We keep your data secure
Legal matters involve some of life's most sensitive information. We take that responsibility seriously.
Your story is not AI training data
Our AI services are governed by commercial terms and data-processing agreements. Model providers are contractually barred from using your content to train their models.
We minimise what we send and use provider retention controls and contractual safeguards.
Encrypted at every step
Everything you share travels over TLS and is stored encrypted (AES-256). Uploaded documents live in private storage that is only reachable through signed, expiring links.
Passwords are hashed, never stored in plain text, and checked against known breaches using k-anonymity, so neither your password nor your identity is shared.
You control who sees what
Access is role-based and limited to people who need it to support your matter. Administrative access is restricted and logged.
You can remove invited members from a matter. Partner and Remedy staff access is limited by role and purpose.
Where we stand
UK GDPR
We are UK-based and handle personal data under UK GDPR, with the ICO as our regulator.
ICO registered
Registered with the Information Commissioner's Office, registration reference ZC031343.
Cyber Essentials
Independently assessed and certified under the NCSC's Cyber Essentials scheme.
CASA Tier 2
Independently security-assessed to Google's CASA Tier 2 standard for handling connected-email data.
Our sub-processors
It takes a village to provide a world-class service. Here's ours, last updated 15 July 2026.
| Provider | What they do | Where |
|---|---|---|
| AI model provider | United States | |
| AI model provider | EU where available | |
| File storage | Google Cloud, private bucket | |
| Database | United Kingdom (AWS London) | |
| Email access, only if you connect an inbox | Global (Google) | |
| Address autocomplete | Global (Google) | |
| SMS and WhatsApp messaging | United States | |
| Transactional email | United States | |
| Web search | United States | |
| Web browsing for research | United States | |
| Product analytics | EU (Frankfurt) | |
| Bot and abuse prevention | Global edge network | |
| API hosting | EU (Netherlands) | |
| Website and app hosting | Global edge network | |
| Invoicing and payments | United States / EU | |
| Scheduling calls | United States | |
| Internal operations alerts | United States |
Signing in with Google or Apple
When you use social sign-in, Google or Apple confirm who you are and share your name and email with us. They act under their own terms, not as our processors.
Partner organisations
When you choose to involve a partner, such as a law firm taking on your case, they receive the relevant matter content under a data-sharing agreement and handle it under their own regulatory duties.
Breached-password checks
Passwords are checked against known breaches using k-anonymity (HaveIBeenPwned): only the first five characters of a hash leave our systems, never your password and never who you are.
Most account, matter, document, and conversation data is kept while your account is active and deleted through our erasure process when you close it. Encrypted backups are overwritten on a rolling cycle, and some records may be kept longer where the law requires.
Request account deletion from the app settings, or email legal@remedylegal.ai. When we action the request, we erase your account and its associated records through our erasure process; some data may remain briefly in encrypted backups or be retained where the law requires.
You can access much of your data within the app. For a formal copy, email legal@remedylegal.ai and we'll respond within one calendar month, normally free of charge.
Our primary database is hosted in the United Kingdom. Some providers process data in the EU or United States; where they do, a UK transfer safeguard is in place. The public register above lists our sub-processors and their processing locations.
We never sell personal data or allow AI providers to train models on it. If you arrive through one of our ads and create an account, we may send that platform its own click ID, the conversion time, and an opaque deduplication reference; we never send your contact details or matter content for advertising measurement. Where a claim is offered to a partner law firm, we obtain consent where required.
The full pack: our DPIA, retention schedule, appropriate policy document, sub-processor register, and security architecture. Email legal@remedylegal.ai and we will send it over.
Seen something that doesn't look right?
Security researchers, users, and anyone else: if you have a concern about how we handle data, or want to disclose a vulnerability, we want to hear it. Every message to this address is read.
