Privacy Policy

Specter AI (operated by Nikhil Kadian, an individual / proprietor, hereinafter “Specter,” “we,” “us,” or “our”) is the Data Fiduciary as defined under the DPDP Act, 2023 for all personal data processed through specterai.legal and its associated services.

Registered address and correspondence: Bangalore, Karnataka, India.
Contact: nikhilkadian990@gmail.com  ·  +91 7665000435

We collect the following categories of personal data:

• Identity & Contact Data: Full name, email address, phone number, and professional designation provided when you join our waitlist, request early access, or contact us.
• Usage Data: IP address, browser type, pages visited, time of access, and device identifiers collected automatically via our servers and analytics tools.
• Professional Data: Bar Council enrolment details, firm name, and practice area information provided voluntarily during onboarding.
• Document Data: Legal documents, drafts, templates, and matter files you upload to Specter for processing. This data is treated as highly sensitive and is subject to additional safeguards (see Section 7).
• Communication Data: Emails and messages you send to us, including enquiry messages submitted via the website.

We do not intentionally collect data from children below the age of 18. If you are below 18, please do not use our services.

Under Section 6 of the DPDP Act, we process your personal data only for the following specified, explicit, and legitimate purposes:

• Service Delivery: To provide, maintain, and personalise Specter's AI legal assistant features, including drafting, research, comparison, and matter memory.
• Waitlist & Access Management: To manage your early access request and communicate updates about product availability.
• Product Communication: To send you product updates, security notices, and service-related communications. You may opt out of marketing communications at any time.
• Analytics & Improvement: To understand how the product is used and improve its performance and features. Analytics data is aggregated and de-identified wherever possible.
• Legal Compliance: To comply with applicable Indian law, court orders, or regulatory requirements.
• Fraud Prevention & Security: To detect, investigate, and prevent fraudulent or unauthorised activity.

We will not process your personal data for any purpose other than those stated above without obtaining fresh, explicit, and informed consent from you as required by the DPDP Act.

In accordance with Sections 5 and 6 of the DPDP Act, we provide this notice clearly and in plain language before or at the time of collecting your personal data. Your submission of personal data through our website constitutes free, specific, informed, unconditional, and unambiguous consent.

You have the right to withdraw consent at any time by writing to us at nikhilkadian990@gmail.com. Withdrawal of consent will be without prejudice to the lawfulness of processing based on consent before its withdrawal. It may, however, result in inability to access certain services.

We do not sell your personal data. We may share your data with the following categories of third parties solely to the extent necessary for service delivery:

• AI Model Providers: Underlying large language model APIs (such as Google Gemini or Anthropic Claude) for processing document drafts and research queries. These providers are contractually bound to zero-retention and non-training obligations on your data. We do not share identifying personal information with model providers unless strictly required.
• Cloud Infrastructure: Vercel (hosting and deployment) and Neon PostgreSQL (database). Data in transit is encrypted via TLS 1.3 and data at rest is encrypted via AES-256.
• Analytics: Vercel Analytics is used to track aggregated usage patterns. No personally identifiable information is shared with Vercel Analytics beyond what is necessary for standard web analytics.
• E-Signature Providers (future feature): eMudhra or Zoho Sign, both India-compliant digital signature platforms, for document signing workflows. You will be notified and asked for additional consent before this feature is enabled for your account.

All third-party processors are required to process your data only on our instructions and in compliance with applicable data protection law.

Some of our third-party service providers operate servers outside India. Any transfer of your personal data outside India is made in compliance with Section 16 of the DPDP Act and applicable Central Government notifications. We ensure that equivalent data protection measures are in place through contractual clauses and processor agreements.

Document data and matter files are stored on Indian data centres to the maximum extent practicable.

We implement reasonable security practices and procedures as required under Rule 8 of the IT Rules, 2011 and Section 8(5) of the DPDP Act, including:

• AES-256 encryption for data at rest.
• TLS 1.3 encryption for all data in transit.
• Role-based access controls restricting data access to authorised personnel only.
• Regular security audits and vulnerability assessments.
• Document data and legal matter files are logically isolated per client account and not accessible across accounts.

In the event of a personal data breach, we will notify the affected Data Principals and the Data Protection Board of India within the timelines prescribed under the DPDP Act.

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by applicable law:

• Waitlist / Contact Data: Retained until your access request is fulfilled or you request deletion, and for a further period of 1 year for internal records.
• Account & Usage Data: Retained for the duration of your active use of Specter and for 1 year after account closure.
• Document / Matter Data: Retained for the duration of your subscription. Upon termination or deletion request, document data is permanently deleted within 30 days.

Data required to be retained for compliance with applicable law (e.g., GST, tax records) will be retained for the statutory period notwithstanding any deletion request.

Under the DPDP Act, 2023, you have the following rights as a Data Principal, exercisable by writing to our Grievance Officer:

• Right to Access (Section 11): The right to obtain a summary of personal data processed by us and the processing activities undertaken.
• Right to Correction and Erasure (Section 12): The right to correct inaccurate or outdated personal data, and to erase personal data where it is no longer necessary for the purpose it was collected.
• Right to Grievance Redressal (Section 13): The right to have your grievances addressed by us within the time prescribed, and thereafter by the Data Protection Board of India.
• Right to Nominate (Section 14): The right to nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, please contact our Grievance Officer with your details and the specific right you wish to exercise. We will respond within 30 days of receipt of a valid request.

In accordance with Section 13 of the DPDP Act and Rule 5 of the IT Rules, 2011, we have designated a Grievance Officer:

Our website uses essential cookies to ensure basic functionality and secure operation. We use Vercel Analytics for aggregate, anonymised usage analytics which does not use third-party advertising cookies. You may control cookie settings through your browser; however, disabling essential cookies may impact the functionality of the website.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Where changes are material, we will notify you by email (if we have your contact details) or by a prominent notice on the website at least 15 days prior to the change taking effect. Continued use of our services after the effective date of the revised policy constitutes your acceptance of the changes.

For any privacy-related queries, concerns, or requests, please first contact our Grievance Officer. If your concern is not satisfactorily resolved, you may approach the Data Protection Board of India once constituted under the DPDP Act, 2023, or any other competent regulatory or judicial authority having jurisdiction.