Privacy Policy

This Privacy Policy describes how Lawly ("we," "our," or "us") collects, uses, and protects your personal information when you use our services. We are committed to protecting your privacy and complying with South Africa's Protection of Personal Information Act (POPIA).

1. Information We Collect

We collect the following types of information:

• Personal Information: Name, email address, and optional company name when you use our document generation services.
• Document Information: Data you provide to generate business documents, such as business details, contract terms, and other relevant information.
• Usage Information: Information about how you interact with our website, including pages visited and features used.
• Verification Information: One-time password (OTP) codes used to verify your identity when accessing your document history.

2. How We Use Your Information

We use your information for the following purposes:

• To provide and maintain our document generation services.
• To generate the business documents you request based on your inputs.
• To communicate with you regarding your document requests and service updates.
• To verify your identity when you access your document history via OTP codes.
• To track your document submission history and provide you with easy access to previously generated documents.
• To improve our services and develop new features.
• To comply with legal obligations, including financial record retention requirements.

3. Use of Artificial Intelligence (AI) Technology

Our service utilizes AI technology to generate business documents. Please be aware of the following:

• AI Processing: The document content you provide is processed using AI services to generate your requested business documents based on South African legal frameworks.
• Data Separation: Your contact information (name, email, company) is kept separate from the data processed by AI services.
• AI Data Handling: Information processed by our AI technology may be subject to the privacy policies of our AI service providers.

4. Data Storage and Security

We implement appropriate security measures to protect your personal information:

• All data is encrypted during transmission using SSL technology.
• We store your information on secure servers with restricted access and use industry-standard security measures.
• We regularly review our information collection, storage, and processing practices.
• Access to personal information is restricted to authorized personnel only.
• Centralized Customer Database: Your contact information (name, email, company) is stored in a secure, centralized customer database to improve service delivery, prevent duplicate records, and provide you with unified access to your document history.
• Audit Trail: Changes to your customer information are logged with timestamps for compliance and data integrity purposes. Audit logs use hash-based validation to minimize long-term storage of personally identifiable information.
• Transaction Integrity: All database operations involving your customer information and document submissions use atomic transactions to ensure data consistency and prevent partial or corrupted records.

5. POPIA Compliance

We comply with South Africa's Protection of Personal Information Act (POPIA):

• We only collect information for legitimate purposes related to our services.
• We process your information lawfully and in a manner compatible with the purpose for which it was collected.
• We implement data minimization practices, storing only the information necessary to provide our services and meet legal obligations.
• We maintain data quality and accuracy through audit trails and customer verification processes.
• You have the right to access, correct, or request deletion (anonymization) of your personal information we hold.
• We implement appropriate safeguards to protect your information from loss, unauthorized access, or disclosure.

6. Data Retention Policy

We retain your personal information in accordance with legal requirements and business needs:

• Customer Information: Your contact details (name, email, company) and document submission history are retained for 7 years from your last activity with our service. This retention period complies with South African Revenue Service (SARS) requirements for financial record retention and enables us to provide you with access to your historical documents.
• Audit Logs: Detailed change history (audit logs) containing personally identifiable information is retained for 90 days. After this period, identifying details are automatically removed while retaining validation hashes for compliance purposes. This approach balances our need to maintain data integrity with POPIA's data minimization principle.
• Automatic Anonymization: After 7 years of inactivity, customer records are automatically anonymized. This means your personal details (name, email, phone, company) are replaced with anonymous identifiers (e.g., "deleted_[ID]@lawly.anonymized") while preserving our legal obligation to maintain financial transaction records for compliance purposes.
• Document Records: Generated documents and associated metadata are retained as part of your customer history for the duration specified above. After anonymization, documents remain accessible by submission ID but are no longer linked to your personal identity.
• OTP Verification Codes: One-time password codes used for accessing your document history expire after 10 minutes and are immediately invalidated after use.

These retention periods ensure we can provide you with access to your document history while complying with South African legal requirements, including SARS financial record retention mandates and POPIA data minimization principles.

7. Data Sharing and Third Parties

We may share your information with:

• Service Providers: Third-party companies that provide services on our behalf, such as AI processing, data storage, and email delivery.
• Payment Processors: Payment gateway providers (PayFast) to process your document generation payments securely.
• Legal Requirements: When required by law or to protect our rights, the rights of others, or to comply with legal processes.

We do not sell your personal information to third parties. All third-party service providers are contractually obligated to protect your information and use it only for the purposes for which it was disclosed.

8. Your Rights Under POPIA

Under the Protection of Personal Information Act (POPIA), you have the following rights:

• Right to Access: You may request access to the personal information we hold about you, including your customer profile, document submission history, and any audit logs containing your information.
• Right to Correction: You may request correction of inaccurate, incomplete, or outdated personal information. We maintain an audit trail of corrections for compliance purposes.
• Right to Erasure (Deletion): You may request deletion of your personal information at any time. Important: Due to legal requirements under South African law (including SARS 7-year financial record retention mandates), we cannot physically delete all records. Instead, we will anonymize your information by:
  • Replacing your name, email, phone, and company name with anonymous identifiers
  • Removing all personally identifiable information from audit logs while retaining validation hashes
  • Preserving financial transaction records and document metadata as required by law
  Anonymization ensures your personal information is no longer identifiable while maintaining our legal compliance obligations. Your documents will remain accessible by submission ID but will no longer be linked to your personal identity.
• Right to Object: You may object to the processing of your information for specific purposes. Note that objecting to processing necessary for service delivery may prevent us from providing our document generation services to you.
• Right to Data Portability: You may request a copy of your personal information in a structured, commonly used, and machine-readable format.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the Information Regulator if you believe your privacy rights have been violated.

To exercise any of these rights, including requesting anonymization of your data, please contact us at privacy@lawly.co.za. We will respond to your request within 30 days as required by POPIA.

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your experience and analyze website traffic. We use the following types of cookies:

• Essential Cookies: Required for the website to function properly, including session management for document submission workflows.
• Analytics Cookies: Help us understand how visitors interact with our website to improve user experience.

You can manage your cookie preferences through your browser settings. Note that disabling essential cookies may affect your ability to use certain features of our website.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or new features. Significant changes include:

• Changes to data retention periods
• New types of personal information collected
• Changes to third-party service providers
• Changes to your rights under this policy

We will notify you of significant changes by posting a notice on our website and updating the "Last Updated" date below. Your continued use of our services after changes are posted constitutes your acceptance of the updated policy.

11. Contact Information

If you have any questions about this Privacy Policy or wish to exercise your rights under POPIA, please contact us at:

12. Information Regulator Contact Details

If you wish to lodge a complaint regarding our handling of your personal information, you may contact the Information Regulator (South Africa):