Legalica Privacy Policy & Data Protection
Table of Contents
- Introduction and Legal Framework
- Data Controller Information
- Categories of Personal Data Collected
- Collection Methods
- Legal Basis for Processing
- Purposes of Processing
- Role: Controller vs. Processor
- Google Cloud Infrastructure and Data Processing
- International Data Transfers
- Processing Details (Art. 28 GDPR)
- Processor Obligations
- AI Act Processor Obligations
- Data Breach Notification
- No-Training Covenant
- Subprocessors and Infrastructure Chain
- Standard Contractual Clauses
- Cookie Types and Purposes
- Consent Management
- First-Party vs. Third-Party Cookies
- Retention Schedule
- Deletion Procedures
- User Rights
- Banner Texts and Settings Panel
PART I — PRIVACY POLICY
1. INTRODUCTION AND LEGAL FRAMEWORK
[...] OÜ ("Legalica," "we," "us," or "our") processes personal data in accordance with this Master Privacy & Data Governance Policy ("Policy").
1.1 Applicable Legal Framework
This Policy complies with the following regulations and frameworks:
| Regulation | Reference | Scope |
|---|---|---|
| GDPR | Regulation (EU) 2016/679 | All EU data subjects |
| Estonian IKS | Isikuandmete kaitse seadus | Estonian-specific requirements |
| EU AI Act | Regulation (EU) 2024/1689 | AI-related data processing |
| UK GDPR | UK Data Protection Act 2018 | UK data subjects |
| CCPA/CPRA | Cal. Civ. Code § 1798.100 et seq. | California residents |
| LGPD | Lei 13.709/2018 | Brazilian data subjects |
| PIPEDA | S.C. 2000, c. 5 | Canadian data subjects |
| PDPA | Act 26 of 2012 | Singapore residents |
| POPIA | Act 4 of 2013 | South African data subjects |
| APPI | Act 57 of 2003 | Japanese data subjects |
| PIPL | Order No. 84 of the President of the PRC | Chinese data subjects |
| ePrivacy Directive | Directive 2002/58/EC | Electronic communications |
| Rome I | Regulation (EC) 593/2008 | Conflict of laws |
1.2 Scope Across 324 Jurisdictions
Legalica operates across 324 jurisdictions and 187+ languages. While this Policy is designed for global compliance, the GDPR serves as the baseline standard for all processing activities. Where local laws provide stronger protections, those stronger protections apply. Users in all Supported Jurisdictions retain the rights granted by their local data protection laws, even if such rights exceed those described herein.
2. DATA CONTROLLER INFORMATION
2.1 Controller Identity
| Name | [...] OÜ |
| Legal form | Private limited company (osaühing) |
| Registration number | [...] |
| VAT number | [...] |
| Address | [...], Tallinn, [...], Estonia |
2.2 Data Protection Officer
| Name | [...] |
| dpo@legalica.app | |
| Address | [...] OÜ, Attn: DPO, [...], Tallinn, Estonia |
2.3 Lead Supervisory Authority
| Authority | Andmekaitse Inspektsioon |
| Address | Tatari 39, Tallinn 10134, Estonia |
| info@aki.ee | |
| Website | aki.ee |
Rationale for Estonian Lead Authority: Legalica's main establishment is in Estonia. Under GDPR Article 56, the supervisory authority of the main establishment serves as the lead authority for cross-border processing. Data subjects in all EU Member States may lodge complaints with the Estonian DPA or their local supervisory authority.
2.4 Representative in the EU
For non-EU data subjects requiring an EU point of contact: [...] OÜ serves as the EU representative per GDPR Article 27.
3. CATEGORIES OF PERSONAL DATA COLLECTED
3.1 Account Information: Full name, email address, professional title, organization, phone number, country of residence, IP address, device information.
3.2 Payment Information: Billing address, payment method details (processed by Stripe — full card numbers NOT stored by Legalica), VAT ID, transaction history.
3.3 User Input Data: Queries, uploaded documents, corporate entity names, case descriptions, legal scenarios — any content voluntarily submitted to the Platform.
3.4 Usage Data: Log files, device information, IP address, approximate geolocation, session duration, activity patterns, error reports.
3.5 Google Workspace Data (if connected): File names and metadata from selected Google Drive folders, calendar event titles and dates, task lists. We do NOT access email content, contacts, or files outside selected folders.
3.6 Authentication Data: Processed by Firebase Authentication (Google LLC): email/password hashes, MFA tokens, session identifiers, OAuth tokens for Google sign-in.
3.7 Special Categories: Legalica does not intentionally collect special category data (Art. 9 GDPR) or criminal conviction data (Art. 10 GDPR). Such data may only appear if included in User Input. Users are responsible for ensuring lawful basis for processing such data.
4. COLLECTION METHODS
| Method | Description |
|---|---|
| Direct | Registration forms, Platform usage, support contacts, surveys |
| Automated | Server logs, cookies, analytics (privacy-respecting), error monitoring |
| Third-party | Stripe (payment confirmation), Google (OAuth profile), corporate registries (public data) |
5. LEGAL BASIS FOR PROCESSING
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Account registration and management | (b) Contractual necessity |
| Payment processing | (b) Contractual necessity |
| AI processing and response generation | (b) Contractual necessity |
| Authentication (Firebase) | (b) Contractual necessity |
| Security and fraud prevention | (f) Legitimate interest |
| Platform improvement (anonymized only) | (f) Legitimate interest |
| Marketing communications | (a) Consent (explicit opt-in) |
| Legal compliance (tax, accounting) | (c) Legal obligation |
| AI system validation (anonymized) | (f) Legitimate interest |
| Cookie placement (non-essential) | (a) Consent |
Legitimate Interests Assessment (LIA): Available upon request at dpo@legalica.app. We have conducted balancing tests ensuring our legitimate interests do not override your fundamental rights.
6. PURPOSES OF PROCESSING
6.1 Primary Purposes
- Platform Services: Authentication, query processing, AI response generation, document drafting, KYC/UBO tools, Google Workspace sync;
- Payment: Subscription fee processing, billing, invoicing, dispute handling;
- Security: Unauthorized access monitoring, fraud detection, integrity maintenance;
- Support: Inquiry response, troubleshooting, onboarding;
- Communication: Essential service notifications, marketing (with consent only);
- Legal Compliance: Tax/accounting records, legal request response, Terms enforcement;
- Platform Improvement: Anonymized usage pattern analysis only.
6.2 What We Do NOT Do
- ❌ Use your data to train any AI models (contractually prohibited);
- ❌ Sell your data to any third party;
- ❌ Use your data for advertising profiling;
- ❌ Share data with third parties for their marketing;
- ❌ Automated decision-making with legal effects.
7. ROLE: CONTROLLER VS. PROCESSOR
7.1 Legalica as Controller: For: account management, payment, usage analytics, communication, security, marketing.
7.2 Legalica as Processor (Art. 28): When processing User Input and AI Output on behalf of Workspace Owners. Legalica:
- Processes only on documented instructions;
- Ensures confidentiality obligations;
- Implements technical and organizational measures;
- Does not engage subprocessors without authorization;
- Deletes/returns data upon service termination.
7.3 Customer as Controller: Workspace Owners are Data Controllers for: User Input, AI Output, uploaded documents, corporate entity data, client Personal Data.
Workspace Owners are solely responsible for: obtaining consents, ensuring compliance, implementing policies, responding to client data subject requests.
8. GOOGLE CLOUD INFRASTRUCTURE AND DATA PROCESSING
8.1 Infrastructure Provider as Key Subprocessor: Google LLC is Legalica's primary Infrastructure Provider and subprocessor. All Customer Data is stored, processed, and transmitted through Google Cloud Platform services. The following Google services process Customer Data:
| Google Service | Processing Activity | Data Location | Legal Basis |
|---|---|---|---|
| Cloud Firestore | Primary database — all structured data | EU (europe-west3) | Art. 28 GDPR |
| Firebase Authentication | User authentication, MFA, sessions | EU (europe-west3) | Art. 28 GDPR |
| Cloud Storage for Firebase | Document file storage | EU (europe-west3) | Art. 28 GDPR |
| Cloud Functions | Background processing, triggers | EU (europe-west3) | Art. 28 GDPR |
| Cloud CDN | Content delivery (cached, encrypted) | Global edge | Art. 28 GDPR |
| Cloud Monitoring | Performance and error logging | EU (europe-west3) | Art. 28 GDPR |
| Vertex AI | AI model inference (where applicable) | EU (europe-west3) | Art. 28 GDPR |
8.2 Google's Role and Obligations: Google LLC processes Customer Data under the Google Cloud Data Processing Addendum (google.com/.../data-processing-addendum), which incorporates:
- EU Standard Contractual Clauses (2021/914), Modules Two and Three;
- GDPR Article 28 processor obligations;
- EU-US Data Privacy Framework certification;
- Subprocessor governance with 30-day notice for new subprocessors.
8.3 Data Flow Architecture
User → Legalica Platform (application layer)
↓
Google Cloud Platform (infrastructure layer)
↓
├─ Cloud Firestore (database)
├─ Firebase Auth (authentication)
├─ Cloud Storage (files)
├─ Cloud Functions (processing)
└─ Vertex AI / Third-Party LLMs (AI inference)8.4 Data Location and Residency:
- Primary data center: Google Cloud europe-west3 (Frankfurt, Germany)
- Backup/DR location: Google Cloud europe-west2 (London, UK)
- AI inference: Processed via a multi-provider AI Cascade (Google Gemini → Moonshot AI/Kimi → Groq/Meta Llama → Ollama). EU-based providers are preferred; US-based providers operate under SCC 2021/914 and zero-data retention agreements. Ollama runs locally within the application layer with no external data transfer.
- Users may request Swiss or US data residency for Enterprise accounts.
8.5 Google's Limitations: Per the Google Cloud Terms of Service: (a) Google has no obligation to assess Customer Data for legal compliance; (b) Google's notification of a Data Incident is not an acknowledgment of fault; (c) Google disclaims warranties and limits liability per its own terms; (d) Google may process data in any country where it maintains facilities unless a data location commitment is in place.
Legalica has configured all primary data storage and processing within the EU (europe-west3). However, certain Third-Party LLM API calls may route to US-based endpoints. Such transfers are protected by SCC 2021/914 and the EU-US Data Privacy Framework.
9. INTERNATIONAL DATA TRANSFERS
9.1 EU Transfers: All intra-EU transfers are permitted under GDPR Chapter V without additional safeguards.
9.2 Transfers to Third Countries (Non-EU): Transfers to the United States and other third countries are conducted via:
| Mechanism | Application | Status |
|---|---|---|
| EU-US Data Privacy Framework | Google LLC | ✅ Certified |
| SCC 2021/914 Module Two | Controller → Processor transfers | ✅ Executed |
| SCC 2021/914 Module Three | Processor → Subprocessor transfers | ✅ Executed |
| UK Addendum to SCCs | UK data transfers | ✅ Applied |
| Supplementary measures | Encryption (TLS 1.3, AES-256) | ✅ Implemented |
9.3 Transfer Impact Assessment (TIA): Legalica has conducted a TIA for all third-country transfers. A summary is available upon request at dpo@legalica.app.
9.4 Government Access: If Legalica or Google receives a government access request: (a) we will notify you unless prohibited by law; (b) we will challenge the request if grounds exist; (c) we will disclose only the minimum required by law.
PART II — DATA PROCESSING AGREEMENT
10. PROCESSING DETAILS (GDPR ARTICLE 28)
10.1 Subject Matter: Processing of Personal Data submitted by Controller and Authorized Users through the Platform.
10.2 Duration: Duration of Controller's Platform use plus applicable retention periods.
10.3 Nature and Purpose:
| Nature | Collection, storage, organization, use, disclosure by transmission, erasure |
| Purpose | Providing Platform services: AI legal research, document drafting, corporate intelligence |
| Data Subjects | Controller's clients, employees, counterparties, and other individuals in User Input |
| Categories | Names, contact info, professional titles, corporate affiliations, legal case details, financial information |
| Special Categories | Not intended; may occur if included in User Input by Authorized Users |
10.4 Controller Warranties: Controller warrants: (a) all necessary consents obtained; (b) appropriate notices provided to Data Subjects; (c) no violation of Applicable Law; (d) no submission of Personal Data in violation of data protection obligations.
11. PROCESSOR OBLIGATIONS
11.1 Documented Instructions: Legalica processes Personal Data only on documented instructions from the Controller, unless required by Union or Member State law.
11.2 Confidentiality: All persons authorized to process Personal Data are bound by confidentiality obligations.
11.3 Security Measures:
| Category | Implementation |
|---|---|
| Encryption in transit | TLS 1.3 with Perfect Forward Secrecy |
| Encryption at rest | AES-256 (Google Cloud default encryption) |
| Key management | Google Cloud KMS; HSM-backed |
| Access controls | RBAC, MFA, least-privilege principles |
| Network security | Google Cloud VPC, Firewall Rules, Cloud Armor |
| Audit logging | Google Cloud Audit Logs, Cloud Monitoring |
| Authentication | Firebase Authentication with MFA support |
11.4 Subprocessor Engagement: Legalica may engage subprocessors per Section 15. At least 14 days' notice for new subprocessors. Remains fully liable for subprocessor performance.
11.5 Data Subject Rights Assistance: Legalica assists Controller in responding to Data Subject rights requests under GDPR Chapter III.
11.6 Compliance Assistance: Legalica assists Controller with: Art. 32 (security), Art. 33 (breach notification), Art. 34 (communication), Art. 35 (DPIA), Art. 36 (prior consultation).
11.7 Return or Deletion: Upon termination, Legalica will delete or return all Personal Data per Controller's choice, unless storage is required by law.
11.8 Audit Rights: (a) Once per calendar year upon 30 days' notice; (b) additional audits after a breach, material non-compliance, or supervisory authority order; (c) audit scope limited to systems relevant to Controller's data; (d) Legalica cooperates and provides access.
11.9 Documentation: Legalica makes available all information necessary to demonstrate compliance with Art. 28 GDPR.
12. AI ACT PROCESSOR OBLIGATIONS
Legalica ensures AI processing activities comply with:
- (a) Art. 50 (Transparency): Necessary documentation regarding AI system transparency provided;
- (b) Art. 52 (GPAI obligations): Compliance with applicable obligations for general-purpose AI models;
- (c) Art. 10 (Data governance): Appropriate data governance where high-risk AI systems are applicable;
- (d) Art. 14 (Human oversight): Meaningful human oversight maintained;
- (e) DPIA support: Documentation and assistance for DPIAs involving AI processing, including assessments of automated decision-making risks, algorithmic bias, and data subject rights.
13. DATA BREACH NOTIFICATION
13.1 Timeline: Legalica notifies the Controller within 36 hours of becoming aware of a Personal Data Breach.
13.2 Notification Content: (a) Nature of breach; (b) categories and approximate number of Data Subjects affected; (c) likely consequences; (d) measures taken or proposed; (e) contact point.
13.3 Documentation: All breaches are documented with facts, effects, and remedial actions.
13.4 Infrastructure Provider Breaches: If a Data Breach originates from Google Cloud infrastructure, Firebase Authentication, or any other Infrastructure Provider: (a) Legalica will notify Controller within 36 hours of learning of the breach from the provider; (b) Legalica will pass through all information provided by the Infrastructure Provider; (c) Legalica's liability is subject to Section 9.3 of the Master Terms of Service; (d) Controller may also contact Google directly via support.google.com/cloud/contact/dpo.
14. NO-TRAINING COVENANT
14.1 Absolute Prohibition: Personal Data processed under this DPA shall NOT be used to train, fine-tune, or improve any machine learning models, AI systems, or algorithms. Personal Data shall not be included in training datasets for any purpose.
14.2 LLM Subprocessor Obligations: All LLM subprocessors are contractually bound to: (a) process solely for generating responses; (b) not retain beyond response generation; (c) not use for model training; (d) implement technical zero-retention measures.
14.3 Google-Specific AI Terms: Google Cloud's AI terms state: "Google will not use Customer Data to train or fine-tune any AI/ML models without Customer's prior permission or instruction." This applies to all Google Cloud AI services used by Legalica.
15. SUBPROCESSORS AND INFRASTRUCTURE CHAIN
15.1 Current Subprocessors:
| Subprocessor | Service | Location | Role | Transfer Mechanism |
|---|---|---|---|---|
| Google LLC | Cloud infrastructure, auth, storage, AI (Gemini) | EU / US | Key Infrastructure Provider & Primary LLM | SCC 2021/914, EU-US DPF, zero-retention |
| Moonshot AI (Beijing Moonshot AI Technology Co., Ltd.) | AI language model — Kimi (cascade fallback #2) | China / Global | LLM provider (fallback) | SCC 2021/914, zero-retention contractual obligation |
| Groq, Inc. / Meta Platforms (Llama) | AI language model — Llama 3 via Groq API (cascade fallback #3) | US | LLM provider (fallback) | SCC 2021/914, zero-retention |
| Ollama (self-hosted / local) | AI language model — Qwen local inference (cascade fallback #4) | Local (no external transfer) | Local LLM runtime (fallback) | No transfer — processed within application layer |
| Stripe, Inc. | Payment processing | US | Payment processor | SCC 2021/914 |
| Postmark / SendGrid | Email delivery | US | Communication | SCC 2021/914 |
| GLEIF | LEI data | International | Registry | Public data |
| OpenCorporates | Corporate registry | International | Registry | Public data |
15.2 Infrastructure Chain Disclosure
Full processing chain for a typical user query:
1. User submits query → Legalica application (Firebase Cloud Functions, us-central1) 2. Authentication check → Firebase Authentication (Google, EU) 3. Data retrieval → Cloud Firestore (Google, EU) 4. AI processing → AI Cascade: Gemini → Kimi/Moonshot → Groq/Llama → Ollama (local) Each provider queried sequentially; fallback on failure. Zero-data retention enforced. 5. Response storage → Cloud Firestore (Google, EU) 6. Document attachment → Cloud Storage (Google, EU) 7. Email notification → Postmark / SendGrid (US, if enabled)
15.3 Subprocessor Changes: At least 14 days' advance notice for new subprocessors (30 days for Infrastructure Provider changes). Objections may be raised to dpo@legalica.app. If unresolved, Controller may terminate with pro-rata refund.
16. STANDARD CONTRACTUAL CLAUSES
16.1 Incorporation: EU SCC 2021/914 are incorporated by reference:
- Module Two: Controller to Processor
- Module Three: Processor to Subprocessor
16.2 SCC Specifications:
| Clause | Selection |
|---|---|
| Clause 7 (Docking) | Included |
| Clause 9 (Subprocessors) | Option 2 — general written authorization |
| Clause 11 (Redress) | DPO as contact point |
| Clause 13 (Supervisory authority) | Andmekaitse Inspektsioon (Estonia) |
| Clause 17 (Governing law) | Law of Estonia |
| Clause 18 (Forum) | Courts of Estonia |
16.3 Annexes:
- Annex I.A (Parties): Data Exporter: [Customer]; Data Importer: [...] OÜ
- Annex I.B (Processing): As described in Section 10
- Annex I.C (Supervisory authority): Andmekaitse Inspektsioon
- Annex II (Security measures): As described in Section 11.3
- Annex III (Subprocessors): As described in Section 15
PART III — COOKIE POLICY
17. COOKIE TYPES AND PURPOSES
17.1 Strictly Necessary (Essential): Cannot be disabled. No consent required.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| legalica_session | Legalica | Session state | Session |
| legalica_csrf | Legalica | CSRF protection | Session |
| legalica_auth | Legalica | Authentication | 30 days |
| legalica_consent | Legalica | Consent preferences | 180 days |
17.2 Performance & Analytics: Consent required. Disabled by default.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics | User distinction | 2 years |
| ga* | Google Analytics | Session state | 2 years |
| _gid | Google Analytics | User distinction | 24 hours |
| legalica_perf | Legalica | Performance metrics | 30 days |
Note: Google Analytics runs with IP anonymization.
17.3 Functionality: Consent required. Disabled by default.
| Cookie | Purpose | Duration |
|---|---|---|
| legalica_lang | Language preference | 1 year |
| legalica_theme | Theme preference | 1 year |
| legalica_tz | Timezone | 1 year |
| legalica_layout | Dashboard layout | 90 days |
17.4 Targeting & Marketing: Consent required. Disabled by default.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _fbp | Meta | Ad delivery | 90 days |
| _gcl_au | Google Ads | Conversion linker | 90 days |
| legalica_utm | Legalica | Attribution | 30 days |
18. CONSENT MANAGEMENT
18.1 Consent Banner: Upon first visit, a banner presents: (a) "Accept All" — all cookie categories enabled; (b) "Customize" — granular selection per category; (c) "Essential Only" — only necessary cookies.
18.2 Granular Control: The Cookie Settings panel allows independent toggling of: Performance & Analytics, Functionality, Targeting & Marketing. Essential cookies remain always active.
18.3 Consent Record: Consent preferences stored in legalica_consent cookie and linked to account (if logged in). May be modified at any time via Cookie Settings panel or by contacting dpo@legalica.app.
18.4 Withdrawal: Consent may be withdrawn at any time without affecting the lawfulness of processing before withdrawal. Non-essential cookies are immediately disabled upon withdrawal.
18.5 Browser Controls: Users may also control cookies via browser settings. Disabling cookies may affect Platform functionality.
19. FIRST-PARTY VS. THIRD-PARTY COOKIES
First-party: Set by Legalica — session management, security, consent, preferences;
Third-party: Set by partners — Google Analytics, Meta Pixel, Google Ads. Subject to respective privacy policies.
No behavioral profiling of sensitive categories (health, political opinions, religious beliefs, etc.).
PART IV — DATA RETENTION
20. RETENTION SCHEDULE
20.1 Account Information
| Data | Retention | Basis |
|---|---|---|
| Name, email, profile | Account duration + 2 years | Contract + legal obligation |
| Credentials | Account duration | Contract |
| Login history | 12 months | Security (legitimate interest) |
20.2 User Input and AI Output
| Data | Retention | Basis |
|---|---|---|
| Queries/search terms | Session only | No-training covenant |
| Uploaded documents | Account duration or user deletion | Contract |
| AI Output | Account duration or user deletion | Contract |
| Chat history | Account duration or user deletion | Contract |
20.3 Corporate Intelligence
| Data | Retention | Basis |
|---|---|---|
| KYC/UBO queries | Session only | Privacy-by-design |
| KYC reports | Account duration or user deletion | Contract |
| Risk assessments | Account + 3 years (if regulatory) | Legal obligation |
| Registry cache | 30 days | Technical necessity |
20.4 Google Workspace Data
All synced data retained only during active sync period. Deleted upon Google Workspace disconnect or account deletion.
20.5 Payment and Billing
| Data | Retention | Basis |
|---|---|---|
| Invoice records | 7 years | Estonian Accounting Act § 12 |
| Transaction history | 7 years | Estonian Accounting Act § 12 |
| Payment details | Active subscription + 1 year | Contract |
| VAT records | 7 years | VAT Directive |
20.6 Logs and Analytics
| Data | Retention | Basis |
|---|---|---|
| Server access logs | 12 months | Security |
| Error logs | 6 months | Stability |
| Security event logs | 24 months | Legal obligation |
| Aggregated analytics | Indefinite (anonymized) | Improvement |
21. DELETION PROCEDURES
21.1 User-Initiated Deletion: Individual documents and conversations deleted immediately upon user action.
21.2 Account Deletion:
| Phase | Timeline |
|---|---|
| Request verification | Within 7 days |
| Active data deletion | Within 30 days |
| Backup purge | Within 90 days |
| Deletion certificate | Upon request |
21.3 Automated Deletion: Session data: immediately after session ends; Cached data: per TTL (typically 30 days); Expired tokens: upon expiration; Orphaned files: 30 days after parent deletion.
21.4 Legal Holds: Data may be retained beyond standard periods for: litigation hold, court order, legal claims, regulatory audit.
22. USER RIGHTS
22.1 GDPR Rights:
| Right | Article | How to Exercise |
|---|---|---|
| Access | Art. 15 | Email dpo@legalica.app |
| Rectification | Art. 16 | Account settings or DPO email |
| Erasure | Art. 17 | DPO email or account deletion |
| Restriction | Art. 18 | DPO email |
| Portability | Art. 20 | DPO email |
| Objection | Art. 21 | DPO email |
| Withdraw consent | Art. 7(3) | Cookie Settings or DPO email |
| Lodge complaint | Art. 77 | Andmekaitse Inspektsioon or local DPA |
Response time: 30 days (extendable to 60 for complex requests). Identity verification required before processing.
22.2 Rights Under Other Jurisdictions:
| Jurisdiction | Key Additional Rights |
|---|---|
| California (CCPA/CPRA) | Right to know, delete, correct, opt-out, non-discrimination |
| Brazil (LGPD) | Right to explanation of automated decisions |
| Canada (PIPEDA) | Right to access, challenge accuracy |
| Singapore (PDPA) | Right to access, correction |
| South Africa (POPIA) | Right to access, correction, objection |
| Japan (APPI) | Right to disclosure, correction, cessation |
| China (PIPL) | Right to know, decide, limit, access, copy, correct, delete |
PART V — COOKIE CONSENT BANNER
23. BANNER TEXTS AND SETTINGS PANEL
23.1 Primary Banner (Default):
- Title: We Use Cookies
- Body: We use cookies to provide and improve our services, analyze usage, and enhance your experience. Essential cookies are always active. You can customize your preferences or accept all cookies.
- CTAs: [Accept All] [Customize] [Essential Only]
- Footer: [Cookie Policy] [Privacy Policy]
23.2 Detailed Banner (Alternative):
- Title: Your Privacy Matters
- Body: Legalica uses cookies for essential functions, analytics, preferences, and (with consent) marketing. You choose which categories you accept. Read our Cookie Policy for details.
- CTAs: [Accept All] [Customize Preferences] [Reject Non-Essential]
23.3 Settings Panel Title: Cookie Preferences — Manage your cookie consent preferences
23.4 Category Descriptions for Panel:
- Essential: "These cookies are necessary for the website to function and cannot be switched off. They are set in response to actions you take, such as logging in or setting privacy preferences." [Toggle: ON, disabled]
- Performance & Analytics: "These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. All information is aggregated." [Toggle: OFF by default]
- Functionality: "These cookies enable enhanced functionality and personalization, such as remembering your language preference and theme." [Toggle: OFF by default]
- Targeting & Marketing: "These cookies may be set by our advertising partners to build a profile of your interests and show you relevant ads on other sites." [Toggle: OFF by default]
23.5 Consent Confirmation Messages:
- Accept All: "Thank you! All cookies have been accepted. You can change your preferences at any time through Cookie Settings."
- Essential Only: "Your preferences have been saved. Only essential cookies are active. You can change this at any time."
- Custom Saved: "Your cookie preferences have been saved successfully."
23.6 DNT Response: "We have detected that your browser has 'Do Not Track' enabled. We respect this preference and have automatically disabled non-essential cookies. You can manually adjust below."
CHANGES TO THIS POLICY
We may update this Policy. Material changes: 30 days' notice via email and Platform notice. Continued use constitutes acceptance.