ThinkLikeLaw ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website and use our services (collectively, the "Service"), in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR).
Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
The data controller responsible for your personal data is:
For the purposes of the UK GDPR, we are the data controller in respect of the personal data we process about you.
We collect and process the following categories of personal data:
| Category | Data Elements | Purpose |
|---|---|---|
| Account Registration | First name, last name, email address, password (hashed), university | Account creation, personalisation, communication |
| Profile Information | Target qualification year, current academic status, study preferences | Personalised learning experience |
| User Content | Uploaded lecture notes, essays, notes created within the Service | Providing AI-powered analysis and feedback |
| Payment Information | Billing name, email, payment method details (processed by Stripe) | Subscription billing and invoicing |
| Support Requests | Name, email, message content | Responding to enquiries and providing support |

| Category | Data Elements | Purpose |
|---|---|---|
| Usage Data | Pages visited, features used, time spent, click patterns | Service improvement and analytics |
| Device Data | Browser type, operating system, screen resolution, device identifiers | Compatibility and debugging |
| Network Data | IP address, approximate geolocation (country/region level) | Security, fraud prevention, legal compliance |
| Cookies & Similar Technologies | Session tokens, preference cookies, analytics identifiers | Authentication, personalisation, analytics |
If you sign in using Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.
We process your personal data under the following lawful bases as defined in Article 6(1) UK GDPR:
| Lawful Basis | Processing Activity |
|---|---|
| Contract (Art. 6(1)(b)) | Account registration, providing the Service, processing subscriptions and payments, delivering AI-generated content |
| Legitimate Interests (Art. 6(1)(f)) | Service improvement, analytics, fraud prevention, security monitoring, customer support. Our legitimate interest is to operate and improve the Service. We have assessed that this processing does not override your rights and freedoms. |
| Consent (Art. 6(1)(a)) | Marketing emails (where applicable), non-essential cookies. You may withdraw consent at any time. |
| Legal Obligation (Art. 6(1)(c)) | Tax records, regulatory compliance, responding to lawful requests from authorities |
We use your personal data for the following purposes:
We do not sell, rent, or trade your personal data. We may share your data with the following categories of recipients:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Supabase Inc. (Database & Auth) | Hosting, authentication, database storage | Data Processing Agreement (DPA), Standard Contractual Clauses (SCCs) for US transfers, SOC 2 Type II compliant |
| Stripe Inc. (Payments) | Payment processing, subscription management | PCI DSS Level 1 certified, DPA, SCCs |
| Google LLC (OAuth) | Social login authentication | OAuth 2.0, limited data scope (email, name, profile picture), DPA |
| Cloudflare Inc. (Hosting) | CDN, DDoS protection, edge computing | DPA, EU-US Data Privacy Framework |
| OpenAI / AI Providers | AI-powered content generation | DPA, data not used for model training, API-only access |
We may also disclose your data where required by law, regulation, court order, or other governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Some of our third-party service providers are located outside the United Kingdom. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with Article 46 UK GDPR, including:
You may request a copy of the relevant safeguards by contacting us at the address above.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Type | Retention Period | Justification |
|---|---|---|
| Account data | Duration of account + 30 days after deletion request | Contract performance, account recovery |
| User-generated content | Duration of account | Service delivery |
| Payment records | 7 years from transaction date | UK tax and accounting obligations (Taxes Management Act 1970) |
| Support tickets | 2 years from resolution | Legitimate interest in quality assurance |
| Analytics data | 26 months (anonymised after) | Service improvement |
| Cookie consent records | 2 years | PECR compliance, proof of consent |
Upon expiry of the retention period, personal data will be securely deleted or irreversibly anonymised.
We use cookies in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and ICO guidance.
These cookies are essential for the Service to function and cannot be switched off. They include session authentication tokens and CSRF protection tokens.
These cookies remember your preferences such as theme selection (dark/light mode), sidebar state, and language preferences.
With your consent, we may use analytics cookies to understand how visitors interact with the Service. No analytics cookies are set without your prior consent.
You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may affect the functionality of the Service.
Under the UK GDPR and DPA 2018, you have the following rights in relation to your personal data:
To exercise any of these rights, please contact us at privacy@thinklikelaw.com. We will respond to all legitimate requests within one calendar month. In exceptional circumstances, we may extend this by two further months, but we will inform you of the reason for the extension.
There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with Article 32 UK GDPR. These measures include:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
The Service is intended for users aged 16 years and older, in line with the UK GDPR age of digital consent. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete such data promptly.
The Service may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of such third parties. We encourage you to read the privacy policies of any third-party sites you visit.
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
Your continued use of the Service after any modifications constitutes your acceptance of the updated Privacy Policy.
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
We would appreciate the opportunity to resolve your concern before you contact the ICO.
If you have any questions about this Privacy Policy or our data practices, please contact us: