Privacy Policy

Last updated April 6, 2026

Lawcel
Effective Date: 30 March 2026
Version 1.0


Table of Contents

  1. Introduction and Data Controller
  2. Scope and Application
  3. Data We Collect
  4. How We Use Your Data
  5. Legal Basis for Processing
  6. Data Sharing and Disclosure
  7. International Data Transfers
  8. Data Retention
  9. Your Rights
  10. Cookies and Tracking Technologies
  11. Children's Privacy
  12. Security
  13. Automated Decision-Making and AI Processing
  14. Changes to This Policy
  15. Contact Us

1. Introduction and Data Controller

Lawcel ("Lawcel," "we," "us," or "our") operates a continuous compliance platform designed for businesses engaged in software development. This Privacy Policy explains how Lawcel collects, uses, stores, shares, and otherwise processes personal data in connection with our platform, website, and associated services (collectively, the "Services").

Lawcel acts as the data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR") with respect to personal data processed as described in this Privacy Policy. Where Lawcel processes personal data on behalf of its customers (for example, personal data contained within code diffs, pull request descriptions, or legal documents uploaded by a customer), Lawcel acts as a data processor and processes such data pursuant to a separate Data Processing Agreement ("DPA") entered into with that customer.

Data Controller Details:

| Detail | Value |
|---|---|
| Company name | Lawcel |
| Registered address | Vesterbrogade 52a, 3250 Gilleleje, Denmark |
| General contact email | hello@lawcel.com |
| Privacy contact email | privacy@lawcel.com |

If you have questions about how Lawcel processes your personal data, or wish to exercise any of the rights described in Section 9 of this Policy, please contact us at the privacy contact email address above.

This Policy is effective as of 30 March 2026.


2. Scope and Application

This Privacy Policy applies to:

  • Visitors to the Lawcel website;
  • Prospective customers who submit access requests or otherwise express interest in the Services;
  • Users of the Lawcel platform, including individuals who register for accounts on behalf of their organisations;
  • Administrators and team members of organisations that have subscribed to the Services.

This Policy does not govern the personal data that Lawcel processes as a data processor on behalf of its business customers. If you are an employee, contractor, or end user of a Lawcel customer and have questions about how that customer handles your personal data within Lawcel-powered workflows, please contact that customer directly.

Lawcel's Services are directed exclusively at businesses and professionals. The Services are not directed at, or intended for use by, consumers acting in a personal capacity.


3. Data We Collect

Lawcel collects personal data through three primary means: information you or your organisation provides directly, information collected automatically through your use of the Services, and information received from third-party services you connect to Lawcel.

3.1 Information You Provide Directly

Account Registration and User Authentication

When an individual creates an account on behalf of their organisation, or is invited to join an existing organisation account, Lawcel collects:

  • First and last name
  • Email address
  • Profile image (where provided via a connected identity provider)
  • Assigned platform role (one of: admin, developer, or legal), stored on the membership record and determining the scope of the user's access to platform features

Organisation Onboarding and Compliance Management

When an organisation establishes its compliance profile within the platform, Lawcel collects:

  • Organisation name
  • Organisation address
  • Organisation contact email address
  • Data Protection Officer (DPO) name (where applicable)
  • DPO email address (where applicable)
  • Company registration number

This information is used to populate the organisation's legal compliance profile and to inform the compliance analysis engine.

Legal Document Management

When an organisation imports, creates, or manages legal documents through the Services — including via the website scanner or by direct upload — Lawcel collects and stores:

  • The full text of legal documents (such as Privacy Policies, Terms of Service, and related instruments)
  • Version history of those legal documents, including all successive drafts and approved changes

Access Requests and Product Interest

When a prospective customer submits an access request or otherwise expresses interest in the Services, Lawcel collects:

  • Email address
  • Company name

Case Comments

Where users submit comments in connection with compliance cases or internal documentation within the platform, Lawcel collects the text of those comments.

3.2 Information Collected Automatically

Platform Integration Credentials

When a user connects third-party development tools to the Lawcel platform, the following technical identifiers are collected and stored:

  • GitHub App installation IDs
  • Linear OAuth access tokens
  • Linear OAuth refresh tokens
  • Linear OAuth token expiry timestamps
  • Public API keys (stored exclusively as SHA-256 hashes; the underlying key values are not retained)

Linear OAuth credentials (access tokens, refresh tokens, and token expiry timestamps) are used to authenticate with the Linear API and to perform automatic token refresh where required to maintain the integration.

Development Workflow Content

When Lawcel's integration with GitHub or Linear is active, the following content is ingested via webhooks in order to perform compliance analysis:

  • Pull request diffs (code changes)
  • Pull request titles and descriptions
  • Linear issue titles and descriptions

AI Agent Interaction Data

When a user interacts with the Lawcel AI compliance agent (including via the IDE integration for Cursor, Claude Code, or Windsurf), Lawcel collects and stores:

  • The full text of agent chat conversation history
  • LLM-generated memory summaries created to preserve conversation context across sessions

Technical and Operational Logs

Lawcel's infrastructure automatically generates logs that include:

  • HTTP method used in each request
  • Request path (URL endpoint)
  • HTTP status code returned
  • Response duration (in milliseconds)

These logs do not include request or response bodies containing user content and are used solely for system monitoring, performance analytics, and debugging.

LLM Analysis Traces

For each compliance analysis event (including pull requests, Linear issues, and API-submitted changes), Lawcel automatically captures and stores a full LLM analysis trace, including:

  • LLM system prompts
  • LLM user prompts (with legal document content replaced by slug placeholders prior to storage)
  • LLM model responses
  • Token counts (input and output per step)
  • LLM call duration metrics
  • Triage and analysis decision labels

These traces are stored persistently in the events table and are used for analysis pipeline observability, debugging, and auditability of compliance analysis. Access to analysis traces within the platform is restricted to super_admin users.

Session Data

  • Session cookies are used to manage authenticated user sessions. See Section 10 for further details.

3.3 Information Received from Third Parties

Where you authenticate with the Services using a third-party identity provider, Lawcel receives the following data from that provider via the OAuth protocol:

  • Google: Name, email address, profile image, OAuth flow data
  • Microsoft Entra ID: Name, email address, profile image, OAuth flow data
  • GitHub (OAuth): Name, email address, profile image, OAuth flow data

No additional data beyond what is listed above is requested from or provided by these identity providers.


4. How We Use Your Data

Lawcel processes personal data for the following purposes:

4.1 Providing and Maintaining the Services

We use account data (name, email, organisation details, integration credentials) and development workflow content (PR diffs, issue titles and descriptions) to:

  • Authenticate users and maintain secure sessions;
  • Enable the monitoring of connected development tools via webhooks;
  • Perform compliance impact analysis on code and workflow changes;
  • Generate risk scores (on a 0–10 scale) for individual changes;
  • Propose specific legal clause updates for review by authorised users;
  • Apply approved changes to legal documents with full version history;
  • Operate the website scanner to import and profile existing legal documents;
  • Provide the IDE integration via MCP server for Cursor, Claude Code, and Windsurf.

Legal basis: Performance of a contract (Article 6(1)(b) GDPR) — this processing is necessary to deliver the Services pursuant to the agreement between Lawcel and the customer organisation.

4.2 Account and Organisation Management

We use name, email address, organisation details, and DPO information to:

  • Create and maintain user accounts;
  • Manage organisation-level compliance profiles;
  • Communicate with account holders regarding account status, security notices, and service-related updates;
  • Enable multi-user access and role-based permission management within a customer organisation. The platform enforces a three-role permission model: (i) admin, which has full access except to connection logs, and may manage team membership, member roles, and organisation settings; (ii) developer, which has access to connection and development workflow features but not to the legal profile, risk assessments, or scan functionality, and has read-only access to compliance cases; and (iii) legal, which has full access to cases, legal documents, legal profile, risk assessments, and scan functionality, but not to connection features. Roles are stored on the membership record. The admin, developer, and legal roles are assigned at the point of invitation; admins may subsequently change member roles, remove members, and revoke outstanding invites.

Legal basis: Performance of a contract (Article 6(1)(b) GDPR).

4.3 AI-Powered Compliance Analysis and Document Generation

We use development workflow content (PR diffs, issue titles and descriptions, legal document text, and the organisation's legal profile) together with conversation history and LLM-generated memory summaries to:

  • Analyse proposed code and product changes for legal and regulatory compliance impact;
  • Generate proposed updates to legal clauses for human review;
  • Maintain context across AI agent sessions to improve analysis quality.

This processing involves sharing data with Anthropic (Claude) as a sub-processor. See Section 6 and Section 13 for further detail.

Legal basis: Performance of a contract (Article 6(1)(b) GDPR).

4.4 Authentication via Third-Party Identity Providers

We use OAuth flow data, name, email address, and profile image received from Google, Microsoft Entra ID, and GitHub to:

  • Authenticate users without requiring a separate password;
  • Associate the authenticated identity with the correct Lawcel account.

Legal basis: Performance of a contract (Article 6(1)(b) GDPR); and, where applicable, legitimate interests (Article 6(1)(f) GDPR) in providing secure, frictionless authentication methods.

We use email addresses to:

  • Generate and deliver one-time authentication links via Resend;
  • Enable passwordless login for users who do not use a federated identity provider.

Legal basis: Performance of a contract (Article 6(1)(b) GDPR).

4.6 Security, Fraud Prevention, and Integrity

We use technical log data (HTTP method, request path, status code, response duration), session cookies, and API key hashes to:

  • Detect and investigate unauthorised access attempts, abuse, and security incidents;
  • Monitor the integrity and availability of the Services;
  • Enforce rate limits and access controls.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR) — Lawcel has a legitimate interest in protecting its platform, its customers, and the security of data processed through the Services. This interest is not overridden by data subjects' interests given the limited nature of the data processed for this purpose and the technical controls applied.

4.7 Performance Monitoring and Debugging

We use technical log data (HTTP method, request path, status code, response duration) to:

  • Monitor system uptime and performance;
  • Diagnose and resolve technical errors;
  • Optimise platform performance.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR) — Lawcel has a legitimate interest in maintaining a reliable and performant service. Log data processed for this purpose does not include user content and is subject to defined retention limits.

4.8 Access Request Processing and Pre-Sales Communications

We use the email address and company name provided by prospective customers to:

  • Process access requests;
  • Respond to product enquiries;
  • Communicate information about the Services to interested parties.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR) — Lawcel has a legitimate interest in responding to organisations that have actively expressed interest in its Services. Where applicable, processing may also be based on steps taken at the data subject's request prior to entering into a contract (Article 6(1)(b) GDPR).

We may process any category of personal data where necessary to:

  • Comply with applicable laws, regulations, and regulatory guidance;
  • Respond to valid legal process, court orders, or lawful requests from competent authorities;
  • Establish, exercise, or defend legal claims.

Legal basis: Legal obligation (Article 6(1)(c) GDPR); or legitimate interests (Article 6(1)(f) GDPR) where processing is necessary to establish, exercise, or defend legal claims.


5. Legal Basis for Processing

The following table summarises the mapping between processing purposes, data categories, and the applicable legal basis under Article 6 GDPR:

| Processing Purpose | Data Categories | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Service delivery and core platform functionality | Account data, organisation data, integration credentials, workflow content, legal documents | Art. 6(1)(b) — contractual necessity |
| Account and organisation management | Name, email, organisation details, DPO data, assigned platform role, membership record data | Art. 6(1)(b) — contractual necessity |
| AI compliance analysis and document generation | Workflow content, legal documents, legal profile, conversation history | Art. 6(1)(b) — contractual necessity |
| Third-party OAuth authentication | OAuth flow data, name, email, profile image | Art. 6(1)(b) — contractual necessity |
| Email magic link authentication | Email address | Art. 6(1)(b) — contractual necessity |
| Security and fraud prevention | Log data, session cookies, API key hashes | Art. 6(1)(f) — legitimate interests (platform security) |
| Performance monitoring and debugging | Log data | Art. 6(1)(f) — legitimate interests (service reliability) |
| LLM analysis trace capture (prompts, responses, token counts, durations, decision labels) | LLM analysis trace data | Art. 6(1)(f) — legitimate interests (analysis pipeline observability and auditability of compliance analysis) |
| Access request and pre-sales communications | Email address, company name | Art. 6(1)(f) — legitimate interests (responding to expressed interest); Art. 6(1)(b) — pre-contractual steps |
| Legal compliance and regulatory obligations | Any relevant data | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests (legal claims) |

5.1 Legitimate Interests Assessment

Where Lawcel relies on legitimate interests as the legal basis for processing, we have conducted a balancing assessment. In each such case, the processing:

  • Pursues a genuine and specific interest as identified in Section 4;
  • Is limited to what is necessary for that purpose and does not involve data that is particularly sensitive in nature;
  • Is unlikely to create a material adverse impact on the rights and freedoms of the data subjects concerned, given that the Services are directed at professionals acting in a business capacity.

Data subjects retain the right to object to processing carried out on the basis of legitimate interests. See Section 9.6.

Lawcel does not currently rely on consent as the legal basis for any processing activity described in this Policy (other than the use of non-essential cookies, as described in Section 10). Where Lawcel relies on consent in the future, it will update this Policy accordingly and provide appropriate mechanisms for obtaining and withdrawing consent.


6. Data Sharing and Disclosure

Lawcel does not sell personal data. Lawcel does not share personal data for cross-context behavioural advertising purposes.

Personal data is disclosed only to the following categories of recipients, and only to the extent necessary for the stated purpose:

6.1 Sub-Processors and Service Providers

Lawcel engages the following third-party service providers who process personal data on Lawcel's behalf:

| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic (Claude) | Compliance analysis, legal document generation, AI chat agent functionality | Code diffs, PR/issue titles and descriptions, legal document text, legal profile data | United States |
| Hetzner Cloud | Infrastructure and hosting (servers, databases, storage) | All application data | European Union (Germany) |
| Resend | Email-based magic link authentication | User email addresses, verification tokens | United States |
| GitHub API (Octokit) | Platform integration with GitHub | PR metadata, code diffs, analysis results, PR comments | United States |
| Linear API | Platform integration with Linear | Issue metadata, analysis results, issue comments | United States |
| GitHub Actions + GitHub Container Registry | CI/CD deployment pipeline | Docker images (application code; not user data) | United States |

Each sub-processor is engaged pursuant to a written data processing agreement that imposes obligations consistent with the GDPR and this Policy.

6.2 Identity Providers (Controller-to-Controller)

The following providers operate as independent data controllers when processing data in connection with the OAuth authentication flow. Lawcel receives only the limited set of user attributes described in Section 3.3 from these providers:

  • Google — governed by Google's Privacy Policy
  • Microsoft (Entra ID) — governed by Microsoft's Privacy Policy
  • GitHub (OAuth) — governed by GitHub's Privacy Policy

Users who authenticate via these providers are subject to those providers' terms and privacy policies in respect of data processed by those providers.

Lawcel may disclose personal data to competent courts, law enforcement agencies, regulatory authorities, or other public bodies where required to do so by applicable law, court order, or other binding legal process, or where Lawcel determines in good faith that disclosure is necessary to:

  • Comply with a legal obligation to which Lawcel is subject;
  • Protect the vital interests of a natural person;
  • Establish, exercise, or defend legal claims.

Lawcel will, where legally permissible, notify the affected customer prior to any such disclosure and limit the disclosure to the minimum data necessary.

6.4 Corporate Transactions

In the event that Lawcel undergoes a merger, acquisition, restructuring, sale of assets, or similar corporate transaction, personal data may be transferred to the acquiring entity or successor organisation as part of that transaction. If such a transfer would result in a material change to how personal data is processed, Lawcel will notify affected users in accordance with Section 14 of this Policy.


7. International Data Transfers

Lawcel is established in Denmark and processes data primarily within the European Economic Area ("EEA") through its primary hosting infrastructure on Hetzner Cloud (located in Germany). However, certain sub-processors — specifically Anthropic, Resend, GitHub, and Linear — are established in and process data in the United States, which is a country outside the EEA.

Transfers of personal data to these processors are carried out on the basis of one or more of the following safeguards:

| Recipient | Transfer Mechanism |
|---|---|
| Anthropic | EU Standard Contractual Clauses (European Commission Decision 2021/914) |
| Resend | EU Standard Contractual Clauses |
| GitHub API | EU Standard Contractual Clauses |
| Linear API | EU Standard Contractual Clauses |
| GitHub Actions + GitHub Container Registry | EU Standard Contractual Clauses |

In addition to relying on Standard Contractual Clauses, Lawcel takes the following supplementary technical and organisational measures to protect data transferred to third countries, in accordance with the guidance of the European Data Protection Board:

  • Minimisation of data shared with sub-processors (only data strictly necessary for the relevant purpose is transmitted);
  • Use of encrypted transport (TLS 1.2 or higher) for all data in transit;
  • Contractual restrictions on sub-processors' ability to process transferred data for their own purposes.

Copies of the Standard Contractual Clauses applicable to transfers to any specific sub-processor are available upon request. Please contact us at the privacy contact email address set out in Section 15.


8. Data Retention

Lawcel retains personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

| Data Category | Retention Period |
|---|---|
| Account data (name, email, profile image) | Retained for the duration of the active account. Following account deletion or contract termination, deleted within 30 days, except where retention is required to comply with legal obligations. |
| Organisation profile data (organisation name, address, contact email, DPO details, registration number) | Retained for the duration of the active subscription. Deleted within 30 days of contract termination, except where retention is required for legal compliance. |
| Legal documents and version history | Retained for the duration of the active subscription and deleted within 30 days of contract termination, unless the customer requests earlier deletion. |
| Development workflow content (PR diffs, titles, descriptions, Linear issue data) | Retained for the duration of the active subscription. Deleted within 30 days of contract termination. |
| AI agent conversation history and LLM-generated memory summaries | Retained for the duration of the active subscription. Deleted within 30 days of contract termination. Customers may delete individual conversations or memory entries at any time through the platform interface. |
| Technical log data (HTTP method, request path, status code, response duration) | Retained for 90 days from the date of generation, after which logs are permanently deleted or aggregated in anonymised form. |
| Integration credentials (GitHub App installation IDs, Linear OAuth access tokens, Linear OAuth refresh tokens, Linear OAuth token expiry timestamps, hashed API keys) | Retained for as long as the relevant integration remains active. Upon disconnection of the integration or termination of the account, credentials are soft-deleted and permanently and irreversibly hard-deleted within 90 days of that soft deletion. |
| Access request data (email, company name) | Retained for 12 months from the date of submission, or until the prospective customer converts to an active account, whichever is earlier, after which the data is permanently deleted. |
| Session cookies | Expire at the end of each authenticated session or upon logout. See Section 10. |
| Case comments | Retained for the duration of the active subscription. Deleted within 30 days of contract termination. |
| LLM analysis traces (system prompts, user prompts with redacted document content, model responses, token counts, duration metrics, decision labels) | Retained for the duration of the active account. Following account deletion or contract termination, permanently and irreversibly hard-deleted within 90 days of the initial soft deletion. |

Where retention beyond the periods set out above is required by applicable law (including Danish bookkeeping law or tax legislation), data will be retained for the minimum period required by such law and deleted promptly upon expiry of that obligation.

Upon expiry of the applicable retention period, personal data is permanently deleted or irreversibly anonymised in a manner that prevents re-identification.


9. Your Rights

As an individual whose personal data is processed by Lawcel, you have the following rights under the GDPR. These rights apply to personal data for which Lawcel acts as a data controller (see Section 1 and Section 2). If Lawcel processes your data as a data processor on behalf of a customer organisation, please direct your request to that organisation.

9.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation of whether Lawcel processes personal data about you and, if so, to receive a copy of that data together with information about the purposes, categories, recipients, retention periods, and your rights in connection with the processing.

9.2 Right to Rectification (Article 16 GDPR)

You have the right to request correction of inaccurate personal data and completion of incomplete personal data held by Lawcel.

9.3 Right to Erasure (Article 17 GDPR)

You have the right to request deletion of your personal data where:

  • The data is no longer necessary for the purposes for which it was collected;
  • You have withdrawn consent (where processing was based on consent) and there is no other legal basis for processing;
  • You have objected to processing based on legitimate interests and there are no overriding legitimate grounds;
  • The data has been unlawfully processed;
  • Deletion is required to comply with a legal obligation.

This right does not apply where processing is necessary for compliance with a legal obligation or the establishment, exercise, or defence of legal claims.

9.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request that Lawcel restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data or have objected to processing pending verification of whether Lawcel's legitimate grounds override your interests.

9.5 Right to Data Portability (Article 20 GDPR)

Where processing is based on consent or contractual necessity and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to have that data transmitted directly to another controller where technically feasible.

9.6 Right to Object (Article 21 GDPR)

You have the right to object at any time to processing of your personal data carried out on the basis of legitimate interests (Article 6(1)(f) GDPR). Lawcel will cease processing unless it can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

9.7 Right Not to Be Subject to Solely Automated Decision-Making (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects concerning you. Please see Section 13 for Lawcel's approach to automated processing and AI.

9.8 How to Exercise Your Rights

To exercise any of the rights described above, please submit a request to Lawcel's privacy contact email address set out in Section 15. Your request should include:

  • Your full name;
  • The email address associated with your Lawcel account or submission;
  • A description of the right you wish to exercise and the specific data concerned.

Lawcel will respond to your request within one calendar month of receipt. In exceptional circumstances, this period may be extended by a further two months, in which case Lawcel will notify you of the extension and the reasons for it within the initial one-month period.

Lawcel may request additional information to verify your identity before processing a request. This is necessary to protect the security of personal data and to ensure that requests are fulfilled only for the correct data subject.

Where requests are manifestly unfounded or excessive (particularly where they are repetitive in nature), Lawcel may charge a reasonable fee or decline to act on the request, and will notify you accordingly.

9.9 Right to Lodge a Complaint

If you believe that Lawcel has processed your personal data in a manner inconsistent with the GDPR, you have the right to lodge a complaint with the competent supervisory authority. In Denmark, the competent supervisory authority is:

Datatilsynet (The Danish Data Protection Agency)
Carl Jacobsens Vej 35
2500 Valby
Denmark
Telephone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk

You also have the right to lodge a complaint with the supervisory authority of the EU Member State in which you reside, work, or in which the alleged infringement took place.

Lawcel encourages you to contact us directly in the first instance so that we may address your concerns before you escalate to the supervisory authority.


10. Cookies and Tracking Technologies

10.1 Cookies Used by Lawcel

Lawcel uses a limited set of cookies in connection with the Services:

| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly necessary — session cookies | Used to maintain an authenticated user session following login. These cookies are essential to the operation of the Services and cannot be disabled without preventing access. | Session (expires on logout or browser close) |

Lawcel does not currently use:

  • Analytics or performance cookies placed by third-party analytics platforms;
  • Advertising or tracking cookies;
  • Persistent fingerprinting technologies.

10.2 Third-Party Scripts and Tracking

Lawcel does not currently embed third-party advertising scripts or tracking pixels on its platform. If this changes, this Policy and the cookie notice will be updated accordingly.

Because Lawcel uses only strictly necessary session cookies, no consent is required for their use under Article 5(3) of the ePrivacy Directive as implemented in Danish law. These cookies cannot be disabled through a cookie preference centre without preventing access to the authenticated portions of the Services.

Users may delete session cookies via their browser settings at any time. Doing so will terminate the active session and require re-authentication.

10.4 No Sale or Sharing via Cookies

Lawcel does not use cookies to enable the sale or sharing of personal data with third parties for advertising or cross-context behavioural tracking purposes.


11. Children's Privacy

The Services are directed exclusively at businesses and professionals and are not intended for, or directed at, individuals under the age of 18.

Lawcel does not knowingly collect personal data from individuals under 18 years of age. If you believe that a person under 18 has provided personal data to Lawcel without appropriate authorisation, please notify us at the privacy contact email address in Section 15. We will promptly investigate and, where confirmed, delete such data.

Under Article 8 of the GDPR, where an information society service is directed at a child, the processing of a child's personal data is only lawful where the child is at least 13 years of age (in Denmark), and where the child is under 16 years of age, processing is only lawful if consent is given or authorised by the holder of parental responsibility. As the Services are not directed at children, these provisions do not apply in practice; however, Lawcel is committed to compliance with these requirements in the event of inadvertent collection.


12. Security

Lawcel implements a range of technical and organisational security measures appropriate to the risk presented by the processing activities described in this Policy, in accordance with Article 32 of the GDPR.

These measures include, but are not limited to:

  • Encryption in transit: All data transmitted between users' browsers or IDE integrations and Lawcel's servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Sensitive data stored in Lawcel's databases and file storage is encrypted at rest.
  • Access controls: Access to production systems and personal data is restricted on a need-to-know basis. Privileged access is subject to additional controls.
  • API key hashing: Public API keys submitted to the platform are stored exclusively as SHA-256 hashes; the original key values are not retained.
  • Authentication controls: The platform supports OAuth-based and magic link authentication to reduce reliance on static passwords.
  • Infrastructure security: Lawcel's infrastructure is hosted on Hetzner Cloud within the EU and is subject to network-level controls including firewalls and intrusion detection.
  • Secure development practices: Lawcel's development workflows incorporate security review processes. The platform itself monitors code changes for compliance risk as part of its core functionality.
  • Incident response: Lawcel maintains an internal process for identifying, assessing, and responding to personal data breaches in accordance with Articles 33 and 34 of the GDPR.

No security system is entirely impenetrable. While Lawcel takes its security obligations seriously, we cannot guarantee the absolute security of data transmitted over the internet or stored in any system. Users are encouraged to:

  • Use strong, unique credentials for identity provider accounts connected to Lawcel;
  • Log out of the Services when using shared or public devices;
  • Report any suspected security vulnerabilities or incidents to the privacy contact email in Section 15.

13. Automated Decision-Making and AI Processing

13.1 Nature of AI Processing in Lawcel

Lawcel's core functionality involves the use of artificial intelligence — specifically Anthropic's Claude language model — to:

  • Analyse pull request diffs, PR/issue titles, and descriptions for legal and regulatory compliance impact;
  • Classify the compliance risk of a given change on a scored scale of 0–10;
  • Generate proposed updates to specific legal clauses (such as Privacy Policy provisions or Terms of Service clauses).

This AI processing is performed for the benefit of and under the control of the customer organisation, and all outputs — risk scores and proposed clause changes — are presented to authorised users for human review and approval before any change is applied to a legal document. No change is applied to a legal document automatically without human intervention.

13.2 Assessment Under Article 22 GDPR

Article 22 of the GDPR provides that data subjects shall not be subject to a decision based solely on automated processing that produces legal or similarly significant effects concerning them.

Lawcel's AI processing does not produce decisions with legal or similarly significant effects concerning individual data subjects. The processing is directed at assessing the compliance implications of software product changes at an organisational level, and all outputs require human approval before action is taken. Accordingly, Article 22 GDPR does not apply to Lawcel's AI processing activities.

13.3 Transparency About AI Outputs

Lawcel is committed to transparency about the role of AI in its Services:

  • Risk scores and proposed clause updates generated by the AI are clearly identified as AI-generated outputs within the platform interface.
  • Users retain full discretion to accept, modify, or reject any AI-generated proposal.
  • Lawcel does not use AI outputs to make decisions about individual users or employees without human review.

13.4 Data Minimisation in AI Processing

Lawcel applies data minimisation principles when sharing data with Anthropic. Only the content necessary to perform the specific analysis task — such as the relevant code diff, PR description, and legal profile context — is transmitted. Anthropic processes this data as a sub-processor pursuant to a data processing agreement, and the data is not used to train Anthropic's models (subject to applicable API terms agreed between Lawcel and Anthropic).


14. Changes to This Policy

Lawcel reserves the right to update or modify this Privacy Policy at any time. Changes will be effective upon posting of the revised Policy on the Lawcel website, unless a later effective date is specified.

14.1 Notification of Changes

  • Material changes — changes that significantly affect how personal data is collected, used, shared, or retained, or that affect data subjects' rights — will be communicated to registered users via email to the address associated with their account at least 14 days prior to the change taking effect.
  • Minor changes — corrections, clarifications, and changes that do not materially affect data processing practices — will be reflected in the updated Policy posted on the website, with the revised effective date noted at the top of the document.

14.2 What Constitutes a Material Change

For the purposes of this Policy, a material change includes, without limitation:

  • The introduction of new categories of personal data collected;
  • New purposes for which personal data is used that require a different legal basis;
  • New categories of third-party recipients with whom personal data is shared;
  • A change in the data controller identity (e.g., following a corporate transaction);
  • Significant changes to data retention periods;
  • Changes that affect the rights available to data subjects.

14.3 Continued Use

Following notification of a material change, your continued use of the Services after the stated effective date of the revised Policy constitutes your acknowledgement of the updated Policy. If you do not agree to the updated Policy, you should cease using the Services and contact us to request deletion of your personal data.

We encourage you to review this Policy periodically to stay informed of how Lawcel processes personal data.


15. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or to Lawcel's processing of your personal data, please contact us using the details below:

Lawcel Denmark

Privacy contact email: [privacy contact email not yet designated]

Right to complain to the supervisory authority:

If you are not satisfied with Lawcel's response to a privacy request or concern, you have the right to lodge a complaint with the competent data protection authority. The lead supervisory authority for Lawcel, as a Danish-established company, is:

Datatilsynet (The Danish Data Protection Agency)
Carl Jacobsens Vej 35
2500 Valby
Denmark
Telephone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk


This Privacy Policy was last updated on 30 March 2026 and supersedes all prior versions.

Lawcel — Version 1.0