How the firm handles personal data.

1. Data fiduciary

Labels and Lanes acts as a data fiduciary under the Digital Personal Data Protection Act 2023 in respect of personal data collected through this website, the Enquiry form, The Letter subscription interface (managed through Substack), and any direct correspondence with the firm.

2. Categories of personal data collected

The firm collects name, email address, entity or family-office affiliation (optional), role, decision horizon, a brief non-confidential description of the structural question, and acknowledgement responses through the Enquiry form. The firm collects subscription email address and engagement metrics through Substack in respect of The Letter. The firm collects standard server logs (IP address, user agent, referring URL, page requested, timestamp) in respect of ordinary website traffic.

3. Purpose of processing

Personal data submitted through the Enquiry form is processed solely for the purpose of reviewing the enquiry, conducting a scoping conversation where appropriate, and, if an engagement is created, administering the engagement. Subscription data for The Letter is processed for the purpose of delivering The Letter. Server logs are processed for security, integrity, and operational review of the website.

4. Lawful basis

Processing of enquiry and subscription data is carried out on the basis of consent obtained at the point of collection. Processing of server logs and operational data is carried out on the basis of legitimate interest in maintaining the security and integrity of the firm’s digital infrastructure. Where processing is required to comply with applicable law (including anti-money-laundering, tax, or regulatory reporting obligations), the lawful basis is legal obligation.

5. Sharing of personal data

The firm does not sell personal data. The firm shares personal data only with data processors engaged to operate the firm’s technical infrastructure (hosting provider, email infrastructure provider, Substack for newsletter delivery), each under contractual data-processing terms. The firm does not share personal data with legal, advertising, or marketing counterparties without explicit consent.

6. Cross-border transfers

Where personal data is processed by data processors located outside India (for example, Substack for The Letter), the transfer is made under contractual terms that require protection equivalent to the DPDP Act 2023. The firm does not transfer personal data to countries or territories restricted under notifications issued by the Central Government under the DPDP Act 2023.

7. Retention

Enquiry form submissions are retained for a period of eighteen months from the date of submission unless an engagement is created, in which case retention is governed by the engagement letter and applicable professional-conduct standards (typically seven years from engagement closure). Subscription data is retained for as long as the subscription is active and for a further ninety days after unsubscription. Server logs are retained for twelve months.

8. Data-subject rights

Under the DPDP Act 2023, data principals have the right to access personal data held by the firm, to seek correction or erasure of personal data, to nominate another individual to exercise rights on their behalf in the event of death or incapacity, and to withdraw consent. Requests in exercise of these rights may be submitted through the Enquiry form with “DPDP request” marked in the structural-question field, or through the published correspondence channel once operational.

9. Children’s data

The firm’s services are intended for principals engaging with the firm on a commercial basis. The firm does not knowingly collect personal data of children under the age of eighteen and takes reasonable steps to ensure that consent in respect of child data principals is obtained from a parent or lawful guardian where applicable.

10. Security

The firm applies technical and organisational measures commensurate with the sensitivity of the data processed. These measures include access controls, encryption in transit, secure storage of correspondence, and scoped access rights for those carrying the work. No system is immune from security risk, and readers are reminded that sensitive or confidential information should not be submitted through public channels.

11. Contact and grievance

Grievances concerning the processing of personal data may be raised through the Enquiry form or through the published correspondence channel once operational. Data principals have the right to register a complaint with the Data Protection Board of India constituted under the DPDP Act 2023 after exhausting the firm’s internal grievance process.

12. Updates

This notice is reviewed and updated periodically. The version date below is controlling. Readers engaging with the firm are encouraged to review the current version at the time of engagement.

Version date: 23 April 2026