Privacy Policy

Last updated: October 22, 2025

🏢 Company Information: LawfirmAI is a brand operated by Konye Consultants Limited, a company registered in the Republic of Kenya. All data processing, storage, and payment handling are managed by Konye Consultants Limited in accordance with this Privacy Policy.

⚠️ Important Notice: This privacy policy accurately describes our current data handling practices. We are committed to transparency about what data is encrypted and what is not.

Jurisdiction Compliance: This Privacy Policy complies with:

  • GDPR (European Union General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • PIPEDA (Canada Personal Information Protection and Electronic Documents Act)
  • UK Data Protection Act 2018
  • Kenya Data Protection Act 2019
  • Australia Privacy Act 1988

1. Information We Collect

We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support.

🔒 Data Encryption Disclosure

We want to be transparent about our encryption practices:

  • ✅ Encrypted: User passwords (bcrypt hashing), data in transit (HTTPS/TLS), uploaded files (optional client-side E2E encryption with AES-256-GCM)
  • ⚠️ Not Encrypted: AI-generated documents and templates stored in our database (required for AI processing, search, and editing features)
  • 🔐 Optional Encryption: You can use our E2E encryption feature for sensitive uploaded documents where you control the encryption password

Why templates aren't encrypted: Our AI needs access to template content to generate documents. For maximum security with sensitive matters, use our optional E2E encryption feature for uploaded files.

Personal Information

  • Name and email address
  • Firm information and contact details
  • Account credentials and preferences
  • Payment and billing information

Usage Information

  • Document generation requests and content
  • Template usage and customization
  • Case law search queries and results
  • Platform usage statistics and analytics

2. How We Use Your Information

Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance: To provide our services as agreed in our Terms of Service
  • Legitimate Interests: To improve our services, prevent fraud, and ensure security
  • Legal Obligation: To comply with applicable laws and regulations
  • Consent: For marketing communications and optional features (you may withdraw consent at any time)

Purposes of Processing

We use the information we collect to:

  • Provide, maintain, and improve our AI-powered document generation services
  • Process transactions on behalf of Konye Consultants Limited via our payment processor (IntaSend)
  • Generate legal documents using AI technology (OpenAI, Anthropic, or other providers)
  • Send technical notices, security alerts, updates, and support messages
  • Respond to your comments, questions, and support requests
  • Monitor and analyze usage patterns, trends, and service performance
  • Detect, prevent, and address technical issues, fraud, and security vulnerabilities

⚠️ AI Processing Disclosure

Important: When you use our AI document generation features, your document content and prompts are processed by third-party AI providers (OpenAI, Anthropic Claude, etc.). While we encrypt data in transit and at rest, these providers process the content to generate documents. We use enterprise agreements with data processing addendums (DPAs) to ensure compliance. You should not include highly sensitive information in AI prompts if you're uncomfortable with third-party processing.

3. Information Sharing and Disclosure

We do NOT sell your personal information. We share your information only in the following circumstances:

Third-Party Service Providers (Data Processors)

We work with the following categories of third-party processors who handle your data on our behalf under strict data processing agreements:

  • AI Providers: OpenAI (GPT models), Anthropic (Claude) - for document generation (data processing agreements in place)
  • Payment Processor: IntaSend - for subscription and payment processing on behalf of Konye Consultants Limited (PCI-DSS compliant)
  • Cloud Infrastructure: Railway, Vercel - for hosting and application delivery
  • Database Services: MongoDB Atlas - for secure data storage with encryption at rest
  • Storage Providers: OneDrive, Google Drive, Dropbox (optional, user-configured integrations)
  • Email Services: For transactional emails and notifications

Data Processing Agreements

All third-party processors are bound by data processing agreements (DPAs) that ensure they process your data only as instructed, maintain appropriate security measures, and comply with applicable data protection laws. We conduct regular reviews of our processors' security and compliance practices.

Legal Disclosures

We may disclose your information if required to do so by law or in response to:

  • Valid legal processes (subpoenas, court orders, search warrants)
  • Government or regulatory requests
  • Requests to protect the safety of any person
  • The need to protect our rights, property, or safety
  • The need to prevent fraud or security threats

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred. We will notify you via email and/or prominent notice on our service of any change in ownership or uses of your personal information.

4. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure.

🛡️ Security Measures We Implement

We protect your data through multiple security layers:

  • Transport Security: All data transmitted between your device and our servers uses HTTPS/TLS encryption
  • Password Security: User passwords are hashed using bcrypt with salt (never stored in plain text)
  • Database Security: MongoDB Atlas with encryption at rest and network isolation
  • Access Control: Role-based access control (RBAC) and tenant data isolation
  • Optional E2E Encryption: Available for uploaded documents using AES-256-GCM encryption
  • Audit Logging: Comprehensive activity tracking for compliance and security monitoring
  • Regular Backups: Automated database backups with point-in-time recovery

Professional Responsibility: While we implement strong security measures, you remain responsible for protecting client confidentiality and should use appropriate judgment when handling highly sensitive matters.

5. Data Retention

We retain your personal information for as long as necessary to provide our services and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Data Retention Periods

  • Account Data: Retained while your account is active, deleted 30 days after account closure unless legally required to retain longer
  • Generated Documents: Retained as long as you maintain your account; you can delete documents at any time
  • Templates: Retained as long as your account is active
  • Billing Records: Retained for 7 years for tax and accounting purposes (legal requirement)
  • Audit Logs: Retained for 2 years for security and compliance purposes
  • Support Tickets: Retained for 3 years for quality assurance and legal purposes

Upon account deletion, you may request immediate data deletion. However, we may retain certain information as required by law or for legitimate business purposes (fraud prevention, resolving disputes, enforcing agreements).

6. Your Rights and Choices

You have the right to:

  • Access and update your personal information
  • Request deletion of your personal information
  • Opt out of certain communications
  • Request data portability
  • Object to processing of your personal information

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our platform. You can control cookie settings through your browser preferences.

8. Third-Party Services

Our service may integrate with third-party services such as cloud storage providers (OneDrive, Google Drive, Dropbox) and AI providers. These services have their own privacy policies, and we encourage you to review them.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your personal information in accordance with this Privacy Policy.

10. Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

12. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

Legal Entity: Konye Consultants Limited
Trading As: LawfirmAI
Email: privacy@lawfirm-ai.co.ke
Support Email: support@lawfirm-ai.co.ke
Website: https://lawfirm-ai.co.ke
Data Protection Officer: dpo@lawfirm-ai.co.ke
Registered Location: Republic of Kenya
Data Controller: Konye Consultants Limited

For data protection inquiries under the Kenya Data Protection Act 2019, please contact our Data Protection Officer at dpo@lawfirm-ai.co.ke. Konye Consultants Limited acts as the data controller for all personal information processed through the LawfirmAI platform.