LawMateLawMate
PRIVACY POLICY

Privacy Policy

Last updated: June 1, 2026

This Privacy Policy covers LawMate's data practices across all regions including the EU, UK, United States (all applicable states), Canada, Australia, Brazil, Singapore, India, and the UAE.

1. Introduction and Scope

This Privacy Policy describes how LawMate collects, uses, protects, and discloses personal information in connection with our web, desktop, and mobile applications and the website lawmate.site. This Policy applies to all users worldwide. Where regional laws impose additional obligations, we describe those obligations in the jurisdiction-specific sections below.

2. AI Data Governance and Zero Retention Commitment

LawMate AI features, including document drafting, matter summarization, and intelligent insights, operate under a Zero Data Retention model. Content you submit to any AI feature is never used to train any AI model, whether our own or that of any third-party provider. All AI processing is session-bound and discarded when the session ends. This commitment is contractually enforced with our AI providers. All AI-generated outputs require human review before use. LawMate AI tools are assistive, not decisive. We will provide advance notice before making any change to this commitment.

3. Attorney-Client Privilege Preservation

LawMate is designed to preserve attorney-client privilege. We apply contractual, technical, and organizational controls to ensure that data stored within the platform retains its confidential character under applicable evidentiary rules. We do not voluntarily disclose privileged content to third parties. LawMate personnel have no routine access to client matter content. All matter-related data, including documents, time entries, notes, communications, and financial records, is treated as presumptively privileged and confidential. Attorneys remain responsible for compliance with applicable professional responsibility rules, including ABA Model Rule 1.6(c) for US-licensed practitioners.

4. EU AI Act Transparency Disclosure

LawMate AI features are designed as assistive tools for administrative and drafting tasks. They do not make autonomous legal decisions or replace attorney judgment. All outputs require a qualified human to review before any reliance is placed on them. We have designed these features to fall outside the high-risk classification under Annex III of the EU AI Act 2024/1689. We maintain technical documentation as required and will update this disclosure if the scope of AI functionality changes.

5. Data We Collect

  • Account and Contact. Name, email address, firm name, role, and login credentials.
  • Matter Content. Documents, time entries, invoices, e-signature records, notes, and client communications you upload or create within the platform.
  • Financial and Trust Accounting Data. IOLTA transaction records, trust ledger entries, billing information, and matter-linked financial data.
  • Usage and Technical. App interactions, feature usage patterns, device information, IP address, browser type, and crash logs.
  • Payments. Billing details processed by Stripe. We do not store full card numbers or CVV codes.
  • Support. Messages and attachments you send to our support team.
  • AI Session Data. Content submitted to AI features during a session. Deleted immediately when the session ends. Not retained for any other purpose.

6. IOLTA Trust Accounting Data Security

  • Trust account transaction data is encrypted at rest using AES-256 and in transit using TLS 1.3.
  • All trust ledger entries carry an immutable timestamp and are attributed to a specific user, matter, and client.
  • The platform enforces strict system-level segregation of operating funds and trust account data to prevent commingling.
  • Three-way reconciliation reports are available on demand and stored with full audit trails.
  • Trust accounting data is retained for seven years from the date of the last transaction on a matter, consistent with US state bar record-keeping requirements.

7. How We Use Data

  • To provide, maintain, and improve the Services.
  • To secure the platform, prevent fraud, and enforce our policies.
  • To send transactional emails including account security alerts, billing confirmations, and feature updates.
  • To comply with legal and contractual obligations.
  • To conduct anonymous, aggregated analytics to understand product usage, only with your consent.
  • We do not use your data for advertising. We do not sell personal information. We do not use matter content to train AI models.

9. Sharing and Sub-processors

We use a limited set of vetted sub-processors to operate the platform. All sub-processors are bound by data processing agreements and are prohibited from using your data for their own purposes. We do not sell personal information. We may disclose information if required by applicable law, to protect our legal rights, or in connection with a corporate transaction, with advance notice to you where practicable.

10. Cookies and Tracking

We use strictly necessary cookies for authentication, session management, and security. With your explicit consent, we also use analytics cookies to understand feature usage. You can manage your preferences through the cookie consent banner or your browser settings. Withdrawing analytics consent does not affect the functionality of the platform. We do not use cookies for advertising. We honor the Global Privacy Control (GPC) opt-out signal for users in jurisdictions where it is legally required.

11. Data Retention

  • Account Data: Retained for the duration of your subscription plus 90 days after termination.
  • Matter Documents and Content: Deleted within 30 days of account closure. Available for export before closure.
  • IOLTA and Financial Records: Retained for seven years to comply with US state bar rules and applicable tax law.
  • AI Session Data: Deleted immediately when the session ends.
  • Analytics Data: Anonymized and aggregated after 12 months.
  • Support Correspondence: Retained for three years for quality assurance.

12. Data Breach Notification

  • EU and EEA (GDPR Art. 33): Notification to the relevant supervisory authority within 72 hours of confirmed discovery. Affected users notified without undue delay.
  • UK (UK GDPR): Notification to the Information Commissioner's Office (ICO) within 72 hours.
  • Australia (Privacy Act 1988): Notification to the OAIC and affected individuals under the Notifiable Data Breaches scheme.
  • Singapore (PDPA): Notification to the Personal Data Protection Commission within three calendar days of discovery.
  • Canada (PIPEDA): Notification to the Office of the Privacy Commissioner and affected individuals where a real risk of significant harm exists.
  • US States: Notification to affected residents in accordance with applicable state breach notification laws.
  • Method: We will notify you via the email address on your account and post a notice on our Status page at lawmate.site/status.

13. Security

We implement technical and organizational measures including AES-256 encryption at rest, TLS 1.3 encryption in transit, multi-factor authentication, role-based access controls, immutable audit logs, and regular third-party security assessments. For architecture details, refer to our Security documentation.

14. Your Rights

  • Access and Portability: Request a copy of your personal data in a machine-readable format.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request deletion of your data, subject to legal retention requirements such as seven-year IOLTA records.
  • Restriction and Objection: Object to or restrict certain processing activities.
  • Opt Out of Sale or Sharing (CCPA/CPRA and applicable US state laws): We do not sell personal information. California residents and residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Indiana, Kentucky, Rhode Island, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Nebraska, Iowa, and Delaware may formally exercise this right by emailing privacy@lawmate.site.
  • Global Privacy Control: We honor GPC opt-out signals for users in applicable jurisdictions.
  • Withdraw Consent: Withdraw consent at any time without penalty.
  • To exercise any right, contact privacy@lawmate.site. We respond within 30 days or within the shorter period required by your applicable law.

15. EU and EEA Users (GDPR)

The General Data Protection Regulation (GDPR) applies to the processing of personal data of individuals in the EU and EEA. The lawful bases for our processing are described in Section 8. You have the rights set out in Section 14. You also have the right to lodge a complaint with your national supervisory authority. A list of national DPAs is available at edpb.europa.eu. Where we transfer your data outside the EEA, we use European Commission Standard Contractual Clauses as a transfer mechanism.

16. UK Users (UK GDPR)

The UK General Data Protection Regulation and the Data Protection Act 2018 apply to personal data of individuals in the United Kingdom. LawMate processes UK personal data on the same lawful bases described in Section 8. UK users have the same rights described in Section 14. To lodge a complaint with the UK supervisory authority, contact the Information Commissioner's Office at ico.org.uk. Where we transfer your data outside the UK, we use the UK International Data Transfer Agreement or Addendum to SCCs as required.

18. US State Privacy Rights

Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Indiana, Kentucky, Rhode Island, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Nebraska, Iowa, and Delaware have rights under their applicable state privacy laws, including the right to access, correct, delete, and opt out of the sale or sharing of personal information. We do not sell personal data. To submit a request, email privacy@lawmate.site. We will respond within the timeframe required by your state law. Connecticut residents: pursuant to the Connecticut Data Privacy Act, we disclose that our AI features use personal data such as document text and matter information solely to generate assistive outputs. No automated decision is made that produces a legal or similarly significant effect without human review.

19. Canada Users (PIPEDA and Quebec Law 25)

  • Our data practices are designed to align with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) for Canadian users.
  • For Quebec residents, our practices align with Act 25 (Loi 25), including consent and transparency requirements.
  • We collect only information necessary for the purposes described in this Policy.
  • You may withdraw consent at any time, subject to legal or contractual restrictions.
  • Complaints may be directed to the Office of the Privacy Commissioner of Canada at priv.gc.ca.
  • Quebec residents may contact the Commission d'acces a l'information at cai.gouv.qc.ca.
  • Privacy Officer: Jerome Emmanuel, privacy@lawmate.site.

20. Australia Users (Privacy Act 1988)

  • Our data practices are designed to align with the Privacy Act 1988 as amended by the Privacy and Other Legislation Amendment Act 2024.
  • You may request access to or correction of personal information we hold about you.
  • Complaints may be directed to the Office of the Australian Information Commissioner at oaic.gov.au.
  • Automated Decision-Making Disclosure (required by December 10, 2026): LawMate uses AI to assist with document drafting and matter summarization. These systems use content you provide within the platform, such as document text and matter notes. No significant decision affecting your legal rights or interests is made by automated means without a human reviewing the output first.
  • A statutory tort for serious invasions of privacy exists in Australia. We take this obligation seriously and apply the security and access controls described in Section 13 accordingly.

21. Brazil Users (LGPD)

  • Our data practices are designed to align with the Lei Geral de Protecao de Dados (LGPD) for users in Brazil.
  • The lawful hypotheses under which we process your data are contract performance, legal obligation, and consent.
  • You have the right to access, correct, delete, transfer, and revoke consent for your personal data.
  • Data Protection Officer (DPO): Jerome Emmanuel, privacy@lawmate.site.
  • Complaints may be directed to the Autoridade Nacional de Protecao de Dados at gov.br/anpd.

22. Singapore Users (PDPA)

  • Our data practices are designed to align with the Personal Data Protection Act 2012 as amended for users in Singapore.
  • We collect, use, and disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances.
  • In the event of a data breach affecting Singapore users, we will notify the Personal Data Protection Commission within three calendar days of discovery.
  • You have the right to access and correct personal data we hold about you.
  • Complaints may be directed to the Personal Data Protection Commission at pdpc.gov.sg.

23. India Users (DPDPA 2023)

  • Our data practices are designed to align with the Digital Personal Data Protection Act, 2023 for users in India. Full enforcement applies from May 13, 2027.
  • We act as a Data Fiduciary for account and usage data and as a Data Processor for matter content uploaded by your firm.
  • We rely on consent as the primary lawful basis for processing personal data of Indian users.
  • You have the right to access, correct, erase, and nominate a representative for your personal data.
  • Breaches affecting Indian users will be reported to the Data Protection Board of India and to you without undue delay.
  • We do not process personal data of children under 18 without verifiable parental consent.

24. UAE Users (Federal PDPL and DIFC)

  • Our data practices are designed to align with UAE Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL) for users in the UAE.
  • For users operating within the Dubai International Financial Centre, our practices align with the DIFC Data Protection Law 2020.
  • We rely on contract performance or explicit consent as the lawful basis for processing personal data of UAE users. We do not rely on legitimate interests as a standalone basis for UAE users.
  • You have the right to access, correct, and request deletion of your personal data.
  • Complaints may be directed to the UAE Data Office at tdra.gov.ae.
  • Our practices are designed to align with Federal Decree-Law No. 26/2025 on Child Digital Safety for any processing involving users under 18.

25. International Data Transfers

LawMate processes data primarily in the United States. Where we transfer personal data internationally, we use the appropriate transfer mechanism required by the relevant law: European Commission Standard Contractual Clauses for EU and EEA data, and the UK International Data Transfer Agreement or Addendum for UK data. Transfer Impact Assessments are conducted where required. We do not transfer data to jurisdictions that do not provide an adequate level of protection without applying additional safeguards.

26. Children

Our Services are not directed to individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us at privacy@lawmate.site immediately and we will delete it.

27. Data Processing Addendum

Enterprise customers who require a formal Data Processing Addendum may request one by contacting us. The DPA covers controller-to-processor terms, confidentiality, sub-processor controls, data subject request assistance, and return or deletion of data at end of contract. The DPA is compliant with GDPR Article 28, UK GDPR, and the LGPD.

Request DPA

28. Changes to This Policy

We may update this Policy to reflect changes in our practices or applicable law. We will notify you of material changes by email to the address on your account at least 14 days before they take effect and will update the date below. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.

29. Contact and Privacy Requests

For privacy requests, questions, or complaints, contact our Information Officer at privacy@lawmate.site or through the Contact page at lawmate.site/contact. We will respond to all requests within 30 days, or within the shorter period required by your applicable law.

Version History

  • June 1, 2026: Full global expansion. Added UK GDPR, multi-state US rights, EU AI Act transparency, Canada PIPEDA and Quebec Law 25, Australia Privacy Act 2024 ADM disclosure, Brazil LGPD, Singapore PDPA, India DPDPA, UAE PDPL and DIFC. Updated breach notification SLAs for all jurisdictions. Added international transfer mechanisms.
  • May 30, 2026: Added AI Zero Data Retention policy, Attorney-Client Privilege clause, IOLTA data security, and cookie consent framework.
  • October 2025: Initial policy.