Privacy Policy
Last Updated: May 2026
1. Introduction
YourLegalLadder is operated by YourLegalLadder Technologies - FZCO, a free-zone company registered at IFZA Business Park, Dubai Digital Park, PO Box 342001, Dubai Silicon Oasis, Dubai, United Arab Emirates ("we", "us", "our") (as defined in the Terms of Service). We are the data controller for personal information collected through the Service.
We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service.
By using the Service, you consent to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, you must not use the Service.
We process personal data of UK and EEA users in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), and the Data Protection Act 2018, as applicable.
2. Information We Collect
2.1 Information You Provide
We collect information that you provide directly to us. The list below is illustrative and non-exhaustive — we may collect other information you actively choose to give us in connection with a Service feature:
- Account Information: Email address, password (hashed), and account preferences (which may include marketing-communication preferences if and when you opt in)
- Profile Information: Writing samples, legal interests, and practice area preferences
- Application Data: Evidence items, application questions, firm selections, and tracker information
- Payment Information: Payment method details (processed securely through Stripe), billing address, and transaction history
- Communication Data: Messages sent through the Service, support requests, and feedback
2.2 Automatically Collected Information
When you use the Service, we automatically collect certain information, including:
- Usage Data: Pages visited, features used, time spent on the Service, and interaction patterns
- Device Information: IP address, approximate location (derived from IP address), time-zone setting, browser type and version, operating system, device identifiers, and screen resolution
- Log Data: Access times, error logs, and system performance data
- Cookies and Tracking Technologies: See Section 6 for details
2.3 Information from Third Parties
We may receive information about you from third-party services, including:
- Payment Processors: Stripe provides payment status and transaction details
- Analytics Services: Google Analytics 4 provides aggregated usage analytics (only when you have given analytics consent)
- Referral Programs: FirstPromoter provides referral tracking information (only when you have given marketing consent)
3. How we use your information and our legal basis
Under UK GDPR Articles 13 and 14 we have to tell you, for each thing we do with your personal data, (i) the purpose, (ii) the categories of personal data involved, and (iii) the lawful basis we rely on. The legal bases we can rely on are set out in UK GDPR Article 6:
- Contractual necessity (Art. 6(1)(b)) — processing necessary to perform our contract with you, or to take steps at your request before entering into a contract.
- Legitimate interests (Art. 6(1)(f)) — processing necessary for our legitimate interests, except where overridden by your interests or fundamental rights and freedoms. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
- Consent (Art. 6(1)(a)) — processing based on your explicit opt-in, which you can withdraw at any time.
- Legal obligation (Art. 6(1)(c)) — processing necessary for us to comply with the law.
The table below maps each of our processing purposes to the categories of personal data involved and the legal basis we rely on. The list is illustrative and non-exhaustive; we will update it when we add or materially change a feature that processes your personal data.
| Purpose | Data we use | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Creating and managing your account, providing the AI-powered tools (TC Application Copilot, TC Rejection Reviewer, SQE study features), processing payments and subscriptions, delivering firm intelligence, enabling application tracking, and personalising your experience based on your saved preferences. | Account information, profile information, application data, payment information, usage data. | Contractual necessity — performing our contract with you. |
| Mentoring sessions and document reviews when you book a mentor, including in-app messaging and the transfer of files you upload to the mentor you have engaged. | Account information, profile information, mentor messages, uploaded documents. | Contractual necessity — performing the mentoring service you booked. |
| AI processing of your application content to generate outlines, rejection-reviewer feedback, and L.U.M.P. tutor responses. This involves profiling within the meaning of UK GDPR Art. 4(4) but does not produce solely-automated decisions that have legal or similarly significant effects on you within the meaning of Art. 22 — you review, edit, and submit any output yourself. Full details of what is sent to AI providers and the safeguards we apply are in our AI Transparency Statement. | Application data, profile information, communication data with the L.U.M.P. AI tutor. | Contractual necessity — you actively request the AI feature each time. |
| Sending you service notifications (e.g. payment receipts, mentoring booking confirmations, security alerts, password resets) and responding to your support requests. | Account information, communication data. | Contractual necessity. |
| Sending you marketing emails, our weekly digest, and product-update or feedback-request emails outside the soft opt-in for similar products under PECR Reg 22(3). | Account information, marketing-communication preferences. | Consent — only with your explicit opt-in; you can withdraw at any time without affecting prior lawfulness. |
| Improving the Service, analysing aggregated usage patterns, developing new features, monitoring service performance, and abuse-monitoring. | Usage data, log data, device information. | Legitimate interests — subject to the balancing test set out above. |
| Preventing fraud, securing the Service, investigating breaches of these Terms or the Mentoring Terms, and protecting our rights, our users, and our staff. | Any of the categories above, as relevant to the matter under investigation. | Legitimate interests and, where applicable, legal obligation. |
| Complying with applicable laws, regulations, court orders, and lawful requests from regulators (including responses to data subject requests, ICO enquiries, and tax authorities). | Any of the categories above, as relevant. | Legal obligation. |
Where we rely on consent (for example, marketing communications), you can withdraw that consent at any time through your account settings or by contacting us. Withdrawing consent does not affect the lawfulness of any processing carried out before the withdrawal.
4. Information Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
4.1 Service Providers
We share information with sub-processors (as defined in our sub-processors page) who help us operate the Service, including payment processing, cloud hosting, AI generation, file storage, transactional email, analytics (consent-gated), and referral tracking (consent-gated).
A current and detailed list, with the data categories, country of processing, transfer mechanism, and link to each provider's privacy notice, is maintained on our Sub-processors page. We keep that list separate from this Privacy Policy so that adding or replacing a sub-processor does not require you to re-accept this policy.
Sub-processors are contractually obligated under data-processing addenda to protect your information, use it only for the purposes we specify, and apply appropriate safeguards (such as EU Standard Contractual Clauses or the UK IDTA) for international transfers.
4.2 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
4.3 Legal Requirements
We may disclose your information if required by law or in response to valid legal requests, including:
- Court orders, subpoenas, or other legal processes
- Government or regulatory requests
- To protect our rights, property, or safety
- To prevent fraud or abuse
4.4 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so. In particular, when you book a mentor through the platform you give us your explicit consent to share with that mentor the personal data necessary for them to provide the mentoring service you have booked (including your name, email, application content you have shared, and any documents you upload for review).
5. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure password hashing (bcrypt)
- Regular security assessments and updates
- Access controls and authentication
- Secure hosting infrastructure
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (including local and session storage) to collect and store information about your use of the Service. Strictly necessary cookies run by default; analytics and marketing cookies are only set if you give consent via our cookie banner.
For a full list of the cookies we use, including their names, providers, purposes, and durations, and to manage your preferences at any time, please see our Cookie Policy.
7. Data Retention
We retain your personal information for as long as necessary to:
- Provide the Service to you
- Comply with legal obligations
- Resolve disputes and enforce agreements
- Maintain security and prevent fraud
When you delete your account, we will delete or anonymise your personal information within 30 days from the date termination takes effect, except where we are required to retain it for legal or legitimate business purposes.
8. Your Rights (UK GDPR)
Under UK GDPR, you have the following rights regarding your personal data:
8.1 Right of Access
You have the right to request a copy of the personal information we hold about you.
8.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete information, though we may need to verify the accuracy of the new data you provide to us.
8.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal information where there is no good reason for us continuing to process it, subject to certain exceptions (e.g., legal obligations). You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see 8.6 below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.
8.4 Right to Restrict Processing
You have the right to ask us to restrict the use of your personal information in any of the following circumstances (under UK GDPR Article 18):
- You contest the accuracy of the data — we restrict use while we verify it;
- The processing is unlawful but you do not want the data erased (you ask for restriction instead);
- We no longer need the data, but you need us to keep it for a legal claim; or
- You have objected to processing under section 8.6 below, pending verification of whether our compelling legitimate grounds override your objection.
8.5 Right to Data Portability
You have the right to receive your personal information in a structured, commonly used format and to transmit it to another service. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
8.6 Right to Object
You have the right to object to processing of your personal information for direct marketing purposes or where we are relying on legitimate interests as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
8.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have violated your data protection rights. Visit ico.org.uk for more information. However, before doing so please make sure you have first made your complaint to us or asked us for clarification if there is something you do not understand. The ICO will expect you to have done this before reviewing your complaint.
To lodge a complaint with us, please contact us at help@yourlegalladder.com. We will respond within one month.
9. International Data Transfers
Your information may be transferred to and processed in countries outside the UK and European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place, such as:
- The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the European Commission’s Standard Contractual Clauses, depending on the sub-processor. To obtain a copy of these contractual safeguards, please contact us at help@yourlegalladder.com.
- Adequacy decisions by the UK government, where the recipient country has been recognised as providing an adequate level of protection.
- Other legally recognised transfer mechanisms.
10. UK Representative (UK GDPR Article 27)
Because YourLegalLadder Technologies - FZCO is established outside the UK but offers services to data subjects in the UK, we have appointed a UK Representative under Article 27 of the UK GDPR. The UK Representative is the contact point in the UK for the Information Commissioner's Office and for data subjects on all matters relating to the processing of personal data described in this Privacy Policy.
UK Representative: Hollie Gould
Email: help@yourlegalladder.com (please mark your message for the attention of the UK Representative)
Postal address: available on written request to the email address above.
You can contact the UK Representative directly using these details, or you can continue to contact us using the contact details in section 13 below; we will route your enquiry appropriately.
11. Age requirement and children's privacy
The Service is intended for individuals aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from someone under 18, please contact us immediately at help@yourlegalladder.com and we will delete it.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email or through a prominent notice on the platform. The "Last Updated" date at the top of this page indicates when the Privacy Policy was last revised.
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Data Controller: YourLegalLadder Technologies - FZCO
Registered Address: IFZA Business Park, Dubai Digital Park, PO Box 342001, Dubai Silicon Oasis, Dubai, United Arab Emirates
Email: help@yourlegalladder.com
Data Protection Queries: help@yourlegalladder.com
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.