1. Who we are
EuroLaw Hub (the "Service") is operated by EuroLaw Hub. For the purposes of this Policy, EuroLaw Hub acts as data controller for the personal data described here, except where we explicitly process data on a customer's behalf (e.g. documents you upload), in which case we act as processor under your instructions.
Contact and DPO: altay@eurolawhub.com
2. Categories of personal data we process
| Category | Fields | Source |
|---|---|---|
| Account | Email, name, hashed password, plan tier, role, must-reset-password flag | You, at sign-up |
| Sessions | JWT identifier, last-login timestamp, IP and user agent on login | Generated by the platform |
| Conversations | Your prompts and the model's replies to you | You, in use |
| Documents | PDFs, DOCX and TXT you upload + derived text chunks and vector embeddings | You, in use |
| Watches and alerts | Topics you track, alerts generated for you, read/dismissed state | You + generated by the platform |
| Billing | Plan key, subscription status, payment references from our payment processor | You + our payment processor |
| Support | Support-chat transcripts, email correspondence to altay@eurolawhub.com | You |
| Consent | Consent record (categories accepted, timestamp, version, IP, user agent) | Generated when you interact with the cookie banner |
| Analytics (if enabled) | Aggregated, non-identifying page views and feature-usage counts | Only if you enable analytics cookies |
3. Article 6 GDPR legal bases per purpose
| Purpose | Data used | Legal basis |
|---|---|---|
| Operating the Service (auth, sessions, research, uploads, workspaces) | Account, sessions, conversations, documents, watches | Art. 6(1)(b) — performance of a contract |
| Securing the Service (rate limiting, abuse detection, audit logs) | IP, user agent, route, timestamp | Art. 6(1)(f) — legitimate interest in keeping the service safe |
| Billing | Plan, payment IDs | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — accounting and tax obligations |
| Customer support | Email, support-chat transcripts | Art. 6(1)(b) and Art. 6(1)(f) |
| Optional analytics and preferences cookies | Aggregated usage signals | Art. 6(1)(a) — your consent |
| Marketing (if you opt in) | Email, basic profile | Art. 6(1)(a) — your consent |
| Legal claims and regulatory cooperation | Any of the above as strictly necessary | Art. 6(1)(c) and Art. 6(1)(f) |
4. Sub-processors (the ones we actually use)
To deliver the Service we engage the following sub-processors. Each is bound by a Data Processing Addendum and, where transfers leave the EEA, by Standard Contractual Clauses or equivalent safeguards under Article 46 GDPR.
| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Anthropic | AI inference (Claude). NO TRAINING on customer content per the DPA. | United States | DPA + Standard Contractual Clauses (Art. 46) |
| Payment processor (merchant of record) | Subscription billing, invoicing, tax compliance | United States / EU | DPA + SCCs; the processor is the merchant of record for EU VAT |
| Managed MongoDB hosting (EU region) | Application database (users, conversations, documents, alerts, bulletins) | European Union | Intra-EEA processing under the GDPR |
| Email-delivery provider | Transactional email (password reset, billing receipts, support correspondence) | EU / EEA | Intra-EEA where possible; SCCs otherwise |
We update this list when a sub-processor changes. Material changes will be notified by email or in-app banner.
Internal access. Account records (email, name, plan and verification/trial status, team seat allocation, sign-up date and last activity) are viewable by the platform administrator strictly for account management, billing support and abuse prevention. Administrator access to account listings and exports is itself recorded in our audit log.
5. International transfers
The primary database is hosted in the European Union. The only routine transfer outside the EEA today is to Anthropic for AI inference. That transfer is covered by Anthropic's DPA and Standard Contractual Clauses, supplemented by a documented Transfer Impact Assessment under EDPB Recommendations 01/2020. Anthropic does not train on customer content.
6. Retention
| Category | Retention |
|---|---|
| Account record | For the life of your account, plus up to 90 days after deletion to honour reversal requests; permanently anonymised thereafter. |
| Conversations | Until you delete them, or 24 months after your last login if your account remains inactive. |
| Documents and embeddings | Until you delete them. Hard-deletion within 30 days. |
| Watches and alerts | Until you dismiss them; dismissed alerts soft-archive after 6 months. |
| Billing and tax records | Up to 10 years where required by EU/Member-State tax law. |
| Security and audit logs | 12 months. |
| Consent records | 5 years from the date of the consent decision, for accountability under Art. 7(1) GDPR. |
| Aggregated analytics (if enabled) | Aggregated indefinitely; no individual-level identifiers. |
7. Your rights (Articles 15–22 GDPR)
| Right | Article | How to exercise |
|---|---|---|
| Access | Art. 15 | Email altay@eurolawhub.com; we respond within 30 days. |
| Rectification | Art. 16 | Update directly in /app/profile, or email us for fields you cannot edit. |
| Erasure ('right to be forgotten') | Art. 17 | Delete your account from /app/profile, or email altay@eurolawhub.com. Documents can be deleted individually from the Research Assistant. |
| Restriction | Art. 18 | Email altay@eurolawhub.com. |
| Portability | Art. 20 | Email altay@eurolawhub.com — we provide a structured JSON/CSV export. |
| Object | Art. 21 | Email altay@eurolawhub.com. We stop unless we can demonstrate compelling legitimate grounds. |
| Not be subject to a solely-automated decision | Art. 22 | EuroLaw Hub does not take legal or significant decisions about you solely on the basis of automated processing. |
| Withdraw consent | Art. 7(3) | Use the Cookie Preferences link in the footer, or email us for consents given over email. |
You also have the right to lodge a complaint with the supervisory authority in your Member State of habitual residence, place of work or place of the alleged infringement (Article 77 GDPR).
8. Cookies and similar technologies
We use cookies and equivalent browser storage only where permitted. Strictly-necessary items load by default; everything else loads only after you consent. You can review and change your choices at any time via the link in the footer.
9. Changes to this Policy
We will update this Policy as the platform evolves. The "Last updated" date at the top reflects the current version. Material changes trigger a fresh consent request and an in-app banner.