Legalify — Y-tunnus: 3610308-7
Privacy Policy
Last updated: 26 February 2026
1. Controller
Legalify (Finnish sole trader / toiminimi, Y-tunnus 3610308-7) is the data controller for account, billing, and platform operations data processed in Legalify.
Registered address: c/o Muuvlaw Oy, Junakatu 9, 20100 Turku, Finland.
Contact: privacy@uselegalify.com
2. Data We Collect
Legalify processes the following data categories:
- Account data: email address, role, account creation/update timestamps.
- Authentication data: password hash, active sessions, login state metadata.
- Billing data: token transactions, Stripe event references, purchase metadata.
- Scan metadata: scan ID, mode, risk level, confidence (if available), tokens used, model used, character count, created timestamp.
- Hashed scan reference: SHA-256 hash of submitted scan text.
3. Scan Content Storage
Legalify does not store submitted marketing copy in full. Scan history records contain derived data: a SHA-256 hash of the submitted text, the risk level, flagged sentences, and rewrite suggestions produced by the analysis. These fragments of submitted text are retained as part of scan history for account reporting and auditability.
AI-mode scans transmit submitted text to the OpenAI API for analysis. OpenAI's infrastructure is US-based. This transfer relies on Standard Contractual Clauses as the Article 46 GDPR safeguard. Heuristic scans are processed entirely server-side and do not transmit submitted text to any third party.
4. Purpose and Legal Basis (GDPR Art. 6)
- Service delivery (account, authentication, scan execution, token accounting): Art. 6(1)(b), contract performance.
- Security, abuse prevention, and service integrity: Art. 6(1)(f), legitimate interests.
- Billing, accounting, and tax obligations: Art. 6(1)(c), legal obligation, and Art. 6(1)(b), contract.
5. Sub-processors
Legalify uses the following infrastructure and service providers:
- Vercel Inc. (hosting and deployment infrastructure; US-based; SCCs apply).
- Stripe Inc. (payment processing and billing events; US-based; SCCs apply).
- OpenAI Inc. (AI-mode scan processing; US-based; SCCs apply).
- Resend Inc. (transactional email delivery; US-based; SCCs apply).
- Upstash Inc. (rate-limiting infrastructure; US-based; SCCs apply).
- Neon Technologies Inc. (database hosting; US-based; SCCs apply).
- Google LLC (business email via Google Workspace; US-based; SCCs apply).
6. International Transfers
Some providers may process data outside the EEA. Where required, Legalify relies on lawful transfer safeguards such as Standard Contractual Clauses (SCCs).
7. Retention
- Account and authentication data: retained for the duration of the account and deleted within 90 days of account closure.
- Scan metadata and hashed scan references: retained for the duration of the account and deleted within 90 days of account closure.
- Billing and transaction records: retained for 7 years as required under Finnish accounting law (Kirjanpitolaki).
- Security and access logs: retained for up to 12 months.
8. Data Subject Rights
Under GDPR, you may request access, rectification, erasure, restriction, or portability of your data, or object to its processing.
Submit requests to privacy@uselegalify.com.
9. Security Measures
Legalify applies technical and organizational security measures including authenticated access controls, secure password hashing, server-side authorization and billing logic, and transport security for API traffic.
10. Data Breach Notification
In the event of a personal data breach, Legalify will notify the Finnish Data Protection Ombudsman (tietosuojavaltuutettu) within 72 hours of becoming aware of the breach, where required under GDPR Art. 33. Affected users will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Art. 34.
11. Contact
Privacy: privacy@uselegalify.com
Legal: legal@uselegalify.com