Privacy Policy
1. Data Controller
The data controller responsible for your personal data is the organisation operating this NeedleSearch instance. Contact details are available in Section 14 below, or by emailing privacy@needlesearch.ai.
Where we act as a data processor on behalf of an organisation (your employer or a contracting entity), that organisation is the data controller and their privacy policy applies in addition to this one.
2. Data We Collect
2.1 Account Data
| Category | Data | Source |
|---|---|---|
| Identity | Full name, display name | Registration form / OAuth |
| Contact | Email address, phone number (optional) | Registration form / OAuth |
| Credentials | Hashed password (bcrypt, never stored in plaintext) | Registration form |
| Authentication | OAuth tokens (Google, Apple), session cookies | OAuth provider (tokens) / application (session cookies) |
| Profile | Language preference, timezone, UI preferences | User settings |
| Organisation | Organisation name, role | Admin assignment / registration |
2.2 Usage Data
| Category | Data | Source |
|---|---|---|
| Chat history | Chat titles, messages, AI responses | User interaction |
| Documents | Uploaded file names, types, sizes, extracted text, embeddings | File uploads |
| Search queries | Search text, parameters, results | User interaction |
| Token usage | AI token consumption counts, estimated cost | System measurement |
2.3 Technical Data
| Category | Data | Source |
|---|---|---|
| Access logs | IP address, user agent, request path, timestamp | Web server |
| Security logs | Failed login attempts, IP addresses | Security system |
| Audit logs | Document access events, data export events | Application |
2.4 Data We Do NOT Collect
- Special categories of data (health, race, religion, political opinions) — unless contained in documents you upload
- Financial information or payment data
- Biometric data
- Data about children under 16 (the service is not directed at children)
3. Legal Basis for Processing (GDPR)
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and authentication | Performance of a contract | Art. 6(1)(b) |
| Providing AI search and chat features | Performance of a contract | Art. 6(1)(b) |
| Document storage and processing | Performance of a contract | Art. 6(1)(b) |
| Security and fraud prevention | Legitimate interests | Art. 6(1)(f) |
| Audit logging (access records) | Legitimate interests / Legal obligation | Art. 6(1)(f) / Art. 6(1)(c) |
| Analytics cookies | Consent | Art. 6(1)(a) |
| Marketing communications | Consent | Art. 6(1)(a) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
| Token usage tracking (service limits) | Performance of a contract | Art. 6(1)(b) |
Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms. You have the right to object to this processing (see Section 9).
4. How We Use Your Data
- Service delivery: Provide AI-powered legal document search, chat, and analysis features.
- Account management: Authenticate you, manage your profile and preferences.
- Document processing: Extract text, generate embeddings, and index documents for search.
- AI inference: Send document excerpts and queries to language model APIs to generate answers.
- Security: Detect and prevent fraud, abuse, and unauthorised access.
- Compliance: Maintain audit trails and comply with legal obligations.
- Communications: Send service-related notifications (with consent, where required).
- Analytics (with consent): Understand product usage to improve the service.
5. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data (profile, email) | Until account deletion, plus up to 30 days in rotated backups | Contract / user request |
| Chat messages | Until account deletion | Contract |
| Uploaded documents | Until deletion by user or account deletion | Contract |
| Document access audit logs | 12 months | Legitimate interest (security) |
| Login attempt logs | 90 days | Legitimate interest (security) |
| Cookie consent records | 3 years from consent / 180 days from withdrawal | Legal obligation (GDPR Art. 7) |
| GDPR audit log (exports, deletions) | 3 years | Legal obligation (accountability) |
| Breach notification records | 5 years | Legal obligation (GDPR Art. 33(5), breach documentation) |
| Session tokens | Up to 30 days (or until logout) | Contract |
After the retention period, data is securely deleted or anonymised. Backups are rotated within 30 days. You may request early deletion by exercising your right to erasure (Section 9).
6. Sharing & Sub-processors
We do not sell your personal data. We do not share it with third parties for their own marketing purposes.
We use the following components and sub-processors to operate the service. Self-hosted components run on the operator's own infrastructure and involve no third party; the externally hosted LLM inference provider (DeepSeek API Cloud) is the only third-party sub-processor in this list.
| Sub-processor | Location | Purpose | Data Transferred |
|---|---|---|---|
| PostgreSQL (self-hosted) | Operator infrastructure | Primary database | All user data |
| Qdrant (self-hosted) | Operator infrastructure | Vector search | Document embeddings (numeric vectors) |
| Redis (self-hosted) | Operator infrastructure | Caching, sessions | Session tokens, cache keys |
| Qwen / vLLM (self-hosted) | Operator infrastructure | AI embeddings & reranking | Document text chunks, queries |
| DeepSeek API Cloud | China / Cloud | LLM inference (AI answers) | User queries, document excerpts |
| Surya OCR (self-hosted) | Operator infrastructure | OCR for scanned PDFs | Document images |
The current authoritative sub-processor list is available at /api/gdpr/sub-processors (authenticated users).
We may also disclose data: (a) as required by law or court order; (b) to protect the rights and safety of users; (c) in connection with a merger or acquisition, with notice to you.
7. International Transfers
Most data is processed within the operator's infrastructure. However, where LLM inference services (e.g., DeepSeek API) are located outside the European Economic Area (EEA), data transfers are covered by:
- Standard Contractual Clauses (SCCs) approved by the European Commission (where applicable)
- Supplementary measures: data minimisation (only the excerpts relevant to a query are sent) and encryption in transit (TLS 1.2+). Note that TLS protects data only while it is in transit: the inference provider necessarily receives the query and excerpts in readable form in order to generate an answer, so minimisation of what is sent is the primary safeguard.
If you have concerns about international transfers affecting your data, you may contact us to request details of the transfer safeguards in place for your specific data.
8. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption at rest: AES-256-GCM encryption for all PII fields (email, name, phone) and message content
- Encryption in transit: TLS 1.2+ for all connections; HSTS in production
- Access control: Row-level security (RLS) in the database; multi-tenant data isolation
- Authentication: Bcrypt password hashing, session tokens with secure flags, account lockout after failed attempts
- Monitoring: Rate limiting, anomaly detection, audit logging of sensitive operations
- Security headers: Content Security Policy, X-Frame-Options, X-Content-Type-Options
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Article 33). Where the breach is likely to result in a high risk to you, we will also notify affected users without undue delay (GDPR Article 34).
9. Your Rights Under GDPR
If you are located in the European Economic Area, you have the following rights:
Art. 15 — Right of Access
Request a copy of all personal data we hold about you. Use: Settings → Export My Data, or POST /api/user/export.
Art. 16 — Right to Rectification
Correct inaccurate or incomplete data. Use: Settings → Profile to update your name, email, and phone.
Art. 17 — Right to Erasure (Right to be Forgotten)
Request deletion of your account and all associated data. Use: Settings → Delete Account, or email us. We will process requests within 30 days.
Art. 18 — Right to Restriction of Processing
Request that we restrict processing of your data (e.g., while a dispute is pending). Use: POST /api/gdpr/restriction, or email us.
Art. 20 — Right to Data Portability
Receive your data in a structured, machine-readable format (JSON). Use: Settings → Export My Data.
Art. 21 — Right to Object
Object to processing based on legitimate interests, or to direct marketing at any time. Use: POST /api/gdpr/objection, or email us. Direct marketing objections are honoured immediately.
Art. 22 — Automated Decision-Making
We do not make solely automated decisions with legal or significant effects. AI search and chat responses are tools to assist human review, not final decisions.
How to Exercise Your Rights
Email: privacy@needlesearch.ai
Response time: Within 30 days (extendable by 2 months for complex requests, with notice)
Identity verification: We may ask you to verify your identity before processing a request
No fee: Rights requests are free of charge (unless manifestly unfounded or excessive)
Right to Lodge a Complaint
You have the right to lodge a complaint with your national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. We encourage you to contact us first so we can address your concerns directly.
10. Your Rights Under CCPA/CPRA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know
Request disclosure of the categories and specific pieces of personal information we have collected about you. Use: Settings → Export My Data.
Right to Delete
Request deletion of your personal information. Use: Settings → Delete Account. Subject to exceptions (e.g., legal obligations).
Right to Correct
Request correction of inaccurate personal information. Use: Settings → Profile.
Right to Opt-Out of Sale / Sharing
We do not sell your personal information. We do not share it for cross-context behavioural advertising.
If this changes, you will be notified and an opt-out mechanism will be provided.
To record an opt-out preemptively, use: POST /api/gdpr/ccpa-opt-out.
Right to Limit Use of Sensitive Personal Information
Request that we limit use of sensitive personal information to necessary purposes. Use: POST /api/gdpr/ccpa-opt-out with type sensitive_pi_limit.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. You will receive the same level of service regardless.
How to Submit a CCPA Request
Email: privacy@needlesearch.ai with subject "CCPA Request"
Response time: 45 days (extendable by 45 days with notice)
Authorised agents: We accept requests from authorised agents with written permission from the consumer
Categories of Personal Information Collected (CCPA)
| CCPA Category | Examples | Sold? |
|---|---|---|
| Identifiers | Name, email, IP address, session ID | No |
| Personal records information | Phone number, organisation | No |
| Internet / network activity | Usage logs, search queries, page views | No |
| Professional information | Role, organisation, uploaded legal documents | No |
| Inferences | User preferences derived from usage | No |
11. Cookies
We use the following categories of cookies:
| Category | Purpose | Opt-in Required? |
|---|---|---|
| Necessary | Authentication sessions, CSRF protection, security tokens | No — required for service |
| Analytics | Understanding how users navigate the product (anonymised) | Yes — consent required |
| Marketing | Communicating relevant product updates | Yes — consent required |
You can manage your cookie preferences at any time via the cookie banner (shown on first visit) or by visiting Settings → Privacy. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
12. Children
NeedleSearch is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@needlesearch.ai.
13. Policy Changes
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:
- Posting a prominent notice in the application
- Sending an email to your registered address (for significant changes)
- Updating the "Last updated" date at the top of this page
Your continued use of the service after the effective date of changes constitutes acceptance of the updated policy. For changes requiring renewed consent, we will ask you explicitly.
14. Contact & Data Protection Officer
For any privacy-related questions, requests, or complaints:
Privacy enquiries: privacy@needlesearch.ai
Data Protection Officer: dpo@needlesearch.ai
Response time: We aim to respond within 5 business days for general enquiries, and within 30 days for formal rights requests.
You also have the right to lodge a complaint with your local data protection authority at any time. For EU residents, find your authority at edpb.europa.eu. For UK residents, contact the ICO (ico.org.uk). For California residents, contact the CPPA (cppa.ca.gov).