AI ADVOCATE
AI Lawyer in your Pocket
Privacy Policy
AI Advocate is committed to protecting your privacy. This policy explains what data we collect, why, and your rights under UK-GDPR and EU-GDPR.
Data Controller: AI Advocate Ltd. (Company No. 16612244, registered in England & Wales) · ICO Registration Number: ZC158457 · Contact: support@aiadvocate.co.uk
What we collect
- Account data: email, name, password hash (bcrypt), country, language preference.
- Usage data: which features you use, error logs, anonymous product analytics (cookie-consent gated).
- Lex chat content: your messages and Lex's responses. Encrypted at rest in our database using Fernet (AES-128 + HMAC).
- Case files: titles, summaries, uploaded documents. Summaries encrypted at rest.
- Vault items: encrypted on YOUR device with your PIN. We cannot read them.
- Recording features: audio files you record are sent to OpenAI Whisper for transcription, then DELETED from our servers. Transcript text is kept in your case files.
- Payment data: handled entirely by Stripe (PCI-DSS Level 1) or by Apple / Google billing. We never see your card number.
- Device fingerprint: a pseudonymous, non-cryptographic identifier per browser / device, used solely to throttle abusive signups (max 2 free accounts per device per 24h). Not linked to your real identity. See Terms §16.
- Feedback & suggestions: any text you submit via "Missing a legal area?" or other feedback forms — including your email address (so we can reply) — is stored to help us improve the service. See Terms §15.
- SOS / location data: only when you actively trigger the Emergency SOS button. Live-tracking window is user-selected (max 24h) and the audit log is deleted after 30 days. See Terms §4d.
Why we collect it
- To provide the legal-information service you signed up for (lawful basis: contract, UK GDPR Article 6(1)(b)).
- To prevent fraud, abuse, and account farming (lawful basis: legitimate interest, UK GDPR Article 6(1)(f)).
- To improve the product through anonymised aggregate analytics (lawful basis: consent via cookie banner, UK GDPR Article 6(1)(a) and PECR Reg 6).
- For Emergency SOS (lawful basis: vital interests, UK GDPR Article 6(1)(d) — you have actively triggered it yourself).
- To comply with tax / billing record-keeping (lawful basis: legal obligation, retention 6 years).
Third parties we share with
- Anthropic (Claude) — your messages are sent to Claude for processing. Anthropic does NOT train on Universal-Key API traffic.
- OpenAI — Whisper for audio transcription, GPT-5.2 for Plus-tier Lex responses, GPT Image for image generation. Audio deleted after processing.
- Google — Gemini for vision / extraction of contracts & photos.
- Tavily — real-time legal web-search grounding (RAG) for Lex citations. Only your query text is shared, not your identity.
- Stripe — payment processing for web subscriptions and one-time Top-ups.
- Apple / Google — if you use their sign-in: name, email, sub identifier. If you subscribe via the App Store / Play Store, billing is processed entirely by them.
- MongoDB Atlas (UK / EU regions) — our managed database provider.
- PostHog (EU region) — anonymous product analytics, cookie-consent gated. Honours browser Do-Not-Track.
- Sentry (EU region) — error monitoring and crash reporting, used only to fix bugs.
- Resend (if enabled) — transactional emails (password reset, receipts, security alerts).
- We do NOT sell your data to advertisers or data brokers, ever.
Your rights under GDPR / UK-GDPR
- Access: request a copy of all your data (Settings → Export My Data).
- Erasure: delete your account and all personal data (Settings → Delete My Account).
- Rectification: edit your profile.
- Portability: export as JSON.
- Objection / restriction: email support@aiadvocate.co.uk.
- Complaint: lodge a complaint with the ICO at ico.org.uk.
Security
TLS 1.3 in transit. Bcrypt for passwords. Fernet (AES-128 + HMAC) for sensitive fields at rest. Vault uses client-side AES-GCM-256 with PIN-derived keys (PBKDF2 250k iterations).
Children
The App is not for users under 18.
Data retention
Active accounts: indefinitely while you remain a user. Deleted accounts: personal data permanently erased within 30 days (subscription / billing records anonymised after 6 years).
International transfers
Our servers are in the EU. LLM processing may be in the US under Standard Contractual Clauses.
Contact
For any privacy question: support@aiadvocate.co.uk
Data Protection Officer: dpo@aiadvocate.co.uk
Last updated: 2026-05-28 · v1.1.1 (added ICO registration number ZC158457 + data controller statement in header · all other changes from v1.1) · © AI Advocate