Privacy Policy
This policy explains what personal data Juris (the "Service") processes, how we use it, who we share it with, and what rights you have.
Data controller
Controller of lawyer (user) data:
- Legal name: Individual Entrepreneur Aleksei Eliseev
- Identification number: 326127221
- Registering authority: LEPL National Agency of Public Registry (Ministry of Justice of Georgia), 03.10.2022
- Legal address: Georgia, City Borjomi, Meskheti Street, N 31g, floor 0, office space N3
- DPO: dpo@juris.ink
- General questions: hello@juris.ink
- Website: juris.ink
Controller of lawyer's clients' data: the lawyer (or their legal entity) using the Service. Juris acts as a processor under the offer agreement.
What we collect
A. About the lawyer (our user)
- Email and name — at registration
- Payment data — handled by PayPal; we store only the subscription identifier
- Google OAuth tokens (Drive, Gmail, Calendar) — encrypted with Fernet AES-128
- Activity logs — IP address, login time, features used
- Notes and drafts created in the Service
B. About the lawyer's clients and their cases
The lawyer uploads case materials. This may include:
- Names, tax IDs of parties to the case
- Texts of statements of claim, defence pleadings, court rulings
- Audio recordings and transcripts of court hearings
- Gmail correspondence linked to a case
- Scans and photographs of documents
- Metadata: case number, court, judge, hearing dates
C. About visitors of the client portal (via share-link)
When a lawyer shares a unique read-only link with a client, we record:
- IP address of the visitor
- User-Agent of the browser
- Time of each view and download
- Which documents were opened
This data is used solely for audit purposes and is accessible only to the lawyer who issued the link.
Purposes of processing
- Providing Service functionality (case management, AI assistant, client share links)
- Processing payments and maintaining subscriptions
- Fraud prevention and abuse protection (rate-limiting, brute-force protection)
- Security (access logs, incident analysis)
- Notifications to the lawyer (email, Telegram) about case events
- Product improvement based on anonymised aggregated statistics
- Compliance with legal requirements (regulator requests, tax reporting)
Legal basis
| Jurisdiction | Applicable law | Basis |
|---|---|---|
| Georgia (primary) | Personal Data Protection Law of Georgia №5669-RS of 28.12.2011 | Consent; contract performance; legitimate interest |
| EU/EEA | GDPR Art. 6 | Consent; contract; legitimate interest |
| UK | UK GDPR + Data Protection Act 2018 | Same as EU |
| Other CIS (KZ, UZ, AM, etc.) | Local data protection law + offer contract | Consent; contract performance |
| Russia | — | Service does not currently serve RF residents (see notice above). |
AI processing and third parties
We use the following AI providers:
- Anthropic (Claude API) — primary reasoning engine. Per Commercial Terms, Anthropic does not use our data to train models and deletes it after processing.
- Google (NotebookLM) — RAG engine for working with large legal corpora. Data is processed per Google Privacy Policy.
- OpenAI (Whisper) — transcription of hearing audio. Per API Data Usage, OpenAI does not use API data for training.
Personal data is sent to these services only on explicit user action (uploading a document, AI query, transcription). We do not share data via batch exports.
Sub-processors
| Processor | Purpose | Jurisdiction |
|---|---|---|
| Hetzner Online GmbH | Server and database hosting | Germany (Falkenstein) |
| Anthropic, PBC | AI reasoning | USA |
| Google LLC | NotebookLM, OAuth, Drive/Gmail/Calendar API | USA + global |
| OpenAI, L.L.C. | Whisper transcription | USA |
| PayPal (Europe) S.à r.l. | Billing | Luxembourg |
| Telegram FZ-LLC | Push notifications via @juris_ink_bot | UAE |
DPAs (Data Processing Agreements) are or will be in place with all processors before production launch.
Storage & retention
- Active account: data retained for the duration of the subscription
- After cancellation: 30-day grace period for renewal, then soft-delete (access closed, data preserved)
- Full deletion: 365 days after soft-delete or immediately on user request
- Access logs: 365 days hot, then anonymised and archived
- Backups: 30 days (then rotated)
- Financial records: per accounting law (Russia 5 years, EU 10 years)
Security
Technical and organisational measures we apply:
- Database: Row Level Security in PostgreSQL with mandatory app-layer guard (dual control)
- OAuth tokens: Fernet AES-128 encryption; key stored separately from the database
- Share tokens: stored as SHA-256 hash; the lawyer sees the plain token only at creation
- Transport: TLS 1.3 for all connections, HSTS
- Infrastructure access: SSH keys + IP whitelist, no password auth
- Monitoring: Loki + Grafana with alerts on anomalous activity
- Backups: daily encrypted pg_dump; off-site replication (planned)
- Staff: least-privilege access
Your rights
Depending on your jurisdiction, you have the right to:
- Get a copy of your personal data (right of access)
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Restrict processing
- Receive data in a machine-readable format (data portability)
- Withdraw consent
- Object to processing based on legitimate interest
- File a complaint with the relevant supervisory authority (Roskomnadzor for Russia, Office of Personal Data Protection for Georgia, the relevant DPA for EU)
Send requests to dpo@juris.ink. We respond within 30 days.
Cookies and analytics
We use a minimum of cookies:
- Session: for maintaining login session (required)
- Preferences: theme, interface language (required for functionality)
- Analytics: anonymised traffic via self-hosted Plausible. We do NOT use Google Analytics, Yandex Metrica, or Facebook Pixel
- Advertising: none
Minors
The Service is not intended for persons under 18. We do not knowingly collect data from minors. If you become aware that a minor has provided us with data, contact the DPO for immediate deletion.
Cross-border transfers
Data is stored at Hetzner's data centre in Germany. AI processing occurs in the USA (Anthropic, OpenAI) and globally (Google).
Transfer to the USA is based on:
- EU-US Data Privacy Framework (for EU users)
- Standard Contractual Clauses (other jurisdictions)
- Explicit user consent at registration (other jurisdictions)
Client share links
When a lawyer shares a unique link (`juris.ink/share/case/...`):
- The client gets access to case materials without registration
- The lawyer controls which sections of the case the client sees
- Each visit and download is recorded in the audit log
- The lawyer can revoke the link at any time
- Link expiry is set by the lawyer (default — 30 days)
- The portal page and printouts include a watermark with the client's email and the time the link was issued
The lawyer issuing the link is responsible for:
- Obtaining client consent to data transfer through the Service
- Sharing the link only with the legitimate recipient (leak protection)
- Timely revocation when circumstances change
Details in ADR-0006 in our documentation repository.
Changes to this policy
We may update this policy. Material changes are announced 30 days in advance via email and an in-Service banner. Minor changes (typos, structural edits) are made without notice but are reflected in the version date in the header.
An archive of past versions is available by request to the DPO.
Contacts
- DPO / Privacy: dpo@juris.ink
- Legal queries: legal@juris.ink
- Complaints / abuse: abuse@juris.ink
- General questions: hello@juris.ink
- Legal entity: Individual Entrepreneur Aleksei Eliseev, ID 326127221, Georgia
- Legal address: Georgia, City Borjomi, Meskheti Street 31g, floor 0, office N3
- Website: juris.ink