Privacy Policy

How we collect, use, and protect your personal information.

Effective: 2 April 2026 | Last updated: 2 April 2026

1. Who We Are

LawlinQ is a legal technology platform operated by LawlinQ Pty Ltd (ABN pending), a Queensland-registered company. LawlinQ provides practice management tools for Queensland criminal lawyers, including court list matching, client management, calendar synchronisation, document generation, and a town agency network for coordinating town agency requests.

For the purposes of the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), LawlinQ Pty Ltd is the entity responsible for handling your personal information through the LawlinQ platform.

This policy applies to all personal information collected through the LawlinQ platform, our website, and any related communications. It does not apply to third-party websites or services linked from our platform, which are governed by their own privacy policies.

If you have questions about this policy or your personal information, please see the Contact Us section below.

2. Information We Collect

We collect personal information that is reasonably necessary for us to provide the LawlinQ platform and related services. We collect information directly from you when you register, use the platform, or contact us.

Account Information

  • Name, title, email address, phone number
  • Law firm or chambers name and business address
  • Website (optional)
  • Password (stored as a salted hash, never in plain text)

Client & Matter Data

  • Client names, dates of birth, and contact details that you enter into the system
  • Court dates, charges, court locations, and matter reference numbers
  • Court events, task notes, and file attachments you upload

Town Agency Network Data

  • Agency requests, availability preferences, and town agency history
  • Outcome reports and agency correspondence
  • Messages exchanged with other practitioners through in-app chat
  • AI-generated content: If you opt in to AI features, we generate plain-English outcome summaries and pre-court briefings using your client names, charge descriptions, and court details. These summaries are stored alongside the corresponding outcome reports and requests.

Calendar Data

  • If you connect your Outlook or Google calendar, we access calendar events to synchronise court dates. We store OAuth tokens (encrypted) and calendar event mappings.

Data from Public Sources

  • Court list data published by Queensland courts, which may contain defendant names, charges, and court appearances. This data is used for court list matching and is sourced from publicly available government publications.

Derived Data

  • Smart match results generated by matching your client records against published court lists
  • Aggregated usage statistics and platform analytics derived from your activity

Technical & Usage Data

  • IP address, browser type, and device information (collected in access logs)
  • Session data including login times and activity timestamps
  • Notification preferences and platform settings

Payment Information

Subscription payments are processed by Stripe. We do not store your credit card number. Stripe handles all payment card data under their own privacy policy. We receive and store your Stripe customer ID and subscription status for account management purposes.

4. How We Use Your Information

We use your personal information for the following purposes:

  • Providing the service: Account authentication, court list matching, client management, calendar sync, task tracking, and document generation
  • Town agency network: Matching practitioners for town agency assistance based on location, availability, and preferences
  • AI-powered features (opt-in): If you enable AI features in your Town Agency preferences, client names and charge details from outcome reports and assistance requests are sent to Anthropic’s Claude API to generate plain-English summaries and pre-court briefings. These features are disabled by default and require your explicit consent. You can disable them at any time without losing access to any core functionality.
  • Communications: Sending transactional emails (verification codes, password resets, security notifications, agency updates) via our email service provider
  • Security: Protecting your account through two-factor authentication, session management, and monitoring for unauthorised access
  • Improving the platform: Aggregated, de-identified usage data to understand how the platform is used and where to improve
  • Legal obligations: Complying with applicable laws, regulations, or court orders

We will not use your personal information for direct marketing without your consent. We do not sell personal information to third parties. We do not use personal information for profiling, credit scoring, or automated decision-making that produces legal or similarly significant effects on you.

5. Disclosure of Your Information

We may disclose your personal information in the following circumstances:

  • Town agency network participants: When you use the town agency network, limited information (your name, firm, and relevant court date details) is shared with other practitioners to facilitate town agency arrangements. You control your visibility through your agency preferences.
  • Service providers: We use third-party services to operate the platform (see Cross-Border Data Transfers below). These providers process data on our behalf under contractual obligations to protect your information.
  • Legal requirements: We may disclose information where required or authorised by law, including to law enforcement agencies, courts, or regulators.
  • Business transfer: If LawlinQ Pty Ltd is acquired, merges with another entity, or sells all or substantially all of its assets, your personal information may be transferred to the successor entity. We will notify you of any such transfer and any changes to this policy.

We do not disclose your client data to other practitioners. Client and matter information you enter is visible only to you unless you explicitly share it through town agency requests. If you opt in to AI features, limited client data (names and charge descriptions) is processed by Anthropic’s Claude API to generate summaries and briefings — see Cross-Border Data Transfers for details.

6. Cross-Border Data Transfers

In accordance with APP 8, we disclose below the countries where your personal information may be processed by our service providers. We take reasonable steps to ensure these providers comply with the APPs or are subject to substantially similar privacy protections.

Service | Purpose | Data Location | Data Processed
MongoDB Atlas | Primary database | Sydney, Australia (ap-southeast-2) | All application data (accounts, clients, court dates, messages)
Application Hosting | Web application server | Australia | All data processed through the platform during active use
Brevo (SendinBlue) | Transactional email delivery | France / European Union | Email addresses, email content (verification codes, notifications, agency updates)
Stripe | Payment processing | United States | Name, email, payment card details, subscription status
Microsoft Azure | Outlook calendar sync (optional) | United States / Global | OAuth tokens, calendar event titles and dates (only if you connect your calendar)
Google Cloud | Google Calendar sync (optional) | United States / Global | OAuth tokens, calendar event titles and dates (only if you connect your calendar)
Anthropic (Claude API) | AI-powered summaries and briefings (optional) | United States | Client names, charge descriptions, court details, and outcome data (only if you enable AI features in Town Agency preferences)

Your primary application data (client records, court dates, messages, and account information) is stored in MongoDB Atlas in the Sydney, Australia region. Calendar synchronisation and AI features are optional and only activated when you explicitly enable them.

7. Data Security

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

  • Encryption in transit: All data in transit is encrypted via TLS/HTTPS. Database connections use encrypted channels.
  • Encryption at rest: Database storage is encrypted at rest using AES-256 encryption provided by our database infrastructure.
  • Password security: Passwords are hashed using industry-standard algorithms (never stored in plain text). Strong password requirements enforce a minimum of 12 characters with mixed case, digits, and special characters.
  • Authentication: Optional two-factor authentication (TOTP) with backup codes. Configurable session timeouts.
  • Access controls: Role-based access ensures users only see their own data. Administrative functions are restricted to authorised personnel. All employees and contractors with access to personal information are bound by confidentiality obligations.
  • Session management: Sessions are stored securely with automatic expiry. Users can view active sessions and terminate them individually or all at once. Security events (password changes, new logins, 2FA changes) trigger email notifications.
  • Infrastructure: Security headers (Content-Security-Policy, HSTS, X-Frame-Options) are enforced on all responses. CSRF protection is enabled on all forms. Rate limiting is applied to authentication endpoints.

No system is completely secure. While we implement industry-standard safeguards, we cannot guarantee absolute security. We encourage you to use a strong, unique password and to enable two-factor authentication.

8. Data Retention

We retain your personal information only for as long as is reasonably necessary for the purposes described in this policy, or as required by law. The following retention periods apply:

Data Type | Retention Period
Account information | Life of account + 90-day grace period after deactivation
Client & matter data | Life of account (deleted on account closure)
Chat messages & agency data (shared) | De-identified on account closure; retained for other participants
Access & security logs | 90 days
Transactional email records | 12 months
Payment & billing records | 7 years (Australian tax requirements)
Verification codes | 15 minutes (auto-expire)
OAuth tokens (calendar) | Until disconnected or account closure

When data is no longer required, it is permanently deleted or irreversibly anonymised so that it can no longer be used to identify you. Anonymised data may be retained indefinitely for statistical and analytical purposes.

9. Data Breach Notification

In the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and no later than 30 days after becoming aware of the breach, in accordance with Part IIIC of the Privacy Act 1988 (the Notifiable Data Breaches scheme)
  • Notify affected individuals as soon as practicable, providing a description of the breach, the types of information involved, and recommended steps to mitigate potential harm
  • Take reasonable steps to contain the breach and reduce any resulting harm

We maintain incident response procedures to ensure breaches are identified, assessed, and responded to promptly.

10. Your Rights

Under the Australian Privacy Principles, you have the following rights in relation to your personal information:

  • Access: You can view and download your personal information at any time through Settings > Security using the Download My Data feature, which exports your profile, clients, court dates, events, tasks, assistance requests, notifications, and activity history in a machine-readable format (JSON).
  • Correction: You can correct your profile information (name, email, phone, firm details) at any time through the Settings page. If you believe any other information we hold about you is inaccurate, contact us and we will take reasonable steps to correct it (APPs 12 and 13).
  • Data export: You can export all your data at any time while your account is active, and for 30 days following account deactivation.
  • Withdraw consent: You can disable optional features (calendar sync, AI summaries, town agency participation) at any time without affecting core functionality. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
  • Account deletion: You can deactivate your account at any time through Settings > Security. See Account Deactivation for details on what happens to your data.
  • Complaint: You have the right to lodge a complaint with us or with the Office of the Australian Information Commissioner.

Formal Access Requests

If you require access to personal information not available through the platform, you may submit a written request to us. We will respond within 30 days. We may need to verify your identity before providing access. Access may be refused in limited circumstances permitted by the Privacy Act (e.g., legal professional privilege).

11. Account Deactivation

You can deactivate your account at any time through Settings > Security. We recommend downloading your data before deactivating.

What Happens When You Deactivate

  • Your account is immediately locked and you cannot log in
  • OAuth tokens, 2FA secrets, and active sessions are cleared
  • A security notification email is sent confirming the deactivation
  • Your data enters a 90-day grace period during which you can contact us to reactivate

After 90 Days

  • Sole-party data is permanently deleted: clients, court dates, court events, tasks, notifications, calendar mappings, smart matches, files, and subscription records
  • Shared data is de-identified: Town agency requests, outcome reports, agency emails, chat messages, and activity logs are retained with your personal details replaced by a "Deactivated User" placeholder to maintain data integrity for other participants
  • Your user account document is permanently deleted

This process runs automatically. Once completed, deletion is irreversible.

12. Cookies & Local Storage

LawlinQ uses cookies and browser storage strictly for platform functionality. We do not use tracking cookies, advertising cookies, or third-party analytics. We do not respond to "Do Not Track" browser signals because we do not engage in cross-site tracking.

  • Session cookie: A secure, HTTP-only cookie that identifies your authenticated session. Expires based on your configured session timeout (default 30 days).
  • CSRF token: A security token embedded in pages to prevent cross-site request forgery attacks. Generated per-session.
  • Trusted device token: If you enable "Trust this device" during 2FA login, a secure cookie is set to skip 2FA on that device for 30 days.
  • Local storage: Used for UI preferences such as sidebar state and notification settings. No personal information is stored in local storage.

13. Children's Privacy

The Service is designed for use by legal practitioners and is not directed at persons under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a person under 18 without appropriate consent, we will take steps to delete that information promptly.

14. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will provide at least 30 days' notice to registered users via email and update the effective date at the top of this page.

Minor changes (such as clarifications or formatting updates) may be made without notification. The current version of this policy is always available at /privacy.

15. Contact Us

If you have questions about this privacy policy, wish to make a complaint about our handling of your personal information, or want to exercise your rights under the Privacy Act, please contact us:

LawlinQ Pty Ltd

Privacy Officer

Address: [Address pending]

Email: privacy@lawlinq.com.au

Website: www.lawlinq.com.au

We aim to respond to all privacy enquiries within 14 days. If your enquiry involves a formal access or correction request, we will respond within 30 days as required by the Privacy Act.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).