Privacy Policy
Last updated: 22 March 2026
Your privacy is important to us. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use LISA, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
1. Data Controller
1.1 Controller: Lisa Legal AI, London, United Kingdom. Contact: [email protected].
1.2 Data Protection Officer (DPO): The organisation does not currently meet the threshold requiring the appointment of a DPO under Article 37(1) UK GDPR (i.e., the organisation does not carry out large-scale systematic monitoring of individuals or process special category data on a large scale). Data protection enquiries should be directed to the contact above.
1.3 Contact for data protection enquiries: [email protected].
1.4 ICO registration number: [pending registration]. Data controllers must be registered with the Information Commissioner’s Office under the DPA 2018, s.29, unless exempt.
2. Personal Data We Collect
2.1 Account data (Article 6(1)(b) UK GDPR — contractual necessity): Full name, email address, password (hashed and salted).
2.2 Technical data (Article 6(1)(f) UK GDPR — legitimate interests): IP address, browser type and version, operating system, referrer URL, date and time of access, pages visited, device information.
2.3 Content data: Search queries, chat transcripts, uploaded documents, generated documents.
2.4 Payment data (if applicable): Not stored directly. Payments are processed by PCI DSS-compliant third-party payment processors (e.g., Stripe). We store only a transaction reference.
2.5 Special category data (Article 9 UK GDPR): We do not intentionally collect special category data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sex life or sexual orientation). Users are advised not to include such data in their queries.
2.6 Criminal offence data (Article 10 UK GDPR, DPA 2018, s.10 and Schedule 1): We do not intentionally process criminal offence data. Users who input such information do so at their own risk.
3. Lawful Bases for Processing
3.1 Consent (Article 6(1)(a) UK GDPR): Where you have given clear, affirmative consent (e.g., marketing emails, non-essential cookies). You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal (Article 7(3)).
3.2 Contractual necessity (Article 6(1)(b)): Processing necessary to perform our contract with you (providing the service, managing your account).
3.3 Legal obligation (Article 6(1)(c)): Processing necessary to comply with UK legal obligations (e.g., tax record-keeping under the Taxes Management Act 1970, Companies Act 2006).
3.4 Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include: security and fraud prevention, service improvement and analytics, and enforcing our Terms of Service. We have conducted a Legitimate Interests Assessment (LIA) for each such processing activity.
The lawful basis is stated for each processing activity.
4. Purposes of Processing
4.1 Providing and operating the platform.
4.2 Responding to user queries using AI.
4.3 Improving the service and AI models (using anonymised or pseudonymised data only).
4.4 Security, fraud prevention, and abuse detection.
4.5 Compliance with legal obligations (e.g., HMRC record-keeping requirements: 6 years under the Taxes Management Act 1970; Companies Act 2006 record-keeping).
4.6 Communicating with users (service emails, security notifications — not direct marketing unless separately consented to under the Privacy and Electronic Communications Regulations 2003 (PECR), Regulation 22).
5. Cookies and Tracking Technologies
5.1 Strictly necessary cookies: Session cookies, authentication cookies. No consent required (PECR, Regulation 6(4)(b) — necessary for the provision of a service requested by the user).
5.2 Analytics cookies: Only with your explicit, informed, freely given, specific, and unambiguous consent (PECR, Regulation 6(1); UK GDPR, Article 6(1)(a)). We do not use pre-ticked boxes or implied consent.
5.3 Cookie consent mechanism: Consent is obtained via a clear, prominent cookie banner. You may change your preferences at any time.
5.4 Cookie schedule: A complete list of cookies used is available upon request, including: name, provider, purpose, duration, and type (session/persistent).
5.5 LISA does not use advertising or behavioural tracking cookies.
5.6 Do Not Track (DNT): We honour browser DNT signals where technically feasible.
6. Your Rights Under UK GDPR (Articles 15–22)
6.1 Right of access (Article 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy free of charge within one month.
6.2 Right to rectification (Article 16): You have the right to have inaccurate personal data corrected without undue delay.
6.3 Right to erasure / “right to be forgotten” (Article 17): You have the right to request deletion of your personal data where: it is no longer necessary for the purpose for which it was collected; you withdraw consent; you object and there are no overriding legitimate grounds; the data has been unlawfully processed.
Exceptions: legal obligations, establishment, exercise, or defence of legal claims.
6.4 Right to restriction of processing (Article 18): You may request restriction where: accuracy is contested; processing is unlawful but you oppose erasure; we no longer need the data but you require it for legal claims; you have objected under Article 21 pending verification of legitimate grounds.
6.5 Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) where processing is based on consent or contract and carried out by automated means.
6.6 Right to object (Article 21): You may object to processing based on legitimate interests (Article 6(1)(f)). We must cease processing unless we demonstrate compelling legitimate grounds that override your interests. For direct marketing: you have an absolute right to object at any time.
6.7 Rights related to automated decision-making and profiling (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. LISA does not currently make such decisions.
6.8 Right to withdraw consent (Article 7(3)): Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6.9 Right to lodge a complaint with the ICO: If you believe your data protection rights have been infringed, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Online: https://ico.org.uk/make-a-complaint/
- Telephone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
The ICO is the UK’s independent supervisory authority for data protection under the DPA 2018.
6.10 For Scotland: You may also contact the Scottish Information Commissioner for matters relating to freedom of information, though data protection complaints should go to the ICO.
6.11 How to exercise your rights: Contact us at [email protected] or by post. We may ask for proof of identity. We will respond within one month (extendable by two further months for complex requests, with notification — Article 12(3)).
7. Disclosure of Data to Third Parties
7.1 Data processors (Article 28 UK GDPR): Hosting providers, AI service providers (e.g., Abacus.AI for LLM processing), payment processors. Data processing agreements (DPAs) compliant with Article 28 are in place with all processors.
7.2 We do not sell, rent, or trade your personal data to third parties.
7.3 We do not share personal data for direct marketing purposes of third parties.
7.4 Disclosure to law enforcement or regulatory bodies: Only where required by law or lawful request (e.g., court order, regulatory requirement from the ICO, FCA, or other competent authority).
8. International Data Transfers
8.1 Your data may be transferred to countries outside the United Kingdom (e.g., the United States for AI processing).
8.2 Post-Brexit framework: The UK has its own adequacy regime under UK GDPR, Article 45. Data may be transferred to countries with UK adequacy regulations (currently the EEA/EU, and other countries recognised as adequate by the Secretary of State under the Data Protection (Adequacy) (United States of America) Regulations 2023 — the UK Extension to the EU-US Data Privacy Framework).
8.3 Where no adequacy decision applies: We use the International Data Transfer Agreement (IDTA) or the EU SCCs with the UK Addendum (as approved by the ICO under section 119A DPA 2018, laid before Parliament on 2 February 2022).
8.4 We conduct Transfer Risk Assessments (TRAs) for all international transfers to assess the laws and practices of the destination country, in line with ICO guidance.
8.5 Additional safeguards: Encryption in transit and at rest, pseudonymisation, and contractual commitments by the data importer.
9. Data Security
9.1 Technical measures: TLS/SSL encryption, password hashing (bcrypt), encrypted databases, regular vulnerability assessments.
9.2 Organisational measures: Access controls on a need-to-know basis, staff training, information security policies, incident response procedures.
9.3 Measures taken in accordance with Article 32 UK GDPR, having regard to the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to data subjects.
10. Data Retention
10.1 Account data: Retained until account deletion, plus any legally required retention period.
10.2 Chat transcripts: 90 days after last interaction (automatic deletion), unless legal retention obligations apply.
10.3 Log data: 30 days (for security analysis).
10.4 Financial records: 6 years (Taxes Management Act 1970, s.34; Limitation Act 1980, s.5 for contractual claims).
10.5 After expiry of the retention period: Secure deletion or full anonymisation (rendering the data no longer personal data within the meaning of UK GDPR, Recital 26).
11. Children’s Data
11.1 LISA is not directed at children under the age of 13. We adopt 13 because the UK GDPR permits the age of digital consent to be set between 13 and 16, and the UK has set it at 13 (DPA 2018, s.9).
11.2 For children aged 13 to 17: Parental or guardian consent is recommended but not required under UK law for information society services.
11.3 If we discover that we have collected personal data from a child under 13 without appropriate consent, we will delete it promptly.
11.4 We have regard to the ICO’s Age Appropriate Design Code (Children’s Code) in the design and operation of our service.
12. Personal Data Breaches
12.1 In the event of a personal data breach, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33 UK GDPR).
12.2 Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (Article 34 UK GDPR), providing: the nature of the breach, contact details of the DPO or other contact point, likely consequences, and measures taken or proposed.
12.3 We maintain a breach register documenting all breaches, their effects, and remedial action taken (Article 33(5)).
13. Changes to This Privacy Policy
13.1 We may update this Privacy Policy from time to time (e.g., to reflect changes in law or our processing activities).
13.2 Material changes will be notified by email or by prominent notice on the platform.
13.3 The date of last update is always shown at the top of this page.
13.4 We encourage you to review this Privacy Policy periodically.
14. Contact
14.1 Data protection enquiries: [email protected]
14.2 General enquiries: [email protected]
14.3 Postal address: Lisa Legal AI, London, United Kingdom
14.4 ICO: https://ico.org.uk/ — 0303 123 1113