Privacy Policy

How EuroLaw Hub processes personal data, the sub-processors actually used, the Article 6 GDPR legal bases per purpose, retention periods, your rights, and how to exercise them.

Last updated · 26 February 2026

1. Who we are

EuroLaw Hub (the "Service") is operated by EuroLaw Hub. For the purposes of this Policy, EuroLaw Hub acts as data controller for the personal data described here, except where we explicitly process data on a customer's behalf (e.g. documents you upload), in which case we act as processor under your instructions.

Contact and DPO: altay@eurolawhub.com

2. Categories of personal data we process

Category
Account
Fields
Email, name, hashed password, plan tier, role, must-reset-password flag
Source
You, at sign-up
Category
Sessions
Fields
JWT identifier, last-login timestamp, IP and user agent on login
Source
Generated by the platform
Category
Conversations
Fields
Your prompts and the model's replies to you
Source
You, in use
Category
Documents
Fields
PDFs, DOCX and TXT you upload + derived text chunks and vector embeddings
Source
You, in use
Category
Watches and alerts
Fields
Topics you track, alerts generated for you, read/dismissed state
Source
You + generated by the platform
Category
Billing
Fields
Plan key, subscription status, payment references from our payment processor
Source
You + our payment processor
Category
Support
Fields
Support-chat transcripts, email correspondence to altay@eurolawhub.com
Source
You
Category
Consent
Fields
Consent record (categories accepted, timestamp, version, IP, user agent)
Source
Generated when you interact with the cookie banner
Category
Analytics (if enabled)
Fields
Aggregated, non-identifying page views and feature-usage counts
Source
Only if you enable analytics cookies

3. Article 6 GDPR legal bases per purpose

Purpose
Operating the Service (auth, sessions, research, uploads, workspaces)
Data used
Account, sessions, conversations, documents, watches
Legal basis
Art. 6(1)(b) — performance of a contract
Purpose
Securing the Service (rate limiting, abuse detection, audit logs)
Data used
IP, user agent, route, timestamp
Legal basis
Art. 6(1)(f) — legitimate interest in keeping the service safe
Purpose
Billing
Data used
Plan, payment IDs
Legal basis
Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — accounting and tax obligations
Purpose
Customer support
Data used
Email, support-chat transcripts
Legal basis
Art. 6(1)(b) and Art. 6(1)(f)
Purpose
Optional analytics and preferences cookies
Data used
Aggregated usage signals
Legal basis
Art. 6(1)(a) — your consent
Purpose
Marketing (if you opt in)
Data used
Email, basic profile
Legal basis
Art. 6(1)(a) — your consent
Purpose
Legal claims and regulatory cooperation
Data used
Any of the above as strictly necessary
Legal basis
Art. 6(1)(c) and Art. 6(1)(f)

4. Sub-processors (the ones we actually use)

To deliver the Service we engage the following sub-processors. Each is bound by a Data Processing Addendum and, where transfers leave the EEA, by Standard Contractual Clauses or equivalent safeguards under Article 46 GDPR.

Sub-processor
Anthropic
Purpose
AI inference (Claude). NO TRAINING on customer content per the DPA.
Location
United States
Transfer safeguard
DPA + Standard Contractual Clauses (Art. 46)
Sub-processor
Payment processor (merchant of record)
Purpose
Subscription billing, invoicing, tax compliance
Location
United States / EU
Transfer safeguard
DPA + SCCs; the processor is the merchant of record for EU VAT
Sub-processor
Managed MongoDB hosting (EU region)
Purpose
Application database (users, conversations, documents, alerts, bulletins)
Location
European Union
Transfer safeguard
Intra-EEA processing under the GDPR
Sub-processor
Email-delivery provider
Purpose
Transactional email (password reset, billing receipts, support correspondence)
Location
EU / EEA
Transfer safeguard
Intra-EEA where possible; SCCs otherwise

We update this list when a sub-processor changes. Material changes will be notified by email or in-app banner.

Internal access. Account records (email, name, plan and verification/trial status, team seat allocation, sign-up date and last activity) are viewable by the platform administrator strictly for account management, billing support and abuse prevention. Administrator access to account listings and exports is itself recorded in our audit log.

5. International transfers

The primary database is hosted in the European Union. The only routine transfer outside the EEA today is to Anthropic for AI inference. That transfer is covered by Anthropic's DPA and Standard Contractual Clauses, supplemented by a documented Transfer Impact Assessment under EDPB Recommendations 01/2020. Anthropic does not train on customer content.

6. Retention

Category
Account record
Retention
For the life of your account, plus up to 90 days after deletion to honour reversal requests; permanently anonymised thereafter.
Category
Conversations
Retention
Until you delete them, or 24 months after your last login if your account remains inactive.
Category
Documents and embeddings
Retention
Until you delete them. Hard-deletion within 30 days.
Category
Watches and alerts
Retention
Until you dismiss them; dismissed alerts soft-archive after 6 months.
Category
Billing and tax records
Retention
Up to 10 years where required by EU/Member-State tax law.
Category
Security and audit logs
Retention
12 months.
Category
Consent records
Retention
5 years from the date of the consent decision, for accountability under Art. 7(1) GDPR.
Category
Aggregated analytics (if enabled)
Retention
Aggregated indefinitely; no individual-level identifiers.

7. Your rights (Articles 15–22 GDPR)

Right
Access
Article
Art. 15
How to exercise
Email altay@eurolawhub.com; we respond within 30 days.
Right
Rectification
Article
Art. 16
How to exercise
Update directly in /app/profile, or email us for fields you cannot edit.
Right
Erasure ('right to be forgotten')
Article
Art. 17
How to exercise
Delete your account from /app/profile, or email altay@eurolawhub.com. Documents can be deleted individually from the Research Assistant.
Right
Restriction
Article
Art. 18
How to exercise
Email altay@eurolawhub.com.
Right
Portability
Article
Art. 20
How to exercise
Email altay@eurolawhub.com — we provide a structured JSON/CSV export.
Right
Object
Article
Art. 21
How to exercise
Email altay@eurolawhub.com. We stop unless we can demonstrate compelling legitimate grounds.
Right
Not be subject to a solely-automated decision
Article
Art. 22
How to exercise
EuroLaw Hub does not take legal or significant decisions about you solely on the basis of automated processing.
Right
Withdraw consent
Article
Art. 7(3)
How to exercise
Use the Cookie Preferences link in the footer, or email us for consents given over email.

You also have the right to lodge a complaint with the supervisory authority in your Member State of habitual residence, place of work or place of the alleged infringement (Article 77 GDPR).

8. Cookies and similar technologies

We use cookies and equivalent browser storage only where permitted. Strictly-necessary items load by default; everything else loads only after you consent. You can review and change your choices at any time via the link in the footer.

9. Changes to this Policy

We will update this Policy as the platform evolves. The "Last updated" date at the top reflects the current version. Material changes trigger a fresh consent request and an in-app banner.