Privacy Policy
Lexfolks Pvt. Ltd.
Last updated: 18 April 2026
Effective date: 18 April 2026
Version: 1.0
Table of Contents
- 1. Introduction
- 2. Who We Are (Data Fiduciary / Controller)
- 3. Scope of this Policy
- 4. Personal Data We Collect
- 5. How We Use Your Personal Data
- 6. Legal Bases for Processing
- 7. Sharing and Disclosure
- 8. International Data Transfers
- 9. Cookies and Similar Technologies
- 10. Data Retention
- 11. Your Rights
- 12. Do Not Sell or Share & Opt-Out
- 13. Children’s Data
- 14. Security
- 15. Changes to this Policy
- 16. Grievance Officer & Contact
1 Introduction
Lexfolks Pvt. Ltd. (“Lexfolks,” “we,” “us,” or “our”) operates the website located at lexfolks.com and its subdomains (together, the “Website”), along with associated newsletters (including LexTests), blogs, reviews, and any paid or free services, tools, or subscriptions we offer (collectively, the “Services”).
We take your privacy seriously. This Privacy Policy (“Policy”) explains what personal data we collect about you, how we use it, the lawful bases on which we rely, with whom we share it, how we keep it secure, how long we retain it, your rights, and how you can exercise them.
This Policy is published in compliance with, among other laws:
- The Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) of India;
- The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 of India;
- The EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UK General Data Protection Regulation (“UK GDPR”), where applicable;
- The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, “CCPA/CPRA”), and related regulations effective 1 January 2026.
If you do not agree with this Policy, please do not use the Website or Services.
2 Who we are (Data Fiduciary / Controller)
Data Fiduciary (under DPDP Act) / Controller (under GDPR/UK GDPR) / Business (under CCPA/CPRA):
Lexfolks Pvt. Ltd.
A company incorporated in India under the Companies Act, 2013
Registered office: B1 – 2nd Floor, Peermuchalla Rd., above Okiru Coffee Roasters, Zirakpur, Punjab 140603, India
Email: info@lexfolks.com
For all privacy-related questions, requests, or complaints, please contact our Grievance Officer (see Section 16).
3 Scope of this Policy
This Policy applies to personal data we collect:
- when you visit the Website;
- when you subscribe to any of our newsletters or publications;
- when you submit a contact form, inquiry, or message;
- when you create an account, purchase a subscription, or pay for any Service;
- when you interact with us on social media, by email, or at events;
- when we receive information about you from third-party sources (for example, payment processors, analytics providers, or publicly available sources).
This Policy does not apply to third-party websites, products, or services that are linked from the Website. Those third parties have their own privacy policies, and we encourage you to review them.
4 Personal data we collect
We collect the following categories of personal data. We have tried to itemise these clearly, as required by the DPDP Act and GDPR.
4.1 Information you provide to us
- Identity and contact data: name, email address, phone number (optional), professional title, organisation, country, and similar details you submit via forms, newsletter signups, or account registration.
- Account and subscription data: username, password (hashed), preferences, and subscription history.
- Payment data: billing name, billing address, last four digits of payment card, transaction ID, and payment status. We do not store full card numbers, CVV, or UPI PINs — these are handled directly by our payment processors (see Section 7).
- Communications: the content of emails, contact form submissions, survey responses, and any other correspondence you send to us.
- User-generated content: comments, submissions, tool suggestions, replies, or other content you voluntarily post or send.
4.2 Information we collect automatically
- Device and technical data: IP address, browser type and version, operating system, device identifiers, language settings, and approximate location (city/country derived from IP).
- Usage data: pages viewed, time on page, referring/exit pages, click paths, search queries on the Website, newsletter open and click events, and similar analytics.
- Cookies and similar technologies: described in Section 9 and our separate Cookie Notice.
4.3 Information we receive from third parties
- Payment processors (e.g., Razorpay, Stripe, Substack’s payment partners): transaction status and anti-fraud signals.
- Email and newsletter platforms (e.g., Substack, ConvertKit, Mailchimp, or equivalents): subscription status, open/click events, bounce and unsubscribe data.
- Analytics and attribution providers (e.g., Google Analytics 4, Plausible, Fathom, or equivalents): aggregated traffic and behavioural data.
- Social media platforms, where you choose to interact with our content or click links from LinkedIn, X, Instagram, and similar platforms.
4.4 Sensitive personal data
We do not intentionally collect sensitive personal data (as defined under the DPDP Act, GDPR, or CCPA/CPRA), including data about racial or ethnic origin, religious beliefs, political opinions, trade union membership, health, sexual orientation, biometrics, precise geolocation, or government IDs. Please do not submit such information to us through the Website.
5 How we use your personal data (purposes of processing)
We use your personal data for the following purposes:
- To operate the Website and Services, including hosting content, displaying articles and reviews, and enabling core site functionality.
- To deliver newsletters and publications you have subscribed to, including LexTests and any related editorial content.
- To respond to inquiries submitted through contact forms, email, or other channels.
- To provide paid Services, including subscription activation, billing, invoicing, access control, and customer support.
- To personalise your experience, for example by remembering preferences or recommending relevant content.
- To measure and improve our Services, through analytics, A/B testing, and feedback.
- To send transactional communications, such as confirmations, receipts, security alerts, and policy updates.
- To send marketing communications, only where you have opted in or where permitted by applicable law, with a clear unsubscribe option in every message.
- To detect, prevent, and investigate fraud, abuse, or security incidents, and to protect the rights and safety of Lexfolks, our users, and the public.
- To comply with legal obligations, respond to lawful requests from public authorities, and enforce our Terms of Service.
- For research and editorial purposes, including aggregated or de-identified analysis of how readers engage with our reviews.
6 Legal bases for processing
6.1 Under the DPDP Act (India)
- Consent: for newsletter subscriptions, non-essential cookies, marketing communications, and any processing for which the DPDP Act requires consent.
- Legitimate uses under Section 7 of the DPDP Act: including where you voluntarily provide personal data for a specified purpose, for compliance with a legal obligation, or for responding to a medical or public-order emergency (rare in our context).
6.2 Under the GDPR / UK GDPR (EEA, UK)
- Consent (Art. 6(1)(a)) — for newsletter subscriptions, non-essential cookies, and direct marketing.
- Performance of a contract (Art. 6(1)(b)) — to provide paid Services you have purchased.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, consumer-protection, and similar laws.
- Legitimate interests (Art. 6(1)(f)) — to operate and secure our Website, measure audience engagement, prevent fraud, and respond to inquiries, balanced against your rights and freedoms.
Where we rely on legitimate interests, you have the right to object (see Section 11).
6.3 Under the CCPA/CPRA (California)
We process personal information for the business purposes listed in Section 5. We do not sell personal information for money. Where our use of analytics or advertising cookies constitutes “sharing” or “selling” under CCPA/CPRA as interpreted by the California Privacy Protection Agency, you have the right to opt out — see Section 12 and the “Do Not Sell or Share My Personal Information” link in our Website footer.
7 Sharing and disclosure
We do not sell your personal data in the ordinary sense of the word. We share personal data only with:
- Data Processors / Sub-processors who process personal data on our behalf under written contracts and on our instructions, including:
  - Hosting and infrastructure providers (e.g., AWS, Cloudflare, Vercel, or equivalents);
  - Newsletter and email platforms (e.g., Substack, ConvertKit, Mailchimp, Beehiiv, or equivalents);
  - Payment processors (e.g., Razorpay, Stripe, or equivalents);
  - Analytics providers (e.g., Google Analytics 4, Plausible, Fathom, or equivalents);
  - Customer-support, CRM, and productivity tools (e.g., Google Workspace, Notion, HubSpot, or equivalents);
  - Security and anti-abuse vendors (e.g., Cloudflare Turnstile, reCAPTCHA).
- Professional advisors, such as lawyers, accountants, and auditors, bound by duties of confidentiality.
- Authorities and third parties, where required by law, court order, or regulatory request, or where reasonably necessary to protect our rights, your safety, or the safety of others.
- Successors in interest, in connection with a corporate transaction such as a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections.
We require all processors to apply appropriate technical and organisational measures and to process personal data only for the purposes we specify.
8 International data transfers
Lexfolks is based in India, and our service providers may be located in India, the United States, the European Economic Area, the United Kingdom, and other jurisdictions. This means your personal data may be transferred to, stored in, and processed in countries other than your own.
Where we transfer personal data:
- From the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable), adequacy decisions, or other lawful transfer mechanisms.
- From India, we only transfer personal data to countries that are not restricted by a notification from the Central Government under the DPDP Act. We keep a current record of such restrictions.
- Under CCPA/CPRA, we require service providers and contractors to offer at least the level of privacy protection required by California law.
You can request a copy of the safeguards we use by contacting us at info@lexfolks.com.
9 Cookies and similar technologies
We use cookies and similar technologies to operate the Website, remember your preferences, measure performance, and (where you consent) deliver relevant content.
We classify cookies as:
- Strictly necessary cookies — required for core functionality (e.g., login sessions, security, CSRF protection). These are set without consent.
- Functional cookies — remember preferences such as language or theme.
- Analytics cookies — measure traffic and usage patterns.
- Marketing / advertising cookies — used to personalise content or measure the effectiveness of our own marketing; we do not run third-party behavioural advertising on the Website at present.
For non-essential cookies, we obtain your consent via a cookie banner before setting them, and you can change your choices at any time through the “Cookie Preferences” link in our Website footer.
We honour the Global Privacy Control (GPC) signal as a valid opt-out of sale and sharing under CCPA/CPRA and treat it as a withdrawal of consent to non-essential cookies where technically feasible.
For details of the specific cookies we use, please see our [Cookie Notice] (to be linked from the Website footer).
10 Data retention
We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy, including any legal, accounting, tax, or reporting requirements.
Indicative retention periods:
- Newsletter subscriber data: until you unsubscribe, plus a short suppression list to honour your opt-out.
- Contact form / inquiry data: up to 24 months after our last interaction, unless a longer period is needed to resolve a dispute.
- Account data: for the life of your account, plus up to 12 months after closure (longer where required by law).
- Payment and invoicing data: up to 8 years, as required by Indian income tax, GST, and Companies Act record-keeping rules.
- Server logs and analytics: typically 14 to 26 months, in aggregated or pseudonymised form where possible.
- Cookie consent records: at least 18 months, to evidence consent.
When personal data is no longer needed, we securely delete or anonymise it.
11 Your rights
Subject to applicable law and certain exceptions, you have the following rights:
11.1 Under the DPDP Act (India)
- Right to access information about personal data we process about you;
- Right to correction, completion, updating, and erasure of your personal data;
- Right to grievance redressal through our Grievance Officer;
- Right to nominate another individual to exercise your rights in the event of your death or incapacity;
- Right to withdraw consent at any time (which does not affect the lawfulness of processing before withdrawal).
11.2 Under the GDPR / UK GDPR
- Right of access (Article 15);
- Right to rectification (Article 16);
- Right to erasure / “right to be forgotten” (Article 17);
- Right to restriction of processing (Article 18);
- Right to data portability (Article 20);
- Right to object, including to direct marketing and processing based on legitimate interests (Article 21);
- Right not to be subject to solely automated decisions with legal or similarly significant effects (Article 22) — we do not currently carry out such decision-making;
- Right to lodge a complaint with a supervisory authority (e.g., your local Data Protection Authority).
11.3 Under the CCPA/CPRA (California)
- Right to know what personal information we collect, use, disclose, share, or sell;
- Right to delete personal information we have collected from you;
- Right to correct inaccurate personal information;
- Right to opt out of the sale or sharing of personal information;
- Right to limit the use and disclosure of sensitive personal information;
- Right to non-discrimination for exercising your rights.
As of 1 January 2026, we will display a visible confirmation signal (such as an “Opt-Out Request Honoured” badge or toggle) once your opt-out has been processed.
11.4 How to exercise your rights
To exercise any of these rights, email info@lexfolks.com with the subject line “Privacy Request” and describe your request. We may need to verify your identity before responding. We will respond within the timelines required by applicable law — typically 30 days under the GDPR, 45 days under CCPA/CPRA (extendable as permitted by law), and as prescribed under the DPDP Rules.
Authorised agents (under CCPA/CPRA) may submit requests on behalf of California residents with valid proof of authorisation.
12 “Do Not Sell or Share” and opt-out signals
Although we do not sell personal information for money, certain uses of cookies and online identifiers may constitute “sharing” under CCPA/CPRA. To opt out:
- Click the “Do Not Sell or Share My Personal Information” link in our Website footer, or
- Enable Global Privacy Control (GPC) in a compatible browser or extension. We will honour a validly received GPC signal as an opt-out of sale and sharing.
Opt-out requests apply to the browser and device on which they are made. Clearing cookies may require you to re-submit your request.
13 Children’s data
Our Services are intended for users who are 18 years of age or older.
- India (DPDP Act): A “child” means an individual under 18. We do not knowingly process the personal data of children without verifiable parental consent as required under Section 9 of the DPDP Act, and we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
- EU/UK (GDPR/UK GDPR): We do not knowingly direct Services to children under 16 (or the age of digital consent in the relevant Member State).
- US (COPPA): We do not knowingly collect personal information from children under 13.
If you believe we have inadvertently collected personal data from a child, please contact info@lexfolks.com and we will delete it promptly.
14 Security
We implement reasonable technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, alteration, disclosure, and destruction, including:
- TLS/SSL encryption in transit;
- Encryption at rest for databases storing sensitive fields;
- Access controls and role-based permissions;
- Multi-factor authentication on administrative accounts;
- Logging, monitoring, and vendor security reviews;
- Periodic backups and disaster-recovery procedures.
No method of transmission or storage is perfectly secure. You are responsible for keeping your account credentials confidential.
Breach notification
In the event of a personal data breach, we will notify:
- Affected data principals and the Data Protection Board of India as required by the DPDP Act and DPDP Rules;
- Affected individuals and the relevant supervisory authority within 72 hours where required under the GDPR/UK GDPR;
- Affected California residents and, where required, the California Attorney General.
15 Changes to this Policy
We may update this Policy from time to time to reflect changes in our Services, technology, or legal obligations. When we make material changes, we will update the “Last updated” and “Version” fields at the top of this page and, where appropriate, notify you by email or a prominent notice on the Website. Continued use of the Services after the effective date of any change constitutes acceptance of the revised Policy.
A version history is available on request.
16 Grievance Officer and contact details
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us.
In accordance with the DPDP Act, DPDP Rules, and Rule 3(11) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the details of our Grievance Officer are:
Grievance Officer
- Company: Lexfolks Pvt. Ltd.
- Email: info@lexfolks.com
- Phone: +91-9158524065
- Address: B1 – 2nd Floor, Peermuchalla Rd., above Okiru Coffee Roasters, Zirakpur, Punjab 140603, India
- Subject line: Grievance — Privacy
- Response time: within the timelines prescribed under the DPDP Rules (typically within 30 days of receipt).
You may also raise a complaint with:
- The Data Protection Board of India (DPB), once operational — via the procedures notified under the DPDP Rules;
- Your local EU/UK Data Protection Authority, if you are in the EEA or the UK;
- The California Privacy Protection Agency (CPPA) or the California Attorney General, if you are a California resident.
For all other privacy-related inquiries, write to info@lexfolks.com.
This Privacy Policy is provided for informational purposes and does not constitute legal advice. Lexfolks Pvt. Ltd. recommends users consult their own counsel about their rights and obligations.