This Privacy Policy explains how Battery Bhaiya Green Solutions Private Limited ("Company", "we", "us") collects, uses, stores, shares, and protects your personal data when you use the following services:
Clauseo at clauseo.chat (the "Main App"), an AI-powered legal research platform; and
CompetitionSearch at competition.clauseo.chat (the "CCI Search Engine"), a specialised search platform for Competition Commission of India cases.
These services are collectively referred to as the "Services".
This Privacy Policy should be read together with our Terms of Use, which govern your access to and use of the Services.
This Policy covers personal data that we process about:
(a) registered users and account holders;
(b) visitors to our websites and applications;
(c) billing contacts; and
(d) individuals who contact us for support or enquiries.
This Policy also applies to personal data contained in materials that you upload to the Services, such as legal documents, case files, or other files, to the extent that such materials contain personal data and we process or store that data in order to provide the Services.
This Policy does not apply to:
(a) publicly available legal information such as court judgments, CCI orders, or statutes accessed through the Services; or
(b) third-party services that may be linked from the Services. Those services operate under their own privacy policies.
3. Data We Collect
3.1 Account & Identity Data
Data
Source
Both Apps
Email address
You (at registration)
✓
Name / display name
You or OAuth provider
✓
Phone number
You (if phone auth used)
✓
LinkedIn profile URL
You (at registration, Main App)
Main App
Authentication method and sign-in history
Clerk (auth provider)
✓
Clerk user identifier
Clerk
✓
Access status (approved / waitlisted)
Us (internal)
Main App
Invite codes issued and used
Us (internal)
Main App
3.2 Content Data
Main App:
Chat messages and research queries you type
AI-generated research output (case analysis, citations, summaries, generated documents)
Files you upload (PDFs, images, text documents) — stored as part of conversation history
Conversation branches (when you edit a prior message to explore alternative research paths)
Tool call details and per-message cost breakdowns
CCI Search Engine:
Search queries and applied filters
Saved list names, descriptions, and case selections
Notes you add to saved cases
Search history records (query, filters, result count, timestamp)
3.3 Billing & Transaction Data
Credit purchase amounts and timestamps
Razorpay payment and order identifiers
Credit balance and consumption records
GST details (if provided)
We do not store your payment card details, bank account numbers, or UPI IDs. These are processed directly by Razorpay and never reach our servers.
3.4 Usage & Device Data
IP address and approximate geolocation
Browser type, operating system, device information
Pages visited, features used, and interaction patterns
Session duration and navigation paths
Error logs and performance diagnostics
Analytics identifiers (Vercel Analytics, PostHog)
3.5 Support & Communications Data
Support emails, feedback, and feature requests
Session metadata shared for troubleshooting
4. How We Collect Data
Directly from you: When you create an account, use the chat, upload files, make purchases, submit support requests, or adjust settings.
From authentication providers: Clerk provides us with your user identifier, email, name, and authentication metadata when you sign in (including via Google OAuth).
From payment processors: Razorpay provides transaction confirmations, order IDs, and payment status. We do not receive your payment instrument details.
Automatically: Our servers, analytics tools, and infrastructure providers collect usage and device data when you access the Services.
5. Why We Process Your Data
Purpose
Data Used
Legal Basis
Provide, maintain, and improve the Services — account creation, authentication, AI research, case search, document analysis, file storage, credit management, monitoring performance, identifying issues, and understanding feature usage through analytics tools (PostHog, Vercel Analytics)
Account, Content, Billing, Usage, Device
Consent provided by you for processing of personal data for the specified purposes under Section 6(1) of the Digital Personal Data Protection Act, 2023
Legitimate uses for fraud prevention and information security under Section 7 of the Digital Personal Data Protection Act, 2023, and compliance with applicable legal obligations
Communications — service announcements, security alerts, product updates
Account (email)
Voluntarily provided; your consent for non-essential communications
PostHog and Vercel Analytics tracking — toggle off to stop analytics data collection while continuing to use the Service
Marketing communications
Non-essential emails (off by default)
6.2 Withdrawing Consent
You may withdraw consent for analytics or marketing at any time from account settings. Withdrawal takes effect promptly.
If you withdraw consent for core data processing (by requesting account deletion), we will deactivate your account, as we cannot provide the Services without processing your data. You bear the consequences of withdrawal (Digital Personal Data Protection Act, 2023, Section 6(5)).
Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
We maintain auditable records of all consent actions — including grants, withdrawals, and modifications — with timestamps and the Policy version in effect at the time. These records are retained for as long as required to demonstrate compliance with applicable law.
7. No Model Training
We do not use your personal data, chat messages, uploaded files, research queries, or AI-generated output to train, fine-tune, or improve any AI foundation models (whether ours or third-party), unless you provide explicit, separate written consent.
What we may use: Anonymised, aggregated, de-identified usage data that cannot identify any individual — such as aggregate query volume, feature usage rates, and error frequency — may be used to improve the Services. This data does not contain your personal data or User Content.
8. Sharing & Sub-Processors
We share personal data only with the sub-processors necessary to operate the Services, and only under appropriate contractual and security safeguards. We do not sell your personal data.
8.1 Main App Sub-Processors
Sub-Processor
Purpose
Location
Anthropic (via Google Vertex AI)
Primary AI model (Claude) for legal research and analysis
Global (Vertex AI)
Google (via Vertex AI)
AI model (Gemini) for conversation title generation
Global (Vertex AI)
Neon (on AWS)
PostgreSQL database — stores conversations, user data, uploaded files
Legal case database — judgments, statutes, citation data
India
Tavily
Web search and URL content extraction for legal research
United States
Vercel Analytics
Web analytics
United States
PostHog
Product analytics and feature usage tracking
United States
8.2 CCI Search Engine Sub-Processors
Sub-Processor
Purpose
Location
Neon (on AWS)
PostgreSQL database — CCI case data, user data (saved lists, search history)
Singapore
Typesense Cloud (on AWS)
Full-text search engine for CCI cases
Mumbai, India
Cloudflare R2
Object storage for CCI/NCLAT PDF documents
Automatic (nearest region)
Clerk
Authentication and user identity management
United States
PostHog
Product analytics and feature usage tracking
United States
Razorpay
Payment processing (for future paid features)
India
8.3 Other Disclosures
We may disclose personal data:
To comply with applicable law, regulation, court order, or government directive;
To enforce our Terms of Use or protect our rights, property, or safety;
In connection with a merger, acquisition, or sale of assets (with notice to you);
To professional advisers (lawyers, auditors) under confidentiality obligations.
8.4 Third-Party Privacy Policies
Anthropic:
Google Cloud:
Clerk:
Razorpay:
Vercel:
PostHog:
Cloudflare:
9. Cross-Border Data Transfers
Your data is processed across multiple jurisdictions. The following table shows where each category of data is stored and processed:
Data Category
Primary Location
Provider
Conversations, user accounts, uploaded files
Singapore (AWS ap-southeast-1)
Neon
AI model inference and chat processing
Mumbai, India
Google Cloud Run
CCI search index
Mumbai, India (AWS ap-south-1)
Typesense
Frontend application
United States
Vercel
Caching and stream management
United States
Upstash
Authentication credentials
United States
Clerk
Email delivery
United States
Resend
Analytics events
United States
Vercel Analytics, PostHog
Payment transactions
India
Razorpay
AI model processing
Global
Anthropic / Google Vertex AI
CCI/NCLAT PDF documents
Global (nearest edge)
Cloudflare R2
Legal framework for cross-border transfers:
The Digital Personal Data Protection Act, 2023 permits cross-border data transfers unless the Central Government restricts transfers to specific countries by notification (Section 16). As of the date of this Policy, no country restrictions have been notified.
Until the DPDP Act's cross-border provisions become enforceable (May 13, 2027), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 apply to transfers of sensitive personal data.
We maintain Data Processing Agreements with sub-processors that include appropriate security, confidentiality, and data protection obligations.
We monitor government notifications under Section 16 of the DPDP Act and will adjust data processing arrangements if any jurisdiction relevant to our operations is restricted.
10. Data Retention & Deletion
Data Category
Retention Period
Trigger for Deletion
Conversations, chat history, uploaded files
Life of account
Account deletion or your request
Saved lists, search history (CCI)
Life of account
Your deletion via UI, or account deletion
Account and profile data
Life of account + as required by law
Account deletion
Billing and transaction records
As required by Indian tax/accounting law (typically 7–8 years after the financial year)
Statutory period expiry
Credit purchase and usage records
As required by tax law and audit requirements
Statutory period expiry
Server logs and diagnostics
90–180 days
Automatic rotation
Analytics data (PostHog, Vercel Analytics)
Per provider retention settings (typically ≤1 year)
Automatic expiry
Consent records
Duration of relationship + 3 years (or as required for compliance)
Statutory period expiry
Automated backups
30 days from creation
Automatic rotation
On account deletion:
Your conversations, uploaded files, saved lists, search history, and account data are deleted from the production database within 30 days.
Automated backups containing your data are purged within 30 days of the backup cycle.
Billing records are retained as required by tax law.
Anonymised, aggregated data that cannot identify you may be retained indefinitely.
11. Your Rights
Under applicable Indian law (including the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, as and when enforceable), you have the following rights:
Right
Description
How to Exercise
Access
Obtain a summary of your personal data and how it is processed, including identities of parties it has been shared with
Email us or use account settings
Correction
Correct inaccurate or incomplete personal data
Update via account settings or email us
Erasure
Request deletion of your personal data (subject to legal retention requirements)
Account deletion via UI or email us
Consent withdrawal
Withdraw consent for any processing activity at any time
Account settings → Privacy & Data
Grievance redressal
File a complaint about our data processing practices
Contact Grievance Officer (see Section 16)
Nomination
Nominate another individual to exercise your rights in case of death or incapacity
Email us (process will be implemented per DPDP Rules)
How we respond:
We will acknowledge your request within 24 hours.
We will act on your request within the timelines prescribed by applicable law (currently 15 days for grievances under the IT Rules; specific timelines under the DPDP Rules will be followed once enforceable).
We may ask you to verify your identity before processing a request.
If we cannot fulfil a request (e.g., due to legal retention obligations), we will explain why.
Before approaching the Data Protection Board of India, you must first exhaust the grievance mechanism provided here (Digital Personal Data Protection Act, 2023, Section 13(3)).
12. Data Security
We implement reasonable security safeguards appropriate to the nature, scope, and sensitivity of the personal data we process, including:
Encryption in transit (TLS) for all data communications
Encryption at rest for database storage
Database-level access isolation — each user can only access their own data
Access controls with authentication required for all user data operations
Secure authentication via Clerk (passwords are never stored on our servers)
Regular security reviews of infrastructure and access policies
Incident response procedures for data breaches
No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security against all threats.
13. Children's Data
The Services are designed for legal professionals and are not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.
If you believe a child has provided personal data to us, please contact our Grievance Officer immediately at . We will take steps to delete the data promptly.
14. Breach Notification
In the event of a personal data breach:
We will notify the Data Protection Board of India and each affected Data Principal without unreasonable delay, in the form and manner prescribed by applicable law.
Under current CERT-In requirements, specified cyber incidents are reported within 6 hours.
Under the Digital Personal Data Protection Act, 2023 and DPDP Rules 2025, breach notification to the Board will be provided with an initial intimation without delay and a detailed report within 72 hours, once these provisions are enforceable.
Notifications to affected users will be in plain language and will explain: what happened, what data was affected, the likely impact, and the steps we have taken and recommend you take.
We will acknowledge your grievance within 24 hours of receipt.
We will endeavour to resolve your grievance within 15 days, in accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (as amended).
If you are unsatisfied with our resolution, you may appeal to the Grievance Appellate Committee constituted under Rule 3A of the IT Rules, or approach the Data Protection Board of India (after exhausting the grievance mechanism here).
16. Changes to This Policy
We may update this Policy from time to time. When we make changes:
Material changes (changes to data collection, processing purposes, sub-processors, cross-border transfers, or your rights) will be notified at least 15 days before the effective date, via email and/or in-product notification.
Non-material changes (clarifications, formatting, correcting errors) take effect upon posting.
The "Last updated" date and version number at the top of this Policy will always reflect the current version.
Your continued use of the Services after the effective date of changes constitutes acceptance of the updated Policy.
Prior versions are available upon request at .
17. Additional Information
Applicable law. This Policy is governed by the laws of India, including the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, and the Digital Personal Data Protection Rules, 2025.
Third-party services. If you connect third-party services or access third-party content through the Services, those third parties' own privacy policies govern their processing of your data. We are not responsible for their practices.
Contact us. For any questions about this Policy or our data practices, email .