LawPal logo

Privacy Policy

Effective Date: 1 September 2025

Last Updated: 6 January 2026

This policy explains what personal data LawPal collects, how it is used, and how it is protected for UK users. It is written to support internal governance, vendor due diligence, and UK GDPR transparency requirements.

This Privacy Policy explains how LawPal collects, uses, discloses, and protects personal data when you use our websites, applications, products, and services. It also explains your rights under UK GDPR and the Data Protection Act 2018, as well as related European privacy laws where applicable. LawPal is committed to safeguarding personal data with care, transparency, and accountability.

For security controls, see the Security overview. For data processing terms, see the DPA. For contractual terms of use, see the Terms.

1. Who we are

Identifies when LawPal acts as controller versus processor, depending on the activity. This distinction helps customers document responsibilities for contract review workflows.

LawPal acts as the controller for personal data that we collect and determine the purposes and means of processing. For certain activities where we process data on your instruction, for example where you upload documents for analysis, we act as a processor. If you have questions about how we handle your information, use contact us.

2. Scope

This Privacy Policy applies to visitors, registered users, enterprise clients, and prospective customers who engage with LawPal online or offline. It covers all personal data processed through our Services including our website, applications, customer support, sales interactions, marketing programs, and beta features. It does not apply to third party services that have their own privacy notices.

3. Key definitions

  • Personal data means any information that relates to an identified or identifiable person.
  • Processing means any operation performed on personal data such as collection, storage, use, disclosure, or deletion.
  • Controller means the entity that determines the purposes and means of processing personal data.
  • Processor means the entity that processes personal data on behalf of a controller.
  • Special category data means sensitive categories such as health, biometric templates, and information about beliefs or union membership.
  • Services means LawPal websites, applications, features, and related offerings.

4. Categories of personal data we collect

Summarises what data is collected from accounts, support, and usage, including content you upload for analysis. Being explicit about categories supports trust and compliance.

We collect personal data that you provide directly, that we receive automatically through your use of the Services, and that we obtain from third parties.

4.1 Data you provide to us

  • Account data such as name, email address, password, and organisation.
  • Profile data such as job title, department, location, and preferences.
  • Content data contained in documents you upload for analysis. Do not upload files that contain personal data unless you have a lawful basis and permission to do so.
  • Support data such as messages, feedback, and troubleshooting information.
  • Marketing data such as communication preferences and event registrations.

4.2 Data we collect automatically

  • Device and usage data including browser type, device identifiers, operating system, app version, pages viewed, time spent, referral source, and interactions with features.
  • Log data including IP address, timestamps, error reports, performance metrics, and diagnostic event information.
  • Cookies and similar technologies as described in the cookies section of this Privacy Policy.

4.3 Data we receive from third parties

  • Business contact data from service providers and public sources.
  • Analytics and attribution data that helps us understand product usage and measure campaigns.
  • Payment status data from our payment processors. LawPal does not store full payment card numbers.

5. Special category data and children

LawPal does not seek to collect special category data. You should not upload documents that contain this information unless it is strictly necessary and lawful. We do not knowingly collect personal data from anyone under the age of 18. If you believe that a child has provided personal data to us, use contact us so that we can take appropriate action.

6. Purposes and lawful bases

Explains why LawPal processes personal data and the lawful bases used under UK GDPR. This section supports procurement reviews and internal privacy assessments.

We will only process personal data where we have a lawful basis under UK GDPR. The primary lawful bases we use are contract, legitimate interests, consent, and compliance with legal obligations.

  • To provide and operate the Services. Basis: contract and legitimate interests in delivering core functionality and ensuring service continuity.
  • To create and manage accounts, authenticate users, and secure access. Basis: contract and legitimate interests in preventing fraud and abuse.
  • To process documents that you upload and to generate outputs. Basis: contract where we provide the Services and processor obligations where we act on your instruction.
  • To provide support, respond to requests, and resolve issues. Basis: contract and legitimate interests in service quality.
  • To improve the Services, develop new features, and conduct analytics. Basis: legitimate interests in product development and performance.
  • To send service communications such as updates and security notices. Basis: legitimate interests and legal obligation where applicable.
  • To send marketing communications where permitted. Basis: consent or soft opt in under applicable eprivacy rules with the ability to opt out at any time.
  • To protect the rights, property, and safety of LawPal, users, and the public. Basis: legitimate interests and legal obligations.
  • To comply with law, enforce our terms, and manage claims. Basis: legal obligation and legitimate interests in establishing and defending legal rights.

7. Automated processing and profiling

LawPal uses automated systems to analyse documents and to provide suggested summaries and risk indicators. These features assist human users and do not make final decisions about individuals. We do not carry out automated decision making that produces legal effects concerning a person or significantly affects a person without appropriate human involvement.

8. Cookies and similar technologies

Describes how cookies and similar tools are used for essential functionality and analytics. Cookie controls help users manage optional tracking.

We use cookies, local storage, and similar technologies to provide, secure, and improve the Services. You can control certain cookies through your browser settings and by using our cookie controls where available.

8.1 Categories of cookies

  • Strictly necessary cookies for login, navigation, and core functions. These are required for the Services to operate.
  • Functional cookies that remember preferences and enhance features.
  • Performance and analytics cookies that measure usage and help us improve quality and reliability.
  • Advertising cookies for measuring the reach and performance of our campaigns where used. We do not sell personal data.

8.2 Cookie choices

You can accept, reject, or manage cookies at any time using the cookie banner or settings where provided. If you disable some cookies, certain features may not function as intended.

9. How we share information

Explains when LawPal shares personal data with service providers, advisers, or authorities. Sub-processor transparency supports vendor due diligence.

We share personal data with others only as described in this Privacy Policy or with your consent.

  • Service providers who perform functions on our behalf such as hosting, storage, analytics, communications, customer support, and payment processing. These providers only process personal data under our instructions and subject to appropriate safeguards.
  • Professional advisers such as lawyers and accountants for compliance and audit purposes.
  • Authorities, regulators, and law enforcement where required by law or to protect rights, property, and safety.
  • Business transferees in connection with a merger, acquisition, or reorganisation. We will continue to protect personal data consistent with this Privacy Policy.

Subprocessor information is available via Support. Enterprise customers may request change notifications.

10. International data transfers

Explains when transfers outside the UK or EEA may occur and the safeguards used. Customers can request details for their compliance records.

LawPal may transfer personal data to countries outside the UK and the European Economic Area. Where we do so, we implement appropriate safeguards such as adequacy regulations, standard contractual clauses, and technical measures that include encryption in transit and at rest. Details are available upon request through contact us.

11. Security

Summarises administrative, technical, and organisational measures used to protect personal data. For a control overview used in procurement, see the Security overview.

We maintain administrative, technical, and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. Measures include access controls, encryption, network protection, logging, and employee training. No system can be guaranteed to be fully secure. We encourage you to use strong passwords and to enable multi factor authentication where available.

12. Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, to comply with legal obligations, to resolve disputes, and to enforce agreements. Where retention periods differ by data type we apply a schedule as follows.

  • Account and profile data kept for the life of the account and then for up to two years for record keeping, security, and legal purposes.
  • Content that you upload kept for the period you select or until you delete it, with limited additional retention in backups for up to ninety days.
  • Support correspondence kept for up to six years to evidence service quality and to manage legal claims.
  • Marketing preference records kept until you opt out plus a short period to ensure preferences are respected.
  • Technical logs and analytics records kept for up to two years unless a longer period is required for security and fraud prevention.

13. Your rights

Lists key UK GDPR rights and how to exercise them through LawPal. Identity verification and statutory timeframes apply to protect data and prevent abuse.

Subject to conditions and exemptions under UK GDPR, you have the following rights.

  • Right of access to obtain a copy of your personal data and information about how it is processed.
  • Right to rectification to correct inaccurate or incomplete personal data.
  • Right to erasure in certain circumstances where there is no longer a lawful basis for processing.
  • Right to restriction of processing in specific cases.
  • Right to data portability to receive your personal data in a structured commonly used format and to transmit it to another controller.
  • Right to object to processing based on legitimate interests and to object to direct marketing at any time.
  • Right to withdraw consent where processing is based on consent.

To exercise your rights, use contact us. We may need to verify your identity and your relationship with LawPal before acting on your request. We respond within one month unless the request is complex or numerous. We do not charge a fee unless requests are manifestly unfounded or excessive.

14. Choices and controls

  • Account settings allow you to update profile information and certain privacy preferences.
  • Cookie controls allow you to manage preferences for optional cookies.
  • Email settings allow you to opt out of marketing communications at any time. Service communications will still be sent where necessary.

15. Acting as a processor for enterprise customers

Where LawPal processes personal data as a processor, we act on the documented instructions of the controller and implement security and confidentiality measures. Our Data Processing Addendum is available for enterprise customers and includes standard contractual clauses where relevant. You can request a copy through contact us.

16. Data protection impact assessments and records

LawPal maintains records of processing activities and conducts data protection impact assessments where required for high risk processing. We review risk periodically and in response to significant changes in our Services or processing.

17. Third party sites and services

Our Services may contain links to third party sites and services that we do not control. Their privacy practices are governed by their own notices. We encourage you to review their policies before providing personal data.

18. Changes to this Privacy Policy

We review and update this Privacy Policy to reflect changes in our practices, technologies, and legal requirements. For material updates we will provide a clear notice within the Services or by email. The Effective Date at the top shows when this Privacy Policy last changed.

19. Complaints and contact

Explains how to raise concerns with LawPal and how to escalate to the UK regulator if needed. Clear contact routes reduce friction for rights requests and complaints.

If you have questions or concerns about this Privacy Policy or our handling of personal data, use contact us. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) or with your local supervisory authority if you live in the European Economic Area.

20. Additional information for specific regions

20.1 United Kingdom

Processing of personal data is subject to UK GDPR and the Data Protection Act 2018. If there is any conflict between this Privacy Policy and mandatory UK law, the law will prevail to the extent of the conflict.

20.2 European Economic Area and Switzerland

Where LawPal offers Services in the European Economic Area or Switzerland, processing will align with local requirements. Transfers outside these regions include appropriate safeguards as described in the International data transfers section.

20.3 California

For interactions that fall under California privacy rules, we provide additional disclosures on request. We do not sell personal data and we do not share personal data for cross context behavioural advertising as those terms are defined in California privacy law.

21. How to reach us

You can reach LawPal for privacy queries, rights requests, or questions about this Privacy Policy through contact us. If you are an enterprise customer, you may also reach your account team for support with data processing terms.

Privacy FAQ

High intent answers about residency, retention, rights requests, and regulator escalation. These are for guidance and do not override the full policy text.

How does LawPal handle UK GDPR data residency?

LawPal is designed for UK-first workflows. Processing locations and any UK-only residency controls depend on your plan and configuration, so confirm residency requirements with Support before upload.

How long does LawPal retain personal data and uploaded content?

Retention depends on data type and purpose. Account data is kept for the life of the account and then for a limited period for security and legal purposes, while uploaded content can be deleted by you and may persist in backups for a short period.

How do I make a data subject rights request?

Submit your request via Support or email privacy@lawpal.co.uk. We may need to verify identity and respond within statutory timelines, subject to UK GDPR exemptions.

How do I complain to the UK regulator?

If you have concerns, you can contact LawPal first. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

This Privacy Policy is intended to provide clear and comprehensive information about how LawPal processes personal data. If you need it in an alternative format, please use contact us.