1. Data controller
The data controller is LawCrust Global Consulting Ltd (CIN U69100MH2023PLC413428), operating under the PlugLaw brand. Contact: inquiry@pluglaw.com.
2. Categories of data we hold
- Inquiry data: name, email, phone, firm name, location, message, region preference, and the page on the Site that the inquiry was submitted from.
- Engagement data: once a firm becomes a client, additional information shared in the course of delivering PlugLaw services (firm-strategy documents, candidate CVs, marketing-asset drafts, performance dashboards).
- Site usage data: page-view logs, referrer, browser type, approximate location derived from IP.
- Communication records: emails, scheduled call notes, weekly status documents.
3. Where data lives
PlugLaw uses the following infrastructure providers:
- Supabase (PostgreSQL database, hosted in the European Union region), for inquiry and lead data.
- Static hosting for the public website; no personal data is stored here.
- Email infrastructure, for transactional and engagement-related communication; emails containing engagement data are not stored long-term outside operational mailboxes.
- Workspace tools for engagement delivery, managed under contractual confidentiality terms with each provider.
4. Who can access your data
- The PlugLaw operating team and the LawCrust Group support team.
- Authorised infrastructure-provider staff under the providers' standard access controls.
- Where required by law, regulators or law-enforcement bodies in the relevant jurisdiction.
Engagement data is restricted to the named team working on your engagement, plus the Engagement Lead. Cross-engagement access is logged.
5. Retention periods
- Inquiry data: up to 24 months after the last interaction, then anonymised or deleted.
- Engagement data: for the duration of the engagement plus the period required by accounting and tax law in the relevant jurisdiction (typically 7 years in India, varies elsewhere).
- Site usage logs: rolling 12 months, anonymised after 3 months.
- Communication records: per applicable record-keeping regulations; not less than 24 months for engagement-related communications.
6. Cross-border transfers
As a global service operating across India, the UAE, the UK, the US and Singapore, your data may be processed in jurisdictions other than the one you reside in. We rely on standard contractual clauses and equivalent safeguards to protect data during cross-border transfers.
7. Security measures
- Encryption in transit (TLS) for all data exchanges.
- Encryption at rest for the database and engagement-document storage.
- Role-based access control with audit logging on the database.
- Multi-factor authentication required for all staff accessing engagement data.
- Annual review of access lists and removal of dormant accounts.
8. Your rights and how to exercise them
Depending on your jurisdiction, you may have the right to:
- Access: request a copy of personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion (subject to legal retention requirements).
- Restriction: request that we limit how we process your data.
- Portability: request your data in a machine-readable format.
- Objection: object to specific processing activities, including marketing.
- Withdraw consent: for processing previously based on your consent.
To exercise any of these, email inquiry@pluglaw.com with the subject "Data rights request". We respond within 30 days.
9. Breach notification
In the event of a personal-data breach that meets the threshold under applicable law, we will notify affected individuals and relevant supervisory authorities within the timeframes required (typically 72 hours for the authority and "without undue delay" for individuals).
10. Updates to this Data Policy
Material changes will be flagged on the Site and communicated to active clients. The "Last updated" date at the top reflects the most recent revision.