Privacy Policy

Effective Date: 1st September 2025
Company: We Are Spydr Ltd (registered in England and Wales, Company No. 11260347) (“Spydr”, “we”, “us”, or “our”), trading as “LegalWonder”.

  1. Introduction
    1. Spydr is committed to safeguarding the privacy and confidentiality of personal data and sensitive legal information entrusted to us. This Privacy Policy explains how we collect, use, store, and disclose personal data when providing our LegalWonder software-as-a-service platform (the “Services”).
    2. This Privacy Policy is issued in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and other applicable data protection laws.
    3. For the purposes of the UK GDPR, Spydr acts as a controller in respect of user account data and payment information, and as a processor in respect of case bundles and other documents uploaded by Customers.
  1. Categories of Data Collected
    1. We may collect and process the following categories of personal data:
      1. Account Data: name, email address, login credentials, and optional profile information such as a bio.
      2. Payment Data: billing address, payment method details, and transaction history (processed by Stripe as our payment processor).
      3. Case Data: legal documents, case bundles, evidence, notes, and other materials uploaded by Customers (which may include highly confidential information and personal data of third parties).
      4. Usage Data: activity logs, analytics, device and browser information, and IP addresses.
      5. Support Data: communications with our support team.
  1. Purposes and Legal Bases of Processing
    1. We process personal data for the following purposes:
      1. To provide, administer, and secure the Services (legal basis: performance of contract, Article 6(1)(b) UK GDPR).
      2. To process subscription fees and manage billing (legal basis: performance of contract, Article 6(1)(b)).
      3. To protect confidentiality of case bundles and comply with professional secrecy obligations (legal basis: legitimate interests and legal obligations, Articles 6(1)(c) and 6(1)(f)).
      4. To improve, monitor, and support the Services (legal basis: legitimate interests, Article 6(1)(f)).
      5. To comply with statutory or regulatory requirements (legal basis: legal obligation, Article 6(1)(c)).
      6. For marketing communications where permitted (legal basis: consent, Article 6(1)(a)).
  1. Data Sharing and Sub-Processors
    1. We do not sell personal data.
    2. We may disclose personal data only to the following categories of recipients:
      1. Sub-processors: trusted service providers engaged to support delivery of the Services, including:
        1. Vercel
        2. Supabase
        3. Anthropic, OpenAI, AWS, Google Gemini
        4. Stripe
  1. International Transfers
    1. Where personal data is transferred outside the UK (e.g. to sub-processors in the EU), we ensure adequate safeguards are in place, including:
      1. UK Addendum to the EU Standard Contractual Clauses; or
      2. other lawful transfer mechanisms under UK GDPR.
  1. Data Retention
    1. Account and payment data are retained for as long as your subscription remains active and for a period of six (6) years thereafter, in line with tax and legal obligations.
    2. Case Data is retained only for as long as necessary to provide the Services. Upon termination or deletion of your Account, such data will be securely deleted within ninety (90) days, unless otherwise required by law.
    3. Support communications are retained for up to three (3) years.
  1. Security
    1. We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, including encryption in transit and at rest, access controls, and monitoring.
    2. While we take security seriously, no system is entirely immune from breaches. In the event of a personal data breach, we will notify affected data subjects and the Information Commissioner’s Office (“ICO”) where required by law.
  1. Data Subject Rights
    1. Under the UK GDPR, individuals have the following rights:
      1. Right of access – to request a copy of personal data held about you.
      2. Right to rectification – to correct inaccurate or incomplete data.
      3. Right to erasure – to request deletion of personal data where legally permissible.
      4. Right to restrict processing – to limit how we process your data in certain circumstances.
      5. Right to data portability – to receive a copy of your personal data in a structured, machine-readable format.
      6. Right to object – to processing based on legitimate interests or direct marketing.
      7. Right to withdraw consent – where processing is based on consent.

Requests should be submitted using the contact details in Section 11.

  1. Children’s Data
    1. Users of LegalWonder must be over the age of 18.
  1. Contact Information
    1. For any queries, concerns, or to exercise your rights, please contact:
      1. Data Protection Officer: Tom Sproull
        We Are Spydr Ltd
        40 Berkeley Square, Clifton, BS8 1HP
        Email: team@legalwonder.co.uk

You also have the right to lodge a complaint with the Information Commissioner’s Office (www.ico.org.uk).

  1. Changes to this Privacy Policy
    1. We reserve the right to update or amend this Privacy Policy at any time. Substantial changes will be notified to Customers by appropriate means.