Privacy Policy

This Privacy Policy ("Policy") governs the collection, processing, and protection of personal and sensitive data by Paradigm Confab ("Company", "we", "us", or "our") in connection with the provision of the myPeshkar digital legal workspace ("Platform").

This Policy applies to all subscribing legal entities ("Subscribers" or "Firms") and their authorized end-users ("Users"). By accessing or utilizing the Platform, Subscribers acknowledge and consent to the data practices outlined herein, designed to strictly uphold attorney-client privilege and confidentiality.

In accordance with applicable data protection regulations, including the Digital Personal Data Protection Act, 2023, the roles of the respective parties are defined as follows:

• Data Controller (Fiduciary): The Subscriber remains the sole Data Controller for all client, case, proprietary, and third-party data ("Tenant Data") uploaded to or generated within the Platform.
• Data Processor: The Company acts strictly as a Data Processor. We process Tenant Data exclusively pursuant to the documented instructions of the Subscriber for the sole purpose of rendering the Platform's services.

The Company processes the aforementioned data strictly for the following operational imperatives:

• Provisioning core Platform functionalities, including automated workflow execution and role-based access management.
• Enforcing security protocols, including session authentication and One-Time Password (OTP) verification.
• Executing technical support interventions upon the explicit request of the Subscriber.
• Maintaining infrastructure stability and deploying critical software updates.

The Company strictly prohibits the sale, monetization, or unauthorized secondary utilization of any Tenant Data or Administrative Data.

The Company employs rigorous technical and organizational safeguards to protect Tenant Data against unauthorized access, alteration, or disclosure:

• Cryptographic Standards All sensitive files, documents, and evidentiary materials are secured at rest utilizing AES-256 encryption.
• Logical Data Isolation The Platform utilizes strict tenant isolation architecture. Data is compartmentalized such that cross-tenant access or querying is structurally prohibited.
• Role-Based Access Control (RBAC) Intra-firm data access is deterministically governed by cryptographic permissions designated by the Subscriber's appointed Administrator.

The Company shall not disclose Tenant Data to third parties, except under the following narrow conditions:

• Authorized Sub-Processors: We may engage secure, vetted infrastructure providers (e.g., cloud hosting facilities, SMTP relays) necessary for Platform operation. Such entities are bound by stringent Non-Disclosure Agreements (NDAs) and compliance obligations.
• Statutory Compliance: In the event of a binding subpoena, court order, or lawful directive from a recognized judicial authority, the Company will promptly notify the Subscriber (Data Controller) prior to compliance, allowing the Subscriber the opportunity to assert legal privilege or seek a protective order, unless legally enjoined from providing such notice.

Tenant Data is retained exclusively for the duration of an active subscription agreement. Upon termination or expiration of the agreement, Subscribers are granted a predefined extraction period.

Upon the conclusion of this extraction period, the Company executes a mandated cryptographic purge, ensuring all Tenant Data—including encrypted documents, relational party details, and docket histories—is permanently and irretrievably destroyed from all active servers and backups.

Because the Company operates as a Data Processor, any inquiries regarding data access, rectification, or erasure from individuals (e.g., clients or opposing parties) must be directed to the respective Subscriber (the Data Controller). The Company will assist Subscribers in complying with their statutory obligations regarding such requests.

Notices, inquiries, or directives pertaining to this Privacy Policy, data governance, or security protocols shall be directed to the Company's designated compliance channel: