Privacy Policy

LawReach Pty Ltd (ACN: 693 897 862) trading as LawReach AI ("LawReach AI", "we", "us", "our"), operates the AI-powered legal information platform at lawreach.ai ("Platform").

We are committed to protecting your privacy and handling personal information in accordance with the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act.

This Privacy Policy applies to all users of lawreach.ai, including visitors who do not create an account, free-tier (Aware) users, and paid subscribers (Assured and Ahead tiers).

By using the Platform or creating an account, you consent to the collection, use, storage, and disclosure of your personal information as described in this Privacy Policy. Your consent is provided through the act of creating an account (which requires you to agree to these terms) and through your continued use of the Platform.

This Privacy Policy is incorporated into and forms part of our Website Terms and Conditions. If you do not consent to this Privacy Policy, you must not use the Platform.

This Privacy Policy does not cover the practices of third-party service providers or other websites linked to from the Platform. We encourage you to read the privacy policies of those third parties before providing them with your personal information.

For all privacy-related enquiries, complaints, or access and correction requests, contact us at: support@lawreach.ai

LawReach AI is the relevant APP entity responsible for complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles in respect of the personal information we collect, use, and disclose. We may refer to ourselves as a "data controller" elsewhere in this Policy as a general descriptor only, this is not a defined term under Australian law, and its use does not constitute an undertaking to comply with the GDPR or any other jurisdiction's data protection framework beyond what is otherwise required by law.

We engage the following third parties to help us provide the Platform. Each provider accesses only the personal information necessary to perform its specific function, except as otherwise described in this Policy:

We engage these providers under their respective commercial or API terms of service. We do not control how each provider's infrastructure operates internally, and we rely on each provider's own security practices, terms of service, and (where applicable) industry certifications. While we select reputable providers and take reasonable steps to protect your information, we cannot guarantee a provider's compliance with the Australian Privacy Principles, and our liability in connection with any provider's handling of your information is limited as set out in our Terms and Conditions.

If you believe your personal information has been mishandled by any of our providers, contact us at support@lawreach.ai. We will investigate and, where appropriate, raise the matter directly with the relevant provider.

You retain ownership of your User Content at all times. We do not claim any intellectual property rights over User Content.

We use User Content only for the purpose of delivering the Service to you (including transmitting relevant portions to Anthropic for AI processing, as described in Section 6). We do not use User Content for advertising, marketing, model training, or any purpose unrelated to delivering the Service.

If your User Content contains personal information about third parties (for example, names, addresses, or other identifiable information in a contract you upload), you are responsible for: (a) ensuring you have the legal authority to disclose that personal information to us; (b) notifying those third parties that their information may be processed through the Platform as described in this Privacy Policy; and (c) any consequences arising from your failure to obtain the necessary authority. You acknowledge that uploading third-party personal data without authorisation may constitute a breach of the Privacy Act 1988 (Cth) and that you will be solely responsible for any resulting complaint, regulatory action, or liability, in accordance with the indemnity provisions in our Terms and Conditions.

We strongly recommend you do not submit highly sensitive personal information through the AI chat or document upload features. Highly sensitive information includes (without limitation): tax file numbers, Medicare numbers, passport numbers, financial account or card numbers, health or medical information, criminal records, or classified or legally privileged material.

No Intentional Collection of Sensitive Information. LawReach AI does not design the Platform to request, prompt for, or intentionally collect "sensitive information" within the meaning of section 6(1) of the Privacy Act 1988 (Cth) (which includes, among other things, health information, genetic information, information about criminal records, and information about racial or ethnic origin, sexual orientation, or religious beliefs). The profile collection process and account fields described in Section 3 do not request sensitive information.

Incidental Sensitive Information. Notwithstanding clause 4.5, the nature of the Platform means that User Content you submit as part of a free-text query, matter, or uploaded document may incidentally contain sensitive information about you or a third party, including where you were not specifically asked to provide it (for example, where a workplace dispute query refers to a person's health condition, or an uploaded contract refers to a party's criminal history). You acknowledge that:

In-Product Notices. The Platform displays a notice at or near the point of input (for example, above the chat field) advising you not to enter tax file numbers, Medicare numbers, passport numbers, financial account or card numbers, or other highly sensitive information of the kind described in clause 4.4. This notice is a reasonable step we take to reduce unnecessary collection of sensitive information, but it does not prevent you from submitting such information if you choose to do so, and clauses 4.5 and 4.6 will apply.

No Special Retention for Sensitive Information. We do not apply a different storage location, security standard, or retention period to sensitive information than applies to other User Content under Section 15. If you have submitted sensitive information and wish it to be deleted before the standard retention period described in Section 15 expires, contact us at support@lawreach.ai to request earlier deletion. Where the Platform offers self-service deletion of individual queries, organisational data, or documents, you may also use that feature directly through your account settings.

If you have submitted sensitive information about yourself and have concerns about how it has been handled, contact us at support@lawreach.ai. If your enquiry concerns sensitive information about a third party submitted in breach of clause 4.3, see the indemnity provisions in our Terms and Conditions.

Commercially Sensitive Business Information. This Privacy Policy, and the Australian Privacy Principles it's based on, protect personal information about individuals, not confidential information about businesses. If your User Content includes commercially sensitive business information (for example, details of an unannounced transaction, financial figures, pricing, or trade secrets, whether yours or someone else's), that information falls outside the scope of this Privacy Policy. Our position on handling that kind of information is set out instead in clause 9.5A of our Terms and Conditions. We do, however, store and secure commercially sensitive business information using the same measures described in Sections 7, 13, and 15, we don't treat it any less carefully, we just don't apply Privacy Act protections to it, because those protections only ever apply to individuals.

We collect personal information through the following means:

We collect personal information only by lawful and fair means, and only to the extent reasonably necessary for one or more of the purposes described in this Privacy Policy (APP 3).

The AI functionality on lawreach.ai is powered by Claude, a large language model developed and operated by Anthropic PBC ("Anthropic"), a company incorporated in the United States. We access Claude through Anthropic's commercial API. Anthropic processes your queries as a service provider on our behalf and does not independently determine the purposes of that processing.

When you submit a question or upload a document for AI processing, the content of your input, along with relevant profile context (your state, location type, business structure, and industry) and your current session history, is transmitted to Anthropic's servers in the United States to generate a response. Your email address, password, billing details, and technical data are not transmitted to Anthropic.

Anthropic does not use data submitted through its commercial API to train or improve its AI models. This is the default position under Anthropic's standard API terms, separate from the rules that apply to individual Claude.ai Free, Pro, and Max accounts, which are not what we use to provide the Service.

If we change to a different AI provider whose data practices materially differ from those described here, we will update this Privacy Policy and notify you before the change takes effect.

For information on how Anthropic handles data, see: https://www.anthropic.com/legal/privacy

Your Platform Data and User Content are stored on infrastructure provided by our cloud database provider (“Database Provider”). The Database Provider uses Amazon Web Services (AWS) infrastructure located in the Sydney, Australia region (ap-southeast-2) to store your data.

The Database Provider acts as a data processor on our behalf, processing your data only as directed by us and subject to confidentiality obligations. The Database Provider implements row-level security (RLS) and access controls on our database, meaning each user’s data is isolated and accessible only to that user and to authorised administrative processes.

The Database Provider’s privacy practices are governed by their privacy policy. Current details are available on request by contacting support@lawreach.ai.

The Platform is hosted and deployed via a cloud hosting provider incorporated in the United States (“Hosting Provider”). Application requests are processed by our Hosting Provider’s infrastructure in Sydney, Australia (ap-southeast-2), consistent with our database location. Initial request routing may pass through the Hosting Provider’s global edge network, but serverless function execution occurs in the Sydney region.

The Hosting Provider’s privacy practices are governed by their privacy policy. Current details are available on request by contacting support@lawreach.ai.

Data at rest (your stored account data, profile, queries, organisational data, and documents) is held on AWS Sydney (ap-southeast-2) infrastructure via our Database Provider.

Data in transit (your requests to and responses from the Platform) is processed through our Hosting Provider’s infrastructure in Sydney, Australia (ap-southeast-2).

Data processed by AI (your queries and document text) is transmitted to Anthropic PBC's servers in the United States.

Payment data is processed by Stripe, Inc. (see Section 8).

All subscription payments are processed by Stripe, Inc. ("Stripe"), a PCI DSS Level 1 certified payment processor. When you subscribe to a paid plan:

Stripe acts as a data processor for billing purposes and as an independent data controller in respect of payment card data.

Stripe's privacy policy is available at: https://stripe.com/au/privacy

Stripe's servers may be located in the United States, Australia, and other jurisdictions. By providing payment information through the Platform, you consent to Stripe processing your data in accordance with their terms.

We use your personal information to:

We do not use your chat history or uploaded documents for advertising, marketing, or any purpose other than delivering the Service to you.

We will never share your chat history or uploaded documents with any third party for marketing or advertising purposes.

Multi-User and Team Accounts. Where multiple individuals use the Platform under a business or team arrangement, each user's personal information is collected and processed separately. The business that arranged team access does not have the right to access another individual user's chat history, uploaded documents, or personal information without that user's consent.

The Platform uses cookies and similar technologies for the following purposes:

We do not use third-party advertising cookies, do not allow advertising networks to place cookies on the Platform, and do not track you across other websites.

You may disable cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in.

If we introduce additional cookies or tracking technologies, or our use changes materially, we will update this section and notify you.

We may disclose your personal information to the following categories of recipients, for the purposes described:

We do not sell, rent, or trade your personal information to any third party for any purpose.

We do not disclose your personal information to any third party for that third party's own marketing or advertising purposes.

We do not share User Content (including chat history and uploaded documents) with any third party except Anthropic PBC for the sole purpose of AI processing as described in Section 6.

Some of our service providers are located overseas. The following overseas disclosures occur in the ordinary operation of the Platform:

Primary data storage is on AWS Sydney infrastructure via our Database Provider, which is located in Australia.

We take reasonable steps to ensure overseas recipients handle your personal information consistently with Australian privacy law. However, data protection laws in the United States differ from Australia's, and we cannot guarantee that an overseas recipient will comply with the Australian Privacy Principles in all circumstances.

By using the Platform, you expressly consent to your personal information being disclosed to the overseas service providers described in this Privacy Policy, where this is necessary to deliver the Service. By providing this consent, you acknowledge that Australian Privacy Principle 8.1 does not apply to such disclosures, and that LawReach AI will not be accountable under the Privacy Act 1988 (Cth) for the overseas recipient’s handling of your personal information once disclosed. We take reasonable contractual steps to protect your information but cannot guarantee that an overseas recipient will comply with Australian Privacy Principles in all circumstances.

The Platform relies on multiple third-party service providers to operate, including Anthropic PBC (AI processing), cloud infrastructure providers (data storage and hosting), and Stripe, Inc. (payment processing). Each of these providers processes some or all of your personal information as described in this Privacy Policy.

While we take reasonable steps to select reputable providers, enter into appropriate contractual arrangements, and verify their security certifications (see Sections 6, 7, and 8), you acknowledge and agree that:

LawReach AI's obligations under this Privacy Policy extend to the steps we take to protect your information within our own systems and to our selection of, and contractual arrangements with, our third-party providers. To the maximum extent permitted by law, LawReach AI does not accept liability for the acts, omissions, failures, or breaches of any third-party provider, except where we have been negligent in our selection of, or instructions to, that provider.

Specifically, and without limiting the generality of clause 13.3:

You expressly acknowledge and consent to the processing of your personal information by the third-party providers identified in this Privacy Policy, on the terms and subject to the limitations described in this section. If you do not accept these risks and limitations, you should not use the Platform.

In the event of a data breach or incident involving a third-party provider, we will comply with our obligations under the Notifiable Data Breaches scheme (see Section 18) and will cooperate with the relevant provider to investigate and remediate the incident. We will notify affected users as required by law.

We review our third-party provider arrangements periodically and may change providers. If we change a provider in a way that materially affects the processing of your personal information, we will update this Privacy Policy and notify you in accordance with Section 24.

We may send you marketing communications about LawReach AI products and services where you have opted in to receive such communications.

We comply with applicable Australian law regarding commercial electronic messages. All marketing emails include accurate sender information, a functional unsubscribe mechanism, and clear identification as commercial messages.

You may opt out of marketing communications at any time by: (a) clicking the unsubscribe link in any marketing email; or (b) contacting us at support@lawreach.ai.

Opting out of marketing communications does not affect transactional communications, which are necessary for the operation of your account (e.g. billing notifications, subscription status updates, security alerts, and account verification emails).

We retain different categories of personal information for different periods, depending on the purpose of collection and our legal obligations:

Where we are required by law to retain information for a specified period (e.g. for tax, regulatory, or dispute resolution purposes), we will retain it for that period regardless of account deletion.

After the applicable retention period, personal information will be securely deleted or permanently de-identified.

We may de-identify personal information by removing all information that could reasonably be used to identify you or your business. "De-identified data" means data that is not personal information within the meaning of the Privacy Act because it cannot be reasonably re-identified.

We may use de-identified and aggregated data (for example, total number of users by state, average session duration, feature usage statistics, and patterns in the types of questions asked) for analytics, product improvement, internal reporting, research purposes, and improving our AI system prompts and response frameworks. This use is not subject to the APPs or this Privacy Policy because the data is no longer personal information and cannot be used to identify you or your business.

We will not attempt to re-identify de-identified data except for the purpose of testing our de-identification processes.

We take reasonable technical and organisational measures to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure, as required by APP 11.1. These measures include:

You are responsible for maintaining the security of your own account credentials. We are not liable for any unauthorised access to your account resulting from your failure to secure your password or your decision to share it with others.

No data transmission over the internet or method of electronic storage is completely secure. While we take all reasonable steps, we cannot guarantee absolute security and do not warrant that your personal information will be free from unauthorised access.

If you believe your account has been compromised, contact us immediately at support@lawreach.ai.

If we become aware of a data breach that is likely to cause serious harm to any affected individual, we will notify those individuals and, where required, the Office of the Australian Information Commissioner (OAIC) as soon as practicable.

If you believe a data breach may have affected your personal information, contact us immediately at support@lawreach.ai.

Under the Privacy Act 1988 (Cth), you have the right to:

We may require you to verify your identity before actioning any request.

We may decline a request in limited circumstances permitted by the Privacy Act, and will provide written reasons for any refusal.

If you believe we have mishandled your personal information or breached the Australian Privacy Principles, you may lodge a complaint with us at support@lawreach.ai.

We will acknowledge your complaint within 7 business days.

We will investigate and provide a written response within 30 days of receiving your complaint.

If you are not satisfied with our response, or if we fail to respond within 30 days, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au/privacy/privacy-complaints

lawreach.ai is a business-facing platform intended exclusively for use by individuals who are 18 years of age or older. We do not knowingly collect personal information from persons under 18.

If we become aware that personal information has been collected from a person under 18, we will take reasonable steps to delete that information as soon as practicable.

The Platform or AI-generated responses may contain links to third-party websites, including government websites, legislation databases, court registries, legal aid services, and other external resources. These links are provided for informational purposes only.

We do not operate or control those websites and are not responsible for their content or privacy practices. We encourage you to read the privacy policy of any third-party website before providing personal information to it.

The inclusion of a link does not imply endorsement of the linked website or any association with its operators.

LawReach Pty Ltd also operates a separate legal template store at lawreach.com.au. The two websites are operated by the same legal entity (LawReach Pty Ltd) but maintain:

This Privacy Policy applies to lawreach.ai only. The privacy policy for lawreach.com.au is available at lawreach.com.au/policies/privacy-policy.

We do not share personal information between the two platforms without your explicit consent, except where you contact us through a shared support channel (e.g. a general enquiry email).

We may update this Privacy Policy from time to time to reflect changes in our practices, our service providers, or applicable law.

Material changes (including changes to the categories of personal information collected, new data processors, or changes to overseas disclosure practices) will be notified to you by email to your registered address and/or by prominent notice on the Platform at least 14 days before the changes take effect.

Non-material changes (such as formatting or clarifications) may be made without notice.

The current version of this Privacy Policy, including the "Last updated" date, is always available at lawreach.ai/privacy.

Your continued use of the Platform after any update constitutes your acceptance of the updated Privacy Policy. If you do not agree with a material change, you should cease using the Platform and delete your account.