Privacy Policy

Last Updated: August 18, 2025

1. Introduction and Applicability

1.1. Our Commitment to Your Privacy

Escribai Solutions S.L. ("eScribAI", "we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you use our AI-assisted legal platform.

1.2. Scope — Controller vs. Processor Distinction

This policy covers two distinct relationships:

  • Service Data: eScribAI is the Data Controller for data you provide during registration and account management (name, email, billing information, usage metrics).
  • Customer Content: For documents and data you upload to the platform, the Customer is the Data Controller and eScribAI acts as the Data Processor, processing data only on your instructions.

2. Personal Data We Collect

We adhere to the principle of data minimization — we only collect what is necessary to provide our services.

2.1. Information You Provide Directly

  • Account registration data (name, email address, company name)
  • Billing and payment information
  • Communications with our support team
  • Feedback and survey responses

2.2. Information We Collect Automatically

  • Service Usage Data: Features used, pages visited, frequency, and performance data
  • Log Data and Device Information: IP address, browser type, operating system, device identifiers, and error data
  • Cookies and Similar Technologies: We use essential cookies for platform functionality. Non-essential analytics and marketing cookies are only placed with your explicit opt-in consent in compliance with GDPR and the ePrivacy Directive.

2.3. Information from Other Sources

  • If you log in via Google or Microsoft SSO, we receive basic profile information from those services
  • Marketing and analytics partners may provide aggregated insights

3. How and Why We Use Your Data

We process your data only where we have a lawful basis to do so:

  • Provide and operate our services — Performance of Contract
  • Communicate about your account and transactions — Performance of Contract
  • Customer support — Performance of Contract
  • Improve the platform and conduct analytics — Legitimate Interests (using anonymized/aggregated data only)
  • Security and fraud prevention — Legitimate Interests
  • Marketing communications — Consent (you can withdraw at any time)
  • Legal compliance — Legal Obligation

4. How We Share and Disclose Personal Data

We do not sell your personal data. We may share data with:

  • Service providers who assist in operating our platform (under strict data processing agreements)
  • Professional advisers (lawyers, accountants) bound by confidentiality obligations
  • Authorities when required by law
  • Business partners in the event of a merger or acquisition

All third-party processors are contractually bound to process data only as instructed and in compliance with GDPR.

5. Data Security

We implement comprehensive technical and organizational security measures, including:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Multi-factor authentication
  • Role-based access controls
  • Regular security audits and penetration testing

6. International Data Transfers

All personal data is stored and processed exclusively within the European Union. We do not transfer your data outside the EEA. Our infrastructure is hosted on EU-based servers to ensure full compliance with GDPR data residency requirements.

7. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations. Account data is retained for the duration of your subscription plus a reasonable period to resolve disputes or fulfill legal requirements. You may request deletion of your data at any time, subject to legal retention obligations.

8. Your Data Protection Rights under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of Access — Request a copy of the personal data we hold about you
  • Right to Rectification — Request correction of inaccurate data
  • Right to Erasure — Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing — Request that we limit how we use your data
  • Right to Data Portability — Receive your data in a machine-readable format
  • Right to Object — Object to processing based on legitimate interests
  • Right to Withdraw Consent — Withdraw consent for consent-based processing at any time

To exercise any of these rights, please contact us at privacy@escribai.com.

9. Information for EEA, UK, and Switzerland Individuals

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the data protection laws of your region may give you additional rights. eScribAI is committed to full compliance with GDPR and applicable national data protection laws.

10. Children's Data

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal information, we will take steps to delete it promptly.

11. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email or by posting a prominent notice on our website prior to the changes becoming effective.

12. How to Contact Us

For privacy-related inquiries or to exercise your data protection rights:

  • Email: privacy@escribai.com
  • Mailing Address: Escribai Solutions S.L., Plaza Doctor Letamendi, 7a, 3o, Barcelona, Spain

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your data in accordance with applicable law.