GDPR Compliance

LawyerGPT is committed to full compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This section outlines how we align with GDPR principles to protect user privacy, particularly for data subjects located in the European Union.

Key GDPR Principles We Follow

Principle                          | How We Comply
-----------------------------------|---------------------------------------------------------------------------------------------------------
Lawfulness, Fairness, Transparency | All data processing is disclosed in our privacy policy and done only with a valid legal basis.
Purpose Limitation                 | We process data solely for clearly defined, legitimate purposes (e.g. API response generation).
Data Minimization                  | We only collect data necessary to fulfill the request. No PII is required to use the API.
Accuracy                           | Data stored (if any) is accurate and is updated or deleted upon user request.
Storage Limitation                 | Transient data is discarded after the request completes; logs (if enabled) are retained only for 7 days.
Integrity and Confidentiality      | All data is encrypted in transit and at rest; access is limited to authorized personnel only.
Accountability                     | We maintain full documentation of compliance efforts and are ready for audits.

Data Subject Rights

As a data subject under the GDPR, you have the right to:

  • Access your data

  • Rectify inaccurate data

  • Erase your data ("right to be forgotten")

  • Restrict or object to data processing

  • Port your data to another provider

  • Withdraw consent at any time if processing is based on consent

To exercise any of these rights, email us at [email protected] with your API key and relevant request.

Data Location & Transfers

  • All data is processed and temporarily stored in EU-compliant cloud regions

  • Cross-border transfers (e.g. EU ↔ US) are subject to Standard Contractual Clauses (SCCs) and/or adequacy decisions

Data Controller vs. Processor

Role         | Description
-------------|----------------------------------------------------------------------------
You (Client) | Acts as the Data Controller: decides what data to send via the API
LawyerGPT    | Acts as a Data Processor: processes your data strictly per your instructions

If you use our platform to process personal data, you may need a Data Processing Agreement (DPA) with us. You can request this by emailing [email protected].

Security Measures

We implement organizational and technical measures including:

  • TLS 1.3 encryption for all data in transit

  • AES-256 encryption for any logged data

  • Role-based access control (RBAC)

  • Regular security audits and penetration testing

  • Zero-trust architecture for production environments

Recordkeeping and Documentation

We maintain an internal Data Processing Register and conduct Data Protection Impact Assessments (DPIAs) where applicable.

For enterprise clients, audit logs and full compliance documentation are available upon request.

Last updated