Privacy Policy
Last Updated: March 2026
Table of Contents
- Introduction
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing
- Data Sharing and Disclosure
- Sub-Processors
- International Data Transfers
- Data Security
- Data Retention
- Your Rights
- Cookies
- Changes to This Policy
- Contact Us
1. Introduction
Lawfair ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect information when you use the Lawfair platform.
Lawfair is an AI-assisted legal analysis tool for Scottish civil litigation. Given the sensitive nature of legal case data, we apply strict data minimisation and security controls.
2. Information We Collect
Account data:
- Name, email address, organisation/firm name, job title
- Account credentials (managed by Auth0 — we do not store passwords)
Case data:
- Factual narratives and documents you upload for analysis
- Analysis outputs generated by the Service
- Procedural posture, case references, and metadata you provide
Usage data:
- Features used, pages visited, time spent
- Pipeline step completion, analysis frequency
Technical data:
- IP address, browser type, operating system
- Access times, error logs
Cookie data: See Cookie Policy.
3. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Providing the analysis service | Contract performance |
| Account management and authentication | Contract performance |
| Security monitoring and fraud prevention | Legitimate interests |
| Service improvement and debugging | Legitimate interests |
| Analytics (with consent) | Consent |
| Legal compliance and audit | Legal obligation |
Case data is used solely to generate the analysis you request. It is not used to train AI models, profile users, or shared with third parties for commercial purposes.
4. Legal Basis for Processing
We process personal data under UK GDPR on the following bases:
- Contract performance: Processing necessary to deliver the Service you have signed up for
- Legitimate interests: Security monitoring, service improvement, fraud prevention — where these do not override your rights
- Consent: Analytics cookies and associated tracking — only where you have explicitly consented
- Legal obligation: Retention of certain records as required by applicable law
5. Data Sharing and Disclosure
We do not sell your personal data. We share data only:
- With sub-processors necessary to deliver the Service (see Section 6)
- Where required by law, court order, or regulatory authority
- To protect the rights, property, or safety of Lawfair, our users, or the public
6. Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| AWS | Cloud infrastructure (compute, database, storage, task queue) | UK (eu-west-2) |
| Auth0 | Authentication and identity management | EU |
| Anthropic | AI analysis engine (zero-retention API) | USA (SCCs applied) |
| OpenAI | Text embeddings for RAG retrieval (zero-retention API) | USA (SCCs applied) |
| Google Analytics | Traffic analysis (consent-gated) | USA (SCCs applied) |
Anthropic and OpenAI zero-retention: We use these APIs with zero-retention / no-training configurations. Your case data is processed to generate a response and is not stored or used by these providers for model training.
7. International Data Transfers
Some sub-processors are based outside the UK/EEA (notably Anthropic and OpenAI in the USA). Where data is transferred internationally, we rely on:
- Standard Contractual Clauses (SCCs) approved by the ICO
- Sub-processor commitments to equivalent data protection standards
8. Data Security
We implement appropriate technical and organisational measures to protect your data:
- Encryption in transit (TLS) and at rest (AES-256)
- Private network architecture — API and database in private subnets, not publicly accessible
- AWS WAF protecting against OWASP Top 10 threats
- Auth0 with mandatory MFA for all accounts
- Role-based access controls
- Regular security assessments
- Incident response procedures
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Case analyses | Until account deletion + 30 days |
| Usage data | Up to 2 years |
| Technical logs | Up to 2 years |
| Cookie consent records | 3 years (GDPR accountability) |
Following account deletion, personal data is deleted within 30 days except where retention is required by law.
10. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — restrict how we process your data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
To exercise your rights, contact us at privacy@lawfair.uk. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk
11. Cookies
See our Cookie Policy for full details of cookies used and how to manage your preferences.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification. The "Last Updated" date at the top reflects the most recent revision.
13. Contact Us
Data controller: Lawfair
Email: privacy@lawfair.uk
For general enquiries: legal@lawfair.uk