Privacy Policy

The data controller responsible for your personal data is DeepBlueLegal, a company registered in England and Wales. For all privacy-related enquiries, please contact us at privacy@deepbluelegal.com.

We collect and process the following categories of personal data:

• Account data: name, email address, professional role, firm or chambers name, and password (stored as a cryptographic hash).
• Matter and client data: legal matter details, client names and contact information, and associated documents that you upload or create within the platform. This data is provided by you and remains your responsibility as the data controller for your clients.
• Usage data: IP address, browser type, pages visited, features used, timestamps, and session identifiers collected automatically when you use the Service.
• Communications: emails or support messages you send to us, including any personal data contained within them.
• Billing data: payment card details and billing address, processed securely via our payment processor and not stored on our servers.
• Waitlist data: first name, last name, email address, and country of location submitted via our pre-launch waitlist form.

We process personal data on the following legal bases and for the following purposes:

• Contract performance: to provide, maintain, and improve the Service you have subscribed to.
• Legitimate interests: to monitor platform security, prevent fraud, improve our product, and send service-related communications.
• Legal obligation: to comply with applicable laws, regulations, and lawful requests from public authorities.
• Consent: to send marketing communications where you have opted in. You may withdraw consent at any time.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

We use trusted third-party providers to operate the Service. Each provider processes data only as necessary to deliver their service and is bound by appropriate data processing agreements:

• Supabase: cloud database and authentication infrastructure. Data is stored on servers located in the European Union. Supabase acts as a data processor on our behalf.
• Anthropic: provider of the Claude AI models used for legal research assistance and drafting features. Content submitted to AI features may be processed by Anthropic’s infrastructure. We do not submit identifiable client personal data to AI models without your instruction.
• OpenAI: may be used for supplementary AI features. The same data minimisation principles apply as for Anthropic.
• Google: used for authentication (Google Sign-In) and optionally for Gmail integration where you enable it. We access only the scopes you explicitly authorise.
• Formspree: processes waitlist form submissions on our behalf.
• Vercel: cloud hosting and content delivery network provider for the platform.

Where any of these providers are located outside the UK or EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved under UK GDPR.

Much of the data entered into DeepBlueLegal relates to your clients and their legal matters. You are the data controller for your clients’ personal data; we act as your data processor. You are responsible for ensuring you have a lawful basis to input client data into the platform, and for complying with your professional duties of confidentiality and privilege.

We treat all matter data as strictly confidential. Our staff do not access matter content except where required to provide technical support at your explicit request, or where required by law.

We retain personal data for as long as your account is active or as necessary to provide the Service. Upon account termination:

• Account and matter data is retained for 30 days, after which it is permanently deleted.
• Billing records are retained for 7 years as required by UK tax and accounting law.
• Anonymised usage analytics may be retained indefinitely.

You may request earlier deletion of your data by contacting us at privacy@deepbluelegal.com.

You have the following rights in relation to your personal data:

• Right of access: to obtain a copy of the personal data we hold about you.
• Right to rectification: to have inaccurate data corrected.
• Right to erasure: to request deletion of your data in certain circumstances.
• Right to restriction: to request that we limit how we use your data.
• Right to portability: to receive your data in a structured, machine-readable format.
• Right to object: to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent: where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@deepbluelegal.com. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

We use cookies and similar tracking technologies to operate and improve the Service. The types of cookies we use are:

• Strictly necessary: session and authentication cookies required for the Service to function. These cannot be disabled.
• Preference: cookies that remember your settings such as theme preference.
• Analytics: anonymised usage analytics to help us understand how the platform is used. These are only set with your consent.

You can manage or disable non-essential cookies through your browser settings. Disabling strictly necessary cookies will prevent the Service from functioning.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include TLS encryption in transit, encryption at rest, access controls, and regular security reviews. However, no internet transmission is entirely secure; you acknowledge this inherent risk.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice in the platform at least 14 days before the change takes effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

For any questions, requests, or concerns about this Privacy Policy or our data practices, please contact our Privacy team: