Privacy policy
Introduction
This Privacy Policy (hereinafter "the Policy") is established by LegalOps SRL (hereinafter "We", "the Data Controller" or "LegalOps"), registered with the Crossroads Bank for Enterprises under number 1029.306.887 and having its registered office at Rue de Wansijn 53, 1180 Uccle.
LegalOps shall be understood as the Data Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter, “GDPR”), insofar as it processes the personal data of users of the intelligent legal assistant Raoul (hereinafter, “the Tool” or “Raoul”).
Users are hereinafter also referred to as “data subjects,” “Users,” or “You.”
The purpose of this Policy is to transparently explain how your personal data is collected, processed, and stored by LegalOps in order to demonstrate the company's compliance with legal requirements.
For LegalOps, respect for privacy and data protection are indeed among the core values upheld by the company.
With regard to personal data entered directly by the user into Raoul, LegalOps is considered the processor of such personal data and the user is considered the data controller.
In this context, the relationship between the User and LegalOps is governed by a data processing agreement in accordance with the requirements of Article 28(3) of the GDPR.
This agreement is available as an annex to our Terms of Use.
Key concepts
Within the meaning of this Policy, "personal data" means any information that allows you to be identified, as a natural person, directly or indirectly.
For example: a surname, a first name, an email address.
"Processing of personal data" means any operation or set of operations, whether or not carried out by automated means, applied to data or sets of personal data.
For example: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing; in this case, LegalOps is the Data Controller.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
What personal data do we process? And by what means do we access it?
3.1. Categories of data processed
For the purposes of the processing activities listed below, LegalOps processes the following relevant and necessary categories of personal data:
- Personal identification data: last name and first name;
- Electronic identification data: IP address, professional email address, and password;
3.2. Special Categories of Data
As a rule, LegalOps does not process special categories of personal data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning your sex life or sexual orientation, without your explicit consent.
3.3. Non-personal data
LegalOps may also collect non-personal data.
This data is classified as non-personal data because it does not allow the direct or indirect identification of a specific individual. It may therefore be used for any purpose whatsoever. Accordingly, anonymized data used for aggregate analysis or market research purposes is not considered personal data.
However, where non-personal data is combined with personal data such that identification of data subjects becomes possible, such data shall be treated as personal data until it is no longer possible to link it to a specific individual.
3.4. Data Collection Method
Your personal data is collected directly from you, particularly when you create a user account on Raoul or when you contact us.
We may collect some of your personal data indirectly, in particular when a User links you to their account in order to grant you access to their environment.
3.5. Consequences of failure to provide such data
The provision of certain data mentioned above is necessary to access the services offered by Raoul, in particular the creation of a user account.
In the event that the Data Subject does not provide the personal data requested by the Data Controller, it is possible that the Data Subject may not be able to log in or access the services offered by the Tool.
Why do we collect your personal data? On what legal bases do we process your personal data?
We process your personal data for specific purposes based on the relevant legal bases, as set out in the following table:
| Legal basis | Purposes |
|---|---|
| Article 6(1)(a) GDPR: The user has given consent to the processing of their personal data. |
|
| Art. 6, 1., b) GDPR: Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract. |
|
| Art. 6, 1., c) GDPR: Processing is necessary for compliance with LegalOps' legal obligations. |
|
| Art. 6, 1., f) GDPR: Processing is necessary for the purposes of the legitimate interests pursued by LegalOps. |
|
| Processing not yet envisaged | LegalOps may carry out processing operations not yet provided for in this Privacy Policy. In such cases, you will be contacted by us before any reuse of your personal data in order to inform you of the processing not yet envisaged and to give you the opportunity, where applicable, to refuse it. |
Who has access to your personal data?
5.1. Internal communication
Access to your personal data is strictly limited, within LegalOps, to authorized persons only, in particular for managing your communications with LegalOps in the event of contact or for managing your user account.
5.2. External communication
We do not sell or transfer your personal data to third parties in any way whatsoever.
Nevertheless, in the course of our activities, we may share your data with our trusted partners and sub-processors, acting in accordance with our instructions, namely:
- Scaleway (Scaleway SAS, France region) — hosting of the Tool;
- Platane (Platane SAS, RCS Poitiers 904 843 000, France) — development of the Tool;
- PostHog (PostHog Inc., EU hosting) — statistical analysis tool for website traffic and user behavior. The data collected is anonymized by default and only becomes personal with your explicit consent to analytical cookies;
- Slack (Salesforce Inc.) — used solely for the internal reception of contact requests submitted through the website form.
We may also share your Personal Data with the following categories of recipients:
- To any competent law enforcement body, regulator, government agency, court, or other third party, where we believe disclosure is necessary under applicable laws or regulations, to establish or defend our rights, or to protect your vital interests or those of any other person.
- To our auditors, advisors, legal representatives, and similar agents in connection with the advisory services they provide to us for legitimate business purposes and subject to a contractual prohibition on using the Personal Data for other purposes.
- To any other person where you have given your prior consent to the disclosure.
5.3. Data Storage and Transfer
The personal data collected by the Data Controller is stored and processed within the European Union.
In principle, none of your personal data is transferred to third countries outside the European Union or to international organizations.
Should this nevertheless become the case, we undertake to implement appropriate security measures to ensure a sufficient level of protection for your personal data.
How long do we keep your data?
We retain the Personal Data we collect from you where we have a legitimate business need (for example, to provide you with a service you have requested or to comply with applicable legal requirements).
Accordingly, we retain Personal Data for the following periods:
- For the creation and management of your user account: up to 2 years from the last activity.
- To respond to your requests: up to 2 years after the date of last contact.
When we no longer have a legitimate business need to process your personal data, we either anonymise it or delete it, or if the latter is not possible (for example, your personal data has been stored in backup archives), we securely store it and isolate it from any further processing until deletion is possible.
What security measures are in place to protect your data?
We prioritize the protection of your personal data and therefore actively work to ensure that your data is protected against loss, theft, misuse, alteration, disclosure, or unauthorized use. Accordingly, we take reasonably expected measures to ensure that your personal data is processed securely and in accordance with this Policy and the GDPR.
However, data transfers over the Internet and mobile networks can never be completely risk-free. It is therefore important that Data Subjects also take responsibility for ensuring that their data is properly protected, in particular by ensuring that their login credentials remain confidential.
If, despite these security measures, your data is destroyed, lost, altered, or disclosed, we undertake to act promptly to identify the cause of the problem and to take appropriate measures, in accordance with the legal requirements regarding the protection of personal data.
What are your rights?
As a Data Subject with regard to the processing of your personal data, you have a number of rights concerning the access to and control of your personal data, including:
- A right of access: by exercising this right, you can obtain, upon simple request and free of charge, a copy (including in electronic format) of your personal data. You can also request access to a range of information, including the purposes of the processing, the recipients, etc. Should you request additional copies, we may however charge a reasonable fee based on administrative costs.
- A right to rectification: by exercising this right, you may rectify, complete, or delete your personal data that may be inaccurate, incomplete, or irrelevant. Where we have made your data accessible to other entities, we are obligated to take all necessary steps to inform those entities of your rectification request.
- A right to erasure: subject to exceptions, you have the right to request that we erase your data. Where we have made your data accessible to other entities, we are obligated to take all necessary measures to inform those entities of your erasure request.
- A right to restriction of processing: in certain circumstances, you have the right to obtain the restriction of processing of your personal data. Where we have made your data accessible to other entities, we are obligated to take all necessary measures to inform those entities of your request for restriction of processing.
- A right to data portability: in certain circumstances, you may request to receive your personal data free of charge in a structured, commonly used, and machine-readable format, in particular for the purpose of transmitting it to another data controller.
- A right to object: when the processing of your data is carried out on the basis of our legitimate interest, you may at any time object to the use of your data for this purpose, unless we demonstrate that there are compelling legitimate grounds overriding your rights and interests.
- A right to withdraw your consent: you may withdraw your consent at any time, where consent is the legal basis for the processing of your data.
To exercise these rights or for any question and/or complaint relating to this Privacy Policy, please send a written request (including in electronic format), dated and signed, to the attention of LegalOps at the contact details set out below.
Your request must indicate the right(s) you wish to exercise. We may ask you to provide proof of your identity for security purposes, in order to prevent unauthorized disclosure or misuse of your personal data.
We will then have a period of one month from receipt of your request to respond. This period may be extended by 2 months, taking into account the complexity or the number of requests. Where applicable, this period may only be extended provided you have been informed and the reasons justifying the extension have been communicated to you.
In the event that we decide not to act on your request, we will inform you of the reasons for our refusal or inaction.
Questions, complaints, or grievances
If you wish to react to any of the practices described in this Policy, you are advised to first contact us at the following details: frederic@legalops.be
You may also lodge a complaint with the Belgian data protection authority:
Data Protection Authority
Rue de la Presse, 35
1000 Bruxelles
Tel. + 32 2 274 48 00
Fax. + 32 2 274 48 35
For further information on complaints and possible remedies, we invite you to consult the information available on the Data Protection Authority's website: https://www.autoriteprotectiondonnees.be
Finally, you have the option of filing a complaint before the competent national courts.
Changes to this policy
We reserve the right, at any time, to make changes or additions to this Privacy Policy.
The latest version of our Privacy Policy will always be available through the Tool's interface.