PRIVACY POLICY

Last Updated: 1. 1. 2026

1. Controller and Contact Details

The controller of personal data processed in connection with the Service is:

Basad, s.r.o.

Registered seat: Kurzova 2222/16, Stodůlky, 155 00 Praha 5, Czech Republic

Company ID: 23091657

Registered in: Commercial Register – Municipal Court in Prague, Section C, Insert 421240

E-mail: management@basadstudios.com

Website: www.lawyerai.me

2. Scope of This Privacy Policy

This Privacy Policy explains how we process personal data in connection with:

  • your use of the Service and our websites,
  • your registration and account,
  • our communication with you (e.g. support, emails, marketing, if applicable).

It applies primarily to:
  • users and representatives of legal entities using the Service (B2B),
  • visitors to our website.

This Policy is based on Regulation (EU) 2016/679 (GDPR) and applicable Czech law (Act No. 110/2019 Coll., on the Processing of Personal Data), and is adapted for global users where relevant.

3. Categories of Personal Data We Process

We may process in particular the following categories of personal data:

3.1 Identification and contact data

  • name, surname;
  • e-mail address, phone number;
  • position, employer or organization;
  • login username.

3.2 Account and usage data

  • account ID, subscription plan, billing information;
  • logs of access and use of the Service (e.g. login time, IP address, device/browser information);
  • information about features used and settings.

3.3 Communication data

  • content of your communication with us (e-mails, support tickets, chat messages);
  • feedback, surveys, complaints.

3.4 User Content (inputs and outputs)

  • prompts, text and documents you upload or submit to the Service;
  • AI-generated outputs.

We generally process User Content as business data under the Agreement. To the extent it contains personal data, we process it as described in Section 5 (as processor or joint controller, depending on the model you set – typically as a processor, which can be further specified in a DPA).

3.5 Technical and cookie data

  • IP address, device identifiers, browser type and version, time zone, operating system;
  • information collected via cookies and similar technologies (see Cookie section below).

We do not intend to knowingly collect personal data of children.

4. Purposes and Legal Bases of Processing

We process personal data for the following purposes and on the following legal bases:

4.1 Provision of the Service and performance of contract

  • to create and manage your account;
  • to provide you with access to the Service and its features;
  • to handle support requests and technical communication.

Legal basis:
  • Article 6(1)(b) GDPR – performance of a contract (or steps prior to entering into a contract).

4.2 Billing and compliance

  • to process payments (via providers such as Stripe), issue invoices and keep accounting records;
  • to comply with legal obligations (tax, accounting, etc.).

Legal basis:
  • Article 6(1)(b) GDPR – performance of a contract;
  • Article 6(1)(c) GDPR – compliance with legal obligations.

4.3 Service operation, security and improvement

  • to ensure the security and integrity of the Service;
  • to prevent abuse, fraud, or attacks;
  • to monitor performance and usage for service improvement and development.

Legal basis:
  • Article 6(1)(f) GDPR – our legitimate interest in operating, securing and improving the Service.

4.4 Communication and relationship management

  • to communicate with you about the Service (updates, technical notices, changes to Terms and this Policy);
  • to respond to your inquiries, requests and feedback.

Legal basis:
  • Article 6(1)(b) GDPR – performance of a contract;
  • Article 6(1)(f) GDPR – legitimate interest in maintaining customer relationships.

4.5 Marketing (B2B)

  • to send you information about our Service, new features or similar services that may be relevant to you in a B2B context.

Legal basis:
  • Article 6(1)(f) GDPR – legitimate interest in promoting our services (subject to e‑privacy rules);
  • or Article 6(1)(a) GDPR – your consent, where required.

You can opt out of marketing communications at any time (for example by clicking the unsubscribe link).

4.6 Compliance and defense of legal claims

  • to comply with legal obligations;
  • to establish, exercise or defend legal claims.

Legal basis:
  • Article 6(1)(c) GDPR – legal obligation;
  • Article 6(1)(f) GDPR – legitimate interest in protecting our rights.

5. User Content and Role Allocation

5.1 User Content & No Training

User Content may contain personal data relating to you, your clients or third parties. We process User Content solely to provide the Service to you. We do NOT use User Content to train our general AI models or LLMs.

5.2 Controller vs. processor

Depending on your configuration and agreement:
  • for most B2B setups where you (as a law firm or company) determine the purposes of processing User Content, we act as a processor and you act as the controller;
  • for certain limited operations (e.g. account and billing data), we act as an independent controller.

Details of this relationship, including data processing instructions, can be further specified in a separate Data Processing Agreement (DPA).

6. Recipients & International Transfers

6.1 Sub-processors

To provide the Service, we use third-party sub-processors, including AI model providers (e.g., OpenAI, Anthropic) and cloud infrastructure providers (e.g., Vercel, AWS). A current list of sub-processors is available upon request or in our DPA.

6.2 International Transfers

Some of our sub-processors are located outside the European Economic Area (EEA), specifically in the United States. We ensure that such transfers are protected by appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission or the EU-U.S. Data Privacy Framework.

7. Retention Periods

We retain personal data only as long as necessary:
  • User Content: Stored for the duration of your account or until deleted by you. We do not retain data for model training.
  • Account Data: Retained for the duration of the Agreement + 3 years (statute of limitations).
  • Billing Data: Retained for 10 years as required by tax laws.

8. Cookies

We use cookies to improve our Service. For detailed information, please see our Cookie Policy.