top of page
Privacy Policy
Last Updated: March 29, 2026

IMPORTANT NOTICE

This Privacy Policy constitutes a legally binding agreement between you and Ovviously. By accessing or using our Platform after checking the consent checkbox presented at registration or login, you confirm that you have read, understood, and agreed to the terms herein. If you do not agree, you must immediately cease use of the Platform. Your continued use after any updates constitutes renewed acceptance.

1. About Ovviously


Ovviously is an AI-powered legal research and drafting platform incorporated under the laws of India. Our registered services are accessible at https://www.ovviously.com and https://www.ovviously.in (collectively, the 'Platform').

Ovviously provides AI-assisted tools for legal professionals including research, precedent finding, contract review, document drafting, and argument generation. We do not provide legal advice, legal representation, or act as a law firm under any applicable statute or bar regulation in any jurisdiction.

For the avoidance of doubt: outputs generated by Ovviously are AI-assisted suggestions only. They do not constitute legal advice and should not be relied upon as such. Users are solely responsible for reviewing, verifying, and taking accountability for any legal work product produced using this Platform.

 

2. Scope and Jurisdiction

 

This Policy applies to all users of the Platform globally, including users based in India, the United Kingdom, the United States of America, Canada, and all other jurisdictions. Where applicable, Ovviously complies with:

  • India: Information Technology Act, 2000; IT (Amendment) Act, 2008; Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (`SPDI Rules`); and the Digital Personal Data Protection Act, 2023 (`DPDPA`) as and when notified.

  • United Kingdom: UK General Data Protection Regulation ('UK GDPR') and the Data Protection Act 2018.

  • European Union / EEA: General Data Protection Regulation (EU) 2016/679 ('GDPR') where applicable.

  • United States: California Consumer Privacy Act ('CCPA') / California Privacy Rights Act ('CPRA') for California residents; and other applicable state and federal privacy laws.

  • Canada: Personal Information Protection and Electronic Documents Act ('PIPEDA') and applicable provincial privacy legislation.

To the extent any local law grants users additional rights beyond those described here, Ovviously will honour those rights to the extent reasonably practicable.

 

3. Data We Collect

 

3.1 Account and Identity Information

When you register or use the Platform, we collect:

  • Full name and email address.

  • Organization or law firm name (optional).

  • Phone number (if provided).

  • Account login credentials (stored in encrypted form).
     

3.2 Legal Queries, Prompts, and Uploaded Documents

When you interact with the Platform's AI features, we collect and process:

  • Legal queries, case descriptions, and prompts entered by you.

  • Documents uploaded for review, drafting, or analysis (which may include contracts, legal filings, correspondence, and other sensitive legal materials).

  • AI-generated outputs and your edits or annotations thereof.
     

Critical Notice: Documents and queries you submit may contain confidential, privileged, or sensitive legal information. You are solely responsible for ensuring you have appropriate authority and client consent before uploading any such material to the Platform. Ovviously processes this data solely to deliver the requested service and does not use it to train AI models without your explicit consent.
 

3.3 Payment Information

For paid plans, payment data (including card details, billing address, and transaction history) is processed exclusively by our third-party payment gateways (including Razorpay, Stripe, and/or PayPal). Ovviously does not store raw card numbers or CVV/CVCs on its own servers. Payment data is subject to PCI-DSS compliance standards maintained by the respective gateway.
 

3.4 Automatically Collected Technical Data

We automatically collect:

  • IP address, approximate geographic location, browser type, and operating system.

  • Device identifiers and session tokens.

  • Pages visited, features used, click patterns, and session duration.

  • Referral URLs and onboarding source.

  • Error logs and performance diagnostics.
     

3.5 Cookies and Tracking Technologies

We use strictly necessary cookies for Platform functionality, and optional analytics cookies to understand usage. You may manage cookie preferences through your browser settings or our cookie preference panel. Disabling certain cookies may affect Platform functionality.
 

3.6 Communications

We collect content of support requests, feedback submissions, and any other communications you send us.
 

3.7 What We Do Not Collect

  • We do not knowingly collect data from individuals under 18 years of age.

  • We do not collect biometric data, government ID numbers, or financial account credentials.

  • We do not purchase or import third-party data to enrich your profile without disclosure.

 

4. Legal Bases for Processing

 

Depending on your jurisdiction, we process your personal data on the following legal bases:

  • Contractual Necessity: Processing required to perform the service you have contracted with us, including account management, AI-assisted research and drafting, and payment processing.

  • Legitimate Interests: Analytics, fraud prevention, security, and product improvement where such interests are not overridden by your fundamental rights.

  • Legal Obligation: Where we are required by law, regulation, court order, or regulatory authority.

  • Consent: For optional data uses such as marketing communications, analytics cookies, and AI model improvement. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.

 

5. How We Use Your Data

 

We use collected data strictly for the following purposes:

  • To operate, maintain, secure, and improve the Platform.

  • To provide, personalize, and enhance AI-powered legal research and drafting features.

  • To manage your account and process payments.

  • To communicate service updates, security alerts, and support responses.

  • To detect, investigate, and prevent fraud, unauthorized access, abuse, or illegal activity

  • To comply with applicabl.e legal and regulatory obligations.

  • To conduct internal analytics and aggregate research for product improvement (using de-identified data wherever possible).
     

We will not use your legal queries, uploaded documents, or AI outputs to train machine learning models without your explicit, informed, and separately recorded consent.

 

6. Data Sharing and Disclosure


Ovviously does not sell, rent, or trade your personal data to any third party. We disclose data only as described below.
 

6.1 Trusted Service Providers

We engage third-party processors under binding data processing agreements that require confidentiality and limit their use of data to the contracted service:

  • Cloud Hosting & Infrastructure: AWS, Google Cloud, or equivalent for data storage, processing, and platform reliability.

  • AI / LLM Providers: Including Anthropic, OpenAI, or similar licensed providers who process user queries to generate legal research and drafting outputs. These providers operate under strict data processing terms and zero-retention policies where available.

  • Payment Gateways: Razorpay, Stripe, PayPal for secure payment processing under PCI-DSS standards.

  • Analytics Providers: Google Analytics, Mixpanel, or Plausible for aggregated usage analytics under applicable data processing agreements.

  • Customer Support Tools: Intercom, Freshdesk, or similar for managing support communications.
     

6.2 Legal and Regulatory Disclosure


We may disclose data when required to:

  • Comply with applicable law, statute, regulation, court order, subpoena, or government direction.

  • Protect the rights, safety, or property of Ovviously, its users, or the public.

  • Investigate or respond to suspected fraud, security incidents, or violations of this Policy or our Terms.
     

Where legally permitted, we will notify you before disclosing your data in response to a government request.
 

6.3 Business Transfers

In the event of a merger, acquisition, asset sale, restructuring, or insolvency proceeding, your data may be transferred to a successor entity. We will notify you via email or prominent notice on the Platform at least 30 days in advance, and any successor will be bound to honour the protections in this Policy or provide notice of material changes with an opportunity to object.
 

6.4 International Data Transfers

As a global platform incorporated in India, your data may be processed in jurisdictions other than your own. We ensure such transfers are governed by appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO for transfers from the UK/EEA.

  • Adequacy decisions or equivalent mechanisms under applicable law.

  • Data processing agreements with our third-party processors requiring equivalent protection.

 

7. Data Retention


We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, and no longer than required or permitted by applicable law. Our general retention periods are:

  • Account data: Duration of your account, plus up to 3 years post-closure for legal and dispute resolution purposes.

  • Legal queries and uploaded documents: For the duration of your active subscription. Upon account closure, documents are deleted within 90 days unless you request earlier deletion.

  • Payment records: Up to 7 years as required under Indian financial and tax laws.

  • Analytics and logs: Up to 24 months in aggregated/de-identified form.
     

Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised. Anonymised or aggregated data not attributable to any individual may be retained indefinitely for research and product improvement purposes.

 

8. Data Security

Ovviously implements industry-standard technical and organisational security measures, including:

  • AES-256 encryption for data at rest.

  • TLS 1.2+ encryption for data in transit.

  • Role-based access controls limiting internal data access on a need-to-know basis.

  • Regular security assessments and penetration testing.

  • Multi-factor authentication options for user accounts.

  • Incident response and breach notification protocols.
     

Despite these measures, no internet-based system can guarantee absolute security. In the event of a data breach that poses a material risk to your rights, we will notify affected users and relevant regulatory authorities within the timeframes required by applicable law (72 hours under GDPR/UK GDPR; as required under DPDPA and applicable US state laws).

You are responsible for maintaining the confidentiality of your login credentials. Notify us immediately at our feedback portal if you suspect unauthorized access to your account.

 

9. Your Rights


Depending on your jurisdiction, you have the following rights regarding your personal data:
 

9.1 Rights Available to All Users

  • Right to Access: Request a copy of the personal data we hold about you.

  • Right to Correction: Request correction of inaccurate or incomplete data.

  • Right to Deletion: Request erasure of your personal data, subject to our legal retention obligations.

  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without penalty.

  • Right to Data Portability: Receive your data in a structured, machine-readable format.

  • Right to Object: Object to processing based on legitimate interests.

  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
     

9.2 Additional Rights for UK/EEA Users (GDPR/UK GDPR)

  • Right not to be subject to solely automated decision-making with significant legal effect.

  • Right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, relevant EU DPA).
     

9.3 Additional Rights for California Residents (CCPA/CPRA)

  • Right to Know: Categories and specific pieces of personal information collected and shared.

  • Right to Opt-Out of Sale or Sharing: Ovviously does not sell personal data. However, you may exercise this right at any time.

  • Right to Limit Use of Sensitive Personal Information.

  • Right to Non-Discrimination: You will not be penalised for exercising your privacy rights.
     

9.4 Additional Rights for Canadian Users (PIPEDA)

  • Right to access and challenge the accuracy of your personal information.

  • Right to withdraw consent for non-essential processing.
     

9.5 How to Exercise Your Rights

Submit a request via our feedback portal at https://www.ovviously.in/feedback. We will verify your identity before processing the request and respond within the timeframe required by applicable law (30 days under GDPR; 45 days under CCPA; 30 days under PIPEDA). We may extend this period in complex cases and will notify you accordingly.

 

10. Platform Limitations and Legal Disclaimers


Users acknowledge and agree to the following:

  • No Legal Advice: Ovviously is a technology platform. Nothing on the Platform constitutes legal advice, legal representation, or an attorney-client relationship. Users should not rely on AI-generated outputs as substitutes for qualified legal counsel.

  • User Responsibility: Users are solely responsible for verifying the accuracy, currency, and applicability of any legal research, draft, or argument produced by the Platform before use in any legal proceeding, submission, or client matter.

  • Confidentiality: Users who upload client documents or confidential legal materials do so at their own risk and discretion. Ovviously is not responsible for breaches resulting from a user's failure to follow appropriate security practices (e.g., uploading materials from unsecured networks).

  • Jurisdictional Compliance: Users are responsible for ensuring their use of the Platform complies with applicable laws and professional conduct rules in their jurisdiction, including any bar association regulations governing the use of AI in legal practice.

  • No Guarantee of Accuracy: AI-generated legal content may contain errors, omissions, or outdated information. Ovviously makes no warranty, express or implied, regarding the accuracy or completeness of any output.

 

11. Children's Privacy


The Platform is strictly intended for professional use by individuals aged 18 years and above. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a person under 18, we will delete it promptly. If you believe such data has been collected, contact us immediately via https://www.ovviously.in/feedback.

 

12. Third-Party Links and Services


The Platform may contain links to external websites, legal databases, or tools (including LexisNexis, Indian Kanoon, legislation.gov.uk, and others). Ovviously is not responsible for the privacy practices, content, accuracy, or security of any third-party site. We recommend reviewing the privacy policy of any third-party service before interacting with it.

 

13. Cookies Policy


We use the following categories of cookies:

  • Strictly Necessary: Essential for Platform functionality and security. Cannot be disabled.

  • Analytics: Help us understand how users interact with the Platform (e.g., Google Analytics). May be disabled without affecting core functionality.

  • Preference: Remember your settings and customisations.
     

You may manage cookie settings through your browser preferences or any cookie preference tool we make available. Note that disabling analytics or preference cookies may affect your user experience.

 

14. Grievance Redressal


In accordance with the Information Technology Act, 2000, and the SPDI Rules, Ovviously has designated a Grievance Officer for data protection matters. Any user who has a complaint or concern regarding our privacy practices may contact us through:

Users in the UK or EEA who are not satisfied with our response have the right to lodge a complaint with their local data protection supervisory authority (e.g., the UK Information Commissioner's Office).

 

15. Governing Law and Dispute Resolution


This Privacy Policy is governed by and construed in accordance with the laws of the Republic of India, without regard to its conflict of law provisions.
 

Any dispute arising out of or relating to this Policy shall first be subject to good-faith negotiation. If unresolved, disputes shall be submitted to binding arbitration under the Arbitration and Conciliation Act, 1996, conducted in English in Bengaluru, India. Nothing in this clause prevents either party from seeking urgent injunctive or equitable relief from a competent court.
 

For users in the UK, EU, or other jurisdictions with mandatory local jurisdiction provisions, statutory rights under applicable law are not affected.

 

16. Policy Updates

Ovviously reserves the right to update this Privacy Policy at any time. Where changes are material, we will update the 'Last Updated' date at the top of this Policy.
 

Continued use of the Platform after the effective date of any update constitutes your acceptance of the revised Policy. If you do not agree with any update, you must discontinue use and may request deletion of your account and data.


 

Ovviously

AI-Powered Legal Research & Drafting Platform

https://www.ovviously.com  |  https://www.ovviously.in

Incorporated in India

Contact: https://www.ovviously.in/feedback

bottom of page