legal · privacy

Privacy Policy

Last updated: 11 May 2026

This Privacy Policy explains how Manch (operated by the Manch Online Dispute Resolution platform) collects, uses, shares, and retains personal data when you use the platform to participate in arbitration or mediation proceedings. It is issued under the Digital Personal Data Protection Act, 2023 (DPDPA) and the Digital Personal Data Protection Rules, 2025 (Rules), which took effect in March 2025.

Manch is the Data Fiduciary for the personal data described below. You — the individual the data relates to — are the Data Principal. Where Manch processes data only on behalf of an institution or a tribunal (for example, when an institution administers a case on the platform), Manch acts as a Data Processor and the institution is the Data Fiduciary.

1. Notice to Data Principals

In plain language: this page is the notice the DPDPA requires us to give you. It tells you what we collect, why, how long we keep it, who we share it with, and how you can exercise your rights. You can read the policy at any time and we will tell you when it changes in any material way.

Where consent is the lawful basis (see Section 4 below), you will see a separate consent prompt before processing begins. That prompt links back to this notice. You can withdraw consent at any time without affecting processing already lawfully carried out.

2. Categories of personal data

  • Party data — name, address, mobile number, email, government-issued ID details where verification is required, and the authorised representative through whom you act.
  • Case data — pleadings, statements of claim and defence, evidence, exhibits, hearing transcripts and recordings, orders, awards, and tribunal-to-party correspondence.
  • Arbitrator and neutral data — CV, panel registration, disclosures, declarations of independence under Section 12 of the Arbitration and Conciliation Act, 1996, fee scales, and sitting history.
  • Financial data — invoices, payment instructions, tax identifiers, and bank account details used for fees, deposits, and award payouts.
  • Technical data — authentication tokens (JWT), IP address, device and browser metadata, access logs, and audit trails of actions taken inside the platform.

3. Purposes of processing

  • Institutional arbitration administration — case intake, notice service, hearing scheduling, arbitrator allotment, secretariat functions, document filing, and award delivery.
  • Conduct of dispute resolution under the Arbitration and Conciliation Act, 1996, the mediation regime under the Mediation Act, 2023, and the applicable institutional rules.
  • Regulatory and audit compliance — including responses to court orders, statutory authority requests, and institutional audits.
  • Service operation, security, fraud and abuse prevention, and the integrity of the platform's audit trail.
  • Internal analytics, in aggregate, to improve the platform — never to profile a Data Principal for advertising.

4. Lawful basis for processing

  • Consent — for parties to a matter. You give consent at the point of registration on the platform and again at the case-onboarding step. Consent can be withdrawn through the Grievance Officer (see Section 9).
  • Legitimate use under Section 7 DPDPA — for arbitrators, mediators, panel members, and case officers carrying out functions of the tribunal or institution. Personal data of neutrals is processed to operate the dispute-resolution function for which they were appointed.
  • Legal obligation — where data is processed to comply with a court order, a regulator's direction, or an obligation under the Arbitration and Conciliation Act, 1996, the Mediation Act, 2023, the Companies Act, 2013 (in connection with statutory audits), or the Income-tax Act, 1961.

5. Your rights as a Data Principal

  • Right to information and access — to a summary of the personal data being processed and the processing activities undertaken.
  • Right to correction, completion and updating — to have inaccurate or incomplete data corrected.
  • Right to erasure — where the lawful basis no longer applies and retention is not otherwise required by law (see Section 6).
  • Right to withdraw consent — at any time, with the same ease with which it was given. Withdrawal does not affect prior lawful processing.
  • Right to grievance redressal — to raise a complaint with the Grievance Officer below. If unresolved, you may approach the Data Protection Board of India.
  • Right to nominate — to nominate another individual to exercise these rights in the event of your death or incapacity.

6. Retention periods

We retain personal data only for as long as the purpose requires or for as long as the law requires us to. Specifically:

  • Case data — retained for the limitation periods for challenge under Section 34 and enforcement under Section 36 of the Arbitration and Conciliation Act, 1996, and for three (3) years thereafter, in line with typical institutional practice post-award.
  • Institutional records — registers, panel registers, and procedural records kept by the institution (including under the Indian Council of Arbitration framework) are retained for the longer periods required by those rules.
  • Financial data — retained for eight (8) years in line with the Companies Act, 2013 and tax requirements.
  • Authentication and access logs — twelve (12) months, unless flagged for an ongoing security investigation or a regulatory enquiry.
  • Marketing or consent-only contact data — until consent is withdrawn, and then deleted without delay.

7. Sharing and disclosure

  • With the tribunal — arbitrators, mediators, and case officers assigned to your matter.
  • With counterparties and their authorised advocates as required for the proceedings.
  • With sub-processors engaged under written contract with confidentiality and data-protection obligations (hosting, email, telephony, identity verification, payments).
  • With courts, regulators, and statutory authorities where compelled by lawful order or for the enforcement of an award.

We do not sell personal data and we do not use it for advertising.

8. Storage locations and transfer

We host the platform on Amazon Web Services in the Mumbai (ap-south-1) region. Production data resides in India. Email and productivity services run on Microsoft 365, which processes data through European Union data centres under Microsoft's standard contractual terms.

Where transfer of data outside India is involved, transfers are made only to jurisdictions and on terms permitted under Section 16 of the DPDPA and the Rules. We do not transfer personal data to jurisdictions notified by the Central Government as restricted.

9. Grievance Officer and DPO

Grievance Officer / Data Protection Officer (placeholder): privacy@manch.live.
Address: Manch Online Dispute Resolution, India.

We acknowledge grievances within seven (7) days and aim to resolve them within thirty (30) days. If you are not satisfied, you may escalate to the Data Protection Board of India.

10. Children's data

The platform is not directed to children. Arbitration and commercial mediation on Manch are between adult parties and their authorised representatives. We do not knowingly collect personal data of any person under 18, and we do not process data of any person with disability acting through a lawful guardian without verifiable consent of that guardian, as required by Section 9 of the DPDPA. If we learn that data of a child has been collected, we will delete it without delay.

11. Significant Data Fiduciary status

Manch has not been notified as a Significant Data Fiduciary by the Central Government as of the date above. If notified, we will comply with the additional obligations under Section 10 of the DPDPA — including appointing a Data Protection Officer based in India, appointing an independent data auditor, and undertaking periodic Data Protection Impact Assessments — and update this policy accordingly.

12. Cookies and analytics

We use strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies. We use first-party, privacy-respecting analytics in aggregate form to understand usage of the platform. You can manage cookies through your browser at any time; disabling strictly necessary cookies will sign you out.

13. Personal data breach notification

In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals without delay, and in any event within seventy-two (72) hours of becoming aware of the breach, in line with the Rules. The notification will describe the nature of the breach, the categories and approximate number of Data Principals affected, the likely consequences, and the mitigation measures we have taken.

14. Security

We use TLS for data in transit, encryption at rest for production stores, role-based access controls, audit logging of access to case data, and periodic third-party security review. No system can be guaranteed perfectly secure; we follow industry-standard practices and review them.

15. Effective date and changes

This policy is effective from the date shown above. We may update it from time to time. Material changes will be communicated to registered users by email or in-product notice at least seven (7) days before they take effect. The version history is preserved and earlier versions are available on request.

16. Contact

Privacy and grievance: privacy@manch.live.
General queries: info@manch.live.

← Back to sign in