Privacy Policy

LEGALFAB LTD Privacy Policy

Effective Date: 19 May 2026

1. Introduction and Data Controller Identity

1.1 This Privacy Policy explains how LEGALFAB LTD (company number 16983438) collects, uses, stores, shares, and protects your personal data when you visit our website, use our platform, or otherwise interact with us.

1.2 LEGALFAB LTD is the data controller responsible for your personal data. Our details are:

(a) Registered address: 128 City Road, London, EC1V 2NX, United Kingdom;

(b) Privacy contact: privacy@legalfab.com.

1.3 We have not appointed a Data Protection Officer. If you have any questions or concerns about how we handle your personal data, please contact us at privacy@legalfab.com.

1.4 We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the Data Protection Act 2018, and other applicable data protection laws including the California Consumer Privacy Act (CCPA).

1.5 Where we refer to "you" or "your" in this policy, we mean any individual whose personal data we process, including website visitors, registered platform users, and representatives of our business customers.

2. Information We Collect

2.1 We collect and process the following categories of personal data:

Account and Registration Data

2.2 When you create an account or register for our platform, we collect:

(a) your name, email address, and contact details;

(b) your job title, role, and the name of your organisation;

(c) billing and payment information (processed through our third-party payment provider);

(d) account credentials (passwords are stored in hashed form only).

Platform Usage Data

2.3 When you use our platform, we collect information about how you interact with it, including:

(a) features and tools you access;

(b) the frequency and duration of your sessions;

(c) workflow configurations and preferences;

(d) search queries and commands entered within the platform.

Document and Content Data

2.4 Our platform enables you to upload, create, and process documents. We collect and process:

(a) documents and files you upload to the platform;

(b) content generated through your use of AI-assisted features;

(c) metadata associated with your documents (such as file names, creation dates, and document types).

Conversational Data

2.5 Our platform allows you to interact through natural language dialogue. We collect:

(a) the text of your conversations and instructions provided to the platform;

(b) responses and outputs generated by the platform in response to your inputs;

(c) feedback you provide on platform outputs.

Technical and Device Data

2.6 When you visit our website or use our platform, we automatically collect:

(a) your IP address and approximate geographic location;

(b) browser type and version, operating system, and device information;

(c) referring website addresses and pages visited;

(d) server log data including timestamps, request URLs, and response codes.

Cookie Data

2.7 We use cookies and similar tracking technologies on our website. The types of data collected through cookies are described in Section 10 of this policy.

3. How We Use Your Information

3.1 We use your personal data for the following purposes:

To provide and operate our platform

3.2 We process your account data, platform usage data, document and content data, and conversational data to deliver the platform services you have requested, including AI-powered document analysis, natural language processing, and workflow automation. The lawful basis for this processing is the performance of our contract with you or your organisation.

To process your documents through AI

3.3 We transmit your document and content data and conversational data to third-party AI providers (as described in Section 4) in order to deliver the core functionality of our platform. The lawful basis for this processing is the performance of our contract with you.

To provide customer support

3.4 We use your account data, platform usage data, and conversational data to respond to your enquiries, troubleshoot issues, and provide technical assistance. The lawful basis is the performance of our contract with you.

To improve and develop our platform

3.5 We use aggregated and, where possible, anonymised platform usage data and technical data to analyse trends, improve our platform, and develop new features. Where we use personal data for this purpose, our lawful basis is our legitimate interest in improving our services. You have the right to object to this processing at any time.

To ensure security and prevent fraud

3.6 We use technical data and platform usage data to detect and prevent unauthorised access, security incidents, fraud, and abuse of our platform. The lawful basis is our legitimate interest in maintaining the security and integrity of our services.

To comply with legal obligations

3.7 We process personal data where necessary to comply with applicable laws, regulations, and legal processes, including responding to lawful requests from public authorities. The lawful basis is compliance with a legal obligation.

To send service communications

3.8 We use your account data to send essential service communications, including account confirmations, security alerts, maintenance notices, and changes to our terms or policies. The lawful basis is the performance of our contract with you.

To send marketing communications (with your consent)

3.9 Where you have given your consent, we may use your account data to send you information about new features, products, or services that may be of interest to you. You may withdraw your consent at any time by using the unsubscribe link in any marketing email or by contacting us at privacy@legalfab.com. The lawful basis is your consent.

4. Artificial Intelligence and Automated Processing

4.1 Our platform uses artificial intelligence as a core component of its functionality. This section explains how AI processes your data, which third-party AI providers we use, and your rights in relation to automated decision-making.

Third-Party AI Providers

4.2 We use the following third-party AI providers to deliver the AI-powered features of our platform:

(a) OpenAI;

(b) Anthropic;

(c) Google.

4.3 When you use AI-powered features, your inputs (including document content and conversational data) are transmitted to one or more of these providers for processing. Each provider processes data in accordance with their own data processing agreements with us, which include appropriate safeguards for the protection of your personal data.

Your Data Is Not Used to Train AI Models

4.4 We want to be clear: your personal data, documents, and conversational inputs are NOT used to train, fine-tune, or otherwise improve the AI models operated by our third-party AI providers or by LEGALFAB LTD. Your data is processed solely to generate responses and outputs for your use within the platform.

How AI Processes Your Data

4.5 AI processes your data in the following ways:

(a) Document analysis: AI reads and analyses documents you upload to extract information, identify clauses, assess risk, and provide recommendations;

(b) Natural language processing: AI interprets your conversational instructions and generates responses, outputs, and structured data;

(c) Automated recommendations: AI provides suggestions, summaries, and recommendations based on the content you provide and the workflows you configure;

(d) Agentic workflows: AI executes multi-step tasks on your behalf, including document review, comparison, and drafting, where each step may involve transmitting data to an AI provider and receiving a response that informs the next step.

Automated Decision-Making (GDPR Article 22)

4.6 Our platform makes automated recommendations and produces outputs that may inform your decisions. In most cases, the AI-generated outputs serve as decision-support tools, and the final decision remains with you.

4.7 Where the platform produces outputs that could have legal or similarly significant effects on individuals, you have the following rights under Article 22 of the UK GDPR and EU GDPR:

(a) the right to obtain human intervention from LEGALFAB LTD;

(b) the right to express your point of view regarding any automated output;

(c) the right to contest any automated decision or recommendation.

4.8 To exercise any of these rights, please contact us at privacy@legalfab.com. We will review your request and, where appropriate, arrange for a qualified human reviewer to assess the relevant output.

4.9 We do not make decisions based solely on automated processing that produce legal effects or similarly significant effects on you without appropriate safeguards, including the opportunity for human review.

5. Legal Bases for Processing

5.1 The table below summarises the lawful bases we rely on for each category of processing activity under the UK GDPR and EU GDPR:

Processing Activity | Lawful Basis
Providing platform services and AI features | Performance of a contract (Article 6(1)(b))
Processing documents through third-party AI | Performance of a contract (Article 6(1)(b))
Customer support | Performance of a contract (Article 6(1)(b))
Platform improvement and analytics | Legitimate interests (Article 6(1)(f))
Security and fraud prevention | Legitimate interests (Article 6(1)(f))
Legal compliance | Legal obligation (Article 6(1)(c))
Service communications | Performance of a contract (Article 6(1)(b))
Marketing communications | Consent (Article 6(1)(a))
Cookies (non-essential) | Consent (Article 6(1)(a))

5.2 Where we rely on legitimate interests as a lawful basis, we have conducted a balancing assessment to ensure that your rights and freedoms do not override our legitimate interests. You may request a copy of our legitimate interest assessments by contacting us at privacy@legalfab.com.

6. Data Sharing and Third Parties

6.1 We do not sell your personal data. We share your personal data only in the following circumstances and with the following categories of recipients:

AI Service Providers

6.2 As described in Section 4, we share your document and content data and conversational data with our third-party AI providers (OpenAI, Anthropic, and Google) to deliver AI-powered platform features. These providers act as data processors on our behalf and are contractually required to process your data only for the purposes we specify.

Cloud Hosting Providers

6.3 Our platform is hosted on public cloud infrastructure. Our cloud hosting providers store and process your data on our behalf as data processors, subject to appropriate data processing agreements and security measures.

Professional Advisors

6.4 We may share your personal data with our professional advisors, including lawyers, auditors, and accountants, where necessary for the management of our business and compliance with legal obligations.

Law Enforcement and Regulatory Authorities

6.5 We may disclose your personal data to law enforcement agencies, regulatory authorities, courts, or other public bodies where we are legally required to do so, or where disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers

6.6 In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to the processing of your data.

6.7 All third parties with whom we share personal data are required to implement appropriate technical and organisational measures to protect your data. Where they act as data processors, we enter into data processing agreements that comply with Article 28 of the UK GDPR.

7. International Data Transfers

7.1 LEGALFAB LTD is based in the United Kingdom. Your personal data may be transferred to and processed in countries outside the United Kingdom and the European Economic Area (EEA), including the United States, in connection with the services provided by our third-party AI providers and cloud hosting providers.

Transfers between the UK and the EEA

7.2 The European Commission has recognised the United Kingdom as providing an adequate level of data protection. Transfers of personal data between the UK and EEA member states are therefore permitted without the need for additional safeguards.

Transfers to the United States and Other Third Countries

7.3 Where we transfer personal data to countries that have not been recognised as providing an adequate level of protection, we implement the following safeguards:

(a) the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the Information Commissioner's Office;

(b) the EU Standard Contractual Clauses (SCCs) adopted by the European Commission, for transfers subject to the EU GDPR;

(c) supplementary measures, including encryption and access controls, where necessary to ensure the transferred data receives a level of protection that is essentially equivalent to that guaranteed within the UK and the EEA.

7.4 You may request a copy of the relevant transfer mechanism by contacting us at privacy@legalfab.com.

EU Representative

7.5 We are currently assessing our obligations under Article 27 of the EU GDPR. Where required under that Article, we will appoint a representative in the European Union. Details of our EU representative will be published on this page of our website once appointed.

8. Data Retention

8.1 We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our standard retention periods are as follows:

Data Category | Retention Period
Account and registration data | Duration of your account plus 6 years
Billing and payment data | 6 years from the date of the relevant transaction (to comply with tax and accounting obligations)
Platform usage data | Duration of your account plus 2 years
Document and content data | Duration of your subscription plus 90 days (to allow you to retrieve your data after account closure)
Conversational data | Duration of your subscription plus 90 days
Enquiry and correspondence data | 2 years from the date of your last communication
Server logs and technical data | 90 days
Cookie data | As specified in our cookie settings (see Section 10)

8.2 At the end of the applicable retention period, we will securely delete or anonymise your personal data. Where deletion is not technically feasible (for example, data stored in backup archives), we will isolate the data and apply appropriate protections until deletion is possible.

8.3 You may request the deletion of your personal data at any time, subject to the exceptions set out in Section 9.

9. Your Rights

9.1 Depending on your location and the applicable data protection laws, you have the following rights in relation to your personal data.

Rights Under the UK GDPR and EU GDPR

9.2 If you are located in the United Kingdom or the European Economic Area, you have the following rights:

(a) Right of access: You may request a copy of the personal data we hold about you (a "subject access request");

(b) Right to rectification: You may request that we correct any inaccurate or incomplete personal data;

(c) Right to erasure: You may request that we delete your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where we have no other lawful basis for processing it;

(d) Right to restriction of processing: You may request that we restrict the processing of your personal data in certain circumstances, including where you contest its accuracy or object to its processing;

(e) Right to data portability: You may request that we provide your personal data in a structured, commonly used, and machine-readable format, and that we transmit it to another controller where technically feasible;

(f) Right to object: You may object to the processing of your personal data where we rely on legitimate interests as the lawful basis, including processing for direct marketing purposes;

(g) Rights related to automated decision-making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you, and the right to obtain human intervention, express your point of view, and contest such decisions, as described in Section 4.

9.3 To exercise any of these rights, please contact us at privacy@legalfab.com. We will respond to your request within one month. This period may be extended by up to two further months where the request is complex or we receive a number of requests. We will inform you of any such extension within one month of receiving your request.

9.4 We will not charge a fee for responding to your request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

Rights Under the California Consumer Privacy Act (CCPA)

9.5 If you are a California resident, you have the following additional rights under the CCPA:

(a) Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom we share it;

(b) Right to delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions;

(c) Right to opt-out of the sale of personal information: LEGALFAB LTD does not sell your personal information. Accordingly, there is no need to opt out, but we include this disclosure for transparency;

(d) Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

9.6 To submit a CCPA request, please contact us at privacy@legalfab.com. We will verify your identity before processing your request and will respond within 45 days as required by the CCPA.

10. Cookies and Tracking Technologies

10.1 Our website uses cookies and similar tracking technologies to enhance your experience, analyse website performance, and support our services.

Types of Cookies We Use

10.2 We use the following categories of cookies:

(a) Essential cookies: These are necessary for the website and platform to function and cannot be switched off. They include cookies for authentication, security, and session management;

(b) Functional cookies: These enable enhanced functionality and personalisation, such as remembering your preferences and settings. If you disable these cookies, some features may not function as intended;

(c) Analytics cookies: These help us understand how visitors use our website by collecting information about pages visited, time spent on the site, and any errors encountered. We use this data to improve our website and platform.

Cookie Consent

10.3 When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies. You may change your cookie preferences at any time through the cookie settings link on our website.

10.4 Essential cookies are placed without consent as they are strictly necessary for the operation of our website. Non-essential cookies (functional and analytics) are only placed after you have given your consent.

Managing Cookies

10.5 In addition to our cookie consent mechanism, you can control and delete cookies through your browser settings. Please note that disabling cookies may affect the functionality of our website and platform. For more information on managing cookies, visit www.allaboutcookies.org.

11. Data Security

11.1 We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction.

11.2 Our security measures include:

(a) Encryption: Data is encrypted in transit using TLS (Transport Layer Security) and at rest using industry-standard encryption protocols;

(b) Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, with role-based access controls and multi-factor authentication;

(c) Regular security assessments: We conduct regular vulnerability assessments and penetration testing of our platform and infrastructure;

(d) Incident response: We maintain an incident response plan to detect, investigate, and respond to data security incidents promptly. In the event of a personal data breach, we will notify the relevant supervisory authority and affected individuals in accordance with applicable law;

(e) Third-party security: We require all third-party service providers to implement appropriate security measures and conduct due diligence before engaging any new provider;

(f) Employee training: Our staff receive regular training on data protection and information security practices.

11.3 While we take all reasonable steps to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data, but we are committed to maintaining the highest practicable standards of security.

12. Children's Privacy

12.1 Our platform is designed for professional use by law firms and legal professionals. It is not directed at individuals under the age of 16, and we do not knowingly collect personal data from children under 16.

12.2 If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data as soon as reasonably practicable. If you believe we may have collected data from a child under 16, please contact us at privacy@legalfab.com.

13. Legal Professional Privilege

13.1 We recognise that our users are primarily law firms and legal professionals who may process client data that is subject to legal professional privilege (also known as legal advice privilege or litigation privilege).

13.2 LEGALFAB LTD acts as a data processor when processing documents and data uploaded by law firm users on behalf of their clients. We do not access, review, or make use of the content of privileged communications for any purpose other than providing the platform services you have requested.

13.3 Our platform processes documents through automated means (including AI) to deliver the functionality you have requested. This processing is conducted under your instruction as the data controller, and we do not exercise independent judgement over the content of privileged materials.

13.4 We implement the following safeguards with respect to privileged data:

(a) access to your document and content data is strictly limited and controlled;

(b) our staff do not access the content of your documents unless specifically authorised by you for support purposes;

(c) we maintain strict confidentiality obligations for all personnel who may have access to the platform infrastructure;

(d) as stated in Section 4.4, your data is not used to train AI models, which means privileged content is not incorporated into any model or dataset accessible to other users.

13.5 Nothing in this Privacy Policy is intended to waive, limit, or prejudice any legal professional privilege. We recommend that law firm users conduct their own assessment of the implications of using cloud-based and AI-powered services for the processing of privileged data and obtain appropriate client consents where necessary.

14. Changes to This Policy

14.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

14.2 Where we make material changes to this policy, we will notify you by:

(a) posting the updated policy on our website with a revised effective date;

(b) sending a notification to the email address associated with your account (for registered users);

(c) displaying a prominent notice on our platform.

14.3 We encourage you to review this Privacy Policy periodically. Your continued use of our website or platform after the posting of changes constitutes your acknowledgement of those changes.

15. Contact Us

15.1 If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

(a) Email: privacy@legalfab.com;

(b) Post: LEGALFAB LTD, 128 City Road, London, EC1V 2NX, United Kingdom.

Supervisory Authorities

15.2 You have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your personal data infringes applicable data protection law.

15.3 In the United Kingdom, the relevant supervisory authority is the Information Commissioner's Office (ICO):

(a) Website: www.ico.org.uk;

(b) Telephone: 0303 123 1113;

(c) Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

15.4 If you are located in the European Economic Area, you may contact your local data protection supervisory authority. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

15.5 We would appreciate the opportunity to address your concerns before you approach a supervisory authority, and we invite you to contact us in the first instance.

16. Effective Date

16.1 This Privacy Policy is effective as of 19 May 2026.

16.2 This policy was last reviewed on 19 May 2026.