Privacy Policy
Effective 8 May 2026
1. Who we are
LAW-BUD ("we", "us", "our") is a UK legal information service operated by Pecuna Factorum Ltd. Contact: hello@law-bud.com. We are the data controller for the personal data described below.
2. What we collect
- Account data — email address you provide at sign-up or checkout.
- Billing data — handled by Stripe. We do not store your card details. We hold a Stripe customer ID and subscription status.
- Conversation content — questions and documents you send to LAW-BUD, including any letters, contracts, or images you attach. Stored on your device by default; copied to our servers only when you save a chat or upload to your Vault / Knowledge Base.
- Voice recordings — sent to OpenAI for transcription and discarded after the transcript returns.
- Usage data — counts of questions asked per billing period, used to enforce plan limits.
3. Why we use it (lawful bases under UK GDPR)
- Contract (Art. 6(1)(b)) — to provide the LAW-BUD service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — to keep the service working, prevent abuse, and improve answers.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and law-enforcement requests.
4. Who we share it with
- Stripe Payments UK Ltd — payment processing. See Stripe's privacy policy.
- Anthropic PBC and OpenAI LLC — to generate answers, transcribe voice, and run document search. These are processors; we sign data-processing agreements with them.
- Supabase (hosted in EU/eu-west-1) — secure database for account and subscription state.
- Vercel (hosted in EU) — application hosting.
We do not sell your data. We do not share it with advertisers or data brokers.
5. International transfers
Anthropic and OpenAI process some data in the United States. Transfers rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, supplemented by encryption in transit and at rest.
6. How long we keep it
- Active account data — for as long as your account is active.
- Cancelled accounts — 30 days, then deleted. Anonymised usage statistics retained.
- Stripe billing records — 7 years (HMRC tax-record retention).
- Conversations on your device — only as long as your local browser keeps them; you can clear them at any time from Settings.
7. Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict, object to, and port your personal data. Email privacy@law-bud.com to exercise any of these. We will respond within one calendar month. You also have the right to complain to the Information Commissioner's Office.
8. Cookies
We use only essential cookies (session and CSRF). We do not use tracking, advertising, or third-party analytics cookies.
9. Security
All traffic is encrypted via HTTPS. Data at rest in Supabase and Stripe is encrypted with AES-256. Access to production systems is limited to authorised personnel via SSO with hardware-token MFA.
10. Changes
We will notify subscribers by email at least 14 days before any material change. The current version of this policy always lives at /legal/privacy.