Privacy Notice
How legal.avantwerk.co.uk processes personal data. UK GDPR Art. 13 + Art. 14 information obligation. Data Protection Act 2018.
1. Who is the controller?
The controller of personal data processed in connection with the Avantwerk Legal AI service is:
Bennovate spółka z ograniczoną odpowiedzialnością
ul. Christiana Andersena 25, 94-118 Łódź, Poland
KRS: 0000597272 · NIP: 7272799328 · REGON: 363700466
Registered at the District Court for Łódź-Śródmieście, XX Commercial Division of the National Court Register
Date of registration: 10 February 2016
Share capital: PLN 5,000, fully paid
Operating in the United Kingdom under the trading name Avantwerk Legal AI.
Email: legal@avantwerk.com · Phone: +44 7728 420038
(the "Controller", "we", "us", "our")
2. Data Protection Officer
We have appointed a Data Protection Officer (DPO) who can be contacted on any matter relating to the processing of personal data or the exercise of data-subject rights:
Email: dpo@avantwerk.com
Contacting the DPO is not a prerequisite for exercising your data-subject rights. Rights requests may be made directly using the procedure in Section 11.
3. Who does this notice apply to?
This Privacy Notice, given in accordance with UK GDPR Art. 13 (information provided at the time personal data are collected) and Art. 14 (information provided where personal data are not obtained directly from the data subject), applies to personal data relating to:
- Firm contacts — individuals who register a trial account, subscribe to the Service, or are named billing or technical contacts for a subscribing firm;
- Fee-earners and solicitors — individuals at a subscribing firm who use the Service under a seat licence;
- Enquirers — individuals who contact us through our website, email or phone with a query or for information about the Service; and
- Prospective customers — individuals who receive marketing communications from us about the Service.
What this notice does not cover. The processing of client data and Matter Content by the Customer in the course of the Customer's legal practice is the Customer's own responsibility as controller. Matter Content stays on the Customer's own device and disk (Local-First Architecture). We are not a controller or processor of Matter Content or of the end-clients of the subscribing firm.
4. What personal data do we process?
We process only the personal data we need to operate the Service and to fulfil our legal and contractual obligations. We do not process Matter Content (see Section 10).
| Category | Examples | Source |
|---|---|---|
| Account identity | First and last name, professional title, SRA number, firm name | Provided by you at sign-up |
| Contact details | Work email, phone, postal address | Provided by you at sign-up or correspondence |
| Billing data | Billing contact name, invoice address, payment confirmation records (card data processed by payment processor) | Provided at subscription |
| Service-usage data | Login timestamps, feature interactions, audit-trail events | Generated automatically |
| Technical data | IP address, browser, device, operating system | Generated automatically |
| Communications | Emails, support tickets, correspondence | Provided by you |
| Marketing preferences | Opt-in or opt-out status for marketing emails | Provided by you |
We do not process special-category data (UK GDPR Art. 9) as part of the Service unless you voluntarily disclose such data in a support message, in which case we process it only to the extent necessary to respond.
5. Why do we process your data and on what legal basis?
5.1 Performance of contract — UK GDPR Art. 6(1)(b)
We process account identity, contact details, billing data and service-usage data to: (a) set up and manage your account; (b) provide access to the Service under the subscription; (c) issue invoices and collect payment; (d) provide customer support.
Retention: Duration of subscription + 6 years (Limitation Act 1980 s.5).
5.2 Compliance with a legal obligation — UK GDPR Art. 6(1)(c)
We process invoicing data, transaction records and certain security logs to comply with: (a) accounting and tax obligations under applicable law (UK and Polish); (b) anti-money-laundering obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017; (c) obligations to assist data subjects and the ICO.
Retention: Financial and tax records — 6 years from the end of the relevant financial year. Security logs — 90 days routine; longer if related to a confirmed incident.
5.3 Legitimate interests — UK GDPR Art. 6(1)(f)
We process technical data (IP addresses, browser information) and service-usage data for legitimate interests: (a) maintaining security, integrity and availability of the Service; (b) detecting and preventing fraud and unauthorised access; (c) improving the Service through anonymised aggregated usage analysis. We have carried out a Legitimate Interests Assessment (LIA).
Retention: Technical data — 90 days, except where retained longer for active security investigation.
5.4 Consent — UK GDPR Art. 6(1)(a)
Where you have given consent, we process: (a) your email address for marketing communications (subject to the PECR reg. 22(3) soft opt-in for existing business contacts); (b) any additional personal data you voluntarily provide in surveys or feedback.
Consent can be withdrawn at any time via the unsubscribe link or by writing to dpo@avantwerk.com.
Retention of consent records: 3 years from consent or withdrawal.
6. Cookies and tracking technologies
Our use of cookies is governed by PECR reg. 6 and UK GDPR Art. 6. Full details in our Cookies Policy. Strictly necessary cookies do not require consent. All other cookies require prior, freely given, specific and informed consent.
7. Who receives your personal data?
We share personal data only where necessary and on an appropriate legal basis. Transfers to third parties are subject to written data-processing agreements as required by UK GDPR Art. 28.
| Recipient | Role | Jurisdiction | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | VPS hosting (web application) | Germany (EU/EEA) | UK adequacy regulations |
| CRM provider (category) | Customer relationship management | USA | UK Addendum / IDTA |
| Payment processor | Subscription payments | USA | UK Addendum / IDTA |
| Transactional email provider | Account / invoice emails | USA | UK Addendum / IDTA |
| Self-hosted e-signing platform | Engagement letters & DPAs at onboarding | Germany (our VPS) | Not a third-party transfer |
| ICO | Supervisory authority | UK | N/A (domestic) |
We may also disclose personal data to: courts, regulators and law-enforcement authorities where required by law; and to professional advisers under duties of confidentiality.
Note on the AI Provider. We do not receive, transmit or process Matter Content on the Customer's behalf. When the Customer activates the bring-your-own-key (BYOK) feature and submits matter extracts to their chosen AI Provider, that processing takes place under the Customer's own relationship with the AI Provider. The AI Provider is the Customer's own processor — not Bennovate's sub-processor. See the AI Addendum at the end of this Privacy Notice.
8. International transfers
Where we transfer personal data to countries outside the United Kingdom, we do so under one of the following mechanisms recognised under UK GDPR Chapter V:
- Adequacy regulations — transfers to EEA countries and other adequate countries (UK GDPR Art. 45);
- International Data Transfer Agreement (IDTA) — the UK's own standard contractual clauses mechanism, published by the ICO and approved under s.119A of the Data Protection Act 2018, used for transfers to the USA;
- UK Addendum to EU Standard Contractual Clauses — the UK International Data Transfer Addendum issued by the ICO where the counterparty has existing EU SCCs.
9. Retention — summary table
| Category | Retention period | Legal basis |
|---|---|---|
| Account and contract data | Subscription + 6 years | Limitation Act 1980 s.5; Art. 6(1)(b) + (c) |
| Invoicing and financial records | 6 years from end of relevant financial year | HMRC; Art. 6(1)(c) |
| Security logs (routine) | 90 days | Legitimate interests; Art. 6(1)(f) |
| Security logs (incident-related) | Until incident closed + claim period | Legitimate interests |
| Marketing consent records | 3 years from consent or withdrawal | Accountability; Art. 5(2) |
| Trial data (non-converting) | 30 days from Trial expiry | Art. 6(1)(b) |
10. Our local-first architecture — what we do not hold
The Service is designed so that Matter Content (client files, privileged documents, correspondence, court papers and other legal work product) remains on the Customer's own device and disk. Matter Content does not pass through Bennovate's servers. Accordingly:
- we are not a controller or processor of Matter Content;
- the Data Processing Agreement does not cover Matter Content because we never have possession of it;
- the Customer holds any personal data within Matter Content as controller, subject to its own professional and data-protection obligations; and
- loss of or unauthorised access to Matter Content is outside Bennovate's data-protection responsibility — the Customer is responsible for security on the Customer's own device and storage.
This is a structural privacy-by-design measure under UK GDPR Art. 25.
11. Your data-subject rights
Under UK GDPR Chapter III you have the following rights:
| Right | Statutory basis | What it means |
|---|---|---|
| Right of access | Art. 15 | Request a copy of your personal data. Response within one month. |
| Right to rectification | Art. 16 | Correct inaccurate personal data. |
| Right to erasure | Art. 17 | Delete your data where no lawful basis for continued processing (subject to legal retention). |
| Right to restriction | Art. 18 | Restrict processing in certain circumstances. |
| Right to data portability | Art. 20 | Receive your data in a structured, commonly used, machine-readable format. |
| Right to object | Art. 21 | Object to processing based on legitimate interests. |
| Rights re: automated decision-making | Art. 22 | We do not use solely automated decision-making with legal effects. AI outputs always require HITL review. |
| Right to withdraw consent | Art. 7(3) | Withdraw consent at any time; does not affect prior lawfulness. |
How to exercise your rights: Submit a written request to dpo@avantwerk.com. We respond within one calendar month. We may need to verify your identity. No charge for a first request within a 12-month period.
12. Right to complain to the ICO
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (UK GDPR Art. 77):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
ico.org.uk
You also have the right to an effective judicial remedy under UK GDPR Art. 79.
We would welcome the opportunity to address any concern before you contact the ICO — please contact us first at dpo@avantwerk.com.
13. Security
We implement technical and organisational measures to protect personal data under UK GDPR Art. 32:
- TLS 1.2/1.3 encryption in transit; HSTS preloading;
- BYOK key encryption at rest in browser IndexedDB;
- Server-side access controls and audit logging on account data;
- fail2ban brute-force protection;
- Regular dependency auditing and vulnerability scanning.
14. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. Material changes will be notified to registered users by email at least 30 days before they take effect.
AI Addendum — BYOK Architecture
A.1 The BYOK model
Avantwerk Legal AI is built on a "Bring Your Own Key" (BYOK) architecture. When the Customer enables AI-assisted analysis, the Customer provides their own API key to a third-party AI provider of their choice. That key is encrypted in the Customer's browser and is never transmitted to or stored on Bennovate's servers. Token usage under the Customer's key is billed to the Customer directly by their chosen AI Provider under the Customer's own agreement; it is not billed, marked up or intermediated by Bennovate.
A.2 Who processes matter content when AI is enabled?
When the Customer submits matter extracts to their chosen AI Provider:
- the Customer acts as controller of the personal data contained in the submission;
- the AI Provider acts as the Customer's own processor under the Customer's own agreement with that AI Provider;
- Bennovate is not a controller or processor of that matter-content submission — we never receive it;
- the Customer's UK GDPR obligations in respect of that processing are the Customer's sole responsibility.
A.3 Egress gate
The Service includes a technical egress gate that anonymises content before it leaves the Customer's browser. The completeness of that anonymisation depends on the matter content. The Customer must not rely on the egress gate as a substitute for the Customer's own professional judgment.
A.4 Customer's data-protection checklist for BYOK
Before enabling BYOK, the Customer should: (a) review the AI Provider's data-processing terms; (b) ensure a written controller-processor agreement is in place with the AI Provider; (c) assess whether the use requires a DPIA under UK GDPR Art. 35; (d) consider whether client consent or notification is required under professional obligations; (e) assess cross-border transfer implications.
A.5 No Bennovate sub-processor relationship for AI
Because matter content never passes through Bennovate's infrastructure, the AI Provider is not listed as a Bennovate sub-processor in our sub-processor register. The AI Provider relationship is the Customer's own.
A.6 AI outputs and the lawyer-model
Every AI-generated output produced by the Service is a draft that requires HITL review by a qualified, SRA-admitted solicitor before use. The Customer must not treat any AI-generated output as authoritative legal analysis. Consistent with SRA guidance on AI in legal practice, the decision-making role remains with the qualified human professional at all times.