DPDP Act Compliance
Last updated: 30 March 2026
LexiReview is fully committed to compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"). As a platform that processes contracts containing personal data, we recognise our obligations both as a Data Fiduciary for our users' account data and as a Data Processor when handling documents on behalf of our customers.
Our Role Under the DPDP Act
As a Data Fiduciary
When we collect and process your personal data (account information, contact details, usage data) to provide our services, we act as a Data Fiduciary and bear all obligations under the DPDP Act accordingly.
As a Data Processor
When you upload contracts for AI review, those documents may contain personal data of third parties. In this context, you are the Data Fiduciary and LexiReview processes data on your behalf. Our processing is strictly limited to providing the contracted services.
Lawful Purpose and Consent
- We collect personal data only for specified, clear, and lawful purposes directly related to providing AI contract intelligence services.
- Consent is obtained through clear, affirmative action at the time of account creation.
- We provide granular consent options — you can consent to essential processing while opting out of analytics or marketing communications.
- Consent can be withdrawn at any time through your account settings or by contacting our Data Protection Officer.
- Upon withdrawal of consent, we cease processing and delete relevant data within the timeframes specified in our Privacy Policy.
Data Principal Rights
We uphold all rights of Data Principals as defined in the DPDP Act:
Right to Access (Section 11)
You can request a summary of your personal data being processed, the processing activities being carried out, and the categories of third parties with whom your data has been shared. We respond to access requests within 72 hours.
Right to Correction and Erasure (Section 12)
You can request correction of inaccurate personal data or erasure of data that is no longer necessary for the purpose for which it was collected. Correction requests are processed within 48 hours. Erasure requests are completed within 30 days, subject to legal retention requirements.
Right to Grievance Redressal (Section 13)
Our Grievance Officer is available to address any concerns regarding the processing of your personal data. Grievances are acknowledged within 24 hours and resolved within 30 days.
Right to Nominate (Section 14)
You can nominate an individual to exercise your data rights in the event of your death or incapacity. Nominations can be registered through your account settings.
Data Protection Measures
- Encryption — AES-256 at rest, TLS 1.3 in transit for all personal data.
- Access controls — Role-based access under the least-privilege principle. Only authorised personnel access personal data, and only for specified purposes.
- Audit trails — Chain-hashed SHA-256 audit trails log every access and processing action on personal data.
- Data minimisation — We collect and process only the minimum personal data necessary for each specified purpose.
- Purpose limitation — Personal data is used only for the purpose for which it was collected. No secondary use without fresh consent.
- Storage limitation — Data is retained only as long as necessary. Automated deletion schedules ensure data is not held beyond its useful life.
Data Localisation
All personal data processed by LexiReview is stored on servers located in India. We do not transfer personal data outside India except where explicitly permitted under the DPDP Act and with appropriate safeguards in place. Cross-border transfers, if any, will only occur to jurisdictions notified by the Central Government as permissible.
Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Data Protection Board of India within the prescribed timeframe.
- Notify affected Data Principals without undue delay.
- Provide clear information about the nature of the breach, the data affected, and the steps taken to mitigate the impact.
- Document the breach in our incident response log with chain-hashed audit trail entries.
Children's Data
LexiReview is a business platform designed for professional use. We do not knowingly process personal data of children (individuals below 18 years of age). If we become aware that we have inadvertently collected a child's data, we will delete it promptly.
Third-Party Data Processors
Where we engage third-party service providers who process personal data on our behalf, we ensure:
- Data processing agreements are in place with all sub-processors.
- Sub-processors meet equivalent data protection standards.
- Processing is limited to the specific services contracted.
- Sub-processor compliance is audited regularly.
Helping You Comply
Beyond our own compliance, LexiReview helps your organisation meet DPDP Act obligations:
- Contract review — Our AI engines check your contracts for DPDP-compliant data protection clauses, flagging gaps in consent mechanisms, data principal rights, and cross-border transfer provisions.
- Contract generation — The Contract Generation Wizard includes DPDP-compliant clauses in every relevant contract type by default.
- LexiBrain alerts — Our regulatory intelligence system monitors DPDP Act rules, notifications, and amendments, alerting you when your contracts need updating.
- Compliance certificates — Generate compliance assessment reports for your contract portfolio.
Grievance Officer
In accordance with the DPDP Act, our Grievance Officer can be contacted at:
- Email: grievance@lexireview.in
- Response time: Acknowledgement within 24 hours, resolution within 30 days.
Data Protection Officer
For all data protection inquiries:
- Email: privacy@lexireview.in
For more details on how we handle your data, see our Privacy Policy. For questions about platform security, visit our Security page.