1. Who we are
LegalOS is a product of Azenteq Ltd (company number pending), registered in England and Wales. Our registered address is London, United Kingdom. Contact: privacy@azenteq.com
For the purposes of UK GDPR, Azenteq is the data processor. Each law firm using LegalOS is the data controller for their clients' personal data.
2. What data we process
We process data on behalf of law firms who use LegalOS to manage their client matters. This includes:
- Client data: names, addresses, contact details, dates of birth, National Insurance numbers, financial information (source of funds, property values)
- Matter data: case details, documents, correspondence, workflow status, key dates
- KYC/AML data: identity verification results, sanctions screening, PEP checks
- Staff data: names, email addresses, roles, time entries, activity logs
- Usage data: login times, feature usage, audit trail entries
3. Legal basis for processing
- Contract performance: processing necessary to provide the LegalOS service to subscribing firms
- Legal obligation: SRA compliance, anti-money laundering regulations, audit requirements
- Legitimate interest: service improvement, security monitoring, fraud prevention
- Consent: optional AI-assisted features, marketing communications
4. How we protect your data
- All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Multi-tenant isolation at database level (Row-Level Security policies)
- Audit logging on all sensitive operations
- Role-based access control across all portals
- Data hosted on Supabase (AWS eu-west-2, London) — UK data residency
- Regular security assessments and penetration testing
5. Data retention
Law firms set their own retention periods in accordance with SRA guidance:
- Conveyancing files: 15 years from completion
- Wills and probate: indefinitely (or 12 years from death of testator)
- Litigation: 7 years from close
- Employment: 7 years from close
- KYC/AML records: 5 years from end of business relationship
Firms can configure per-matter retention dates. After expiry, data is flagged for review and deletion by the firm administrator.
6. Third-party sub-processors
- Supabase (Supabase Inc): database and file storage — UK region
- Vercel (Vercel Inc): application hosting — edge network
- Clerk (Clerk Inc): authentication — US-based, EU SCCs in place
- Resend: transactional email delivery
- Sentry: error monitoring (no PII in error reports)
- DocuSign: electronic signatures (when enabled by the firm)
- Legl / SmartSearch / Thirdfort: KYC/AML verification (when enabled)
- Identity resolution provider: B2B website visitor identification on marketing pages only (matches IP/browser data to company records)
7. Your rights under UK GDPR
If you are a client of a law firm using LegalOS, your rights are exercised through your law firm (the data controller). You have the right to:
- Access your personal data (Subject Access Request)
- Rectify inaccurate data
- Erasure ("right to be forgotten") — subject to legal hold obligations
- Restrict processing
- Data portability
- Object to processing
Contact your law firm directly, or email privacy@azenteq.com if you need assistance.
8. AI features
LegalOS includes optional AI-assisted features (document drafting, search analysis, workflow automation). When enabled:
- AI processing is controlled by the law firm (opt-in per tenant)
- All AI outputs require human review before use
- AI usage is metered and logged per tenant
- No client data is used to train AI models
- Firms can disable AI features at any time
9. Cookies and website tracking
LegalOS uses strictly necessary cookies for authentication session management within the application.
On our marketing website (azenteq.com and legalos.azenteq.com), we use identity resolution technology to understand which organisations visit our site. This technology:
- Matches IP addresses and browser metadata to publicly available business records to identify the company or organisation visiting our site
- May use cookies, device fingerprinting, and pixel tags to facilitate this matching
- Is used for B2B marketing purposes only — to understand which law firms and organisations are interested in our products
- Does not identify individual consumers browsing in a personal capacity
Legal basis: Legitimate interest (Article 6(1)(f) UK GDPR). We have a legitimate interest in understanding which businesses visit our website to improve our marketing and sales outreach. We have conducted a Legitimate Interest Assessment and concluded that this processing does not override the rights of data subjects, as:
- Only business/organisational data is processed (company name, industry, size)
- Individual-level data, where resolved, is limited to professional context (business email, job title)
- No special category data is processed
- Data subjects can opt out at any time (see below)
Opt-out: If you do not wish your visits to be tracked, you can:
- Use your browser's "Do Not Track" setting — we honour DNT signals
- Use a VPN or privacy-focused browser
- Email privacy@azenteq.com to request exclusion from our tracking