Privacy Policy

1 INTRODUCTION AND SCOPE

1.1

This Privacy Policy is issued by AirCounsel Ltd. (Company No. 12000525) (“we”, “us”, or “our”). This Policy governs the processing of Personal Data in connection with your use of the HyperCounsel Service, which includes the Microsoft Word Add-in, Dashboard, and associated websites (collectively, the “Service”).

1.2

This Policy explains how we collect, use, disclose, and protect your personal data in compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.3

For the purposes of this Policy, AirCounsel Ltd. acts as a:

1.3.1

Data Controller in relation to Account Data collected to establish and maintain your user account, manage billing, and administer our relationship with you.

1.3.2

Data Processor in relation to User Content that you upload or process through the Service, where such content may contain Personal Data. We process this data on your behalf and in accordance with your instructions.

1.3.3

This Policy applies to all users of the Service, regardless of their subscription plan, trial status, or method of access. It should be read in conjunction with our HyperCounsel Terms and Conditions, which govern your use of the Service.

1.3.4

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with the data practices described in this Policy, you should not use the Service.

2 DEFINITIONS

2.1

"Account Data" means the personal data provided by the User during account registration and maintenance, including but not limited to name, email address, company name, job title, telephone number, and password.

2.2

"Add-in" means the HyperCounsel Microsoft Word integration software provided as part of the Service, which enables AI-powered document drafting functionality within the Microsoft Word application environment.

2.3

"AI Output" means any text, redlines, comments, analyses, or document drafts generated by the Service's artificial intelligence functionality in response to User Content.

2.4

"AI Providers" means third-party artificial intelligence service providers utilised by the Company to process User Content and generate AI Output, including but not limited to Google Gemini and Mistral API.

2.5

"Bug Report" means an optional report submitted by a User to the Company regarding a technical issue, which may include voluntarily attached document snapshots and session logs.

2.6

"Cookie" means a small text file placed on the User's device when visiting the Website, as further described in clause 12 of this Privacy Policy.

2.7

"Data Controller" has the meaning given to it in the Data Protection Laws, being the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

2.8

"Dashboard" means the web-based interface provided by the Company for Users to manage their account, preferences, and review AI Output.

2.9

"Data Protection Laws" means all applicable data protection and privacy legislation in force from time to time in the UK including, but not limited to, the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and any national implementing laws, regulations, and secondary legislation relating to the processing of Personal Data.

2.10

"Document Content" means the full text of the User's open Word document that is temporarily processed by the Service when generating AI Output, which is not permanently stored server-side unless submitted as part of a Bug Report.

2.11

"Local Storage" means web storage technology (including localStorage and IndexedDB) that allows the Website or Add-in to store data on the User's device, as further described in clause 12 of this Privacy Policy.

2.12

"Personal Data" has the meaning given to it in the Data Protection Laws, being any information relating to an identified or identifiable natural person.

2.13

"PII Protection" means the optional feature that anonymises personal data before processing by AI Providers, where original data never leaves the User's device and placeholders are used during transmission.

2.14

"Processing" has the meaning given to it in the Data Protection Laws and includes any operation performed on Personal Data, such as collection, storage, alteration, or disclosure.

2.15

"Reference Documents" means files uploaded by the User to provide context for AI Output generation, from which text is extracted and stored in the Service's database.

2.16

"Service" means the HyperCounsel software-as-a-service product, including the Add-in and Dashboard, as more fully described in the Terms and Conditions.

2.17

"Terms and Conditions" means the HyperCounsel Software Terms and Conditions governing the use of the Service, as updated from time to time.

2.18

"Third-Party Processors" means the sub-processors engaged by us to provide elements of the Service, as listed in clause 9 of this Privacy Policy, including but not limited to OpenRouter, Supabase, and Stripe.

2.19

"UK GDPR" means Regulation (EU) 2016/679 as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

2.20

"UK Bridge" means the UK Extension to the EU-US Data Privacy Framework.

2.21

"User" or "You" means an individual or legal entity that has registered for and uses the Service, also referred to as "Customer" in the Terms and Conditions.

2.22

"User Content" means any documents, clauses, data, text, or other materials uploaded to or processed by the Service by or on behalf of the User, including but not limited to Document Content, chat/conversation history, user preferences, reference documents, and clause library entries.

2.23

"User Preferences" means the configurable settings selected by the User to customise the Service's operation, including but not limited to preferred tone, drafting style, role, governing law, party names, and custom instructions.

2.24

"Website" means the HyperCounsel corporate website located at [insert URL] and any subdomains thereof.

3 DATA CONTROLLER AND PROCESSOR STATUS

3.1

For the purposes of Data Protection Laws, the Company acts as:

3.2

a Data Controller in relation to Account Data collected to establish and maintain your user account, manage billing, and administer our relationship with you; and

3.3

a Data Processor in relation to User Content that you upload or process through the Service, where such content may contain Personal Data.

3.4

When processing User Content on your behalf, the Company shall:

3.5

only process such data in accordance with your documented instructions as set out in this Policy and the Terms and Conditions;

3.6

implement appropriate technical and organisational measures to protect the data;

3.7

not engage any sub-processor without ensuring equivalent data protection obligations are in place; and

3.8

not retain the data longer than necessary for the provision of the Service, unless required by applicable law.

3.9

You acknowledge and agree that you remain the Data Controller for any Personal Data contained within your User Content, and are responsible for ensuring you have an appropriate lawful basis for such processing under Data Protection Laws.

4 PERSONAL DATA WE COLLECT

4.1

We collect and process the following categories of Personal Data when you use the Service:

4.2

Account Data: When you register for an account, we collect your name, email address, company name, job title, telephone number, and password. This data is necessary for account creation, authentication, and service delivery.

4.3

User Preferences: As you configure the Service, we store your selected preferences including preferred tone, drafting style, role designation, governing law selections, party names, and any custom instructions you provide.

4.4

Document Content: When using the Add-in, the full text of your open Word document is temporarily processed to generate AI Output. This content is not permanently stored on our servers unless you voluntarily submit it as part of a Bug Report. When our PII Protection feature is enabled, identifiable personal data is anonymised locally on your device before any content is transmitted to our AI Providers.

4.5

Reference Documents: If you upload files to provide context for AI processing, we extract and store the text content from these documents in our database.

4.6

Chat/Conversation History: We store your interaction history with the Service, including all chat messages and AI responses, scoped to your user account.

4.7

Clause Library Entries: When you save clauses to your library, we store both the clause text and associated vector embeddings to enable retrieval functionality.

4.8

Bug Reports: If you submit a bug report, we may collect document snapshots and session logs that you voluntarily attach.

4.9

We automatically collect certain technical data when you interact with the Service, including:

4.10

Feature usage metrics and session data collected through first-party analytics in the Add-in.

4.11

On our Website only, we collect page view and interaction data via PostHog analytics.

4.12

Browser fingerprint data through Google reCAPTCHA v3 on website forms for bot protection.

4.13

Payment card details and billing information are processed directly by Stripe and are not collected or stored by our systems. We only receive and store your subscription status and basic billing metadata from Stripe.

5 DOCUMENT CONTENT AND AI PROCESSING

5.1

When you use the Add-in's drafting features, the full text of your open Word document (“Document Content”) is temporarily transmitted to our servers for processing by our third-party AI Providers (“AI Providers”) to generate AI Output.

5.2

Document Content is processed in real-time and is not permanently stored on our servers. It is deleted immediately after the AI Output is generated, except where you voluntarily submit it as part of a Bug Report or where transient data is retained in error logs for service quality and maintenance purposes for a period not exceeding 30 days.

5.3

When the optional PII Protection feature is enabled, identifiable personal data within your Document Content is automatically redacted locally on your device before transmission. The original data never leaves your device; placeholders are transmitted instead and the original data is reinserted locally after you receive the AI response.

5.4

Our AI Providers are contractually prohibited from using your Document Content to train their AI models or for any other purpose. They are required to delete your Document Content from their systems immediately after processing is complete, unless retention is strictly required by applicable law.

5.5

We implement appropriate technical and organisational measures to protect the security of your Document Content during transmission and processing, including encryption in transit and at rest, and strict internal access controls.

5.6

You acknowledge that to provide the Service, Document Content may be processed by our AI Providers in countries outside the United Kingdom. We ensure such transfers are lawful and protected by implementing appropriate safeguards in accordance with UK Data Protection Laws, as further detailed in clause 10 (International Data Transfers).

5.7

You acknowledge that AI Output is generated by automated systems and may contain inaccuracies or omissions. You are solely responsible for reviewing and verifying the AI Output for accuracy, completeness, and compliance with applicable legal and professional standards before use.

6 PURPOSES AND LEGAL BASES FOR PROCESSING

6.1

We only collect and process your Personal Data where we have a lawful basis to do so under the UK General Data Protection Regulation (UK GDPR). The table below sets out the different purposes for which we process your Personal Data and the corresponding legal basis for each.

6.2

Legitimate Interests. Where we rely on legitimate interests as a legal basis for processing, we have conducted a balancing test to ensure that our interests are not overridden by your interests, fundamental rights, and freedoms. You have the right to object to this processing at any time. For more information on our balancing tests, please contact us.

6.3

Consent. Where we rely on your consent to process Personal Data, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Data conducted in reliance on lawful processing grounds other than consent. You can withdraw your consent through the relevant settings in your account or browser, or by contacting us.

6.4

Special Category Data. We do not intentionally collect or process any Special Category Data (as defined in UK GDPR Article 9). However, such data may be incidentally contained in User Content you provide. In such cases, we process this data only as necessary to perform the Service in accordance with your instructions, relying on the basis that the processing relates to the establishment, exercise, or defence of legal claims (Article 9(2)(f)), or with your explicit consent where required.

7 PII PROTECTION AND PSEUDONYMISATION

7.1

The Service provides an optional PII Protection feature that enables You to pseudonymise Personal Data contained within Document Content before it is transmitted to AI Providers for processing. When this feature is enabled, it operates as follows:

7.2

Identifiable Personal Data (such as names, email addresses, and phone numbers) is detected and replaced with placeholder values locally on Your device.

7.3

The original Personal Data remains on Your device and is never transmitted to our servers or to any third-party AI Providers.

7.4

The content, with placeholder values, is transmitted for processing.

7.5

After the AI Output is received back on Your device, the original Personal Data is automatically reinserted, restoring the document.

7.6

This PII Protection feature implements pseudonymisation as defined in Article 4(5) of the UK General Data Protection Regulation (UK GDPR). The processing is not anonymous because the original data can be re-identified using the information held separately on Your device. The data therefore remains Personal Data throughout the process.

7.7

To protect Your privacy, the Company does not access, process, or store the mapping information between the placeholder values and the original Personal Data. This re-insertion process occurs exclusively on Your device.

7.8

You acknowledge and agree that:

7.9

The effectiveness of the PII Protection feature is dependent on the format and structure of Your Document Content and may not detect all instances of Personal Data.

7.10

Enabling this feature may impact the contextual accuracy and relevance of the AI Output, as the AI Providers process placeholder text instead of the original data.

7.11

You remain solely responsible for reviewing the Document Content and AI Output and for assessing whether the level of pseudonymisation meets Your specific legal and compliance requirements under applicable Data Protection Laws.

7.12

If You choose to disable the PII Protection feature, Document Content containing Personal Data will be transmitted to AI Providers without pseudonymisation. In such cases, You warrant that You have a valid lawful basis for processing and have obtained all necessary rights and consents for such transmission and processing under Data Protection Laws.

7.13

The PII Protection feature is enabled by default. You may disable or re-enable this feature at any time in the settings panel. Changes will take effect for all subsequent processing requests.

8 DATA RETENTION AND STORAGE

8.1

We retain different categories of Personal Data for specified periods in accordance with our data retention policy and the principle of storage limitation under UK GDPR Article 5(1)(e). The retention periods vary depending on the type of data and the purpose for which it is processed.

8.2

Account Data is retained for the duration of your active subscription plus a period of 30 days following account termination to facilitate potential reactivation. After this period, Account Data is anonymised or permanently deleted from our systems, except where we are required to retain certain information for legal, tax, or regulatory purposes.

8.3

User Content (including chat/conversation history, reference documents, and clause library entries) is retained for the duration of your subscription. Upon termination of your account, you may export your User Content. You may also request immediate deletion of this data or allow it to be retained for the standard 30-day post-termination period to enable data recovery if you choose to reactivate your account.

8.4

Document Content processed through the Add-in is transient and is not permanently stored on our servers, except where you voluntarily submit it as part of a Bug Report. Bug Report attachments containing Document Content are retained for 90 days from submission, after which they are permanently deleted.

8.5

Analytics Data collected through our Add-in is retained in an identifiable form for 12 months from collection. Website analytics data collected via PostHog is retained for 6 months. After these periods, the data is aggregated and anonymised and may be retained in a non-personally identifiable form for service improvement purposes.

8.6

Payment Data received from Stripe (excluding full payment card details which we do not process) is retained for 7 years from the transaction date to comply with UK tax and accounting requirements.

8.7

Backups containing Personal Data are retained for a maximum of 30 days before being overwritten or destroyed. Data may persist in backup systems beyond the primary retention periods specified above but will not be processed for any purpose other than disaster recovery.

8.8

Your Right to Early Deletion. You may request the early deletion of your Personal Data at any time by contacting us at [insert contact email/method]. Such requests will be handled in accordance with your rights under data protection law, subject to our need to retain certain data to comply with our legal obligations, resolve disputes, or enforce our agreements.

8.9

Notwithstanding the above, we may retain certain Personal Data where necessary for the establishment, exercise, or defence of legal claims, or where we have another overriding legitimate business purpose for which retention is permitted by law. In such cases, access to the data will be strictly limited to what is necessary for the specified purpose.

9 THIRD-PARTY PROCESSORS AND SUB-PROCESSORS

9.1

We engage carefully selected Third-Party Processors to provide elements of our Service. These processors are contractually bound to process Personal Data only in accordance with our instructions and to implement appropriate technical and organisational measures to protect the data.

9.2

Our current list of key Third-Party Processors includes:

9.3

OpenRouter (AI gateway) - routes AI requests to selected AI Providers;

9.4

Supabase (hosted PostgreSQL) - provides database, authentication and file storage services;

9.5

Stripe - processes payment transactions and manages subscriptions;

9.6

Mistral API - performs OCR processing for uploaded PDF documents;

9.7

PostHog - provides website analytics services (website only);

9.8

Zoho SMTP - delivers transactional emails;

9.9

Google OAuth/LinkedIn OIDC - enables social login functionality; and

9.10

Google reCAPTCHA v3 - provides bot protection for website forms.

9.11

All Third-Party Processors are bound by written agreements that, in compliance with UK GDPR Article 28, require them to:

9.12

process Personal Data only in accordance with our documented instructions;

9.13

implement appropriate technical and organisational security measures to protect Personal Data;

9.14

not engage additional sub-processors without our prior specific or general written authorisation;

9.15

assist us in fulfilling our data protection obligations; and

9.16

either return or delete all Personal Data at the end of the service relationship.

9.17

Where we transfer your Personal Data outside the United Kingdom, we ensure appropriate safeguards are in place as required by UK Data Protection Laws. We do this by executing data processing agreements that incorporate the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and by conducting due diligence on our processors' security practices.

9.18

We will notify you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes.

9.19

Where our Third-Party Processors engage further sub-processors, we ensure that equivalent data protection obligations are imposed on those sub-processors through legally binding contractual arrangements.

9.20

We remain liable for the acts and omissions of our Third-Party Processors to the same extent we would be if performing the services directly, unless otherwise provided by applicable law.

10 INTERNATIONAL DATA TRANSFERS AND THE UK BRIDGE

10.1

As part of providing the Service, we may transfer your Personal Data to countries outside the United Kingdom. This includes transfers to our offices in the United States (Palo Alto) and Australia (North Sydney), and to our Third-Party Processors. Such transfers are necessary for purposes such as:

10.2

Routing AI requests through our AI Providers, who may be located outside the UK;

10.3

Storing data in cloud infrastructure (such as Supabase) with global data centres for performance and redundancy; and

10.4

Processing payments via international payment networks like Stripe.

10.5

Where we transfer Personal Data outside the UK to a country not covered by a UK adequacy regulation, we implement appropriate safeguards to ensure your data receives an equivalent level of protection as required by UK Data Protection Laws. These safeguards include:

10.6

For transfers to US-based organisations certified under the UK Bridge, we rely on the adequacy decision implemented by the Data Protection (Adequacy) (United States of America) Regulations 2023.

10.7

For all other such transfers, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.

10.8

Before making such transfers, we conduct a transfer impact assessment (TIA) to evaluate the risks involved. Where our assessment indicates it is necessary, we implement supplementary technical and organisational measures, such as enhanced encryption, to ensure the protection of your Personal Data.

10.9

Our AI Providers may process your Document Content in various locations globally. When the PII Protection feature is enabled, identifiable Personal Data is not transferred. When this feature is disabled, any Personal Data within your Document Content may be transferred internationally under the safeguards described in this clause.

10.10

Our Third-Party Processors are contractually obligated to process transferred Personal Data only for the purposes we specify, to implement protections equivalent to those required under UK Data Protection Laws, and to notify us of any legally binding requests for disclosure where permitted by law.

10.11

You may request further information about the specific safeguards we use for international data transfers by contacting us using the details provided in this Policy.

11 DATA SECURITY AND ISOLATION MEASURES

11.1

We implement robust technical and organisational measures to protect your Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with our obligations under Article 32 of the UK General Data Protection Regulation (UK GDPR). These measures are designed to ensure a level of security appropriate to the risk and include, but are not limited to:

11.2

Encryption of Personal Data in transit using industry-standard protocols (TLS 1.2 or higher).

11.3

Encryption of Personal Data at rest using strong cryptographic standards (e.g., AES-256).

11.4

Row-Level Security (RLS) policies in our databases to ensure users can only access their own data.

11.5

Regular security testing and vulnerability assessments of our systems.

11.6

Secure server-side proxying of all AI requests to prevent the exposure of API keys on client devices.

11.7

Our systems are designed to maintain strict data isolation between user accounts. We enforce logical separation at the application, database, and infrastructure levels to prevent unauthorised access or data leakage between different users.

11.8

Access to your Personal Data by our personnel is strictly controlled. We enforce:

11.9

The principle of least privilege and role-based access controls to ensure personnel only access data necessary to perform their job functions.

11.10

Multi-factor authentication (MFA) for all administrative access to production systems.

11.11

Comprehensive audit logging of access to and actions performed on production systems.

11.12

Document Content processed through our services is transient and not permanently stored on our servers, unless you voluntarily submit it as part of a Bug Report. For data stored locally on your device, authentication tokens are stored in your browser's localStorage and are subject to strict expiration policies. Clause library references are stored in your browser's IndexedDB and are subject to same-origin restrictions.

11.13

We maintain a comprehensive incident response plan to address potential security breaches. In the event of a confirmed Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) and, where required, yourself without undue delay, in accordance with our legal obligations under Articles 33 and 34 of the UK GDPR.

12 COOKIES AND LOCAL STORAGE

12.1

Our Service uses cookies and similar technologies, such as Local Storage and IndexedDB (collectively, “Cookies”), to store information on your device. This is essential to provide, secure, and improve our Service. In accordance with the Privacy and Electronic Communications Regulations (PECR), we classify these technologies as follows:

12.2

These are essential for the Service to function and do not require your prior consent. Disabling them will prevent the Service from working correctly. These include:

12.3

These are non-essential and are only used on our Website (not the Add-in) after we have obtained your explicit consent via our cookie banner. These include:

12.4

Authentication Tokens: We store authentication tokens (Supabase JWT) in your browser's localStorage to maintain your secure, logged-in session on both the Website and the Add-in.

12.5

Offline Functionality: The Add-in uses IndexedDB to store clause folder handles, enabling you to access your saved clauses if you are temporarily offline.

12.6

Security: Our Website uses Google reCAPTCHA cookies on forms to protect the Service from spam and malicious bot activity.

12.7

Usage Analysis: We use first-party PostHog cookies to analyse aggregated usage patterns on our Website. This helps us understand how our Service is used and where we can make improvements.

12.8

Managing Your Preferences

12.9

You can manage your cookie preferences at any time. On our Website, you can adjust your consent for Analytics Cookies via our cookie settings panel. You can also block or delete Cookies through your browser settings, but please be aware that disabling Strictly Necessary Technologies will significantly impair Service functionality and may prevent you from logging in.

12.10

Data Retention and Security

12.11

We design our use of these technologies with your privacy in mind:

12.12

Authentication tokens stored in localStorage automatically expire after 7 days of inactivity or immediately when you log out.

12.13

Data stored in IndexedDB persists on your device until you manually clear it via your browser's privacy settings.

12.14

We do not use any cookies or similar technologies for third-party advertising or to track your browsing activity across other websites.

12.15

All data stored locally is subject to your browser's same-origin policy to prevent unauthorised cross-site access.

13 YOUR RIGHTS UNDER UK GDPR

13.1

Under the UK General Data Protection Regulation (UK GDPR), you have the following rights regarding your Personal Data:

13.2

Right of Access: You have the right to request a copy of the Personal Data we hold about you and information about how we process it.

13.3

Right to Rectification: You have the right to request the correction of inaccurate or incomplete Personal Data we hold about you.

13.4

Right to Erasure: You have the right to request the deletion of your Personal Data where there is no compelling reason for its continued processing.

13.5

Right to Restriction of Processing: You have the right to request that we suspend the processing of your Personal Data in certain circumstances.

13.6

Right to Data Portability: You have the right to request the transfer of your Personal Data to you or to a third party in a structured, commonly used, machine-readable format.

13.7

Right to Object: You have the right to object to our processing of your Personal Data where we are relying on a legitimate interest, or for direct marketing purposes.

13.8

Right to Withdraw Consent: Where our processing is based on your consent, you have the right to withdraw that consent at any time.

13.9

Rights Related to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you.

13.10

To exercise any of these rights, please contact us at info@hypercounsel.com. You may also be able to exercise certain rights directly via self-service tools in your account settings. We may need to request specific information from you to help us confirm your identity before processing your request.

13.11

We will respond to all legitimate requests within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

13.12

You will not usually have to pay a fee to exercise your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

13.13

Please note that these rights are not absolute and may be subject to certain exemptions. For example, we may be entitled to refuse a request where we have an overriding legitimate interest or a legal obligation to continue processing the data.

13.14

You have the right to lodge a complaint at any time with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

14 AUTOMATED DECISION-MAKING AND AI ASSISTANCE

14.1

The Service utilises artificial intelligence to generate drafting suggestions, analyses, and other outputs (“AI Output”). The Service is designed as an assistive tool only and does not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, as defined in Article 22 of the UK GDPR.

14.2

You retain full control and responsibility for reviewing, editing, and approving any AI Output before use or reliance. The AI Output is provided for informational purposes only and does not constitute legal advice. No legal determinations or binding decisions concerning you are made solely by automated means.

14.3

You acknowledge that AI Output may reflect systemic limitations or biases inherent in machine learning systems. We do not guarantee the accuracy, completeness, or fitness for purpose of any AI Output, and you remain solely responsible for verifying its suitability for your intended use.

14.4

Notwithstanding the above, you have the right to request human intervention, express your point of view, and contest any AI Output by contacting us or by manually overriding the suggestions within the Service interface.

15 PAYMENT PROCESSING AND STRIPE

15.1

All payment processing for the Service is handled by Stripe, Inc. (“Stripe”), a third-party payment processor. When you subscribe to the Service or make any payments, your payment card details and billing information are collected directly by Stripe and are not stored or processed on our servers.

15.2

To facilitate payments, you authorise us to share necessary Account Data with Stripe, including your email address and unique user identifier, for transaction processing and reconciliation purposes.

15.3

We receive and store only the following limited payment-related information from Stripe for billing and subscription management:

15.4

Your subscription status and plan type;

15.5

The last four digits and expiration date of your payment card;

15.6

The card type (e.g., Visa, Mastercard); and

15.7

Your billing address (city, country, and postal code only).

15.8

Stripe's collection and use of your personal data is governed by its own privacy policy, which we strongly encourage you to review. You acknowledge and agree that we are not responsible for Stripe's data processing practices.

15.9

Stripe is certified as a PCI Service Provider Level 1, the most stringent level of certification available in the payments industry.

15.10

As Stripe is based in the United States, it is certified under the UK Extension to the EU-US Data Privacy Framework. This ensures that your personal data receives an adequate level of protection when transferred outside the UK, in accordance with UK data protection laws.

16 COMPLAINTS AND THE INFORMATION COMMISSIONER’S OFFICE (ICO)

16.1

If you have any concerns about our handling of your Personal Data or wish to make a complaint about a potential breach of Data Protection Laws, please contact us first at info@hypercounsel.com. We will investigate and respond to all legitimate complaints within one month.

16.2

If you are not satisfied with our response, or believe we are processing your Personal Data in a way that is not lawful, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters. The ICO can be contacted at:

17

Website: https://ico.org.uk

17.1

Telephone: 0303 123 1113

17.2

Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

17.3

We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance. Please be assured that this does not affect your statutory right to lodge a complaint with the ICO.

18 CHANGES TO THIS PRIVACY POLICY

18.1

We may update this Privacy Policy from time to time to reflect changes in our practices, service offerings, or legal requirements. When we make material changes, we will provide you with at least thirty (30) days' notice, for example by notifying you through the Service, your account dashboard, or by sending an email to the address associated with your account. This notice period may be shorter if a change is required to comply with legal obligations or to address an urgent security or operational issue.

18.2

Material changes include, but are not limited to: (a) significant changes to the types of Personal Data we collect or the purposes for which we process it; (b) fundamental alterations to how we process or share your Personal Data; (c) changes affecting your rights under applicable data protection laws; or (d) modifications to our international data transfer mechanisms.

18.3

The “Last Updated” date at the top of this Privacy Policy indicates when it was last revised. We encourage you to review this Policy periodically to stay informed about how we protect your Personal Data.

18.4

Your continued use of our Service after the effective date of the revised Privacy Policy will constitute your acceptance of the changes. If you do not agree with the updated terms, you must stop using the Service and terminate your account before the changes take effect, in accordance with the process outlined in our Terms and Conditions.

18.5

Notwithstanding the above, where required by applicable law in England and Wales (including the UK GDPR), we will obtain your explicit consent to any material changes that expand our rights to process your Personal Data in ways not covered by the lawful bases disclosed to you when you first provided the data.

19 CONTACT INFORMATION AND NOTICES

19.1

For any questions, requests, or notifications regarding this Privacy Policy or our data protection practices, you may contact our Data Protection Officer at:

20

Email: info@hypercounsel.com

20.1

Post: The Data Protection Officer, AirCounsel Ltd., [Registered Office Address], United Kingdom

20.2

In accordance with our obligations under applicable Data Protection Laws, we will respond to all legitimate requests from data subjects within one month of receipt. If we require additional time due to the complexity or number of requests, we will notify you of any such extension within the initial one-month period, together with the reasons for the delay.

20.3

All formal notices from you to us regarding data protection matters must be in writing and sent to the contact details in clause 18.1. Notices sent by email shall be deemed received on the next Business Day if sent after 5:00 pm (UK time) or on a day that is not a Business Day. For the purpose of this clause, “Business Day” means a day other than a Saturday, Sunday or public holiday in England.

20.4

It is your responsibility to ensure the contact information associated with your account is current and accurate. Any notices we are required to send to you will be sent to the email address associated with your account and shall be deemed received upon transmission, unless we receive a delivery failure notification.

20.5

For the purpose of serving legal proceedings or other formal legal notices, our address for service is our registered office:

20.6

AirCounsel Ltd., [Registered Office Address], United Kingdom, Company No. 12000525. Such documents must be marked for the attention of the Legal Department.
