Legal

Privacy Policy

Last updated: 10 April 2026

This Privacy Policy explains how TheLegalAid ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our platform. We are committed to handling your data responsibly and in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

TheLegalAid is operated as a technology platform providing AI-assisted self-help tools for UK drivers challenging private parking charges. For data protection purposes, we act as the data controller for personal information collected through this platform.

Contact: privacy@thelegalaid.co.uk

ICO registration number: [TO BE INSERTED BY LEGAL TEAM]

2. Age Restriction

TheLegalAid is intended for use by individuals aged 18 and over. The platform involves civil legal proceedings and financial liability and is not suitable for minors. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us with personal data, please contact us at privacy@thelegalaid.co.uk and we will delete it promptly.

3. What Data We Collect

Account information

• Full name and email address (required to create an account)
• Phone number (optional, used for SMS deadline reminders only)
• Home address (provided voluntarily, used for document generation)
• Password (stored as a secure hash — we never store your plain-text password)

Case information

• Uploaded documents including Parking Charge Notices and County Court claim forms (N1)
• Vehicle registration numbers, PCN and claim numbers, dates, charge amounts, and incident locations extracted from uploaded documents
• AI-generated case notes, audit results, strategy assessments, and drafted legal documents
• Conversation history with our AI assistants (Alex and Henry James AI Barrister)
• Case stage and progression data

Payment information

• Payment transactions are processed securely by Stripe. We do not store card numbers or payment credentials. We receive a transaction reference and payment status confirmation only.

Technical data

• IP address, browser type, and device information collected automatically when you use the platform
• Usage data including pages visited and features used, collected for rate limiting and platform improvement purposes

4. How We Use Your Data

We use your personal data for the following purposes:

• Providing the service — to create and manage your account, process your documents, generate legal documents, and track your case deadlines
• AI processing — your document content and case details are transmitted to third-party AI providers to generate case analyses, legal documents, and AI assistant responses (see Section 6)
• Communications — to send deadline reminders by SMS (if you have provided a phone number and opted in) and service-related emails via our email provider
• Payment processing — to process one-time premium payments via Stripe
• Platform improvement — to understand how the platform is used and improve its accuracy and reliability
• Legal compliance — to comply with our legal obligations

5. Legal Basis for Processing

• Contract performance (Article 6(1)(b) UK GDPR) — processing necessary to provide the service you have registered for, including document processing, AI analysis, and document generation
• Legitimate interests (Article 6(1)(f) UK GDPR) — improving our platform, preventing fraud, and rate-limiting AI usage
• Consent (Article 6(1)(a) UK GDPR) — for optional SMS deadline reminders, where you have explicitly opted in
• Legal obligation (Article 6(1)(c) UK GDPR) — where required by law

6. Data Sharing and Third-Party Processors

We do not sell your personal data to any third party. We share data only with the following processors, each bound by a data processing agreement:

• Supabase — database, authentication, and file storage provider. Your account data, case data, and uploaded documents are stored on Supabase-hosted infrastructure. Supabase operates on Amazon Web Services infrastructure. Data is hosted in the EU (West Europe region). See Supabase Privacy Policy.
• Stripe — payment processing for premium purchases. Stripe processes payment card data on our behalf. We receive transaction references only. See Stripe Privacy Policy.
• Google (Gemini API) — AI processing for document OCR and AI chat responses. Document content, case details, and conversation messages are transmitted to Google for processing. Google is based in the United States; data transfers are made under Standard Contractual Clauses. See Google Privacy Policy.
• OpenAI (GPT-4.1 API) — AI processing for case audits, strategy analysis, and legal document drafting. Case details including extracted document content are transmitted to OpenAI for processing. OpenAI is based in the United States; data transfers are made under Standard Contractual Clauses. See OpenAI Privacy Policy.
• Twilio — SMS delivery for deadline reminders. Your phone number and message content are transmitted to Twilio if you have opted in to SMS notifications. See Twilio Privacy Policy.
• Resend — transactional email delivery, including account verification, OTP codes, and service notifications. Your email address and message content are transmitted to Resend for delivery. See Resend Privacy Policy.

7. International Data Transfers

Some of our third-party processors are based outside the United Kingdom. Where personal data is transferred to countries not covered by a UK adequacy decision, we ensure appropriate safeguards are in place — specifically, Standard Contractual Clauses (SCCs) approved under UK GDPR. This applies to data transmitted to Google (Gemini API) and OpenAI for AI processing purposes.

You can request further information about the specific transfer mechanisms in place by contacting us at privacy@thelegalaid.co.uk.

8. Automated Decision-Making and Profiling

TheLegalAid uses AI systems to automatically assess the strength of your case and generate a case strength score and recommended strategy. This constitutes automated profiling under Article 22 of the UK GDPR. The assessment is based on the content of documents you upload and the legal frameworks applicable to private parking disputes.

This automated assessment is used to inform the documents and guidance we generate for you. It does not produce any legally binding decision about your case — the outcome of any legal proceedings is determined solely by the court.

You have the right to request that any automated assessment of your case be reviewed. To do so, contact us at privacy@thelegalaid.co.uk.

9. Data Retention

We retain your personal data for the following periods:

• Account data — retained for the duration of your account and deleted within 30 days of account deletion
• Case data and uploaded documents — retained for 3 years from the date of last account activity, or until you request deletion, whichever is earlier
• Payment records — retained for 7 years in accordance with financial record-keeping obligations
• AI conversation history — retained for 12 months from the date of each conversation

You may request deletion of your account and personal data at any time by contacting privacy@thelegalaid.co.uk. We will action deletion requests within 30 days, except where retention is required by law.

10. Your Rights

Under UK GDPR, you have the following rights:

• Right of access — to request a copy of the personal data we hold about you
• Right to rectification — to request correction of inaccurate data
• Right to erasure — to request deletion of your personal data
• Right to restriction — to request that we limit how we use your data
• Right to data portability — to receive your data in a structured, machine-readable format
• Right to object — to object to processing based on legitimate interests
• Right not to be subject to solely automated decisions — to request human review of any automated case assessment
• Right to withdraw consent — where processing is based on consent (e.g. SMS reminders), you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at privacy@thelegalaid.co.uk. We will respond within one calendar month.

11. Cookies

TheLegalAid uses strictly necessary cookies for authentication and session management. We do not currently use advertising, analytics, or tracking cookies. If this changes, we will update this policy and seek your consent where required by applicable law.

12. Security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encrypted data transmission (HTTPS), secure password hashing, row-level security controls on our database, and role-based access controls. However, no internet transmission is completely secure and we cannot guarantee absolute security.

13. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ico.org.uk · 0303 123 1113

We would appreciate the opportunity to address your concerns before you contact the ICO — please reach out to us at privacy@thelegalaid.co.uk in the first instance.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify registered users of material changes by email at least 14 days before they take effect. Continued use of the platform after any update constitutes your acceptance of the revised policy.