Privacy Policy

Provider: LEGALISAI ANDREJS SMOĻAKS
Website: https://legalisai.eu
Effective date: 2026-04-10
Version: 1.1


1. Overview

We aim to minimise personal data. The Service is designed to generate document drafts from organisational/technical inputs and includes filters intended to prevent personal data from being entered.


2. What data we process

We may process:

  • Account data (e.g., email, organisation name, role)
  • Billing data: we store invoice records (amount, date, service description) for tax compliance purposes. Card and payment instrument data is processed exclusively by Stripe and is not stored on our systems.
  • Technical and security logs (e.g., IP address, timestamps, device/browser info)
  • Support communications (if you contact us)
  • Consent records (timestamps and version numbers when you give consent to generate a document)

We do not intend to collect personal data in document inputs. If you submit personal data despite the filters, you are responsible for having a lawful basis. Our Terms of Service explicitly prohibit entering personal data of third parties into document inputs without a valid legal basis.


3. Purposes and legal bases

  • Provide the Service and support (contract performance — Art. 6(1)(b) GDPR)
  • Security, fraud prevention, logging (legitimate interests — Art. 6(1)(f) GDPR)
  • Billing, accounting, tax compliance (legal obligation — Art. 6(1)(c) GDPR)
  • Consent audit trail for generated documents (legitimate interests — Art. 6(1)(f) GDPR; we have a legitimate interest in maintaining evidence of user consent to document generation)

4. Processors and sub-processors

We engage the following categories of sub-processor to operate the Service:

  • AI inference provider (USA) — generation of compliance document drafts; safeguards: SCCs + EU-US Data Privacy Framework
  • Infrastructure provider (EU — Germany) — VPS hosting and infrastructure services; no international transfer
  • Cloud database provider (EU data region — Frankfurt) — database, authentication, storage; safeguards: SCCs
  • Payment processor (EU — Ireland) — payment processing, invoicing; safeguards: SCCs + EU-US Data Privacy Framework
  • Transactional email provider (USA) — delivery of documents and notifications; safeguards: SCCs + EU-US Data Privacy Framework
  • CDN and network security provider (global) — content delivery, DNS, DDoS protection, SSL termination; safeguards: SCCs + EU-US Data Privacy Framework

5. International transfers

Some providers may process data outside the EEA. Where applicable, transfer safeguards (Standard Contractual Clauses + EU-US Data Privacy Framework) are used. See the sub-processor list for transfer mechanisms per vendor.


6. Retention

  • Account data: for the contract term and as required by law (minimum 5 years per Polish accounting law).
  • Billing and invoice records: 5 years per Art. 74 of the Polish Accounting Act (Ustawa o rachunkowości).
  • Security logs: 90 days.
  • Consent records: 7 years (audit trail for commercial contracts).
  • Support communications: 2 years from resolution of the request.

7. Your rights

Depending on your situation, you may have the following rights under GDPR:

  • Access (Art. 15) — request a copy of your data
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure (Art. 17) — request deletion where applicable
  • Restriction (Art. 18) — restrict processing in certain cases
  • Objection (Art. 21) — object to processing based on legitimate interests
  • Portability (Art. 20) — receive your data in a machine-readable format

To exercise these rights, contact: [email protected]

You also have the right to lodge a complaint with the Polish supervisory authority: UODO (Urząd Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl.


8. Data Protection Officer

We have not appointed a Data Protection Officer (DPO) as we do not meet the thresholds in Art. 37 GDPR. For all privacy inquiries, contact: [email protected]


9. Contact

Privacy: [email protected]

Legal: [email protected]