Privacy policy
Last updated: December 13, 2024
Your privacy is important to us, and we want to explain how we handle your personal data. This privacy policy describes which personal data we collect and process and what we use the personal data for. It also explains your rights.
1. What is personal data?
Personal data is any information that can be directly or indirectly linked to a natural person, such as name, postal address, email address, IP address, and phone number.
2. Who is the data controller?
Juridisk ABC AS (Org. no. 994 995 634), Haakon VIIs gate 10, 0161 Oslo, is responsible for all processing of personal data where we determine the purpose of the processing and the means employed for such processing.
As the data controller, we process your personal data in compliance with our obligations under applicable privacy laws, including The Personal Data Act and the EU General Data Protection Regulation ("GDPR").
3. Who do we process data about?
This privacy policy applies to our processing of personal data about the following individuals:
- Visitors to our websites or social media
- Users of our services
- Representatives of companies that are customers or suppliers
- Individuals we contact to provide information about services or assistance using services or fixing errors
- Individuals mentioned in data uploaded by users
- Job applicants
In some cases, content uploaded by users may also include personal data. We process this data as a data processor for our corporate clients, as we do not determine the purpose of the processing. You can read more about this in our standard data processor agreement.
4. What personal data do we process?
The personal data we collect and process can be categorized as follows:
Personal data provided directly by you when you order our services or communicate with us. This personal data is necessary for us to provide the service you have requested or to respond to your inquiries.
Personal data provided directly by you:
- Subscriber data: Name, date of birth, email address, phone number, username, and additional contact information; names of contact persons for corporate customers; employee names; and email addresses and usernames for individual users under corporate subscriptions.
- User content: Information uploaded by subscribers and users, such as data entered into input fields or the content of documents and other files. Personal data uploaded by subscribers or users is considered user content and will be transferred to data suppliers and processed when the service is used.
- Service history: Information we receive when you contact customer service, subscription details, or other data related to your use of the service.
- Payment information: Details about payment methods, including debit or credit card details, or other information necessary to process payments and transaction history.
- Communication content: Names, email address or other contact details, and additional communication exchanged between you and us.
- Social media: Name, username, and aggregated activity and analysis data from social media interactions.
- Additional information: Data collected when you participate in events or surveys or information received with your consent. You will be provided with specific information about what data is collected and how it will be used.
- Job applications: Data submitted in job applications, including CVs, references, and other information you provide.
Technical data collected automatically when you visit our websites or use our services. The information may depend on the type of device and its settings/browser configuration. This information is necessary for improving and developing the services we offer to you.
Data collected automatically:
- User Equipment: Information about the device (computer/mobile phone), operating system, device identifier, and browser used.
- Log Data: Information sent to us by your browser or device when you use our services (timezone, date and time, country, subscription type, IP addresses, connection type, etc.).
- The Use of Service: Information about the subscription type (e.g., business or personal), which data sources are accessed, functionalities, and how our services are used.
Data received from other sources may include:
- Name, postal address, payment information shared to process payments.
- Information from our partners to maintain security, prevent fraud, or other unwanted or illegal activities.
- Information received from third parties for the purpose of marketing, distribution, and sales of our services.
- Publicly available data from registers.
Sharing personal data with us is voluntary. However, certain data may be necessary to fulfill agreements and for billing. Certain data is necessary to improve and customize the services we provide, as well as to market and promote our services.
5. Why are we allowed to process personal data?
Our processing of personal data is based on one or more of the following legal grounds:
- To fulfill a contract (GDPR Article 6(1)(b))
- To comply with legal obligations (GDPR Article 6(1)(c))
- Legitimate interests (GDPR Article 6(1)(f))
- Consent (GDPR Article 6(1)(a))
- Explicit consent (GDPR Article 9(2)(1))
If the processing of personal data is based on your consent, you have the right to withdraw your consent at any time.
6. Purposes and legal bases for processing personal data
We collect and process your personal data for different purposes, depending on your relationship with us and how we interact with you.
Below, you can read more about the personal data we process, the purposes for which we use them, and the legal basis for such processing.
We process personal data for the following purposes:
- Service delivery and maintenance: We process personal data to provide and maintain our services, such as establishing subscriptions, logging in and using the service, billing, and when you contact us for assistance with service use, troubleshooting, or other service-related inquiries. We also use data to provide you with the best possible user experience, including features like automatic login and customizing content display to your screen. The legal basis for this processing is GDPR Article 6(1)(b).
- Service improvement and development and new services and analysis: We process personal data to understand the needs of our customers and to improve and further develop our products and services. We have a legitimate interest in improving and developing our services to ensure that they meet the required quality. Generative artificial intelligence is a new technology, and it is important for us and our users that the output contains as few errors and "hallucinations" as possible. We do not use user content or outputs to train or develop the AI solution unless users choose to use the feedback function. If the content we receive feedback on contains personal data, the legal basis for our processing is GDPR Article 6(1)(f).
- Marketing and sales: We use personal data for marketing purposes in accordance with applicable laws. These activities include marketing products and services, creating target groups, customizing marketing to your needs, and sending newsletters and other information you have requested. The legal basis for processing is consent under GDPR Article 6(1)(a) or The Marketing Control Act 15(1).
- Security and misuse prevention: In some cases, we process personal data to ensure good security in all our services, to detect or prevent various types of fraud and misuse. The legal basis for processing is GDPR Article 6(1)(f).
- Legal compliance: We process personal data to fulfill our legal obligations, such as in connection with accounting and to provide information to competent authorities when required by applicable laws. The legal basis for processing is GDPR Article 6(1)(c).
- Job postings and employment: We use personal data to evaluate candidates applying for positions, whether unsolicited or in response to a job listing. The legal basis for processing is GDPR Article 6(1)(f) and GDPR Article 9(2)(a) if special categories of data are processed.
- Other purposes to which you have consented: We may process your personal data for any other purpose to which you have specifically consented.
- We use services on the Microsoft Azure OpenAI solution, which uses servers in Europe. User content entered in the "prompt" is sent as a request via an interface to Microsoft Azure OpenAI. You can read more about the data processed by Microsoft on their information page: https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy.
7. How do we protect your personal data?
We have established procedures and measures to ensure that unauthorized persons do not have access to your personal data and that all processing of this data otherwise complies with applicable laws.
These measures include technical access control systems, technical systems, and physical access control systems to ensure information security, as well as routines to verify access and correction requests.
The service at lawai.com is provided as a SaaS solution on a server from our data supplier, DigitalOcean.
DigitalOcean uses various security technologies and measures to protect information from unauthorized access, use, or disclosure. The measures are designed to provide a security level appropriate to the risk of processing personal data.
You can read more about DigitalOcean's security procedures here:
Our service uses an API to Microsoft Azure OpenAI. You can read more about Microsoft's security procedures on their information page here:
8. Who do we share personal data with?
In the following situations, we share personal data with third parties:
- Subcontractors: We may share personal data with data suppliers or subcontractors we use in our business or to deliver services to users or related services, to the extent necessary for the delivery. This may include cloud storage services, hosting services for user content, data warehouse services, security monitoring services, access control, logs, analytics, customer service, email communication, content services, web analytics services, social media platforms, payment and transaction providers, etc. Our subcontractors process your personal data on our behalf (as data processors) in accordance with our instructions. We enter into data processor agreements with our data processors to regulate how they can process the data they access and their obligations in this regard, including the purposes for which the personal data can be used.
- Subscription Administrator: If your subscription is established by a business or organization (corporate account), the administrator of the corporate account may access and control your personal user account. If you create an account using an email address belonging to your employer or organization, we may share information about your account, such as your email address, with your employer or the organization to which you are affiliated so that you are linked to the corporate account. In such cases, the processing of your personal data will typically be governed by the privacy policy of the company with the corporate account, and we will not typically enter into data processing agreements.
- Public Authorities: We may also share personal data with public authorities a) where there is a legal obligation to disclose or b) if we do so to pursue a legal claim for breaches of our terms of service or other legal obligations c) if we suspect fraud or other illegal activity, d) to protect the security of our services, employees, users, or the public, or e) where there is another legal basis for disclosure.
- Company group: We share personal data with other companies in our group entity for the same purposes for which the data was collected and as described in this privacy policy.
- Successors in Interest: If we transfer our rights or obligations to a third party in connection with a business transfer, reorganization, restructuring, bankruptcy, or similar event ("Transfer of Business"), your personal data will be transferred to the business that becomes our successor and affiliated companies. Personal data may also be made available as part of preparations for a Transfer of Business or a sale of the company's shares, such as a review of the company’s obligations (due diligence).
In some cases, third parties with whom we share your personal data may be data controllers (and not our data processors). This may occur where our subcontractor has a direct agreement with our users, e.g., for services used in conjunction with our services. Companies or organizations you are affiliated with (through a corporate account) may also be data controllers of your personal data. In such cases, we do not enter into data processor agreements because the recipient has an independent role as a data controller. Processing in such cases will be governed by the third party’s own privacy policy.
9. Do we transfer personal data abroad?
Our data center is located in the Netherlands, and some of the personal data we process is transferred to and processed in the Netherlands.
Information entered by users in the solution (user content) is transferred to and processed by our subcontractors. If users enter personal data, this personal data will be transferred to and processed by our subcontractors.
User content entered in the "prompt" is sent as a request via an interface to the Microsoft Azure OpenAI platform, which is located in Europe.
No personal data is transferred to countries outside the EEA.
10. How long do we store personal data?
We store your personal data for as long as necessary to fulfill the purposes mentioned above. The retention period will vary based on our needs and depends on the following relevant considerations:
- The purpose of processing (e.g., subscription data is stored as long as you have an active subscription)
- The amount, nature, and sensitivity of the data
- Potential harm caused by unauthorized use or disclosure of data
- Legal obligations, even if this means a longer retention period than the purpose suggests
This means, for example, that personal data we process based on your consent is deleted when consent is withdrawn. If the legal basis is our legitimate interest, the data will be deleted when such interest no longer exists. Data stored according to legal obligations will be deleted when the obligation expires.
Some data also depends on which features you use in the service. If you disable chat history storage, the information you provided in the chat function will not appear in the history and will be permanently deleted.
11. Your rights
Data protection laws give you various rights, including the right of access, correction, and deletion of the personal data we have stored about you.
We are committed to ensuring that the personal data we have stored about you is accurate and up to date. If you discover that the data we have stored about you is incorrect, we encourage you to contact us. This also applies if you wish to have the stored personal data deleted.
The deletion request does not apply to data necessary for us to provide a service you still want to access, or if the data must be retained for legal reasons.
You also have the right to data portability. This includes, among other things, the option to take your personal data with you in a machine-readable format.
You have the right to object to the processing of personal data and to object to profiling and automated decisions. This means you can require that your personal data not be analyzed to reveal your behavior, preferences, abilities, or needs. However, this does not apply if the processing is necessary to fulfill a contract you have entered into with us or if you have previously given explicit consent to the processing.
You also have the right to obtain a copy of the personal data we have recorded about you, as long as confidentiality does not prevent this. To ensure that personal data is disclosed to the correct person, we may require that access requests be made in writing and that your identity be verified.
In some situations, you can also ask us to restrict the processing of data about you.
If you believe we are not following what we inform you about in this privacy policy or applicable laws, you can file a complaint. You can also complain to the Data Protection Authority.
You can read more about your rights on the Data Protection Authority's website: www.datatilsynet.no.
12. How do we use cookies?
We use cookies and similar technologies on our website. You can choose to opt out of the use of cookies by changing your browser settings. However, this may result in certain features of the website being unavailable.
Lawai is the data controller for the collection and processing of personal data related to the operation and maintenance of lawai.com.
The purpose of collecting personal data via the website is to log the use of our websites for development and improvement purposes.
Depending on your browser settings, the following data may be collected:
- Your IP address, browser, and operating system
- Your location
- Time of visit
- Pages visited on lawai.com and duration of visits
- Any referring link to lawai.com
- What was clicked during the visit and any files downloaded
- Registered personal data on the website, such as name, phone number, email address, and workplace
- Data collected by third-party services you have agreed to allow us to use.
13. Changes to this privacy policy
Our services are continuously evolving. Therefore, we may update our privacy policy. If the privacy policy is updated, the revised version will be made available on our website https://www.lawai.com/.
14. Contact us
For questions about our data processing or to exercise your rights, email us at: post@juridiskabc.no