Last updated May 8, 2026
Lawcel
Effective Date: 8 May 2026
Version 2.0
Lawcel ("we", "us") is the data controller for personal data processed as described in this Policy.
| Company | Lawcel |
|---|---|
| Registered address | Vesterbrogade 52a, 3250 Gilleleje, Denmark |
| General contact | hello@lawcel.com |
| Privacy contact | privacy@lawcel.com |
When we process personal data on behalf of a customer organisation (for example, content inside their pull requests or legal documents), we act as a processor under a separate Data Processing Agreement.
This Policy applies to visitors to lawcel.com, prospective customers, and authorised users of the Lawcel platform. The Service is directed at businesses; it is not intended for consumers.
It does not govern personal data we process on behalf of customers as their processor — for that, contact the customer directly.
From you or your organisation. Account details (name, email, profile image, role), organisation details (name, address, contact email, registration number, optional DPO contact), legal documents you upload or generate, comments you write on cases, notification preferences, and access requests if you submit one.
Automatically when you use the Service. Integration credentials (GitHub App installation IDs, OAuth tokens for Linear and Jira, API key hashes); content ingested via your connected integrations (PR and issue titles, descriptions, code diffs); IDE-integration chat history if you use it; technical request logs; LLM analysis records associated with compliance events; session metadata (last login, approximate IP-derived location).
From third parties. Public company-registry data (e.g. Danish CVR) used to pre-populate your organisation profile during onboarding; standard OAuth attributes (name, email, profile image) from Google, Microsoft Entra ID, or GitHub when you sign in.
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Providing the Service: authentication, processing your integrations, performing compliance analysis, generating proposed legal-document changes, maintaining version history | Contract — 6(1)(b) |
| Account and organisation management, including team membership and role assignment | Contract — 6(1)(b) |
| Sending magic-link sign-in and team-invite emails | Contract — 6(1)(b) |
| Security, abuse prevention, rate-limiting | Legitimate interests — 6(1)(f) |
| Reliability monitoring and debugging | Legitimate interests — 6(1)(f) |
| Capturing analysis traces and LLM usage for auditability and cost attribution | Legitimate interests — 6(1)(f) |
| Pre-sales communication when you submit an access request | Legitimate interests / pre-contractual steps — 6(1)(f) / 6(1)(b) |
| Compliance with our own legal obligations (e.g. responding to lawful requests) | Legal obligation — 6(1)(c) |
We do not currently rely on consent as a legal basis except for non-essential cookies (see Section 9). Where we rely on legitimate interests, we have conducted a balancing assessment; you may object as set out in Section 8.
Sub-processors. Third parties that process personal data on our behalf, under written processing agreements. The current list is published at app.lawcel.com/legal/lawcel/sub-processor-list — Anthropic (US, AI analysis), Hetzner (Germany, hosting), and Resend (US, email) at the Effective Date. We notify customers at least 30 days before adding or replacing a sub-processor.
Identity providers. Where you sign in with Google, Microsoft Entra ID, or GitHub, those providers act as independent controllers for the OAuth attributes they share with us; their own privacy notices apply.
Legal and regulatory disclosure. Where required by law, court order, or to establish or defend legal claims. We will notify the affected customer first where legally permissible.
Corporate transactions. In a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. Material changes will be notified under Section 13.
We do not sell personal data and do not share it for cross-context behavioural advertising.
We are established in Denmark and host the application in the EU (Hetzner, Germany). Some sub-processors — Anthropic, Resend, and the GitHub/Linear/Atlassian integration APIs — process data in the United States.
Transfers outside the EEA rely on the EU Standard Contractual Clauses (Module Two, Commission Decision 2021/914), supported by encryption in transit and at rest, contractual purpose-limitation on the processor, and a Transfer Impact Assessment per the Schrems II ruling and EDPB Recommendations 01/2020. For UK transfers, the UK International Data Transfer Addendum applies in addition.
A copy of the SCCs applicable to a specific sub-processor is available on request to privacy@lawcel.com.
| Category | Retention |
|---|---|
| Account and organisation data | Duration of the account; deleted within 30 days of contract termination, or on self-service account deletion |
| Legal documents and version history | Duration of the subscription; deleted within 30 days of termination |
| Workflow content (PRs, issues, diffs) | Duration of the subscription; deleted within 30 days of termination |
| IDE-integration chat history and memory | Duration of the subscription; deletable any time via the platform |
| Technical request logs | 90 days |
| Integration credentials and API key hashes | While the integration is active; hard-deleted within 90 days of disconnection |
| LLM analysis traces | Duration of the account; hard-deleted within 90 days of account deletion |
| LLM usage records (cost metering) | Retained while needed for billing; no fixed cut-off currently defined |
| Access request data | 12 months, or until conversion to an active account |
| Backups | Rolling 90-day window, then deleted |
Where Danish bookkeeping or tax law requires longer retention, we retain only what the law requires and only for the period required.
Account deletion is a hard delete: name, email, job title, and profile picture are removed immediately. Audit trail entries are anonymised to "Deleted User" so compliance history remains intact.
Under the GDPR you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection to processing based on legitimate interests (Art. 21), and not to be subject to a decision based solely on automated processing with legal or similarly significant effects on you (Art. 22).
These rights apply to data we hold as controller. Where we hold data as processor for a customer organisation, address requests to that customer.
To exercise a right, email privacy@lawcel.com with your name, the email address linked to your account, and a description of what you're asking for. We respond within one calendar month, with up to two further months in exceptional circumstances. We may verify your identity before acting. Manifestly unfounded or excessive requests may be declined or charged a reasonable fee.
You also have the right to lodge a complaint with the supervisory authority. The Danish authority is Datatilsynet — Carl Jacobsens Vej 35, 2500 Valby, dt@datatilsynet.dk, www.datatilsynet.dk. You can also complain to the authority of your country of residence or workplace. We'd appreciate the chance to address your concerns first.
We use strictly necessary cookies for sign-in sessions, CSRF protection, sign-in redirects, and cookie-consent preference storage. We do not currently use analytics, marketing, advertising, or fingerprinting cookies. See our Cookie Policy for the current list and durations.
The Service is for businesses. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided personal data to us, contact privacy@lawcel.com and we will investigate and delete it.
We apply technical and organisational measures appropriate to the risk under Article 32 GDPR, including:
No system is perfectly secure. Use strong credentials at your identity provider, sign out on shared devices, and report suspected vulnerabilities to security@lawcel.com.
We use Anthropic's Claude language model to:
Every AI output is reviewed by a human before any change is applied to a legal document. Risk scores and proposed updates are clearly identified as AI-generated in the interface; you can accept, modify, or reject any of them.
The regulatory-feed recommendation processing operates on an organisation's profile (jurisdiction, data categories, business model), not on individual data subjects, and you can change subscriptions at any time. Article 22 GDPR (decisions based solely on automated processing with legal or similarly significant effects on a person) does not apply, but we apply transparency and override controls anyway.
We share with Anthropic only the content needed for the analysis. Anthropic processes data as our sub-processor under a DPA and does not use it to train its models.
We may update this Policy. We notify registered users by email at least 14 days before a material change takes effect — for example, a new category of data, a new processing purpose, a new recipient, a change in retention, or a change affecting your rights. Minor corrections are reflected by updating the Effective Date.
Continued use after the effective date of an update means you accept the updated Policy; if you don't accept it, stop using the Service and contact us about deletion.
Privacy: privacy@lawcel.com
General: hello@lawcel.com
Address: Vesterbrogade 52a, 3250 Gilleleje, Denmark
Supervisory authority (Denmark): Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby — dt@datatilsynet.dk — www.datatilsynet.dk
Effective 8 May 2026. Supersedes all prior versions. Lawcel — Version 2.0