Privacy Policy
Last updated: 13 March 2026
1. Data Controller
ChronoLaw Ltd is the data controller responsible for your personal data. We are registered in England and Wales and operate exclusively within the United Kingdom.
- Data Protection Officer: privacy@chronolaw.co.uk
- Postal address: ChronoLaw Ltd, 71-75 Shelton Street, London, WC2H 9JQ
This policy applies to all users of the ChronoLaw platform, including account holders, firm administrators, and any individual whose personal data is processed as part of uploaded case documents. It is drafted in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Data We Collect
2.1 Account Data
When you create an account, we collect your name, email address, firm name, and role. If your firm uses single sign-on (SSO), we receive your identity assertion from your identity provider. We also store authentication tokens and session identifiers necessary to keep you signed in securely.
2.2 Case Documents
You upload legal case documents (PDF, DOCX, and XLSX files) to the platform for chronology extraction. These documents may contain special category data, including medical records, witness statements, police reports, and legal correspondence. We process these documents solely to provide the chronology extraction service you have contracted for. Documents are encrypted at rest and isolated per firm at the database level.
2.3 Usage and Technical Data
We collect usage metrics including pages processed, documents uploaded, export counts, and feature interactions. We also collect technical data such as browser type, IP address, and timestamps. This data is used to maintain service quality, prevent abuse, and generate aggregated analytics. We maintain append-only audit logs of all platform actions for security and compliance purposes.
2.4 Billing Data
Payment processing is handled by Stripe. We store your Stripe customer identifier, subscription status, and invoice history. We do not store credit card numbers, CVVs, or full payment card details on our infrastructure. Stripe is a PCI DSS Level 1 certified processor.
2.5 CMS Integration Data
If you choose to connect a case management system (such as Clio), we store encrypted OAuth tokens and synchronisation metadata. We only access CMS data that you explicitly authorise during the connection process.
3. Legal Bases for Processing
We process your personal data under the following legal bases as defined by Article 6 of the UK GDPR:
- Performance of a contract (Article 6(1)(b)): Processing your account data and case documents is necessary to provide the chronology extraction service under your subscription agreement. This includes document upload, AI-powered extraction, chronology generation, and export.
- Legitimate interests (Article 6(1)(f)): We process usage and technical data to maintain platform security, detect and prevent fraud, improve service reliability, and generate aggregated usage analytics. We have conducted a legitimate interest assessment and concluded that these interests do not override your rights and freedoms.
- Legal obligation (Article 6(1)(c)): We retain audit logs and certain transaction records to comply with applicable legal, regulatory, and professional obligations.
- Consent (Article 6(1)(a)): Where we rely on consent (for example, optional CMS integrations or marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
3.1 Special Category Data
Case documents may contain special category data (health records, criminal offence data). We process this data under Article 9(2)(f) of the UK GDPR (establishment, exercise, or defence of legal claims) and under Schedule 1, Part 1, Paragraph 5 of the Data Protection Act 2018. Your firm, as the data controller of the underlying case files, is responsible for ensuring a lawful basis exists for uploading such data to the platform.
4. How We Use Artificial Intelligence
ChronoLaw uses AI (Anthropic Claude) to extract chronological facts from your documents. We are transparent about how this works:
- Page-level extraction only: Documents are split into individual pages. Only the text content of a single page is sent to the AI model at a time. Full documents are never transmitted as a whole.
- Extraction, not generation: The AI extracts dates, events, and source references that are explicitly stated in the document text. It does not generate legal advice, infer unstated facts, or fill gaps in the record.
- No model training: Your data is never used to train, fine-tune, or improve any AI model. Anthropic's API terms confirm that data sent via their API is not used for model training.
- Confidence scoring: Every extracted entry receives a confidence score. Entries below 30% confidence are automatically excluded. Entries between 30% and 84% are flagged for your manual review. This ensures human oversight of all AI outputs.
- Local embeddings: For in-platform search and case Q&A, we generate text embeddings using locally hosted models (sentence-transformers). No document content leaves UK infrastructure for this purpose.
- OCR processing: Optical character recognition is performed locally using Tesseract. For handwritten or degraded documents where local OCR confidence is below 50%, we use Azure Document Intelligence as a fallback, hosted exclusively in the UK South region.
- Draft outputs: All AI-generated chronologies and documents are clearly marked as drafts for solicitor review. They are not intended to be used as final legal documents without professional oversight.
5. Data Storage and Security
We implement rigorous security measures to protect your data:
- UK-only data residency: All data is stored on infrastructure located within the United Kingdom. We do not transfer personal data outside the UK at any point in the processing pipeline.
- Encryption at rest: All uploaded documents and extracted data are encrypted using AES-256-GCM. Database backups are similarly encrypted.
- Encryption in transit: All data transmitted between your browser and our servers is protected by TLS 1.3 with HSTS enforced. No unencrypted HTTP connections are accepted.
- Row-Level Security: Our PostgreSQL database enforces row-level security policies, ensuring that each firm's data is isolated at the database level. No application-level bug can expose one firm's data to another.
- CMS credential encryption: OAuth tokens for third-party CMS integrations are encrypted with AES-256-GCM before storage and decrypted only at the point of use.
- Append-only audit logs: All user actions are recorded in immutable, append-only audit logs. These logs cannot be modified or deleted, ensuring a complete and tamper-resistant activity trail.
- Session security: Sessions expire after 30 minutes of inactivity. Re-authentication is required for sensitive actions.
6. Third-Party Processors
We use the following third-party sub-processors. Data processing agreements are in place with each. We have verified that all processing occurs within the UK or under adequate safeguards:
| Processor | Purpose | Data Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (VPS, file storage) | UK region |
| Anthropic PBC | AI extraction (page-level text only, no training) | API processing (zero-retention policy) |
| Supabase Inc | Authentication and identity management | EU/UK region |
| Stripe Inc | Payment processing and billing | EEA (UK adequacy decision applies) |
| Microsoft Corporation (Azure) | Handwriting OCR fallback only | UK South region |
| Cloudflare Inc | DNS and DDoS protection | Global edge (metadata only) |
Anthropic processes page-level text content solely for extraction purposes under their API terms, which prohibit use of customer data for model training. Anthropic does not retain API inputs or outputs beyond the duration needed to provide the service.
7. Data Retention
We retain your data for as long as is necessary to fulfil the purposes for which it was collected, subject to the following policies:
- Case documents and chronologies: Retained for the duration you specify, configurable between 1 and 15 years from case closure. You may delete case data at any time through the platform.
- Audit logs: Retained for a minimum of 2 years in append-only format. This is required for regulatory compliance and security investigations.
- Account data: Retained for the duration of your subscription and for 90 days following account closure, after which it is permanently deleted.
- Billing records: Retained for 7 years to comply with HMRC requirements.
- Automated purging: We operate automated data purge processes that permanently delete expired data according to the retention periods above. Deletion is irreversible.
8. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@chronolaw.co.uk. We will respond within one calendar month.
- Right of access (Article 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): You may request deletion of your personal data, subject to our legal obligations to retain certain records (such as audit logs and billing records).
- Right to data portability (Article 20): You may request your data in a structured, commonly used, machine-readable format. Chronologies can be exported as DOCX, XLSX, or PDF at any time through the platform.
- Right to restrict processing (Article 18): You may request that we limit the processing of your personal data in certain circumstances.
- Right to object (Article 21): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Rights related to automated decision-making (Article 22): Our AI extraction produces draft outputs for human review. No legally significant decisions are made solely by automated processing. All chronologies require solicitor verification before use.
9. Cookies
ChronoLaw uses only strictly necessary cookies. We do not use advertising, analytics, or tracking cookies.
- Authentication cookies: Set by Supabase Auth to maintain your authenticated session. These are essential for the service to function and do not require consent under the Privacy and Electronic Communications Regulations 2003 (PECR).
- Security cookies: Used for CSRF protection and session integrity. These are strictly necessary.
We do not display a cookie consent banner because we do not use any cookies that require consent. If we introduce non-essential cookies in the future, we will update this policy and implement appropriate consent mechanisms.
10. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. Where changes are material, we will notify you by email at least 30 days before the changes take effect. The "last updated" date at the top of this page indicates when the policy was most recently revised. Continued use of the platform after the effective date of any changes constitutes acceptance of the updated policy.
11. Contact and Complaints
If you have questions about this policy or wish to exercise your data protection rights, contact us at:
- Email: privacy@chronolaw.co.uk
- Post: Data Protection Officer, ChronoLaw Ltd, 71-75 Shelton Street, London, WC2H 9JQ
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We encourage you to contact us first so that we have the opportunity to address your concern directly.