Privacy at Gotham.
Gotham acts as a data fiduciary for the personal data we process on behalf of Indian law firms and their clients. This policy explains what we collect, why we collect it, and how we honour our obligations under the Digital Personal Data Protection Act, 2023 (DPDP).
Effective: 2026-05-26 · Last updated: 2026-05-26
What we collect
Account data. Name, work email, firm or institution, role, and authentication metadata (including .ac.in verification for students). We collect this to create and secure your account.
Usage data. Product telemetry — features used, query volumes, latency, error traces — so we can keep the product reliable and improve it.
Matter data. Documents, pleadings, contracts, briefs, transcripts and related content uploaded by your firm or generated within a matter workspace. This data belongs to the firm and is processed strictly under instructions in the firm's MSA.
How we use it
We use account and usage data to operate, secure and improve the Gotham product. We use matter data only to deliver the workflows you ask us to run on it.
We do not train foundation models on customer matter data. Matter data is never used to train, fine-tune, or evaluate any Gotham or third-party model outside of the customer's own tenant.
Where it lives
All customer data is stored within India, in AWS's Mumbai (ap-south-1) region. Databases (Amazon RDS / Aurora PostgreSQL) are encrypted at rest using AWS KMS customer-managed keys. Object storage (S3) is encrypted with KMS and access-controlled per tenant.
In-transit traffic uses TLS 1.2+. Internal service-to-service traffic stays within private VPC subnets; nothing customer-identifiable is sent over the public internet unencrypted.
Retention
Matter data is retained for the period specified in your firm's Master Services Agreement, and is deleted or returned on request and on termination per that MSA.
Account data is retained for up to 36 months after account termination, unless a shorter period is required by law or a longer period is required to defend a legal claim.
Usage logs are retained in aggregated, de-identified form for product and security analytics. [TODO: user to confirm retention window — default 13 months.]
Your rights under DPDP
As a Data Principal under the DPDP Act, 2023, you have the right to:
Access — request a copy of the personal data we hold about you.
Correction — request correction of inaccurate or incomplete data.
Erasure — request deletion of personal data we no longer have a lawful basis to retain.
Grievance redressal — escalate any concern to our Grievance Officer.
Nominate — nominate another individual to exercise your rights in the event of your death or incapacity.
Requests from end-users of customer firms are routed through the firm in the first instance. Direct requests can be sent to privacy@trygotham.io.
Grievance Officer
In line with Section 8(9) of the DPDP Act, 2023 and Rule 5 of the Information Technology (Reasonable Security Practices) Rules, our Grievance Officer is:
Name: [TODO: user to confirm]
Email: [TODO: user to confirm]
Address: Gotham Technologies Pvt. Ltd., Bengaluru, Karnataka, India.
We acknowledge grievances within 7 working days and aim to resolve them within 30 days.
Updates to this policy
We'll update this policy as the product, our subprocessors, or the law changes. Material changes will be notified to customer firms at least 30 days in advance via email to the registered admin contact. The current version is always available at this URL.