Last updated 26 April 2026
Privacy Policy
1. Introduction
1.1 This Privacy Policy explains how Themis ("Themis," "we," "our," or the "Service") handles personal data when you use our website, applications, and services.
1.2 Themis is an Indian-domiciled service that provides general legal-awareness information about Indian law. We are a "Data Fiduciary" within the meaning of the Digital Personal Data Protection Act, 2023 ("DPDP Act") in respect of the personal data we process.
1.3 By using the Service, you confirm that you have read this Policy and the consent notice presented to you at sign-up. If you do not agree with how we handle personal data as described here, please do not use the Service.
2. Who This Policy Applies To
2.1 This Policy applies to all users of the Service. The Service is intended for use only by individuals who are at least 18 years of age and are physically present in India.
2.2 Consistent with Section 9 of the DPDP Act, we do not knowingly collect or process the personal data of children (individuals below 18 years of age). If we become aware that we have inadvertently collected such data, we will delete it without undue delay.
3. Personal Data We Collect
3.1 Account data. When you create an account, we collect identifiers such as your name (where you provide one), email address, and authentication identifiers issued by the sign-in provider you choose.
3.2 Usage data. We collect the questions, prompts, files, and other content you submit to the Service ("User Inputs"), and the responses generated by the Service. We may also collect timestamps and conversation identifiers necessary to deliver the Service.
3.3 Technical data. When you access the Service, we receive standard technical signals including IP address, browser type, device type, and operating system.
3.4 Payment data. If you purchase a paid plan, our payment processor collects the information necessary to complete the transaction (such as cardholder name, payment instrument identifiers, and billing details). We do not store full card numbers, CVV codes, or banking credentials on our servers.
3.5 Communications data. If you contact us by email or through any support channel, we retain that correspondence and any information you choose to share in it.
3.6 We may infer information from the data above (for example, the broad subject area of your queries) for the limited purposes set out in Section 4.
4. Purposes of Processing and Lawful Basis
4.1 We process your personal data for the following purposes, each of which is supported by a lawful basis under Section 4 of the DPDP Act (consent or certain legitimate uses):
| Purpose | Lawful basis |
|---|---|
| Creating and authenticating your account | Consent; performance of the user agreement |
| Delivering responses to your queries | Consent; performance of the user agreement |
| Maintaining conversation history within your account | Consent |
| Processing payments and managing subscriptions | Performance of the user agreement; legal obligations |
| Preventing fraud, abuse, and security incidents | Legitimate use under DPDP Section 7 |
| Complying with applicable Indian law and lawful requests from authorities | Legal obligation |
| Communicating service updates, billing notices, and policy changes | Performance of the user agreement |
| Aggregated, de-identified analytics to operate and improve the Service | Legitimate use; aggregated data is no longer personal data once de-identified |
4.2 We do not use your personal data for purposes incompatible with those set out above.
5. How We Do NOT Use Your Data
5.1 We do not train artificial-intelligence models on your User Inputs or on the responses generated for you. Your conversations are not used to retrain or fine-tune any model operated by us or by our service providers, and we have configured our service providers accordingly to the extent reasonably available.
5.2 We do not sell your personal data.
5.3 We do not share your personal data with advertising networks for behavioural-advertising purposes.
5.4 We do not use the contents of your conversations to make any decision that produces a legal or similarly significant effect on you, beyond the operation of the Service itself.
6. Service Providers (Subprocessors)
6.1 To operate the Service, we engage a small number of reputable service providers under written contracts that bind them to appropriate confidentiality and data-protection obligations. They fall into three categories: (a) infrastructure providers that host our application, databases, and supporting systems; (b) payment processing providers that securely handle subscription billing and related transactions; and (c) communications providers that help us deliver transactional emails and similar service communications. Account and usage data is shared with infrastructure providers; payment instrument data is shared only with the payment processing provider; account identifiers and email address are shared with communications providers for transactional messaging. Each provider receives only the personal data reasonably necessary for the function it performs and is contractually prohibited from using your personal data for its own unrelated purposes.
7. Cross-Border Transfers
7.1 Our infrastructure is operated primarily within India. Where any service provider stores or processes personal data outside India, such transfers are made only to jurisdictions that are not restricted by the Central Government under Section 16 of the DPDP Act, and in each case under contractual safeguards consistent with applicable Indian law.
8. Retention
8.1 We retain personal data for as long as is reasonably necessary to provide the Service to you, to comply with applicable Indian law, to resolve disputes, and to enforce our agreements.
8.2 When you delete your account or specific content, we initiate purging of the relevant personal data from our active production systems within thirty (30) days, subject to retention required by law (for example, tax and audit records relating to payments) and to a brief retention in encrypted backups that are overwritten in the ordinary course.
9. Security
9.1 We implement reasonable security practices and procedures consistent with Section 8 of the DPDP Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including encryption in transit, encryption at rest for production databases, access controls, audit logging, and periodic review.
9.2 No internet-based service can be made absolutely secure. While we endeavour to protect your data, you acknowledge that you transmit data to us at your own risk and that you are responsible for keeping your account credentials confidential.
10. Your Rights
10.1 Subject to the conditions and exceptions set out in the DPDP Act, you have the right to:
- Access the personal data we hold about you (DPDP Section 11);
- Correction and erasure of your personal data where it is inaccurate, incomplete, or no longer necessary (DPDP Section 12);
- Grievance redressal through the readily available mechanism described in Section 13 of this Policy (DPDP Section 13);
- Nominate another individual who may exercise these rights in the event of your death or incapacity (DPDP Section 14); and
- Withdraw consent at any time, with effect for processing carried out after withdrawal (DPDP Section 6(4)).
10.2 You may exercise these rights through your account settings (where available), or by writing to us at the address in Section 13. We may need to verify your identity before acting on a request and may decline a request to the extent permitted by law (for example, where the request is manifestly unfounded or excessive, or where granting it would prejudice the rights of others). We will endeavour to respond to verified rights requests within thirty (30) days, and may extend this period where the request is complex, with notice to you.
10.3 If you withdraw consent, we may no longer be able to provide some or all of the Service to you.
11. Cookies and Similar Technologies
11.1 We use a limited number of cookies and similar storage technologies that are strictly necessary to operate the Service (for example, to keep you signed in) and to support basic, privacy-respecting analytics about Service performance. We do not use third-party advertising cookies.
12. Automated Processing and AI Outputs
12.1 The Service uses artificial-intelligence systems to generate responses to your queries. These responses are general legal-awareness information only and are not legal advice (see Section 1 of our Terms of Use).
12.2 In compliance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules as amended in 2026 ("MeitY 2026 IT Amendment Rules"), AI-generated outputs delivered through the Service are labelled as Synthetically Generated Information.
12.3 You can decline to use AI-generated features by discontinuing use of the Service.
13. Contact
For any query — including grievances under the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, or the Digital Personal Data Protection Act, 2023 — write to contact.themis.ai@gmail.com. Mark grievances clearly in the subject line. Consistent with Rule 3(2) of the Intermediary Guidelines, we aim to acknowledge grievances within twenty-four (24) hours of receipt and resolve them within fifteen (15) days.
14. Changes to This Policy
14.1 We may update this Policy from time to time. Where a change is material, we will display an in-app notice for at least fifteen (15) days before the change takes effect, except where a shorter period is required to comply with law or to address a security risk.
14.2 The "Last updated" date at the top of this Policy reflects the most recent revision. Continued use of the Service after the effective date of an update constitutes acceptance of the updated Policy.
15. Governing Law and Jurisdiction
15.1 Any dispute arising out of or in connection with this Policy shall be governed by, and adjudicated in accordance with, Section 16 of our Terms of Use.