Privacy Policy
Last updated: 7 July 2026 · Effective date: 7 July 2026
1. Introduction and scope
This Privacy Policy ("Policy") explains how https://www.thelegwork.ai ("Legwork", "we", "us", "our") collects, uses, shares, transfers, stores, protects and otherwise processes personal data in connection with:
- our website at thelegwork.ai and any sub-domains (the "Website");
- our legal-workflow software platform, applications, APIs and related services (the "Platform"); and
- our sales, demo, onboarding, support and other business interactions (together with the Website and Platform, the "Services").
This Policy applies to prospects, visitors, and the individuals at customer organisations who administer or use the Services. It also explains how we handle the content our customers process through the Platform. It does not apply to third-party products or to our own employees and contractors (covered by separate notices).
We aim to meet a high, globally-consistent standard of data protection, and to comply with the data-protection laws that apply to us, including India's Digital Personal Data Protection Act, 2023 and Rules, 2025 ("DPDP"), the EU/UK General Data Protection Regulation ("GDPR"/"UK GDPR"), and applicable US state privacy laws such as the California Consumer Privacy Act as amended by the CPRA ("CCPA"). Where a regional supplement grants you additional or different rights, that supplement prevails for you.
By using the Services or providing us personal data, you acknowledge this Policy. Where a law requires consent, we obtain it separately.
2. Who we are and how to contact us
3. The two roles we play
Our obligations depend on which role we are acting in.
3.1 When we are the controller / Data Fiduciary
We decide the purposes and means of processing, and are therefore the controller (a "Data Fiduciary" under DPDP), for personal data about:
- website visitors and prospects (people who request a demo, WhatsApp or call the founder, or subscribe to the blog);
- the individuals at our customer organisations who register for, administer, are billed for, or support the Services (partners, admins, billing contacts, authorised users); and
- our vendors and applicants (under separate notices).
The core of this Policy governs that processing.
3.2 When we are a processor / Data Processor
When a law firm or other organisation ("Customer") uses the Platform to run its matters, it uploads or generates case files, client details, correspondence, filings, docketing entries and precedents ("Customer Content") that may contain personal data of the Customer's own clients and third parties.
For Customer Content, the Customer is the controller/Data Fiduciary and Legwork is a processor/Data Processor. We process it only on the Customer's documented instructions to provide the Services, and the Customer's own privacy notice, not this Policy, governs its relationship with those individuals. If you are a client of a Customer firm, please direct requests about your data to that firm; we will support it as its processor.
4. Key terms
- Personal data / personal information, information relating to an identified or identifiable individual.
- Processing, any operation performed on personal data (collection, use, storage, disclosure, erasure, etc.).
- Controller / Data Fiduciary, the party that determines the purposes and means of processing.
- Processor / Data Processor, a party that processes personal data on a controller's behalf.
- Data subject / Data Principal / Consumer, the individual the data relates to.
- Sensitive / special-category data, data such as health, biometric, financial, government-ID or similar data that receives heightened protection under applicable law.
- Sub-processor, a third party we engage to process personal data.
5. Personal data we collect
We practise data minimisation and collect only what we need for the purposes in Section 7.
5.1 Prospect and enquiry data (Website / demo)
Name, job title/role, firm or organisation name, email, phone/WhatsApp number, the content of your enquiry (practice area, requirements), and demo/call scheduling details.
5.2 Customer account and administration data
Account credentials and authentication data (including multi-factor factors where used), role and access-permission settings, and support/correspondence records for the individuals who administer or use an account.
5.3 Billing and transaction data
Billing contact details, plan and subscription information, invoices and payment records. We do not store full payment-card numbers; card payments (if any) are handled by our payment processor.
5.4 Customer Content (processed as a processor)
Personal data of the Customer's clients and third parties contained in matter files, correspondence, filings and similar material, processed only on the Customer's instructions (Section 3.2).
5.5 Technical and usage data
IP address, device/browser type, operating system, language, pages viewed, features used, actions taken, timestamps, diagnostic and security logs, and cookie/similar identifiers (Section 9).
5.6 Communications data
Records of your interactions with us across email, WhatsApp, calls, support tickets and forms.
5.7 What we ask you not to send
Please do not send sensitive or unnecessary personal data through general channels (email, WhatsApp). Confidential client-matter data belongs inside the Platform under your firm's account and our data-processing terms.
6. Where we get it from
- Directly from you, when you contact us, register, configure or use the Services, or reach support.
- From your organisation, when a colleague or administrator provisions your access or uploads Customer Content.
- Automatically, via cookies, logs and similar technologies (Section 9).
- From third parties, our analytics, communications, scheduling and payment providers, and limited publicly available professional information, where lawfully permitted.
7. Why we use personal data, and our legal bases
We only process personal data where we have a valid basis to do so. The available bases differ by law (see the regional supplements), but map broadly as follows: consent; performance of a contract; compliance with a legal obligation; legitimate interests (GDPR) / certain legitimate uses (DPDP); and protection of vital interests or public interest where relevant.
Where we rely on legitimate interests, we balance them against your rights and only proceed where they are not overridden; you can ask us about that assessment. If we ever process your data for a new, incompatible purpose, we will update this Policy and, where required, obtain fresh consent.
8. Artificial intelligence and automated decision-making
Legwork uses AI/ML to power intake, research, drafting, docketing analysis and follow-through. Because we handle confidential legal work, we commit that:
- Customer client data never trains shared models. Customer Content is not used to train, fine-tune or improve any model made available to other customers. What your firm files stays inside your firm's boundary.
- Customer Content is isolated per Customer and processed only to serve that Customer, on its instructions.
- Where we improve our own general models or the Platform, we rely on aggregated, de-identified or synthetic data, or data we are otherwise lawfully permitted to use, never on identifiable client-matter data without an appropriate lawful basis.
Human oversight. AI outputs are drafts and analyses for a qualified professional to review, not legal advice. The Platform is designed to advance a matter and pause where professional judgment is required. We do not use the Services to make decisions producing legal or similarly significant effects about individuals based solely on automated processing without a lawful basis and, where required, suitable safeguards and a right to human review (see Supplement B).
9. Cookies, analytics and tracking technologies
The Website uses cookies and similar technologies to make the site work, remember preferences, keep it secure, and understand usage. Categories include strictly-necessary cookies and, where you consent, analytics/performance and (if used) marketing cookies.
You can control non-essential cookies through our cookie banner (where shown) or browser settings; disabling some may affect functionality. Where required, we obtain consent before setting non-essential cookies. We honour recognised opt-out preference signals (such as Global Privacy Control) where applicable law requires (see Supplement C).
10. How and with whom we share personal data
We do not sell personal data, and we do not share it for cross-context behavioural advertising. We disclose it only as follows:
- Sub-processors / service providers, vetted vendors acting on our behalf under written terms requiring confidentiality, security and privacy obligations at least as protective as this Policy: cloud hosting/storage, communications (email/WhatsApp/calling), analytics, scheduling, payments, and support tooling. Current list at [link / on request] (Annexure I).
- Within your organisation, Customer Content and account activity are visible to authorised users of your account per the role-based access your firm configures.
- Professional advisers, auditors, lawyers, accountants and insurers, under confidentiality obligations.
- Legal, regulatory and safety disclosures, where required by law, court order or lawful request, or to protect our or others' rights, safety and property, or the integrity of the Services.
- Corporate transactions, in a merger, acquisition, financing or asset sale, subject to this Policy and applicable law.
We disclose Customer Content only on the Customer's instructions or as required by law.
11. International data transfers
We aim to store and process personal data, including Customer Content, within India (data residency in India), consistent with our security commitments.
Where personal data is transferred across borders (for example, to a sub-processor abroad), we implement a lawful transfer mechanism appropriate to the destination and the applicable law, which may include: transfer only to jurisdictions not restricted by the Indian Government under DPDP; adequacy decisions; the EU Standard Contractual Clauses and the UK International Data Transfer Addendum; and supplementary technical and organisational measures such as encryption. You can request information about the safeguards we use.
12. How long we keep personal data
We keep personal data only as long as necessary for the purposes in Section 7, to meet legal, tax, accounting and regulatory obligations, and to establish or defend legal claims. Indicative periods:
- Prospect/enquiry data, 24 months from last interaction, or until erasure is requested.
- Account and billing data, the subscription term plus 8 years for financial/legal record-keeping.
- Customer Content, the term of the customer agreement; returned or deleted on termination per that agreement and the Customer's instructions.
- Technical/audit logs, 12 to 24 months for security, diagnostics and audit.
When data is no longer needed, we erase or irreversibly de-identify it. Where the DPDP Rules apply, we give at least 48 hours' notice before erasing data due to inactivity. Some records may be retained for a minimum period where the law requires.
13. How we protect personal data
We maintain security safeguards appropriate to the sensitivity of the data, built to a law firm's standard of confidentiality, including:
- encryption in transit and at rest;
- role-based, least-privilege access control and strong authentication;
- a full audit trail on Platform activity;
- tenant isolation segregating each Customer's data;
- network, application and infrastructure controls, logging and monitoring;
- vendor due diligence and contractual security obligations on sub-processors;
- backup, disaster-recovery and business-continuity measures; and
- staff confidentiality obligations, access controls and security training.
No system is perfectly secure, but we work continuously to protect data and to detect and respond to incidents.
14. Data breach handling
If a personal data breach occurs, we will act promptly to contain and remediate it, assess the risk, and meet our notification obligations under applicable law, which may include notifying the relevant supervisory authority (for example, the Data Protection Board of India under DPDP, or a GDPR supervisory authority within 72 hours where feasible) and affected individuals without undue delay in plain language, describing the nature and likely consequences of the breach, the measures taken, and steps you can take to protect yourself. Where we act as a processor, we will promptly notify the affected Customer so it can meet its own obligations.
15. Your privacy rights (universal)
Regardless of where you live, and subject to applicable law and verification of your identity, you can ask us to:
- Access / know, obtain confirmation of, and information about, the personal data we process about you.
- Correct, fix inaccurate or incomplete data.
- Delete / erase, delete your personal data where no longer needed and retention isn't legally required.
- Withdraw consent, where processing relies on consent, at any time (without affecting prior lawful processing).
- Object / restrict, object to or limit certain processing (see Supplement B).
- Portability, receive certain data in a portable format (see Supplements A and B).
- Complain, raise a complaint with us and, if unresolved, with a regulator.
- Nominate, appoint someone to exercise your rights on your behalf (see Supplement A).
How to exercise your rights: contact us using Section 20. We respond within the timeframe required by law, free of charge for reasonable requests, and will not discriminate against you for exercising your rights. Additional or differing rights are set out in the regional supplements. If you are a client of a Customer firm, please contact that firm as the controller.
16. Marketing and communications
We send marketing only where permitted, with your consent where required. Every marketing message includes an easy way to opt out, and you can also contact us to unsubscribe. We will still send necessary service and transactional messages about your account and the Services.
17. Children's data
The Services are intended for legal professionals and are not directed to children (individuals under the age of majority under applicable law, 18 under DPDP). We do not knowingly collect children's personal data through the Website or for account creation, and we do not undertake tracking or targeted advertising directed at children. Where required, we obtain verifiable parental/guardian consent before processing a child's data. Children's data appearing within Customer Content is handled by us only as a processor, on the Customer's instructions.
18. Third-party links and services
The Services may link to or integrate with third-party sites and services (e.g., WhatsApp, scheduling, payments). Their processing is governed by their privacy policies, which we encourage you to review. We are not responsible for third-party practices.
19. Changes to this policy
We may update this Policy to reflect changes in our practices, technology or legal requirements. Material changes will be signalled by updating the "Last updated" date and, where appropriate, by notice through the Services or other reasonable means. Your continued use after an update indicates awareness of the revised Policy.
20. Contact, complaints and escalation
We will acknowledge and respond to your query or complaint within the period required by applicable law. If you are unsatisfied, you may escalate to the relevant regulator: the Data Protection Board of India; an EEA/UK supervisory authority; or the applicable US state authority, as set out in the supplements below.
India (DPDP Act, 2023 & DPDP Rules, 2025)
This supplement applies to Data Principals in India and adds to the core Policy.
- Roles. We are a Data Fiduciary for the data in Section 3.1 and a Data Processor for Customer Content (Section 3.2).
- Legal bases. We process on the basis of your consent or certain legitimate uses permitted by the DPDP Act (for example, data you voluntarily provide for a specified purpose, or processing required to comply with law).
- Consent. Where we rely on consent, we ask through a clear, standalone, plain-language request. Consent is free, specific, informed, unconditional and unambiguous, by clear affirmative action. You may withdraw it as easily as you gave it, via account settings, unsubscribe links, or our Grievance Officer. Once operational, you may also use a Board-registered Consent Manager.
- Your rights. Access to a summary of your data and processing; correction, completion and updating; erasure; grievance redressal; and the right to nominate another person to exercise your rights on death or incapacity.
- Your duties. You must not file false or frivolous complaints and must provide accurate information.
- Erasure notice. Where applicable we give at least 48 hours' notice before erasing data due to inactivity.
- Breach. We will intimate the Data Protection Board of India and notify affected Data Principals as required.
- Grievance & escalation. Contact our Grievance Officer (Section 20). If unresolved, you may complain to the Data Protection Board of India; appeals lie to the TDSAT.
- Phased timelines. DPDP obligations apply in phases, with core substantive duties from 13 May 2027; we are building to comply ahead of these dates.
EEA and United Kingdom (GDPR / UK GDPR)
This supplement applies where the GDPR or UK GDPR governs our processing, and adds to the core Policy.
- Controller & representative. Controller details are in Section 2. Our EU/UK representative (if appointed) and DPO are listed in Sections 2 and 20.
- Legal bases. We rely on: consent (Art. 6(1)(a)); contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)); and legitimate interests (Art. 6(1)(f)), such as securing and improving the Services, running our business, and direct communications, balanced against your rights.
- Your rights. In addition to the universal rights: object to processing based on legitimate interests or direct marketing; restrict processing; data portability; and the right not to be subject to solely automated decisions producing legal or similarly significant effects without safeguards including human review (see Section 8). You may withdraw consent at any time.
- International transfers. Where we transfer data outside the EEA/UK, we use an approved mechanism such as an adequacy decision, the EU Standard Contractual Clauses, or the UK IDTA/Addendum, plus supplementary measures.
- Complaints. You may lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office), though we ask that you contact us first.
United States (California CCPA/CPRA and other states)
This supplement applies to residents of California and, where noted, other US states with comprehensive privacy laws, and adds to the core Policy.
- Categories collected. In the past 12 months we may have collected: identifiers; professional/employment information; commercial information; internet/usage activity; and audio/electronic information (communications). See Section 5 for detail; sources are in Section 6 and purposes in Section 7.
- No sale or sharing. We do not sell personal information and do not share it for cross-context behavioural advertising, and have not done so in the preceding 12 months.
- Sensitive personal information. We do not use or disclose sensitive personal information beyond the purposes permitted by the CCPA.
- Your rights. Right to know/access, delete, correct, and to opt out of any sale/sharing (not applicable, as we do neither) and of certain uses of sensitive information; and the right to non-discrimination for exercising rights. We honour the Global Privacy Control signal where required.
- Authorised agents. You may use an authorised agent to submit requests, subject to verification.
- How to exercise. Use the contact details in Section 20. We will verify your request and respond within statutory timeframes.
- Other states. Residents of other US states with comprehensive privacy laws may have similar rights (access, correction, deletion, portability, and opt-outs); we honour these where applicable. Contact us to exercise them.
Questions in the meantime go straight to the founder: WhatsApp Arnuv or call +91 76785 36387.