Privacy & Cookie Policy
Last Updated: June 2026
Two Documents, One Standard
This policy governs your interaction with our websites as a visitor or prospective client. The handling of personal data once you become a retained client is governed separately and in greater detail by your Engagement Letter / Legal Retainership Agreement and the data protection terms incorporated therein.
Where this Website Privacy & Cookie Policy and a signed engagement agreement differ in respect of client matter data, the engagement agreement prevails.
1. Introduction & Scope
AMLEGALS ("Firm", "we", "us", or "our") sets forth in this Privacy & Cookie Policy its practices concerning the collection, use, retention, disclosure and protection of personal data, in accordance with:
- The Digital Personal Data Protection Act, 2023 ("DPDPA") and the Rules framed thereunder (India)
- The Information Technology Act, 2000 and the rules made under it
- The General Data Protection Regulation ("GDPR"), Regulation (EU) 2016/679, where applicable
- Other applicable international data protection frameworks
2. Platforms Covered by This Policy
This policy applies to the following AMLEGALS-operated domains (collectively, the "Platforms"):
- amlegals.com and amlegals.in - the firm's primary websites
- amlegalsdpdpa.com - our data privacy / DPDPA knowledge platform
- amlegalsai.com - our AI law & governance platform
These are primarily informational websites. We do not deploy advertising or behavioural-tracking cookies, third-party analytics, or marketing pixels for browsing. Where a specific page or sub-domain uses a strictly necessary security cookie, an enquiry / intake form, or an embedded third-party component (for example, a map or a video player), that page will say so and will operate as described in Section 4 (Cookies) and Section 6 (Data Processors). We do not assert a universal "no-collection" rule for any page where a form or embed is in fact present.
3. Information We Collect
3.1 Browsing the website. When you simply read our pages, we do not require you to provide personal data and we do not profile you for advertising.
3.2 When you contact us or submit a form. If you use a contact form, request a briefing, subscribe to an update, or otherwise approach us to engage our services, we collect the data you choose to provide - typically your name, organisation, email address, phone number and the details of your enquiry.
3.3 When you become a client. On engagement we may additionally process Identity Information (professional credentials, organisation affiliation), Engagement Details (scope of matter), KYC documentation, and Transactional Information (billing and payment records). The detailed handling of this category is set out in your Engagement Letter / Retainership Agreement.
4. Cookies & Tracking
Strictly Necessary Only
Our Platforms do not use advertising cookies, cross-site tracking, behavioural analytics or marketing pixels. We may use a minimal number of strictly necessary cookies required for site security, load-balancing and basic functionality (for example, to remember that you have dismissed a notice). These cannot be switched off without breaking the site and do not require consent under applicable law. If, in the future, any Platform introduces optional or third-party cookies, we will first present a granular cookie banner allowing you to accept or reject each non-essential category, and this section will be updated accordingly.
5. Consent & Itemized Notice (DPDPA Section 5)
Where we process personal data on the basis of your consent, that consent is preceded or accompanied by a clear, itemised notice describing the personal data sought and the purpose of processing, as required by Section 5 of the DPDPA. Each enquiry, intake and subscription form on our Platforms therefore carries an explicit consent notice in substantially the following terms:
"By submitting this form, you acknowledge that AMLEGALS will process your name, email address and the details you provide strictly to respond to your enquiry, on the basis of your consent. You may withdraw this consent at any time, as easily as it was given, by writing to [email protected]. For details of your rights and our data deletion practices, please see this Privacy & Cookie Policy."
Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal, and may, where applicable, prevent us from continuing to provide a requested service.
6. Sharing With Data Processors
We do not sell or rent your personal data. In the course of operating the firm and delivering legal services, we engage a limited number of trusted third-party Data Processors, including:
- Enterprise cloud storage and productivity providers (for example, Microsoft 365 / OneDrive or Google Workspace)
- Secure, access-controlled email and document management services
- Encrypted legal billing and practice-management software
Each such processor acts only on our documented instructions and is bound by contractual confidentiality and data-protection obligations. We may also disclose information where required by law, court order, or a competent regulatory or statutory authority.
7. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, after which it is securely destroyed or anonymised:
- Prospective enquiries that do not result in a legal engagement are deleted within six (6) months of the last substantive communication.
- Active client case files, transaction records and KYC documents are securely retained for seven (7) years following the conclusion of the matter, to comply with statutory tax, anti-money-laundering, and professional-indemnity obligations, after which they are permanently destroyed or anonymised.
- Where a longer period is mandated by law, regulation, or a pending legal proceeding, data is retained only for that mandated period.
8. Legal Basis for Processing
8.1 Consent: for enquiries, subscriptions and prospective-client communications.
8.2 Contractual necessity: for processing essential to perform legal services under an engagement agreement.
8.3 Legal obligation / legitimate uses: for compliance with applicable law, including professional-conduct rules and anti-money-laundering requirements.
9. Data Security
All personal data is protected using reasonable, industry-standard security safeguards, including encryption in transit, access controls on a need-to-know basis, and secure storage. We maintain strict confidentiality consistent with legal professional privilege and our client-confidentiality obligations. In the event of a personal-data breach, we will notify the Data Protection Board of India and affected individuals in the manner and within the timelines prescribed under the DPDPA.
10. Your Rights
Subject to applicable law, you have the right to:
- Access a summary of the personal data we process about you
- Request correction, completion or updating of inaccurate data
- Request erasure of your data (subject to legal retention requirements)
- Withdraw consent at any time
- Nominate another individual to exercise your rights in the event of death or incapacity (DPDPA)
- Have your grievance redressed through the channel below
- Lodge a complaint with the Data Protection Board of India or the relevant supervisory authority
11. Grievance Redressal & Exercise of Rights
To exercise any of the rights above, or to raise a complaint regarding your data, you may contact our designated Grievance Officer:
Grievance Officer / Data Protection Officer
Rohit Lalwani, Associate Partner
Email: [email protected]
201-203, Westface, Near Baghban Party Plot, Zydus Hospital Road, Thaltej, Ahmedabad - 380059, Gujarat, India
We will acknowledge your request within 48 hours and resolve it within the statutory timelines prescribed under the DPDPA and applicable law.
12. International Data Transfers
Our Platforms and data are primarily hosted on secure servers located in India (including reputable cloud infrastructure such as data centres in the Mumbai region). Where we process the personal data of individuals in the EU/EEA or the UK, and a cross-border transfer occurs, that transfer is safeguarded by appropriate measures recognised under the GDPR, such as the European Commission's Standard Contractual Clauses (SCCs), supplemented by technical and organisational measures where legally required. The DPDPA permits transfer of personal data outside India except to territories specifically restricted by the Central Government; we comply with any such restriction.
13. Contact Information
For general privacy queries you may also reach the firm at:
AMLEGALS
201-203, Westface, Near Baghban Party Plot,
Zydus Hospital Road, Thaltej,
Ahmedabad - 380059, Gujarat, India
General email: [email protected]
Privacy & grievances: [email protected]
Phone: +91-8448548549
See also our contact page to reach a partner directly.
14. Updates to This Policy
We may update this Privacy & Cookie Policy from time to time to reflect changes in our practices or applicable laws. Any changes will be posted on this page with an updated revision date.