Last updated: 18 March 2026
Fluxr Legal is operated by Fluxr Ltd, a company registered in England and Wales. Contact details: [TO BE COMPLETED BEFORE LAUNCH]. ICO registration: [PENDING — required before processing personal data, £40/year Tier 1].
We collect account information (name, email, role), firm details (name, address, SRA number), conversation content (messages sent to and received from the AI), generated documents, audit logs (actions, timestamps, IP addresses), and usage statistics (token counts, response times).
We practise data minimisation — we only collect what is necessary to provide the service. We do not collect any data beyond what is required for the platform to function.
We process data on the basis of legitimate interests (providing the AI workspace service) and explicit consent (Terms of Service acceptance at onboarding, cookie consent). This is under Article 6(1)(b) and 6(1)(f) of the UK GDPR.
We use your data to provide the AI workspace service, to generate documents with firm letterhead and context, to maintain audit trails for regulatory compliance, to detect privileged content and warn users, and to generate usage statistics for firm admins.
We do not use your data for advertising. We do not use your data to train AI models. Your data is used solely for the purpose of delivering the Fluxr Legal service to your firm.
Anthropic (Claude API): AI processing. Zero Data Retention (ZDR) enabled: Anthropic does not store conversation data after processing. Data Processing Agreement included in Anthropic's Commercial Terms.
Supabase: Database hosting. London region (eu-west-2), UK data residency. Data encrypted at rest and in transit.
Vercel: Application hosting. Edge functions and static assets.
Companies House API: Company data lookups. Public data only, no personal data sent.
National Archives: Case law search. Public data only, no personal data sent.
Stripe: Payment processing. PCI DSS compliant. Handles billing data only.
Legal files are retained for a minimum of 6 years in accordance with SRA requirements. The retention period is configurable per firm by the admin. Conversations and documents past the retention period are automatically flagged for review. Generated documents inherit the matter's retention policy.
Audit logs are retained for a minimum of 6 years and cannot be deleted. This ensures a complete compliance record for regulatory purposes.
Under the UK GDPR, you have the following rights regarding your personal data.
Right of access (Article 15) — You may request a copy of all your personal data. Firm admins can export data via the Settings page.
Right to rectification (Article 16) — You may request correction of inaccurate personal data through your firm admin.
Right to erasure (Article 17) — You may request deletion of your data. Firm admins can trigger cascade deletion. The deletion event itself is retained in the audit log for compliance purposes.
Right to data portability (Article 20) — Your data can be exported as JSON for transfer to another service.
Right to object (Article 21) — You may contact us to object to the processing of your personal data.
We use essential authentication cookies only. No tracking cookies. No analytics cookies. No advertising cookies. The platform cannot function without the authentication cookie (it proves you are logged in). There are no optional cookies to accept or decline.
All data is transmitted over HTTPS. The database is encrypted at rest. Row Level Security ensures firm data is isolated — one firm cannot access another firm's data. File storage uses signed URLs that expire after 1 hour.
Security headers are applied to all responses, including Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Data is stored in the UK (Supabase London region). AI processing via Anthropic may involve transfer to the US — this is covered by the UK-US Data Bridge adequacy decision and Anthropic's Standard Contractual Clauses.
The platform is for professional solicitors only. We do not knowingly collect data from anyone under 18. If you believe a minor has provided personal data through the platform, please contact us immediately.
We will notify firms of material changes to this privacy policy at least 14 days in advance via email to the admin contact. Continued use of the platform after the notice period constitutes acceptance of the updated policy.
For data protection queries, contact: [TO BE COMPLETED BEFORE LAUNCH].
For complaints, contact the Information Commissioner's Office (ICO) at ico.org.uk.