Last updated: April 16, 2026
At Attorly, we take your privacy seriously. This privacy policy explains how we collect, use, and protect your personal information in accordance with GDPR and applicable data protection laws.
Attorly has two roles under the GDPR depending on the data type. For account information (name, email, billing details, usage logs, support messages), Getia AS acts as a data controller and determines the purposes and means of processing. For documents, drafts, and other content you upload to perform legal work ("Customer Content"), Getia AS acts as a data processor on behalf of you or your organization; a Data Processing Agreement governs that relationship and is available at /dpa.
We collect: (a) identifying and account data (name, email, password hash, organization, workspace roles, chosen language); (b) billing data (country, VAT number where applicable, subscription status, trial status, invoice history — full card details are held by Stripe, not Attorly); (c) Customer Content you upload (documents, drafts, notes, timeline events, research); (d) technical data necessary to operate the service (IP address, session cookies, audit logs of significant actions, country-level geolocation from Cloudflare for currency selection and fraud prevention); (e) communications you send to support. We do not collect sensitive special-category data unless it appears in Customer Content, in which case we process it solely as instructed by you.
We process your data to: (a) deliver the service (GDPR Art. 6(1)(b), contract); (b) meet legal obligations such as tax and accounting (Art. 6(1)(c)); (c) send transactional emails about your account, billing, and critical service updates (Art. 6(1)(b) and (f)); (d) secure the service and prevent abuse (Art. 6(1)(f), legitimate interest); (e) improve the service through aggregated, de-identified analytics (Art. 6(1)(f)); and (f) send marketing communications where we have your consent (Art. 6(1)(a)), which you can withdraw at any time. Customer Content is processed by our AI subprocessors (listed on the Subprocessors page) solely to deliver the output you request. We do not use Customer Content to train our own or any third-party AI models.
Account data is retained while your account is active. On account closure, we delete account and Customer Content within 30 days, except where longer retention is required by law or needed to resolve disputes. Invoices and payment records are retained for the minimum period required by the applicable tax and bookkeeping laws of your jurisdiction (typically 5–10 years; Getia AS as a Norwegian company must retain them for at least 5 years from the end of the financial year). Failed payment and fraud-prevention logs are retained for up to 12 months. Audit logs of administrative and admin-panel actions are retained for 2 years (Art. 32 security). Analytics data is retained in aggregated, de-identified form. The full retention schedule is published in our Data Processing Agreement.
We use industry-standard encryption and security controls. Customer Content and sensitive fields are encrypted at rest using authenticated encryption (AES-256-GCM); we support bring-your-own-key (BYOK) encryption on applicable plans. All network traffic is encrypted in transit with TLS 1.2 or higher. Access to production data is limited to named engineers, multi-factor-authenticated, and fully audited. We run continuous automated vulnerability scanning and follow responsible disclosure procedures; report security issues to security@attorly.ai.
We never sell your personal data. We share it only with subprocessors that are necessary to deliver the service, under written data processing agreements that mirror our commitments to you. The current list is published at /subprocessors and updated at least 30 days before any material change. Transfers to subprocessors outside the EEA are covered by Standard Contractual Clauses (SCCs), the EU–US Data Privacy Framework where applicable, or another lawful transfer mechanism, together with supplementary measures such as encryption and access controls (Schrems II).
Under the GDPR and comparable data-protection laws you have the right to access, rectify, delete, port, and restrict processing of your personal data, to object to processing based on legitimate interests, and to withdraw any consent you have given. You can exercise most of these rights directly from your account settings (export data, close account). For any other request, or if you are not satisfied with our response, contact privacy@attorly.ai — we respond within 30 days. You also have the right to lodge a complaint with the data protection authority in your country of residence (for example Datatilsynet in Norway, IMY in Sweden, Datatilsynet in Denmark, the ICO in the UK, CNIL in France, the BfDI in Germany, or the FTC for US residents). You can find your local authority via edpb.europa.eu or the relevant national portal.
Attorly is a B2B legal platform and is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@attorly.ai and we will delete it.
We may update this privacy policy. For material changes we will notify you by email and in-product at least 30 days before the change takes effect. For clarifications, typos, or updates required by law, we may make the update immediately.
For privacy questions, contact privacy@attorly.ai. Controller: Getia AS, Oslo, Norway. We typically respond within 30 days. We have not appointed a Data Protection Officer as we are not required to do so under GDPR Art. 37, but privacy@attorly.ai reaches the person responsible for data protection at Getia AS.
Contact us if you have questions about how we process your personal data.