Privacy Policy
How LucidLaw collects, uses, stores, and protects your personal information — and your rights in relation to that information.
About this Policy
LucidLaw Pty Ltd ("LucidLaw", "we", "us", or "our") operates lucidlaw.com.au and related services (collectively, the "Platform"). This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and with UK GDPR where applicable.
By using the Platform, you acknowledge that you have read and understood this policy. If you do not agree with any part of it, please do not use the Platform.
This policy applies to all users of the Platform, including consumers seeking legal guidance, legal professionals subscribing to our professional tools, and visitors to our website.
LucidLaw provides legal information, not legal advice. Nothing on the Platform creates a solicitor-client relationship. If you need legal advice specific to your circumstances, you should consult a qualified Australian legal practitioner.
What We Collect
Consumer users
- Name and contact details (email address, phone number where provided)
- Details of your legal situation as entered into our triage tool — including issue type, jurisdiction, and urgency indicators
- Documents you upload or generate through the Platform
- Payment information processed via Stripe (we do not store card numbers)
- Usage data: pages visited, features used, session duration, device type, and browser information
- Communications with LucidLaw including support messages
Professional users (lawyers and mediators)
- Name, law firm or practice name, and contact details
- Professional registration details (admission jurisdiction, practising certificate number)
- Practice areas, geographic coverage, and subscription tier
- Referral activity and intake data associated with your account
- Billing and subscription payment information
Sensitive information
Some legal matters involve sensitive personal information as defined under the Privacy Act — including information relating to health, family circumstances, financial hardship, or safety concerns. We only collect sensitive information where you have voluntarily provided it as part of describing your legal situation, and we apply heightened protections to it as described in this policy.
How We Collect It
We collect personal information:
- Directly from you — when you create an account, use the triage tool, upload documents, purchase a document, or contact us
- Automatically — through cookies, analytics tools, and server logs as you interact with the Platform
- From third parties — including identity verification services (where applicable) and referral partners who direct users to the Platform
We will not collect personal information by unlawful means or in ways that are unreasonably intrusive.
Why We Use Your Data
| Purpose | Legal basis (Australia) | Legal basis (UK GDPR) |
|---|---|---|
| Providing the triage, document, and referral services you request | APP 6 — primary purpose | Contract performance |
| Account management and authentication | APP 6 — primary purpose | Contract performance |
| Processing payments via Stripe | APP 6 — primary purpose | Contract performance |
| Improving the Platform and training AI models on anonymised data | APP 6 — related secondary purpose | Legitimate interests |
| Safety notifications and platform communications | APP 6 — related secondary purpose | Legitimate interests |
| Legal compliance and fraud prevention | APP 6 — required by law | Legal obligation |
| Generating anonymised B2B insights (see Section 6) | APP 6 — related secondary purpose | Legitimate interests |
AI Processing Disclosure
LucidLaw uses artificial intelligence — including the Anthropic Claude API — to power its triage engine, jurisdiction detection, and document generation tools. When you interact with these features, the information you provide is processed by our AI systems to generate outputs.
What this means in practice
- Your inputs are processed to classify your legal issue, identify the relevant jurisdiction, and suggest appropriate next steps or documents
- AI outputs are generated responses — they are not legal advice and have not been reviewed by a qualified lawyer unless explicitly stated
- We apply a citation verification layer to check AI outputs against authoritative legal sources (AustLII, legislation.gov.au) before presenting them to you
- We maintain human review protocols and escalation triggers for complex or high-stakes matters
AI tools can make errors. Do not rely solely on AI-generated outputs for important legal decisions. Where the Platform indicates you should speak with a lawyer, you should do so.
Anthropic data handling
Queries processed through the Anthropic Claude API are subject to Anthropic's privacy policy and data processing terms. We have configured our integration to minimise the transmission of personally identifiable information to the extent technically practicable, using anonymisation and session-based processing where possible.
Anonymised Data & B2B Insights
LucidLaw aggregates and anonymises data from across the Platform to generate insights about legal need patterns — for example, the most common tenancy issues in a given postcode, or seasonal trends in employment-related enquiries.
How anonymisation works
- Data is stripped of all direct identifiers (name, email, contact details) before aggregation
- Aggregated outputs contain a minimum threshold of data points to prevent re-identification
- We do not sell raw personal data to any third party
- Anonymised insights may be shared with law firms, insurers, financial institutions, government bodies, and academic researchers as part of LucidLaw's B2B data product
Anonymised insights cannot be used to identify you. No third party receiving B2B insight data can trace it back to any individual user. We do not and will not sell identifiable personal data.
Referral Disclosures
When you are matched with a legal professional through the Platform, the following applies:
What is shared with referred professionals
- A structured summary of your legal issue — the information you provided during triage — is shared with the professional you are matched with or who you choose to contact
- Your contact details are only shared once you have expressly chosen to connect with a specific professional
- Professionals on the Platform are verified subscribers, bound by Platform terms prohibiting use of your information for any purpose other than providing legal services to you
Referral fees
LucidLaw receives subscription and referral-related revenue from legal professionals listed on the Platform. This commercial relationship does not affect which professionals are suggested to you — relevance (practice area and jurisdiction match) is the sole criterion for any placement. All featured listings are clearly disclosed as such.
LucidLaw does not accept advertising from external parties. Only verified platform subscribers may appear in professional listings. This is a permanent platform policy.
Domestic Violence Safety Path
Information entered through LucidLaw's domestic violence safety pathway is subject to the strongest data protections we apply. This data is never monetised, never included in B2B insight products, and is handled under a separate data governance protocol.
Specific commitments
- DV safety path data is stored separately from general platform data with additional access controls
- It is never shared with professional subscribers unless you have expressly requested a referral
- It is never used to train AI models
- It is never included in aggregated or anonymised data sets
- Retention of DV safety path data is subject to the shortest practicable retention period consistent with providing the service requested
- You may request deletion of this data at any time — actioned within 5 business days
If you are in immediate danger, please contact emergency services (000) or the National Domestic Violence and Counselling Service (1800RESPECT — 1800 737 732).
Sharing & Disclosure
We do not sell personal information. We may share personal information with:
Service providers
- Stripe — payment processing
- Amazon Web Services (AWS Sydney region) — cloud hosting and data storage
- Anthropic — AI processing (see Section 5)
- Loops.so — email communications and waitlist management
- Google Analytics / Search Console — website analytics (anonymised)
All service providers are engaged under contractual terms that restrict their use of personal information to the services they provide to LucidLaw.
Legal professionals
As described in Section 7, triage summaries are shared with referred professionals only where you have chosen to connect with them.
Legal requirements
We may disclose personal information where required by law, court order, or regulatory authority. We will notify you of such disclosure where legally permitted to do so.
Business transfers
If LucidLaw is acquired or merges with another entity, personal information may be transferred to the acquirer, subject to equivalent privacy protections. We will notify users of any such transfer in advance.
Overseas disclosure
Some of our service providers operate outside Australia (including the United States). Before disclosing personal information overseas, we take reasonable steps to ensure the recipient applies privacy protections substantially similar to the APPs. By using the Platform, you consent to this transfer where it is necessary to provide our services.
Data Storage & Security
All personal data is stored on AWS infrastructure in the Sydney region (ap-southeast-2), maintaining Australian data residency for consumer and DV safety data.
Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls with multi-factor authentication for all internal systems
- Separate, access-controlled storage for DV safety path data
- Regular security assessments and penetration testing
- Incident response procedures compliant with the Notifiable Data Breaches scheme
Despite these measures, no internet-based service can guarantee absolute security. If you believe your account has been compromised, contact us immediately at privacy@lucidlaw.com.au.
Data breach notification
In the event of an eligible data breach under the Privacy Act 1988 (Cth), we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by the Notifiable Data Breaches scheme, as soon as practicable and within 30 days of becoming aware of the breach.
Retention & Deletion
| Data type | Retention period |
|---|---|
| Account and profile information | Duration of account plus 2 years after closure |
| Documents — free plan | 30 days from creation unless upgraded or downloaded |
| Documents — paid plan | Duration of subscription plus 12 months |
| Triage session data | 12 months from session date |
| Payment transaction records | 7 years (Australian tax law requirement) |
| DV safety path data | Minimum period required; deletion on request within 5 business days |
| Anonymised aggregated data | Indefinite (cannot identify individuals) |
You may request deletion of your personal data at any time (see Section 12). Some data must be retained for legal compliance reasons and cannot be deleted on request.
Your Rights
Under the Australian Privacy Act
- Access — the right to request access to the personal information we hold about you
- Correction — the right to request correction of inaccurate, incomplete, or out-of-date information
- Complaints — the right to make a complaint about how we handle your personal information
- Opt-out of direct marketing — you may opt out of receiving marketing communications at any time
Additional rights for UK users (UK GDPR)
- Erasure — the right to request deletion of your personal data, subject to legal retention requirements
- Portability — the right to receive your personal data in a structured, machine-readable format
- Restriction — the right to request we restrict processing of your data in certain circumstances
- Objection — the right to object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, the right to withdraw it at any time
How to exercise your rights
Contact us at privacy@lucidlaw.com.au. We will respond to all requests within 30 days and will not charge you for making a request.
Complaints
- Australia — Office of the Australian Information Commissioner (OAIC): oaic.gov.au · 1300 363 992
- United Kingdom — Information Commissioner's Office (ICO): ico.org.uk
Cookies & Tracking
| Category | Purpose | Can be declined? |
|---|---|---|
| Strictly necessary | Session management, authentication, security | No — required for the Platform to function |
| Functional | Remembering your preferences and settings | Yes — via cookie banner |
| Analytics | Understanding usage patterns (anonymised) | Yes — via cookie banner |
We do not use advertising or tracking cookies. You can manage cookie preferences through the banner displayed on your first visit, or through your browser settings.
Children
The Platform is not directed at children under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe we may have inadvertently collected such information, please contact us at privacy@lucidlaw.com.au and we will delete it promptly.
Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be notified to registered users by email and prominently displayed on the Platform for 30 days before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
Contact Us
For all privacy enquiries, access requests, corrections, or complaints, contact our Privacy Officer:
Privacy Officer — LucidLaw
Email: privacy@lucidlaw.com.au
Post: LucidLaw Pty Ltd, Adelaide, South Australia
We aim to respond within 5 business days, and within 30 days for formal access or correction requests.