Legal

Privacy Policy

Version: 1.0 (DRAFT) · Last updated: April 2026 · Data controller: MyLiP Ltd (England & Wales)

Plain-English summary

We take data protection seriously — the documents you upload to MyLiP are among the most sensitive information you have. Here are the key points: (1) we are the data controller. (2) We only process your data to provide the Service to you. (3) We never use your case documents to train AI models — ours or anyone else’s. (4) We use a small set of processors (Anthropic, Supabase, Vercel, Stripe, Resend) to run the Service; some of those are US-based, and we document the transfer safeguards. (5) You have the full set of UK GDPR rights. (6) You can complain to the ICO if we get this wrong.

1. Who we are

This policy is issued by MyLiP Ltd (“MyLiP”, “we”), the data controller for personal data processed through the MyLiP.ai service.

Registered office: Hoxton Mix, 3rd Floor, 86-90 Paul Street, London EC2A 4NE
Company number: [to be inserted following incorporation]
ICO registration number: [to be inserted following registration]
Data protection contact: hello@mylip.ai

2. The data we process

We process the following categories of personal data:

Category	Examples	Source
Account data	Name, email, password (hashed), subscription tier, billing records	From you at sign-up
Case content	Documents you upload (Form E, bank statements, correspondence, court orders, witness statements), notes you write, AI queries you run, AI outputs	From you, uploaded or generated during use
Special-category data (Art. 9 UK GDPR)	Health, family, sexual-orientation or similar information appearing in your case documents	Incidental to your case content
Usage data	Pages visited, features used, query counts, device and browser metadata, IP address	Generated automatically while you use the Service
Support data	Emails you send us, records of support interactions	From you when you contact us

3. Why we process it — lawful bases

Under Article 6 UK GDPR, we rely on the following lawful bases:

Contract performance (Art. 6(1)(b)): to provide the Service you subscribed to — including analysing your case documents, running AI queries, maintaining your account, and processing payment.
Legitimate interests (Art. 6(1)(f)): to operate and improve the Service, prevent abuse, maintain security, and keep accurate business records. A legitimate interests assessment is on file and available on request.
Legal obligation (Art. 6(1)(c)): to comply with UK tax, accounting and regulatory obligations.
Consent (Art. 6(1)(a)): where we rely on consent — for example for non-essential cookies — you can withdraw it at any time.

For special-category data (Article 9 UK GDPR), which is commonly present in family, employment and benefits documents, we rely on:

Explicit consent (Art. 9(2)(a)) — given at sign-up — to process your case content; and
Establishment, exercise or defence of legal claims (Art. 9(2)(f)), to the extent your use of the Service is for that purpose.

4. How long we keep your data

Data	Retention
Account data	Duration of your subscription + 6 years (statutory record-keeping)
Case content (documents, notes, queries, outputs)	Duration of subscription + 30 days after cancellation (for export), then deleted
Usage data	24 months
Payment records	6 years (UK tax-record obligations)
Support correspondence	3 years from last interaction

You can export and delete your case content at any time from your account settings. Deletion is final and irrecoverable after a 30-day grace window.

5. Who we share your data with — processors and subprocessors

We use the following processors to run the Service. Each has a data processing agreement in place with appropriate safeguards.

Processor	Purpose	Location	Transfer mechanism
Anthropic	AI model (Claude) that powers case analysis and drafting	USA	UK IDTA / UK Addendum to EU SCCs. Anthropic’s zero-retention configuration is used for Claude API calls. Your content is not used to train Anthropic’s models.
Supabase	Database and authentication	EU (Frankfurt) for UK customers	UK data stays in EU region; Supabase parent in USA under UK IDTA.
Vercel	Application hosting and edge functions	USA / EU edge nodes	UK IDTA.
Stripe	Payment processing	UK & Ireland (EU)	UK Stripe entity under UK GDPR; IDTA for any US transfers.
Resend	Transactional email delivery	USA	UK IDTA.
Netlify	Marketing site hosting (pre-launch)	USA / global CDN	UK IDTA.

We do not sell your personal data to anyone, and we do not share it with advertisers. We may share it with law enforcement where required by law, with professional advisers in connection with our business, or with a successor in interest if the business is sold (in which case the acquirer will be bound by equivalent privacy commitments).

Our training-data commitment. Your case documents, inputs and AI outputs are never used to train any AI model — ours or any third party’s. We use Anthropic’s zero-retention API configuration. This is a firm contractual commitment, not a discretionary policy.

6. International transfers

Some of our processors (above) are based in the United States. For those transfers, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with any additional organisational and technical safeguards required following the UK government’s adequacy assessments. Copies of the specific transfer documents are available on request.

7. Security

We take security seriously because the alternative is not acceptable given the sensitivity of our users’ data. Our technical and organisational measures include:

TLS 1.2 or higher for data in transit.
Encryption at rest (AES-256) for case content and database records.
Role-based access control — engineering staff access to user data is restricted, audited and only on an as-needed basis.
Multi-factor authentication for all administrative access.
Incident response plan with defined escalation and breach-notification procedures.
Regular security reviews and patch management.

No system is perfectly secure; if a breach occurs that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected users without undue delay.

8. Your rights

Under UK GDPR you have the following rights. We will respond to any request within one month (extendable by a further two months for complex requests):

Access — a copy of the personal data we hold about you.
Rectification — correction of inaccurate or incomplete data.
Erasure — deletion of your data where there is no overriding legitimate reason for us to keep it.
Restriction — limit how we process your data in certain circumstances.
Portability — receive a machine-readable copy of data you have provided to us.
Objection — object to processing based on legitimate interests.
Withdraw consent — where we rely on consent, you can withdraw it at any time.
Complain — to the Information Commissioner’s Office (ICO).

To exercise any of these rights, email hello@mylip.ai. We may ask you to verify your identity before responding. These rights are free to exercise; we may charge a reasonable fee or refuse manifestly unfounded or excessive requests.

9. Legal professional privilege — important

Read this carefully. Because MyLiP is not a law firm and we are not your solicitor, communications between you and MyLiP are not covered by legal professional privilege. The UK judiciary’s October 2025 guidance treats inputs to AI tools as unprivileged. If you are in litigation, the opposing side may, in certain circumstances, be entitled to seek disclosure of your MyLiP content. Take this into account when using the Service.

10. Cookies

We use a small number of cookies to run the Service — see our Cookie Policy for details.

11. Children

The Service is not directed at anyone under 18. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified to subscribers by email at least 30 days in advance, and the version history is available on request. Continued use of the Service after changes take effect is acceptance of the updated policy.

13. Complaints and contact

If you’re unhappy with how we’ve handled your data, please contact us first at hello@mylip.ai — we’d rather fix the problem. If you’re not satisfied, you can complain to the ICO: ico.org.uk, or by phone on 0303 123 1113.