Privacy Policy

Legal Labs ("we", "us", "our") operates the Legal Labs platform at legallabs.co. We are the data controller in respect of the personal data we collect about you through the Platform.

To contact us about data protection matters: hello@legallabs.co

2.1 Account Data. When you register, we collect: your full name, email address, password (stored in encrypted form only — we do not have access to your plain-text password), your SQE target (SQE1/SQE2/Both), and your professional status (law graduate, paralegal, etc). We use this data to create and manage your account and to personalise your experience.

Legal basis: performance of a contract (our Terms of Use).

2.2 Usage and Progress Data. When you use the Platform, we collect data about your activity: labs started and completed, answers given at each step (correct or incorrect), XP earned, rank achieved, accuracy rates by topic, streak days, and timestamps of activity. We use this data to operate the Platform, track your progress, display your dashboard, enforce the free-tier monthly limit, and improve our content.

Legal basis: performance of a contract; legitimate interests (platform improvement and fraud prevention).

2.3 Payment Data. If you purchase a Pro Subscription, payment is processed by our third-party payment processor (Stripe). We do not store your full card number or CVV. We retain records of transactions (amount, date, subscription status) for accounting and fraud-prevention purposes.

Legal basis: performance of a contract; legal obligation (financial record-keeping).

2.4 Communications Data. If you contact us by email, we retain the content of that correspondence. If you report an error in a lab or provide feedback, we retain that information to improve our content.

Legal basis: legitimate interests (responding to queries; improving our service).

2.5 Technical Data. We collect standard technical data including your IP address, browser type and version, operating system, referring URL, and pages visited. We use this for security monitoring, debugging, and aggregate usage analytics. We do not use this data to identify you as an individual unless required for security or fraud investigation.

Legal basis: legitimate interests (security and platform operation).

2.6 Cookies. We use essential cookies required for the Platform to function (authentication sessions, preferences). We may also use analytics cookies to understand how users move through the Platform. You may manage your cookie preferences through your browser settings. Disabling essential cookies will impair your ability to use the Platform.

We use your data to:

• create and maintain your account
• provide and personalise the Platform and Content
• process payments and manage subscriptions
• send you administrative emails (account confirmations, subscription receipts, Terms updates)
• enforce the free-tier monthly lab limit
• monitor and improve Platform performance
• detect, investigate, and prevent fraud and abuse
• comply with legal obligations
• respond to your queries and support requests

We will not use your data to send you marketing communications without your explicit consent. You may opt in to marketing communications during account registration or in your profile settings, and you may withdraw consent at any time.

We share personal data with the following categories of third parties, strictly for the purposes described:

4.1 Payment processor (Stripe) — to process subscription payments. Stripe is PCI-DSS compliant. Their privacy policy is at stripe.com/privacy.

4.2 Hosting and infrastructure providers — our Platform is hosted on third-party cloud infrastructure. These providers process data on our behalf and are bound by data processing agreements.

4.3 Analytics providers — we may use third-party analytics services (such as privacy-respecting analytics tools) to understand aggregate usage of the Platform. We do not share individually identifiable data with analytics providers.

4.4 Legal requirements — we may disclose personal data if required to do so by law, court order, or lawful request from a government or regulatory authority.

4.5 Business transfers — if Legal Labs is acquired, merged, or substantially all of our assets are transferred, your personal data may be transferred to the acquiring entity as part of the transaction. We will notify you by email if this occurs.

We do not sell your personal data to any third party.

Legal Labs operates internationally. Your personal data may be transferred to and stored on servers located outside your country of residence. Where we transfer data from the UK or EEA to a country not recognised as providing adequate protection, we rely on appropriate safeguards including standard contractual clauses approved by the UK Information Commissioner or equivalent.

Account and progress data: retained for the duration of your account plus 2 years after closure, to handle any post-closure queries or disputes.

Payment records: retained for 7 years from the date of the transaction, as required by applicable financial record-keeping laws.

Support correspondence: retained for 2 years from the date of the correspondence.

Technical logs: retained for up to 12 months.

When your data reaches the end of its retention period, we will delete or anonymise it.

Depending on your jurisdiction, you may have the following rights in respect of your personal data:

• Right of access: to request a copy of the personal data we hold about you.
• Right to rectification: to request that we correct inaccurate or incomplete data.
• Right to erasure: to request that we delete your personal data in certain circumstances.
• Right to restriction: to request that we restrict processing of your data in certain circumstances.
• Right to data portability: to receive your data in a structured, machine-readable format.
• Right to object: to object to processing based on legitimate interests.
• Right to withdraw consent: where processing is based on consent, to withdraw that consent at any time.

To exercise any of these rights, contact us at hello@legallabs.co with the subject line "DATA REQUEST". We will respond within 30 days. We may ask you to verify your identity before processing your request.

If you are based in the United Kingdom, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are based in another jurisdiction, you may have the right to complain to your local supervisory authority.

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include encrypted password storage, HTTPS encryption in transit, and access controls on our databases. However, no method of data transmission or storage is completely secure. You use the Platform at your own risk.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

The Platform is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a child, please contact us at hello@legallabs.co and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address or by prominent notice on the Platform. Your continued use of the Platform after the effective date of any updated Privacy Policy constitutes your acceptance of it.

For any data protection queries, requests, or complaints: hello@legallabs.co