Skip to main content
LawFuzeICO registered
For SolicitorsMethodologyTrustPricing
Sign inRequest access→

Privacy Policy

How we handle your data

LawFuze AI Systems Limited (company number 16800372, registered office: 4 Enriqueta Rylands Close, Stretford, Manchester, M32 0NW) is the controller of personal data described in this policy. ICO-registered. This is the actual data flow under UK GDPR — not the aspirational version. Data-subject requests: legal@lawfuze.com. DPO: dpo@lawfuze.com.

Last updated: 17 May 2026·Next review: 17 November 2026

1. Who we are

LawFuze AI Systems Limited ("LawFuze", "we", "us"). ICO controller registration confirmed May 2026 — registration number published on the Trust Center. Our DPO can be reached at dpo@lawfuze.com.

2. What we collect

  • Account data: name, email, firm name, SRA number, role, login metadata.
  • Matter data: documents and notes you upload, prompts you submit, AI outputs we generate for you, audit log entries.
  • Usage telemetry: pages viewed, features used, performance metrics. PII is scrubbed from product analytics before it leaves our infrastructure.
  • Billing data (Phase 2): Stripe processes card payments; we receive masked card metadata only. Direct debit via GoCardless follows the same model.

3. Lawful bases (UK GDPR Article 6)

  • Contract: providing the LawFuze service you have asked us to provide.
  • Legitimate interests: security, fraud prevention, product analytics. A Legitimate Interests Assessment is on file for each use and is available on request.
  • Legal obligation: audit log retention under SRA guidance, anti-money-laundering checks, tax records.
  • Consent: marketing emails and any special-category processing.

4. Where your data lives

Primary hosting: Microsoft Azure UK South (London). We do not use AWS. Encryption at rest is AES-256 via Azure Key Vault; TLS 1.3 in transit. Daily encrypted Postgres backups to Azure Blob with 30-day retention; quarterly restore tests. Security measures meet UK GDPR Article 32.

AI inference uses sub-processors that may be located in the EEA or US. The full live list is at /privacy/sub-processors. Where data leaves the UK or EEA we rely on the ICO International Data Transfer Agreement (IDTA) supported by a published Transfer Risk Assessment.

5. AI processing

  • We do not train any model on customer data, prompts, or outputs.
  • Anthropic and OpenAI API endpoints operate under no-training paid tiers with zero-retention configured where available.
  • Every AI output is logged for audit purposes in your firm's immutable audit log.

6. Retention

  • Account data: while your account is active, plus 6 years for tax records.
  • Audit log entries: 6 years (SRA Indicative Behaviour).
  • Matter content: as configured by your firm, default 7 years.
  • Marketing list: until you unsubscribe.

7. Your rights (UK GDPR Articles 12–21 + DUAA 2025 Articles 22A–D)

  • Access (Art 15) — request a copy of your personal data.
  • Rectification (Art 16) — correct inaccurate data.
  • Erasure (Art 17) — delete data we no longer need to keep.
  • Restriction (Art 18) — limit processing while a dispute is open.
  • Portability (Art 20) — export your data in JSON+ZIP.
  • Objection (Art 21) — object to legitimate-interests processing.
  • Meaningful human involvement in significant decisions (DUAA 2025 s.80, inserting UK GDPR Articles 22A–D) — request a review by a qualified solicitor of any AI-assisted output you intend to rely on. The Data (Use and Access) Act 2025 replaced the previous Article 22 framework on 1 January 2026; LawFuze's supervisor-review queue is the implementation pathway.

Email legal@lawfuze.com. We respond within 30 days. Inside the product, the /settings/privacy page exposes one-click export and erasure flows.

8. Cookies

See our Cookies Policy. Strictly necessary cookies only by default; analytics and marketing cookies require consent.

9. Complaints

Data-protection complaints go to dpo@lawfuze.com first; we acknowledge within 3 working days and give a substantive response within 30 days (UK GDPR Art 12). The full route map, including product, billing, security and accessibility complaints, is at /complaints. If we don't resolve a data-protection complaint to your satisfaction you may complain to the ICO at ico.org.uk.

10. Changes

We will email all account holders at least 30 days before any material change to this policy. The current version is always at /privacy with a last-updated date at the top.

Related

  • Sub-processors
  • DPA template
  • DPO disclosure
  • Cookies
  • Trust Center
LawFuze

An AI co-worker for UK solicitors — research and drafting support, supervised by the solicitor on the file. Hosted in Microsoft Azure UK South.

Product

  • Chat AI
  • Document Intelligence
  • Matter Management
  • Time & Billing
  • Compliance & Audit
  • Security
  • Legal Research (Phase 2)
  • Judge Intelligence (Phase 2)
  • War Room (Phase 2)
  • Methodology

Company

  • About
  • For Solicitors
  • Request beta access
  • Contact

Trust & Legal

  • Trust Center
  • Privacy Policy
  • Sub-processors
  • Terms of Service
  • Acceptable Use
  • DPA Template
  • Beta Agreement
  • Complaints
  • Cookies
  • Accessibility
  • DPO
  • Disclaimers
AI Disclaimer

LawFuze provides AI tools that support qualified legal professionals with research and drafting. AI outputs are not legal advice. Every AI output carries a confidence indicator and source citations, and must be reviewed by a qualified solicitor before reliance. The supervising solicitor — not the AI — remains responsible to the client under the SRA Code of Conduct.

Regulatory Notice

LawFuze is a technology platform and is not a law firm. We do not provide legal advice or legal services. Solicitors using LawFuze remain individually responsible for compliance with the SRA Standards and Regulations and the SRA Code of Conduct. Use of AI tools does not diminish a solicitor's duty to their clients or professional obligations.

Data Protection

LawFuze processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Customer data is stored in the UK on Microsoft Azure (UK South region). AI inference uses named sub-processors in the EU and US; where data flows outside the UK/EEA we rely on ICO International Data Transfer Agreements (IDTAs) supported by published Transfer Risk Assessments — treat IDTA execution as an in-progress control until each is signed and filed. The current sub-processor list and IDTA status of each is published on our sub-processor register. For data subject rights including access, rectification, erasure, and portability, contact legal@lawfuze.com.

Security & Compliance Roadmap
ICO controller registration· LiveUK GDPR aligned· LiveDPIA + ROPA published· Livelegislation.gov.uk + TNA Find Case Law (OGL v3.0, read use)· LiveCyber Essentials Plus· In progressComputational Analysis Licence (case law AI/vector use)· In progressPII / Cyber / D&O insurance· In progressISO 27001· On roadmapSOC 2 Type II· On roadmap

Certifications in progress or on the roadmap are not current attestations. We publish certificate references only once an accredited body has issued them.

© 2026 LawFuze Ltd. All rights reserved.

Registered in England & Wales • Company No. 16800372 • Registered Office: 4 Enriqueta Rylands Close, Stretford, Manchester, M32 0NW

Founded by Sake Nagarjuna Naidu — built in Manchester for UK solicitors.

ICO controller registration ZC147676 (14 May 2026 — 13 May 2027) — listed on the Trust Center. VAT registration in progress; reference will be added on receipt.

Data Protection Officer: dpo@lawfuze.com · Security: security@lawfuze.com · Complaints: /complaints