Lawzana Flow

Privacy Policy

How we collect, use, and protect your information.

Last updated: January 13, 2026

Introduction

Lawzana Ltd ("Lawzana," "we," "us," or "our") operates the Lawzana Flow platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and the confidentiality of client data entrusted to legal professionals. Please read this policy carefully to understand our practices regarding your personal data.

Information We Collect

Account Information

When you create an account, we collect:

  • Name and email address
  • Organization name and details
  • Role within your organization
  • Password (stored in hashed form only)
  • Profile information you choose to provide

Content You Upload

To provide our services, we store content you upload, including:

  • Documents (PDFs, Word files, and other file types)
  • Matter and case information
  • Contact and client records
  • Notes, tasks, and communications within the platform

Usage Information

We automatically collect certain information when you use the Service:

  • Log data (IP address, browser type, access times)
  • Device information (device type, operating system)
  • Feature usage patterns (to improve our Service)
  • Error reports and performance data (anonymized)

Payment Information

Payment processing is handled by Stripe. We do not store your full credit card number. We receive only limited information from Stripe necessary for billing (last four digits, card type, expiration date).

How We Use Your Information

We use your information for the following purposes:

  • Provide the Service: To operate and maintain Lawzana Flow, including document storage, matter management, and AI-powered features
  • AI Processing: To process your documents and queries through our AI features (see AI Privacy section below)
  • Account Management: To manage your account, process payments, and communicate with you about your subscription
  • Security: To detect, prevent, and respond to security incidents
  • Improvement: To analyze usage patterns and improve our Service (using aggregated, anonymized data)
  • Legal Compliance: To comply with applicable laws and regulations

AI Privacy

We understand the critical importance of confidentiality for legal professionals. Our AI features are powered by Google Vertex AI with the following privacy protections:

  • Zero Data Retention: Your content sent to AI is processed in real-time and immediately discarded. It is not stored, cached, or logged by our AI provider.
  • No Model Training: Your data is never used to train or improve AI models. This is contractually guaranteed by our infrastructure provider.
  • Human Review Required: All AI-generated output is presented for human review—AI assists but never acts autonomously on your behalf.

Data Storage and Security

Data Residency

You choose where your data is stored when creating your organization:

  • United States: Google Cloud, Iowa
  • European Union: Google Cloud, Belgium
  • Asia Pacific: Google Cloud, Singapore

Data residency selection is permanent for your organization to ensure compliance requirements are consistently met.

Security Measures

We implement industry-standard security measures including:

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls
  • Audit logging of key actions
  • Regular security updates and monitoring
  • Daily automated backups

For more details, see our Security page.

Data Sharing and Disclosure

We do not sell your personal information or client data. We may share information only in the following circumstances:

Service Providers (Subprocessors)

We use trusted third-party service providers to operate our Service:

  • Google Cloud Platform: Infrastructure, storage, and AI processing
  • Stripe: Payment processing
  • Resend: Transactional emails
  • Sentry: Error monitoring (anonymized data only)

These providers are contractually bound to protect your data and use it only for the services they provide to us.

Legal Requirements

We may disclose information if required by law, such as in response to a valid subpoena, court order, or government request. We will notify you of such requests where legally permitted.

Business Transfers

If Lawzana is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Portability: Request your data in a machine-readable format
  • Objection: Object to certain processing of your personal data
  • Withdrawal: Withdraw consent where processing is based on consent

To exercise these rights, contact us at [email protected].

For EEA and UK Users (GDPR)

If you are in the European Economic Area or United Kingdom, the following applies:

  • Data Controller: Lawzana Ltd is the data controller for personal data collected through the Service
  • Legal Basis: We process your data based on: (a) contract performance, (b) legitimate interests, (c) consent where applicable, and (d) legal obligations
  • Data Transfers: Where you select non-EU data residency, appropriate safeguards are in place (Standard Contractual Clauses)
  • Supervisory Authority: You have the right to lodge a complaint with your local data protection authority

Data Processing Agreements (DPAs) are available upon request for organizations that require them.

For California Users (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to Know: You can request disclosure of the categories and specific pieces of personal information we have collected
  • Right to Delete: You can request deletion of personal information we have collected
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • No Sale of Personal Information: We do not sell personal information as defined by the CCPA

Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Upon account deletion:

  • Your documents and case data are permanently deleted within 30 days
  • Backups containing your data are purged within 90 days
  • Anonymized, aggregated analytics data may be retained indefinitely
  • Certain records may be retained longer if required by law

Cookies and Tracking

We use essential cookies required for the Service to function (authentication, session management). We do not use third-party advertising or tracking cookies.

Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice (such as email notification).

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Privacy Questions?

We're happy to answer any questions about how we handle your data.

[email protected]