Privacy
Policy.

1. Introduction

EmployLawAI Ltd ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and application (collectively, the "Service").

2. Information We Collect

2.1 Personal Information You Provide

• Account Information: Name, email address, password (hashed)
• Google Sign-In Data: If you sign in with Google, we receive your name, email address, and profile picture from your Google account (see Section 15 for details)
• Billing Information: Handled by Paddle (our payment processor). We do NOT store credit card details
• Case Data: Documents, emails, statements, notes you upload to organize your employment dispute

2.2 Automatically Collected Information

• Technical Data: IP address, browser type, device information, operating system
• Usage Data: Features accessed, AI queries made, time spent in application
• Cookies: Essential cookies for authentication and session management

2.3 Sensitive Personal Data

Employment dispute evidence may contain special category data under UK GDPR, including information about:

• Protected characteristics (race, gender, disability, religion, sexual orientation)
• Health information (if related to your case)
• Trade union membership

We process this data only to the extent necessary to provide our Service and with your explicit consent when you upload documents.

3. How We Use Your Information

3.1 Legal Basis for Processing

• Contract Performance: To provide the Service you've subscribed to
• Legitimate Interest: To improve our Service, prevent fraud, ensure security
• Consent: For AI processing of your case data, marketing communications (opt-in only)
• Legal Obligation: To comply with UK laws and respond to valid legal requests

3.2 Specific Uses

• Process your documents using AI (Anthropic Claude) to extract statements and detect patterns
• Generate timeline visualizations and case briefs
• Enable collaboration features (if you upgrade to Collaboration tier)
• Process payments via Paddle
• Send service-related emails (account updates, security alerts)
• Improve our Service through anonymized analytics

4. How We Share Your Information

4.1 Third-Party Service Providers

Data Processing Agreements (DPAs): We have DPAs in place with all third-party processors to ensure GDPR compliance.

4.2 We Do NOT Sell Your Data

We will never sell, rent, or trade your personal information to third parties for their marketing purposes.

4.3 AI Training Exclusion

Your case data is NEVER used to train AI models. Our agreement with Anthropic explicitly excludes your data from model training.

5. Data Storage and Security

5.1 Where We Store Your Data

All your data is stored exclusively in the United Kingdom. We have deliberately chosen UK-based infrastructure to ensure your employment dispute evidence remains under UK jurisdiction and UK GDPR protection.

Marketing Website Only: The marketing site (employlaw.ai) is hosted on Cloudflare Pages as a static website. It stores no user data whatsoever — no cookies, no analytics, no tracking. Waitlist email submissions are sent directly to our UK infrastructure.

5.2 Security Measures

• Encryption at Rest: AES-256 encryption for all stored data
• Encryption in Transit: TLS 1.3 for all data transmission (SSL certificates auto-renewed via Let's Encrypt)
• Access Controls: Role-based access control (RBAC), JWT authentication
• Multi-Tenancy Isolation: Your case data is isolated from other users at the database level
• Container Security: Non-root containers with security policies
• Network Security: Kubernetes network policies, Traefik ingress with DDoS protection
• Password Security: Hashed with bcrypt, support for 2FA/TOTP via FusionAuth
• Infrastructure as Code: All infrastructure managed via Pulumi with encrypted secrets

6. Your Data Rights (UK GDPR)

You have the right to:

• Access: Request a copy of all personal data we hold about you (Settings → Export Data)
• Rectification: Correct inaccurate or incomplete data (Edit directly in the app)
• Erasure ("Right to be Forgotten"): Request deletion of your account and all associated data (Settings → Delete Account)
• Data Portability: Download your data in JSON format for transfer to another service
• Restrict Processing: Limit how we use your data (contact us)
• Object to Processing: Opt-out of marketing emails (unsubscribe link)
• Withdraw Consent: Revoke consent for AI processing (note: this may limit Service functionality)

To Exercise Your Rights:

• Use in-app tools (Settings page)
• Email us at: privacy@employlaw.ai
• Response time: Within 30 days

7. Data Retention

• Active Accounts: Data retained while your account is active
• Canceled Accounts: Data retained for 90 days after cancellation, then permanently deleted
• Backups: Retained for 30 days, then automatically deleted
• Legal Requirements: We may retain certain data longer if required by law (e.g., financial records for tax purposes)

8. Cookies and Tracking

8.1 Essential Cookies (Required)

• Authentication session cookies
• Security tokens (CSRF protection)
• User preferences (e.g., language, timezone)

8.2 Analytics Cookies (Optional)

We use privacy-friendly analytics (Cloudflare Web Analytics) that does NOT track individual users across websites. You can opt-out in your browser settings.

8.3 No Third-Party Marketing Cookies

We do NOT use cookies from Facebook, Google Ads, or other advertising platforms.

9. International Data Transfers

While our primary infrastructure is UK-based, some third-party services (e.g., Anthropic) may process data in the EU or US. In such cases:

• We use EU Standard Contractual Clauses (SCCs)
• We configure EU/UK data residency options where available
• All processors are GDPR-compliant

10. Children's Privacy

Our Service is not intended for individuals under 18. We do not knowingly collect data from children. If you are under 18, please do not use our Service. If we become aware of data collected from a child, we will delete it immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes will be notified via email.

12. Your Right to Complain

If you believe we have not handled your data properly, you have the right to lodge a complaint with the UK supervisory authority:

13. Waitlist and Early Access

If you join our waitlist or early access program, we collect and process your data as follows:

13.1 Data Collected

• Email Address: Required to notify you of launch updates
• Name (optional): If provided during signup
• Referral Source: How you found us (for marketing analytics)

13.2 How We Use Waitlist Data

• Send launch announcements and early access invitations
• Share occasional product updates (no more than 2x per month)
• Offer early-bird pricing or exclusive features

13.3 Waitlist Data Retention

• Waitlist data retained until you convert to a user or unsubscribe
• Unsubscribe anytime via link in emails
• Inactive waitlist entries purged after 24 months

14. Google Sign-In and OAuth

EmployLaw.ai offers "Sign in with Google" as a convenient authentication option. This section describes how we handle data received from Google.

14.1 Data We Receive from Google

When you choose to sign in with Google, we request access to the following information from your Google account:

• Email Address: To create and identify your account
• Name: To personalize your experience
• Profile Picture: To display in the application (optional)

We only request the minimum scopes necessary for authentication. We do NOT request access to your Google Drive, Gmail, Calendar, or any other Google services.

14.2 How We Use Google Data

Data received from Google Sign-In is used solely for the following purposes:

• Account Creation: To create your EmployLaw.ai account
• Authentication: To verify your identity when you sign in
• Account Display: To show your name and profile picture in the app
• Communication: To send service-related emails to your verified email address

14.3 Google Data Storage and Retention

• Your Google email and name are stored in our UK-based database (Civo Cloud, London)
• Profile pictures are cached locally but may be refreshed from Google
• We retain this data for as long as your account is active
• Upon account deletion, all Google-derived data is permanently removed within 90 days

14.4 Google Data Sharing

We do NOT share, sell, or transfer your Google user data to any third parties, except:

• As required by law (e.g., valid court order)
• To prevent fraud or security threats

14.5 Revoking Google Access

You can revoke EmployLaw.ai's access to your Google account at any time:

• Visit Google Account Permissions
• Find "EmployLaw.ai" in the list of connected apps
• Click "Remove Access"

Note: Revoking access does not delete your EmployLaw.ai account. To delete your account and all associated data, use Settings → Delete Account in the app.

14.6 Google API Services User Data Policy

EmployLaw.ai's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

15. Contact Us

If you have questions about this Privacy Policy or our data practices: