As required under Rule 4 of the Privacy Rules, this policy explains the following:
- Clear statements of our practices and policies
- Type of personal and sensitive personal information collected
- Purpose of collection and usage of such information
- Disclosure of information
- Reasonable security practices and procedures followed
What personal information or sensitive personal information we may collect and store
The information you provide us or authorise us to possess, including:
- Name, Email Address, Phone Number of the user
- User Passwords and login credentials required to access our services
- Digital Signature Certificate information including Name, Address, Date of Birth, Parent’s/Spouse’s Name, Photo received after successful Certificate Generation
- GPS coordinates or Live Face Capture, if provided while eSigning by the user
- Stamp Form related information
- Any other kinds of information the user may provide to access our services after agreeing to our Terms of Service.
The information we collect
- We may use first party cookies to ascertain the Public IP Address of the user, the type of browser, the type of device used to access any of our products or services, and the actions performed on our products.
What personal and sensitive personal information we may collect and will NOT store
To avail of our services, the users might be required to provide us with some sensitive information including OTPs, financial information for payments, secret keys and access keys for document sharing etc. However, we make it a point to not store any such critical information or data and delete it from all our servers and technical environments after the processing of the same.
- We do not store any kind of sensitive personal information (as defined under Rule 3 of Privacy Rules) apart from user passwords. Passwords are stored only if required to access our products and services, and are stored only in an undecipherable hashed format.
- We do not store any kind of biometric information/OTP used for authentication for an Aadhaar eKYC or Aadhaar eSign Transaction. Biometrics required for Aadhaar authentication are captured directly by the Certifying Authority - NSDL, are encrypted right at the time when they are obtained, and are processed only for the particular transactions for which they are collected. Strict guidelines laid down by UIDAI for biometric authentication are followed by the Certifying Authority - NSDL. The compliance of our products with governmental guidelines, as mandatory, is regularly audited by independent third party information security auditors appointed by CERT-IN, MEITY, Govt. of India.
- We do not store any kind of financial information
- We do not store some kinds of authorization passwords, secret codes etc. where they are aimed to increase user control over their files and documents.
How information is stored
All information collected is stored in a completely secure manner, following practices such as instance isolation, one-way hashing algorithms, and symmetric and asymmetric encryption techniques, with master keys in some cases being saved on FIPS 140-2 Level 2 compliant hardware security modules. Different levels of protection and security are followed depending on the nature of the information being protected.
How personal information is processed or used
Personal information is processed or used solely for the purpose for which the information is collected and as the user was informed at the time of collection of information. Information is only used for processing of user transactions and requests on our platforms and products.
How and when is personal information disclosed
No personal or sensitive personal information that we collect is shared with third parties except for the information specifically collected to be shared with third parties, with prior consent from the user.
- All Aadhaar eKYC and eSign related transactions are processed by the Government Appointed Aadhaar eSign Certifying Authority/eSign Service Provider.
- We may also use Google Analytics to analyse user behaviour on our products (More about Google Analytics privacy can be found here: https://support.google.com/analytics/answer/6004245?hl=en).
- We may be required to disclose information to Government agencies for law enforcement, if required, in compliance with Rule 6 of the Privacy Rules.
Reasonable Security Practices followed
We follow the ISO/IEC 27001 Information Security Management System Standard to handle and secure the information dealt with by us. Compliance with the same is regularly audited by an independent third party information security auditor appointed by CERT-IN, MEITY, Govt. of India. Within the contours of our ISO 27001 compliant Information Security Policies, we follow a strict internal access control policy which is highly controlled and heavily monitored. Access of any kind is provided to an employee only after the necessary approvals and on a strict ‘need to know’ basis.
Changes to this policy
Leegality reserves the right to amend, update and change this Policy without any prior intimation to any of our users. However, any personal information or data collected at the time of applicability of this policy will be used as per this policy only. If any user refuses to agree or objects to any amendments, changes or updates in the policy, we reserve the right to not serve such users.