This Privacy Policy describes the manner in which MSME Prime (the “Firm”, “we”, “our”, “us”) collects, uses, stores, transfers, discloses and otherwise processes personal data relating to visitors and clients of the website msmeprime.com (the “Website”) and the legal advisory and digital products offered through it (the “Services”).
We are committed to handling your personal data in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and all applicable rules and regulations made thereunder.
1. Scope & Applicability
This Policy applies to (a) all visitors to the Website, (b) all clients who engage the Firm for any advisory or representation service, and (c) all purchasers of digital products (forms, kits, reports and other documents) offered through the Website. By accessing the Website or availing any Service, you consent to the collection and use of your personal data in accordance with this Policy.
The Firm acts as a Data Fiduciary within the meaning of the DPDP Act in relation to personal data collected from clients and visitors.
2. Information We Collect
2.1 Personal Information You Provide
- Identity and contact information: full name, postal address, mobile number, e-mail address, designation, company name, PAN (where required for billing).
- Tax information: GSTIN (where claimed for input tax credit on invoices issued).
- Case-related information: details of the matter on which advice is sought, including names of counterparties, CIN of the corporate debtor or company, NCLT bench, IBC section, hearing dates, financial figures, and any documents you upload or share (NCLT orders, contracts, emails, financial statements, photographs of evidence, etc.).
- Payment-related information: we do not store complete card or bank-account details. Payment instrument information is collected and processed directly by our payment gateway partner, Razorpay Software Private Limited, on its PCI DSS-compliant infrastructure. We receive only a transaction reference and status from Razorpay.
2.2 Information Collected Automatically
- Internet Protocol (IP) address, browser type and version, device identifiers, operating system, referring URL, pages viewed and time of access.
- Cookies and similar tracking technologies (see Section 7).
2.3 Information Received from Third Parties
We may receive limited information about you from (a) Razorpay (transaction status, last 4 digits of payment instrument where relevant for fraud-prevention), (b) panel professionals working on your matter (advocates, Chartered Accountants, IBBI-registered Insolvency Professionals), and (c) public sources such as MCA21, NCLT cause lists, IBBI records and the BAP cause-list, when verifying case context.
3. How We Use Your Information
We use your personal data only for legitimate professional and business purposes, including:
- Service delivery: to provide legal consultation, draft documents, represent you before NCLT/NCLAT, deliver digital products you have purchased.
- Communications: to respond to enquiries, schedule consultations, provide case updates, send hearing reminders, share filed documents and orders.
- Billing and accounting: to generate GST-compliant invoices, maintain client account ledgers, and discharge our tax and statutory record-keeping obligations.
- Regulatory and legal compliance: to comply with directions of NCLT, NCLAT, IBBI, the Bar Council of India, applicable tax authorities, and any law-enforcement agency in response to a lawful demand.
- Quality assurance and training: internal reviews of work product, never identifying your matter externally.
- Security and fraud prevention: to detect, prevent and address fraud, unauthorised access, abuse of Services, and to protect the rights, property or safety of the Firm, our clients and the public.
We do not sell, rent, trade or otherwise transfer your personal data to third parties for marketing or advertising purposes.
4. Advocate-Client Confidentiality & Privilege
Communications between you and any advocate of the Firm engaged for representation are protected by professional privilege under Section 126 of the Indian Evidence Act, 1872, and by the standards of professional conduct prescribed by the Bar Council of India. Such communications are not disclosed to any third party except with your express consent, in furtherance of the engagement, or where disclosure is mandated by law or by an order of a competent court or tribunal.
Information shared during preliminary consultations — including the initial paid consultation — is also treated as confidential and is not used or disclosed for any purpose unrelated to the prospective engagement.
5. Disclosure to Third Parties
We may share your personal data only with the following categories of recipients, and only to the extent necessary for the relevant purpose:
- Panel professionals — senior advocates, IBBI-registered Insolvency Professionals, Chartered Accountants and Company Secretaries assigned to work on your matter, all of whom are bound by the same standards of professional confidentiality.
- Service providers — hosting and infrastructure providers, payment gateway (Razorpay), e-mail and communication providers, cloud-backup providers. All such providers are engaged under contractual obligations of confidentiality.
- AI processing partners — for case-management drafting, content of your matter file may be processed via the API of an enterprise AI provider operating under a contractual undertaking that your data will not be used to train any model. See our Case Management page for further detail.
- Regulatory and judicial authorities — where disclosure is required by an order of NCLT, NCLAT, a Civil or Criminal Court, IBBI, the Bar Council, tax authorities, or any other authority exercising statutory powers.
- Successors — in the event of any reorganisation, merger, or sale of the Firm’s business, your data may be transferred as part of the relevant assets, subject to equivalent privacy protections.
6. Data Security
We have implemented reasonable security practices and procedures consistent with the IT (Reasonable Security Practices) Rules, 2011 and with industry standards. These include:
- Encryption of data in transit using TLS/SSL (256-bit).
- Access controls restricting personal data to authorised personnel only.
- Segregation of client matter files — no co-mingling between matters.
- Regular review of security practices, software patches and incident-response procedures.
- PCI DSS Level 1-certified payment processing by Razorpay; no card data is held on our systems.
Notwithstanding the above, no system can be guaranteed absolutely secure. In the event of a personal data breach that is likely to result in significant harm, we will notify the Data Protection Board and affected Data Principals as required under the DPDP Act.
7. Cookies & Tracking Technologies
The Website uses the following categories of cookies:
- Strictly necessary cookies — for site functionality, session management and security.
- Analytics cookies — to understand site usage and improve the Website (e.g., aggregated page-view statistics). These cookies do not identify you individually.
- Payment-flow cookies — set by Razorpay during checkout to maintain transaction integrity.
You may disable cookies through your browser settings. Doing so may impair certain Website functionality, including the ability to complete a purchase.
8. Data Retention
We retain personal data only for as long as is reasonably necessary for the purpose for which it was collected, unless a longer retention period is required by law:
- Client matter files — retained for the duration of the engagement and for at least seven (7) years after closure, in line with the limitation period for professional-negligence claims and standard guidance for legal records.
- Tax and billing records — retained for at least eight (8) years from the relevant financial year, in compliance with the Income-tax Act, 1961 and the GST Acts.
- Marketing enquiry data — retained for two (2) years from last interaction, unless you withdraw consent earlier.
- Website analytics — retained in aggregated form for up to twenty-six (26) months.
On expiry of the retention period (or earlier on your validated request, subject to legal exceptions), your personal data will be deleted or anonymised.
9. Your Rights under the DPDP Act, 2023
As a Data Principal, you have the following rights in respect of your personal data:
- Right to information — to obtain a summary of the personal data we hold and how it is being processed.
- Right to correction and erasure — to request correction of inaccurate data, or erasure of data that is no longer necessary, subject to our legal and contractual record-keeping obligations.
- Right to grievance redressal — to raise complaints with our Grievance Officer (see Section 12).
- Right to nominate — to nominate any other individual to exercise these rights in the event of your death or incapacity.
- Right to withdraw consent — in respect of any processing that is based solely on consent. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal, nor processing necessary for compliance with law or in connection with an ongoing engagement.
To exercise any of these rights, please write to our Grievance Officer at the address in Section 12.
10. Minors
Our Services are not directed to individuals below the age of eighteen (18) years. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to us, please contact our Grievance Officer immediately so that we may take appropriate steps to delete such data.
11. Changes to this Policy
We may amend this Policy from time to time to reflect changes in our practices, legal requirements, or Service offerings. The “Last updated” date at the top of this Policy will indicate when the latest changes took effect. Material changes will be notified by e-mail to active clients and by a prominent notice on the Website. Your continued use of the Services after such notice constitutes acceptance of the amended Policy.
12. Grievance Officer
For any general enquiry that is not a privacy grievance, please write to admin@msmeprime.com.
Cross-references:
Please also read our
Terms of Service and
Refund Policy, which together with this Privacy Policy govern your use of the Website and the Services.