Privacy Policy
Last updated: April 2026
🔒 Our No-Log Promise
Your contract is analysed in-memory and never stored on our servers. We don't log, save, archive, or use your documents to train AI models. When the analysis completes, your text is destroyed.
1. Who we are
This Privacy Notice explains how legaldecoder ("legaldecoder", "we", "us", "our") handles personal data when you use the website at legaldecoder.io and the legaldecoder service (the "Service"). For the personal data described in this notice, legaldecoder acts as the data controller.
Contact for privacy questions: privacy@legaldecoder.io.
2. Personal data we collect and why
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account data | Email, display name, hashed password, OAuth identifiers | Create and secure your account; provide the Service | Contract performance |
| Usage & telemetry | Pages visited, feature events, device type, browser, IP address, approximate location | Operate, secure, and improve the Service; prevent fraud and abuse | Legitimate interests |
| Analysis metadata | Number of analyses, document type, risk level (no document content) | Enforce plan quotas and improve product features | Contract performance / legitimate interests |
| Support messages | Contents of emails or support requests you send us | Respond to your inquiries | Legitimate interests |
| Billing reference data | Subscription status, plan, Paddle customer/subscription IDs | Provision paid features and manage your subscription | Contract performance / legal obligation |
| Marketing preferences | Email opt-in/opt-out status | Send product updates if you opt in | Consent |
Document content. The text of contracts you submit is processed only in-memory to generate your analysis and is not retained by us after the request completes. We do not use your documents to train AI models.
3. AI processing
To generate analyses, we send the relevant document text to third-party AI providers (such as OpenAI and Google) under data-processing terms that prohibit training on our customer content. The provider processes the text to return the analysis and purges it from its systems within their stated retention windows (typically up to 30 days for abuse monitoring). We never share account identifiers or other personal data with the AI provider beyond what is needed to fulfil the request.
4. Who we share data with
- Paddle.com Market Limited — our Merchant of Record and payment processor. When you purchase a subscription, Paddle collects and processes your payment details, billing address, and tax information directly. Paddle acts as an independent controller for that data. See Paddle's privacy notice at paddle.com/legal/privacy.
- Cloud and infrastructure providers (e.g. our hosting, database, and email-delivery vendors) acting as processors on our behalf to run the Service.
- AI providers (e.g. OpenAI, Google) acting as processors that generate the analysis output, under contracts that prohibit training on customer content.
- Analytics and security tooling used to detect abuse and improve the product, configured to minimise personal data.
- Professional advisers (legal, accounting) where reasonably needed.
- Authorities where required by law, court order, or to protect our rights and the safety of our users.
5. International transfers
Our providers may process personal data outside your country, including in the United States. Where data is transferred from the UK or the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or applicable adequacy decisions.
6. Data retention
- Document text: not retained — processed in memory only.
- Account data: retained while your account is active and for up to 12 months after deletion or prolonged inactivity, then deleted or anonymised.
- Analysis metadata (no content): retained for up to 24 months for quota enforcement and product analytics.
- Billing and tax records: retained for the period required by tax and accounting law (typically 6–10 years), held by Paddle as MoR and by us in summary form.
- Support messages: retained for up to 24 months after the issue is resolved.
- Server and security logs: retained for up to 90 days.
7. Your rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion of your data (right to erasure);
- request restriction of, or object to, certain processing;
- request a portable copy of data you provided to us;
- withdraw consent where we rely on it (without affecting prior processing); and
- lodge a complaint with your local data-protection authority.
To exercise any of these rights, email privacy@legaldecoder.io. We respond within one month and may need to verify your identity. Payment-data requests should be directed to Paddle at paddle.net.
8. Security
We implement appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, encryption at rest for stored data, role-based access controls, secrets management, principle-of-least-privilege access for personnel, audit logging, and regular review of subprocessors. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.
9. Cookies and similar technologies
We use a small number of strictly necessary cookies for authentication, session management, and security. We may also use privacy-friendly analytics to understand aggregate usage. Where required by law, we ask for your consent to non-essential cookies and provide controls to manage your preferences. You can also clear cookies through your browser settings.
10. Children
The Service is not directed to children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us and we will delete it.
11. Changes to this notice
We may update this notice from time to time. The "Last updated" date at the top reflects the most recent version. Material changes will be notified by email or in-app.