Last updated February 28, 2025
Legora respects your privacy and is committed to securing and protecting any information we have about you. This policy (the “Privacy Policy”) covers our treatment of personal data about you whenever you access or use Legora products, services, features and technologies, including Legora’s website (the “Site”), platform and plug-ins exchanging information with Legora (“Services”). The Privacy Policy also covers other interactions you have with Legora and describes your rights and how you can exercise them. The Site and Services are collectively referred to as “Online Services”.
You accept this Privacy Policy by using the Online Services. If you have any questions or concerns about the Privacy Policy, please contact us.
Legora’s Services are offered to companies and/or other legal entities for professional use (our “Subscribers”). Our Subscriber agreements govern the delivery and use of the Services (“Subscriber Agreements”).
This Privacy Policy applies when Legora is the data controller responsible for processing personal data. It does not apply to any input submitted to, output generated by, or documents uploaded to our Services (“Content”). We process Content as a data processor on behalf of our Subscribers (the data controllers), and our processing of Content is governed by the relevant Subscriber Agreement. Any queries related to data that can be used to identify you (“personal data”) included in Content should be directed to our Subscribers. If we receive any rights requests concerning instances where we act as data processor, we will forward them to the relevant Subscriber.
Legora may maintain links to other websites and other websites may maintain links to the Online Services. This Privacy Policy only applies to legora.com, leya.law, app.legora.com and app.leya.law, and not to other websites accessible from Legora or websites that you use to access Legora.
Legora may use your personal data for the following purposes:
to provide, administer, maintain, and/or improve our Services;
to provide you with support services, resolve issues or reply to your queries;
to manage and remember your preferences and customize the Services;
to communicate with you, including to send you information or marketing about our Services and events;
to analyze and study the effectiveness of our Services and to develop new features and services;
to verify your identity, prevent fraud, criminal activity and to ensure the security of our IT systems, architecture, and networks;
to prevent misuse of the Services and enforce our legal terms;
to comply with legal obligations and legal processes, and;
to protect Legora’s rights, privacy, safety, or property, and/or that of our affiliates, you, or other third parties.
The following disclosures are intended to provide additional information about the categories of Personal Information we collect (as defined above), the type of data, how we use each category of Personal Information. These disclosures do not limit our ability to use or disclose information as described above.
Purpose
Types of personal data
Legal basis
Data retention
In certain circumstances, we may share your Personal Information with third parties without further notice to you, unless legally required, including without limitation in the situations below:
Affiliates: Legora may share your personal data with other entities within the Legora corporate group (our “affiliates”). Legora’s affiliates will only use the personal data we share with them in a manner consistent with this Privacy Policy.
Vendors and Service Providers: To assist us in meeting business operations needs and to perform certain services and functions, we may share your personal data with vendors and service providers, including providers of hosting services, cloud service providers, and other information technology services providers, event management services, email communication software and email newsletter services, advertising and marketing services, and web analytics services. Pursuant to our instructions, these parties will access, process, or store personal data in the course of performing their duties to us.
Third-party Websites and Services. Our Services may contain links to other websites not operated or controlled by Legora, including social media services (“third-party sites”). The information that you share with third-party sites will be governed by the specific privacy policies and terms of service of the third-party sites and not by this Privacy Policy. By providing these links we do not imply that we endorse or have reviewed these sites. Please contact the third-party sites directly for information on their privacy practices and policies.
Other users: When you are using the collaboration features within Legora, certain actions you take may be visible to other users of our services.
Plug-Ins. When you are using third party applications and choose to connect your Legora account with such external third-party applications (for example to use our Microsoft Word plug-in) the providers of those services or products may receive information about you from Legora or others. Please be aware that when you use third-party sites or services, their own terms and privacy policies will govern your use of those sites or services. Please contact the supplier of such applications directly for information on their privacy practices and policies.
Business changes: If we are involved in strategic transactions, (such as sale, merger, reorganizations, liquidation, or transition of service to another provider), your personal data and other information may be shared in the diligence process with counterparties and others assisting with the transaction and transferred to a successor or affiliate as part of that transaction along with other assets.
Legal Requirements: Legora may also share your personal data if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, including to meet national security or law enforcement requirements, (ii) protect and defend our rights or property, (iii) prevent fraud, (iv) act in urgent circumstances to protect the personal safety of users of the Services, or the public, or (v) protect against legal liability.
Legora always strives to process your personal data as close to you as possible. By using our Online Services however, you understand and acknowledge that your personal information will be transferred from your location to our facilities and servers in the EU/EEA.
In certain situations, such as when we share your information within the Legora corporate group or with a supplier or subcontractor, your personal data may be transferred outside EU/EEA. Legora always ensures that the same high level of protection applies to your personal data according to the relevant data protection laws, even when the data is internationally transferred. Your rights in respect to your personal data (described in detail in section 6), are not affected when data is internationally transferred. You will find more information about the recipients Legora shares your data with in section 4.
Safety measures Legora uses when conducting international transfers
Countries outside of the EU/EEA or your country of residence may have laws that allow public authorities to request access to personal data stored in the country for the purpose of combating crime or safeguarding national security. Regardless of whether we or any of our providers process your personal data, we will ensure that a high level of protection is guaranteed when transferring that data and that appropriate protection measures have been taken, in accordance with applicable data protection requirements (such as the GDPR).
Such appropriate safeguards include, but are not limited to:
Adequacy decisions. If the relevant authority (e.g. the EU Commission) has decided that the country to which your personal data are transferred has an adequate level of protection, which corresponds to the level of protection afforded by the relevant data protection laws. This means for example that the personal data is still protected from unauthorized disclosure, and that you may still exercise your rights with regard to your personal data,
Standard Contractual Clauses. The relevant authority’s standard clauses have been entered into between Legora and the recipient of the personal data. This means that the recipient guarantees that the level of protection for your personal data afforded by the relevant data protection laws still applies, and that your rights are still protected. In these cases, we also assess whether there are laws in the recipient country that affects the protection of your personal data. Where necessary, we take technical and organizational measures so that your data remain protected during the transfer to the relevant country.
Derogation. In limited circumstances, we may rely on an exception, or ‘derogation’ under the applicable data protection laws, to transfer your personal data to such country despite the absence of an adequacy decision or standard contractual clauses, such as relying on your explicit consent to that transfer or because it is necessary for the establishment, exercise or defence of legal claims (including regulatory, administrative or any out-of-court procedure, and seeking advice).
Data Privacy Framework. If the transfer is covered by a relevant data privacy framework, such as the EU-US Data Privacy Framework, which is an opt-in certification scheme for US companies, administered by the US Department of Commerce. Data privacy framework include sets of enforceable principles and requirements that must be certified to company, ensuring that your data is still being sufficiently protected.
You have several rights under the applicable data protection laws (including the GDPR) related to your control over your personal data and to receive information directly from us on how we process personal data about you. In the following you can read about your rights.
Right to information and access. You have the right to be informed of how we process your personal data. We do this through this Privacy Policy (6) and by answering your questions. You can request information regarding whether we are processing your personal data and ask to receive a copy of your personal data (“data extract”), so called data subject access. Through the data extract you will receive information about what personal data Legora holds about you and how we process it.
Right to rectification. If you believe that your personal data is inaccurate or incomplete, you have the right to ask for it to be corrected or completed.
Right to restriction. If you believe that your personal data is inaccurate, that our processing is unlawful or that we do not need the information for a specific purpose, you have the right to request that we restrict the processing of such personal data. You also have the possibility to request that we stop processing your personal data while we assess your request. If you object to our processing per your right described directly below, you may also request us to restrict processing of that personal data while we make our assessment.
Right to object. You have the right to object to the processing of your personal data which is based on our legitimate interest (Article 6(1)(f) GDPR), by referencing your personal circumstances. If we cannot demonstrate compelling and legitimate grounds to continue processing the personal data, we must cease the processing. You can also always object to our processing of your personal data for direct marketing purposes. If you do so, we will turn off marketing for you, and stop sending it to you.
Right to be forgotten. In some cases, you have the right to have us delete personal data about you. For example, you can request us to delete personal data that we (i) no longer need for the purpose it was collected for, or (ii) process based on your consent and you revoke your consent. There are situations where Legora is unable to delete your data, for example, when the data is still necessary to process for the purpose for which the data was collected, Legora’s interest to process the data overrides your interest in having them deleted, or because we have a legal obligation to keep it.
Right to transfer your personal data (data portability). If we process your personal data to fulfill a contract or on the basis of your consent, you may, in certain cases, be able to obtain the personal data for use elsewhere, e.g. by obtaining a copy of it in a machine-readable format and transmitting it to another data controller.
Right to withdraw consent. In those cases where we process your personal data based on your consent, you have the right to withdraw your consent at any time. When you withdraw your consent, we will stop any processing of personal data which is based on your consent.
Right to lodge a complaint. If you have objections or concerns about how we process your personal data, you have the right to contact, or lodge a complaint with, the relevant authority for privacy protection, which is the supervisory authority for our personal data processing.
To exercise your rights, please contact us at any time. We reserve the right to limit our facilitating such requests to that which is required by applicable law.
In order to protect your personal data from unauthorized access or deletion, we may require you to verify your identity before we will process any request to know or delete personal data. If we cannot verify your identity (and, where applicable, proof of residency) to our satisfaction, we will not provide or delete your personal data. You may submit a request to exercise your rights through an authorized agent. Such an agent must present signed written authority to act on your behalf and must be able to verify your identity (and, where applicable, proof of residency) to our satisfaction.
Rest assured that we will not discriminate against you for making any such request. Your right to access and delete your personal data is important to us, and we will take reasonable steps to verify and process your request promptly.
Please be aware that even if we delete your personal data, certain residual data may still remain in our backups or archives for a limited period in accordance with our data retention policies and applicable laws.
If you have any questions or concerns about this process or our data deletion practices, please feel free to contact us.
We take significant and appropriate steps to protect your personal data in an effort toprevent loss, misuse, and unauthorized access, disclosure, alteration and destruction. We use appropriate technical and organizational measures to protect your personal information which may include: physical access controls, encryption, intrusion detection and network monitoring depending on the nature of the information and the scope of processing.
For more information regarding our security measures, please view our Security Policy.
Legora retains your personal information for as long as necessary to fulfill the purposes for which we collected it or longer if that is required under applicable law:
If you are a Legora user covered by a Subscription Agreement between your employer and Legora, we will delete your data in accordance with that Subscription Agreement.
Personal data that Legora is under a legal obligation to retain, for example under anti-money laundering or bookkeeping laws, is retained for the required periods under applicable laws (generally for 5 or 7 years).
Personal data which is not used for the purposes of a contractual relationship or where Legora does not have a legal obligation to retain the data is only retained as long as necessary to fulfil the respective purpose for our data processing (usually 3 months).
More information can be found in the table in Section 3.
In some limited cases, the personal data may need to be stored for a longer period in order for Legora to protect its legal rights. If we don’t have a legal obligation to retain the personal data, we instead have to make an assessment if we may require the personal data in order to protect Legora from legal claims.
Please note that just because we have a legal obligation to store your personal data, this does not mean that we are also permitted to use this data for any other purpose.
When we no longer need your personal data, we will delete it or anonymize it in accordance with our data retention policies and applicable laws, or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.
We may update this Privacy Policy from time to time. When the Privacy Policy is updated, we will post an updated version on this page, unless another type of notice is required by applicable law or contractual agreement. By continuing to use our Online Services or providing us with personal data after we have posted an updated Privacy Policy, or notified you by other means, you consent to the revised Privacy Policy.
If you have any questions about our Privacy Policy or any other privacy related issue, please contact us at privacy@legora.com or via mail.
Controller’s Contact Information:
Legora AB, 559338-6872
Box 7242
103 89 Stockholm
Sweden