Afifa Legal Aid — Your Privacy Rights and Our Data Protection Practices
Afifa Legal Aid ("we," "our," "us," "the Firm," or "Legal Practice"), operating as a registered High Court legal practice under the Advocates Act, 1961, and regulated by the Bar Council of India, is fundamentally committed to protecting the privacy, confidentiality, and security of all client information and personal data. This Comprehensive Privacy Policy is formulated in strict compliance with the Information Technology Act, 2000 (as amended), the Indian Evidence Act, 1872 (particularly Section 126 which safeguards attorney-client communications), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Bar Council of India Rules on Professional Standards, and relevant provisions of the Constitution of India regarding privacy rights as affirmed by the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017).
As a legal practice, we are bound by professional confidentiality obligations and take the protection of personal and sensitive information with the utmost seriousness. This policy reflects our dedication to transparency and data protection in compliance with applicable laws, including the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Site or provide us with any personal information.
Attorney-Client Privilege Notice: This Privacy Policy supplements but does not supersede the sacred attorney-client privilege relationship governed by Section 126 of the Indian Evidence Act, 1872. All communications, consultations, and information shared within our professional relationship enjoy absolute confidentiality protection under Indian law. No information disclosed in furtherance of legal representation shall be disclosed to any third party except with your explicit consent or under compulsion of law. The privilege survives the termination of our engagement and continues indefinitely.
This policy applies comprehensively to all personal data processed by Afifa Legal Aid in the following contexts: (a) when you access our digital platforms including our primary website (afifalegalaid.durrany.com), any associated subdomains, mobile applications, or online portals; (b) when you engage our legal services as a client through formal retainer agreements, consultation agreements, or legal service contracts; (c) when you submit inquiries via contact forms, email communications, telephone consultations, or in-person meetings; (d) when you schedule consultations through our online scheduling system, telephone appointments, or direct email coordination; (e) when you participate in legal proceedings where we act as your legal counsel in courts, tribunals, arbitration proceedings, or alternative dispute resolution mechanisms; and (f) when you interact with our services including document submissions, evidence sharing, witness coordination, or legal research collaborations.
We collect and process personal data across multiple categories to provide comprehensive, effective, and legally compliant legal services. The following table describes the categories of information we collect, specific data elements, the purpose of collection, and our standard retention periods:
| Data Category | Specific Data Elements Collected | Collection Purpose & Legal Basis | Retention Period |
|---|---|---|---|
| Core Identity Information | Complete legal name (as per official documents), date of birth, gender identification, recent photograph, specimen signature, PAN number (Permanent Account Number), Aadhaar number (collected only with explicit written consent), passport details, voter ID, driving license, ration card, GSTIN (if applicable) | Client verification per KYC norms mandated by Bar Council of India, court document preparation, identity verification for legal proceedings, compliance with anti-money laundering regulations under PMLA, 2002 | 7 years post-case closure or as mandated by specific statutes |
| Contact & Communication Data | Current residential address (proof required for records), permanent address, email addresses (primary and secondary), mobile numbers (primary and secondary), landline numbers, emergency contact details, preferred communication methods, time zone for coordination | Case communication, document delivery, hearing notifications, emergency contact during legal proceedings, service delivery coordination, court notice service | Active case period + 7 years |
| Case-Specific Legal Information | Complete case history, legal documents (pleadings, affidavits, contracts, wills, agreements), court filings, witness statements, evidence documentation, medical records (with explicit consent), financial records related to cases, property documents, contractual agreements, correspondence with opposing parties, arbitration materials | Legal representation, case strategy development, court submissions, evidence preparation, legal research, client counseling, and fulfillment of fiduciary duties | Minimum 7 years post-case closure; longer for specific case types involving minors or perpetual injunctions |
| Financial & Billing Information | Bank account details (for refunds/payments), payment history, billing addresses, invoice records, tax identification numbers, retainer agreement details, fee structure agreements, payment method preferences, credit/debit card details (encrypted and never stored in plain text) | Financial transactions, accounting compliance under Income Tax Act, 1961, tax reporting, fee collection, payment processing, financial dispute resolution | 10 years as per Income Tax Act, 1961 requirements |
| Technical & Digital Footprint | IP addresses, browser type & version, device information (make, model, operating system), operating system details, time zone settings, location data (with consent), website usage patterns, cookie identifiers, login timestamps, referring URLs, pages viewed, time spent on pages | Website security, service improvement, analytics, fraud prevention, system optimization, user experience enhancement, and detection of malicious activity | 26 months for analytics data; session-based for security logs |
In accordance with Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we recognize the following as Sensitive Personal Data or Information (SPDI). Such data receives enhanced protection and is processed only under strict conditions:
When relevant to legal proceedings (personal injury cases, medical negligence claims, disability benefits, mental health proceedings, or insurance disputes), we may process: complete medical diagnosis and treatment records, hospital admission and discharge summaries, prescription histories and medication records, psychological evaluation reports, disability certification and assessment reports, genetic data and hereditary information (with explicit written consent), and laboratory test results.
For fee collection and financial transactions, we process: bank account passwords (encrypted at rest and in transit using AES-256), credit/debit card CVV numbers (never stored in plain text; transmitted directly to payment gateways), financial transaction PINs and security codes (zero-knowledge architecture), digital signature certificates and cryptographic keys (stored in hardware security modules where applicable).
In specific circumstances requiring identity verification (such as court-ordered identification or execution of certain legal documents), we may process: fingerprint data (for verification purposes with informed consent), facial recognition data (with explicit consent and only when legally required), voice recognition patterns (for recorded statements or testimony verification), and other biometric identifiers as mandated by law.
Special Processing Notice for Sensitive Data: Sensitive Personal Data is processed only with your explicit, informed, written consent, except where processing is necessary for the establishment, exercise, or defense of legal claims, or where processing is necessary for reasons of substantial public interest (such as prevention of serious threat to health or safety). You have the absolute right to withdraw consent for processing of sensitive data at any time, subject to legal obligations that may require continued retention.
All data processing activities conducted by Afifa Legal Aid are grounded in one or more of the following legal bases, as recognized under Indian law and consistent with global data protection principles:
Processing is necessary for the performance of our legal services contract with you, including execution of retainer agreements and legal service contracts, provision of legal advice and representation services, case preparation and court representation activities, document preparation and legal filing requirements, and communication regarding case developments and legal strategies.
Processing is necessary for compliance with our legal obligations under the Advocates Act, 1961 and Bar Council regulations, Income Tax Act, 1961 for financial record keeping, court rules and procedural requirements, anti-money laundering and KYC regulations (PMLA, 2002), and evidence preservation requirements for ongoing or anticipated litigation.
Processing is necessary for the purposes of our legitimate interests, including practice management and administrative operations, client relationship management and service improvement, professional development and legal research, network and information security protection, prevention of fraud and unauthorized access, and internal business analytics.
Processing is based on your freely given, specific, informed, and unambiguous consent for marketing communications and legal updates, processing of sensitive personal data categories beyond legal requirements, data sharing with third parties beyond what is legally mandated, and participation in legal research, case studies, or publications (with anonymization where possible).
Case Analysis & Strategy Development: We conduct comprehensive legal analysis, precedent research across Indian courts, and strategy formulation based on the specific facts and evidence you provide. This includes reviewing case laws from the Supreme Court of India, various High Courts, and specialized tribunals to build the strongest possible legal position for your matter.
Document Preparation & Management: Our practice involves drafting legal documents including plaints, written statements, petitions, affidavits, rejoinders, contracts, legal notices, and correspondence with opposing counsel. All documents are prepared with strict confidentiality and reviewed for accuracy before filing.
Court Representation & Advocacy: We prepare for court appearances, hearing representation before judges and magistrates, legal argument development, cross-examination preparation, and submission of written notes. Your data enables us to effectively advocate on your behalf.
Legal Research & Analysis: Our team conducts jurisprudential research, statutory interpretation, case law analysis, and legal database searches to support your case. This includes reviewing recent judgments, amendments to statutes, and legal commentaries.
Client Counseling & Advice: We provide legal opinions, risk assessment reports, strategy recommendations, and regular updates on case progress based on your specific situation and legal needs.
Regular Case Updates: We provide timely communication regarding case developments, hearing dates, filing deadlines, court orders, and next steps. You will receive updates via your preferred communication method.
Document Exchange Management: Secure transmission and receipt of legal documents, evidence, and correspondence through encrypted channels, physical delivery with tracking, or secure client portals.
Appointment Scheduling: Coordination of meetings, consultations, court appearances, deposition schedules, and client conferences to ensure efficient case management.
Emergency Contact Procedures: Critical communication during urgent legal developments, emergency hearings, or time-sensitive matters requiring immediate client input or action.
Attorney-Client Privilege Protection: Our primary duty is to protect your confidential information. We only disclose information when absolutely necessary for your legal representation, when required by law, or when you provide explicit written consent. We never sell, rent, or trade your personal information for commercial purposes.
We may be legally obligated to disclose your information to the following entities under specific circumstances:
We may share information with trusted service providers under strict confidentiality agreements, including: court filing services, process servers, transcription services, expert witnesses (with your consent), IT service providers, cloud storage providers (using encrypted storage), payment processors (PCI DSS compliant), and legal research database providers (anonymized where possible).
We implement industry-leading technical security measures to protect your data: Enterprise-grade encryption using AES-256 for data at rest and TLS 1.3 protocol for data in transit; Next-generation firewalls with intrusion detection/prevention systems (IDS/IPS); Distributed Denial of Service (DDoS) protection; Role-based access control (RBAC) ensuring that only authorized personnel access specific data; Multi-factor authentication (MFA) for all system access; Privileged access management with session recording; Regular security assessments including quarterly vulnerability scans, annual penetration testing by certified third-party security firms, and continuous security monitoring through SIEM (Security Information and Event Management) systems.
All staff members undergo mandatory data protection and confidentiality training upon hiring and annually thereafter. We maintain written information security policies, incident response procedures, and data breach notification protocols. Access to client data is granted on a strict need-to-know basis, and all access is logged and audited regularly. We enforce clean desk policies and secure disposal of physical documents through cross-cut shredding.
| Data Category | Standard Retention Period | Extended Retention Circumstances | Destruction Protocol |
|---|---|---|---|
| Active Case Files | Duration of legal proceedings + 7 years | Appeal periods (additional 90 days), minor clients (until age 25), perpetual injunctions or ongoing court monitoring, pending fee disputes | Secure shredding for physical documents; cryptographic erasure (NIST 800-88 compliant) for digital data |
| Financial Records | 10 years from financial year end | Tax audits under Section 153 of Income Tax Act, pending investigations by tax authorities, disputed transactions under litigation | Certified destruction with detailed audit trail maintained |
| Consultation Inquiries (non-client) | 3 years from last contact | Ongoing communication, potential future engagement, conflict check requirements | Secure deletion or anonymization |
| Website Analytics & Cookies | 26 months maximum | Legal hold for ongoing investigations | Automatic deletion or aggregation |
After the retention period expires, personal data is securely deleted, anonymized, or destroyed in accordance with applicable laws and industry best practices. You may request early deletion of your data where legally permissible.
Under Section 11(1) of the Information Technology Act, 2000, and the SPDI Rules, 2011, you have the right to: (a) obtain confirmation of whether we process your personal data; (b) access your personal data in a structured, commonly used, and machine-readable format; (c) receive information about processing purposes, categories of data, and recipients; (d) know the source of data if not collected directly from you; (e) request correction of inaccurate or incomplete data; and (f) withdraw consent for processing where consent is the legal basis.
If you are a resident of the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR): Right to Access (Article 15), Right to Rectification (Article 16), Right to Erasure (Article 17 - "Right to be Forgotten") under specified conditions, Right to Restrict Processing (Article 18), Right to Data Portability (Article 20), Right to Object to processing based on legitimate interests (Article 21), and Right to Withdraw Consent at any time (Article 7). To exercise any GDPR right, contact our Data Protection Officer using the information in Section 14.
California residents have rights under the California Consumer Privacy Act (CCPA), as amended by CPRA: Right to Know what personal information we collect, use, share, and sell (we do not sell your information); Right to Delete personal information subject to exceptions; Right to Opt-Out of the sale of personal information; Right to Correct inaccurate personal information; Right to Limit Use of Sensitive Personal Information; and Right to Non-Discrimination for exercising any privacy rights.
To exercise any of your privacy rights: Please submit a verifiable request to afifa@durrany.com. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request. There is no fee for exercising your rights, though reasonable charges may apply for manifestly unfounded or excessive requests.
We use cookies and similar tracking technologies (web beacons, pixels, local storage, and session storage) to enhance your browsing experience, analyze site traffic, and understand user behavior. Cookies are small text files placed on your device when you visit our website.
| Cookie Type | Purpose | Duration | User Control |
|---|---|---|---|
| Essential/Strictly Necessary Cookies | Required for basic website functionality, security, authentication, language preference storage, and session management. Cannot be disabled without affecting site operation. | Session / Persistent (up to 1 year) | Automatic; cannot opt out |
| Analytics/Performance Cookies | Help us understand how visitors interact with our website (e.g., Google Analytics, heatmaps). Collect anonymous usage data. | Up to 2 years | Browser settings or opt-out tools |
| Functional Cookies | Remember your preferences, settings, form inputs, and language choices to enhance user experience and save you time. | Up to 1 year | Browser settings |
| Marketing/Targeting Cookies | Used to deliver relevant advertisements, track advertising performance, and limit ad repetition. Set by third-party ad networks like Google AdSense. | Up to 90 days | Opt-out via Google Ads Settings or NAI opt-out page |
We may use Google AdSense to display advertisements on our Site. Google, as a third-party vendor, uses cookies to serve ads based on a user's prior visits to our website and other websites. Google's use of the DART cookie enables it and its partners to serve ads to our users based on their visit to our Site and/or other sites on the Internet. You may opt out of personalized advertising by visiting Google's Ads Settings at https://www.google.com/settings/ads or the Network Advertising Initiative opt-out page at https://www.aboutads.info/choices/. For more information on how Google uses data, please review Google's Privacy Policy at https://policies.google.com/privacy.
Most web browsers allow you to control cookies through their settings preferences. You can typically: view and delete cookies stored on your device; block third-party cookies; block all cookies entirely; and receive notifications when cookies are being set. However, if you limit or disable cookies, your overall user experience may be degraded and/or you may lose functionality of certain parts of the Site, such as language preference persistence.
Our Services are not directed to children under the age of 18 years. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and you are aware that your child has provided us with personal information without your consent, please contact us immediately. If we become aware that we have collected personal information from children under 18 without verification of parental consent, we will take steps to remove that information from our servers within 72 hours. In matters involving minor clients, we collect information only through their legal guardians or parents, and all processing is done with explicit parental consent and in accordance with applicable laws regarding representation of minors.
In the event of a data breach (unauthorized access, acquisition, disclosure, or loss of personal data), we have established a comprehensive breach response protocol: (1) Immediate containment to prevent further unauthorized access; (2) Internal investigation by our incident response team within 24 hours; (3) Assessment of breach scope, affected data categories, and number of affected individuals; (4) Notification to affected individuals without undue delay (typically within 72 hours) describing the nature of the breach, types of information involved, and recommended protective measures; (5) Notification to relevant regulatory authorities (including CERT-In and IT Ministry) as required under the Information Technology Act and SPDI Rules; (6) Engagement of forensic experts to determine cause and prevent recurrence; (7) Implementation of additional security measures to remediate vulnerabilities; and (8) Offering credit monitoring or identity protection services where appropriate and required by law.
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, operational needs, or technological advancements. Material changes will be notified by: (a) posting the new Privacy Policy on this page with an updated "Last Updated" date; (b) sending an email notification to registered users (where contact information is available); and/or (c) displaying a prominent notice on our website homepage for 30 days. The version history is maintained, and previous versions are available upon request. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page. Your continued use of our services after any modifications indicates acceptance of the updated terms.
Any disputes, claims, or causes of action arising out of or related to this Privacy Policy, your use of our website, or our data processing activities shall be governed by and construed in accordance with the laws of India, without regard to its conflict of laws principles. The exclusive jurisdiction and venue for any legal proceedings relating to this Privacy Policy shall be the competent courts located in Indore, Madhya Pradesh, India. You agree to submit to the personal jurisdiction of such courts for the purpose of litigating any such claims. In the event of any dispute, we encourage you to first contact us to seek an informal resolution. If informal resolution fails, the dispute shall be resolved through binding arbitration under the Arbitration and Conciliation Act, 1996, conducted in Indore in the English language, before a single arbitrator mutually agreed upon by both parties.
Afifa Legal Aid
Name: Advocate Afifa Durrany
Designation: Principal Advocate & Grievance Officer
Email: afifa@durrany.com (Primary) | privacy@afifalegalaid.com (Dedicated Privacy Channel)
Office: +91-898-912-5126 (Monday-Friday, 10:00 AM - 6:00 PM IST)
Chamber Address: 123, M G Road, Indore, Madhya Pradesh - 452001, India
Website: https://afifalegalaid.durrany.com
Response Commitment: Acknowledgement within 24 hours (1 business day) | Resolution within 15 working days from receipt of complete complaint
To file a grievance: Please send a written complaint via email with the subject line "PRIVACY GRIEVANCE - [Your Name]". Include your full name, contact information, a detailed description of your concern, and any supporting documentation. You will receive an acknowledgement within 24 hours and a unique tracking number.
Emergency Protocol: For urgent privacy breaches or security incidents requiring immediate attention (such as active unauthorized access to your data), please mark your communication as "URGENT - PRIVACY INCIDENT" in the subject line and call our emergency line +91-898-912-5126 during business hours. After hours, please send an email marked "HIGH PRIORITY" and we will respond within 4 hours.