data (where applicable). The Website may, from time to time, offer the User the option to receive browser-based push notifications about new content, legal updates, or other communications from the Firm. If the User opts in to receive such notifications through the User’s browser, the Firm or its push notification service provider may collect a push subscription identifier (a unique endpoint generated by the User’s browser), the User’s browser type and version, and certain technical data necessary to deliver notifications to the User’s device. The User may withdraw consent for push notifications at any time by changing the notification permission for the Website in the User’s browser settings, or by following any unsubscribe mechanism provided in connection with such notifications.

The Website does not require the User to register an account, and the Firm does not collect Personal Data beyond what is necessary for the purposes set out in Clause 5 below.

4. No collection of sensitive personal data

We do not collect Sensitive Personal Data or Information from Users through the Website. The Website does not request, and the User should not submit through the Website, any of the following: passwords; financial information including bank account, credit card, debit card, or other payment instrument details; physical, physiological, or mental health information; sexual orientation; medical records and history; biometric information; or any other information falling within the scope of Sensitive Personal Data or Information.

If a User inadvertently submits any Sensitive Personal Data or Information through the Website (for example, in the message field of the contact form), the Firm shall, upon becoming aware of the same, take reasonable steps to delete such information from its records.

5. Purposes of Processing

We Process Personal Data for the following purposes:

1. to respond to enquiries submitted through the Website;
2. to communicate with Users in connection with such enquiries by email, telephone, or other means as may be appropriate;
3. to operate, maintain, secure, and improve the Website;
4. to detect, prevent, and address technical issues, fraud, or unauthorised access;
5. to send Users newsletters or other communications, where the User has subscribed to such communications;
6. to comply with applicable laws, including responding to lawful requests from competent authorities;
7. to enforce the Terms and Conditions and to protect the legal rights of the Firm; and
8. to provide map and direction services through the “find us on map” feature, where the User has activated such feature and granted permission to access the User’s location;
9. to deliver browser-based push notifications to Users who have opted in to receive such notifications, and to manage the User’s notification preferences; and
10. for any other purpose disclosed to the User at the time of collection of the relevant Personal Data, with the User’s consent.

6. Legal basis for Processing

We Process Personal Data on one or more of the following legal bases:

1. Consent of the User, obtained at the time of collection of Personal Data, in accordance with Section 6 of the DPDP Act. Consent is sought through clear, specific, and informed means at the point of data collection (for example, through a checkbox on the contact form);
2. Legitimate uses recognised under Section 7 of the DPDP Act, including where the User has voluntarily provided Personal Data and has not indicated that the User does not consent to its use, or where Processing is necessary for compliance with applicable law; and
3. Compliance with legal obligations binding on the Firm under applicable laws.

7. Sharing and disclosure of Personal Data

We do not sell, rent, or trade Personal Data. We may share Personal Data only in the following circumstances:

1. With service providers and processors. We may engage third-party service providers (each a “Processor”) to perform functions on our behalf, including website hosting, analytics, email and communication services, customer relationship management, and chat or messaging services. Such Processors are permitted to access Personal Data only to the extent necessary to perform their functions and are required to maintain appropriate security and confidentiality standards.
2. With professional advisors. We may share Personal Data with our auditors, legal counsel, and other professional advisors where reasonably required.
3. For legal compliance and protection of rights. We may disclose Personal Data where required by law, court order, regulatory direction, or other legal process, or where we believe in good faith that disclosure is necessary to protect our rights, the rights of Users, or to investigate or prevent fraud or other illegal activity.
4. In the event of a business transition. In the event of a transfer, sale, or restructuring of the Firm or any part of its practice, Personal Data may be transferred as part of such transaction, subject to applicable law.

In all other cases, Personal Data will not be disclosed to any third party without the User’s consent.

8. Third-party tools and analytics

The Website may use, or may in the future use, the following categories of third-party tools, each of which involves the Processing of certain Technical Data and may set Cookies on the User’s device:

1. Web analytics services, such as Google Analytics, which collect information about User interactions with the Website to help the Firm understand and improve Website performance;
2. Chat or messaging widgets, which enable real-time communication between Users and the Firm;
3. Newsletter and email marketing services, which manage subscriber lists and the delivery of newsletter communications; and
4. Website hosting services, which store and serve the Website’s content.
5. Map and direction services, such as Google Maps, which provide map display and route-generation functionality on the Website, and which may receive the User’s location coordinates (where the User has activated the “find us on map” feature and granted permission for such access) for the purpose of computing directions; and
6. Push notification services, which manage the registration of push subscribers and the delivery of browser-based push notifications to Users who have opted in to receive such notifications.

The use of any such tool is disclosed in the Cookie Policy and is subject to the User’s consent where required by applicable law. The Firm is not responsible for the privacy practices of third parties operating outside the Website; Users are encouraged to review the privacy policies of such third parties directly.

9. Cross-border transfer of Personal Data

The Website is currently hosted on servers located outside India (in the United States of America), and certain Processors engaged by the Firm may store or Process Personal Data on servers located outside India. By using the Website and providing Personal Data, the User acknowledges and consents to the transfer, storage, and Processing of Personal Data outside India.

Such transfers are made in accordance with Section 16 of the DPDP Act, which permits the transfer of Personal Data outside India to any country or territory other than those in respect of which the Central Government has, by notification, restricted such transfer. The Firm shall give effect to any such restriction as and when notified, and shall take reasonable steps to ensure that Personal Data transferred outside India is afforded a level of protection consistent with this Privacy Policy and applicable law.

10. Retention of Personal Data

We retain Personal Data only for so long as is reasonably necessary to fulfil the purposes for which it was collected, or as required by applicable law, whichever is longer. In particular:

1. Contact Data submitted through the contact form is retained for a period of three (3) years from the date of submission, unless a professional engagement results from the enquiry, in which case retention is governed by the engagement and the Firm’s record-keeping obligations under applicable law and professional conduct rules;
2. Newsletter subscription data is retained until the User unsubscribes from the relevant communication;
3. Technical Data collected through Cookies is retained for the period specified in the Cookie Policy; and
4. Personal Data required to be retained under any law (including for tax, regulatory, or professional record-keeping purposes) is retained for the period prescribed by such law.
5. Location data accessed through the “find us on map” feature is not retained by the Firm beyond the duration of the User’s session. Any retention of such data by the third-party mapping service is governed by the privacy practices of that service; and
6. Push notification subscription data is retained for so long as the User remains opted in to receive push notifications. Upon the User’s withdrawal of consent, whether through browser settings, an unsubscribe mechanism, or a request to the Grievance Officer, the relevant subscription is deactivated and the associated subscription identifier is deleted within a reasonable time.

Upon the expiry of the applicable retention period, Personal Data is securely deleted or anonymised.

11. Security

We have implemented reasonable security practices and procedures within the meaning of Section 43A of the IT Act and Rule 8 of the SPDI Rules, and consistent with the obligations of a Data Fiduciary under Section 8(5) of the DPDP Act, to protect Personal Data from unauthorised access, alteration, disclosure, or destruction. These include access controls, encryption in transit where appropriate, secure storage, and periodic review of security practices.

Despite these measures, no method of transmission over the internet or method of electronic storage is entirely secure. The User acknowledges that the User submits Personal Data at the User’s own risk.

In the event of a personal data breach, the Firm shall comply with the notification requirements applicable under Section 8(6) of the DPDP Act and any rules made thereunder.

12. Rights of the Data Principal

Subject to the conditions set out in the DPDP Act, the User (as a Data Principal) has the following rights in respect of the User’s Personal Data:

1. Right to access information about Personal Data being Processed and the Processing activities undertaken (Section 11 of the DPDP Act);
2. Right to correction and erasure of Personal Data, including the right to request correction of inaccurate or misleading data, completion of incomplete data, updating of data, and erasure of data which is no longer necessary for the purpose for which it was Processed (Section 12 of the DPDP Act);
3. Right to grievance redressal in respect of any act or omission of the Firm regarding the User’s Personal Data (Section 13 of the DPDP Act). The procedure for raising a grievance is set out in the Grievance Redressal Policy and in Clause 16 below;
4. Right to nominate any other individual who shall, in the event of the User’s death or incapacity, exercise the rights of the User under the DPDP Act (Section 14 of the DPDP Act); and
5. Right to withdraw consent previously given for the Processing of Personal Data, with such withdrawal having prospective effect.

To exercise any of these rights, the User may contact the Grievance Officer at the contact details provided in Clause 16. The Firm shall respond to such requests within the timelines prescribed under applicable law.

13. Cookies

The Website uses Cookies and similar technologies. Detailed information about the Cookies used, their purposes, and the User’s choices in relation to them is set out in the Cookie Policy.

14. Children’s data

The Website is not directed at children. We do not knowingly collect Personal Data from any individual under the age of eighteen (18) years. If we become aware that we have inadvertently collected Personal Data from a child, we shall take steps to delete such data and discontinue any related Processing in accordance with Section 9 of the DPDP Act.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. The updated Privacy Policy will be posted on the Website with a revised “Last Updated” date. Material changes will be notified to Users by reasonable means (which may include a notice on the Website or, for Users who have provided email addresses, by email). Continued use of the Website following such update constitutes acceptance of the updated Privacy Policy.

16. Grievance Officer

The Firm is not a Significant Data Fiduciary within the meaning of Section 2(z) of the DPDP Act. Accordingly, the Firm is not required to appoint a Data Protection Officer under Section 10(2)(a) of the DPDP Act. The Grievance Officer named in this Clause is the Firm’s principal point of contact for all matters relating to the Processing of Personal Data, including queries, requests for the exercise of Data Principal rights, and grievances.

In accordance with Rule 5(9) of the SPDI Rules and Section 8(10) of the DPDP Act, the Grievance Officer of the Firm in respect of this Privacy Policy is:

The Grievance Officer shall acknowledge receipt of any grievance within forty-eight (48) hours and endeavour to resolve the grievance within thirty (30) days from the date of receipt, in accordance with applicable law.

17. Right to approach the Data Protection Board of India

If the User is not satisfied with the resolution of a grievance by the Grievance Officer, the User may approach the Data Protection Board of India in accordance with Section 13(3) and Chapter V of the DPDP Act, as and when the Board becomes operational and the relevant procedures are notified.

18. Contact

For any questions regarding this Privacy Policy or our data practices, please contact us at: