This data protection policy explains how the Company collects, uses, shares, and protects users’ (hereinafter referred to as the “you” or “your”) personal data (hereinafter referred to as the "Personal Data”) when you use our legal research and analysis platform and associated services (hereinafter referred to as the "Services”). We are committed to protecting your privacy and handling your Personal Data in an open and transparent manner. This privacy policy (hereinafter referred to as the “Privacy Policy”) is designed to comply with the EU Regulation 2016/679 of 27 April 2016 on the protection of individuals with regards to the processing of personal data (hereinafter referred to as the “GDPR”) and relevant Luxembourgish data protection laws.

If you have any questions about this Privacy Policy, the practices of our Services or our website (www.alize.lu) (hereinafter referred to as the “Website”), you can contact us at the above e-mail and/or postal addresses.

The Company, when collecting, storing, sharing and processing your Personal Data obtained in the context of the provision of the Services or via the Website, is acting as data controller - pursuant to Articles 4, n. 7) and 24 of the GDPR – (hereinafter referred to as the “Data Controller”).

The Data Controller hereby undertakes to always process Personal Data in accordance with the provisions of the GDPR and any applicable Luxembourgish data protection laws (including but not limited to the Luxembourg law of 1st August 2018 organizing the National Commission for data protection and the general system on data protection, as amended from time to time) (collectively hereinafter the “Data Protection Laws”).

Any terms foreseen under the GDPR, unless defined otherwise in the present Privacy Policy, should have the meaning given to them in such regulation.

You represent and warrant that you have carefully read this Privacy Policy.

1. Preamble

What personal data does the Company as Data Controller collect?
What is Personal Data used for and on the basis of which legal grounds?
With whom will Personal Data be shared?
How long will Personal Data be retained?
The Data Subject’s rights
Changes to this Privacy Notice
Data Security
International Data Transfers
Children's Privacy

2. What personal data does the Company as Data Controller collect?

The Company only collects Personal Data that is strictly necessary for the provision and appropriate functioning of our Services and of our Website.

The Personal Data we collect includes: Account information (account name/username, email address, organization name if applicable, website if applicable, password stored in hashed format[1]), content data (chat conversations that are end-to-end encrypted[2], queries submitted to our AI-powered tools), and usage data (information about how you access and use the Services, such as IP address, browser type, operating system, pages viewed, and dates/times of visits).

The only Personal Data that are processed when you visit our Website are technical information collected from the cookies that we have in place. For more information, please see Section III below.

We will also collect your e-mail address and any other Personal Data that you may disclose to us when contacting us at the e-mail or postal address mentioned above.

3. What is the Personal Data used for and on the basis of which legal grounds?

The Personal Data are processed by the Data Controller to provide and maintain our Services (create and manage your account, operate the platform), process your queries (queries are sent to our generative AI provider to generate responses for legal research and analysis tools), communicate with you (send service-related notices, updates, security alerts), improve our Services (understand user interactions, identify improvements, develop new features using aggregated and anonymized data), ensure security (protect against unauthorized access, fraud, malicious activities), and comply with legal obligations.

The Data Controller may also, where applicable, process your Personal Data to take steps at your request prior to entering into a contract or where it is necessary for the performance of a contract to which you are subject.

We process your Personal Data based on the following legal grounds:

Contractual necessity (Article 6(1)(b) of the GDPR) for processing account information necessary to fulfil our contract to provide the Services;
Legitimate interests (Article 6(1)(f) of the GDPR) for processing queries through our AI provider, improving our Services, ensuring security, and communicating essential service information;
Consent (Article 6(1)(a) of the GDPR) for any uses not covered by other legal bases, and
Legal obligation (Article 6(1)(c) of the GDPR) when required to comply with legal obligations.

4. With whom will Personal Data be shared?

The Personal Data may be processed by (and thus shared to) the Data Controller’s data recipients including: The Company’s generative AI provider (currently Google Cloud for processing queries, which processes data in accordance with GDPR and may process globally, though EU-only processing can be arranged upon request); our cloud hosting provider (Linode, an Akamai company, hosting our servers including databases in Germany where encrypted chat history and account information are stored); the Website administrator; the Website analytics service provider; and the communication agency (collectively hereinafter the “Recipients”).

The Recipients may, under their own responsibility, disclose your Personal Data to their agents and/or delegates (the “Sub-Recipients”), which shall process the Personal Data for the sole purposes of assisting the Recipients in providing their services to the Data Controller and/or assisting the Recipients in fulfilling their own legal obligations.

The Recipients and Sub-Recipients are located inside the European Economic Area (the “EEA”).

Should Recipients and Sub-Recipients be located in a country outside the EEA which benefits from an adequacy decision of the European Commission, the Personal Data would be transferred to the Recipients and Sub-Recipients upon such adequacy decision. Where the Recipients and Sub-Recipients would be located outside the EEA in a country which does not ensure an adequate level of protection for Personal Data or does not benefit from an adequacy decision of the European Commission, the Data Controller will enter into legally binding transfer agreements with the relevant Recipients in the form of the European Commission approved model clauses or any other appropriate safeguards pursuant to the GDPR, as well as, if necessary, supplementary measures. In this respect, You as data subject would have a right to request copies of the relevant document for enabling the Personal Data transfer(s) towards such countries by writing to the Data Controller at the address mentioned under Section I above.

The Recipients and Sub-Recipients may, as the case may be, process the Personal Data as data processors (when processing the Personal Data on behalf and upon instructions of the Data Controller and/or the Recipients), or as distinct data controllers (when processing the Personal Data for their own purposes, namely fulfilling their own legal obligations).

5. How long will Personal Data be retained?

The Data Controller will retain Personal Data only for as long as necessary for the purposes set out in this Privacy Policy: Account Information is retained as long as your account is not deleted, the encrypted chat history is retained as long as your account is not deleted or until you choose to delete it, the query data sent to the AI provider is processed for the duration of the active query. Upon account deletion, we will delete or anonymize your Personal Data unless retention is required by law.

6. The Data Subject’s rights

In accordance with the conditions and limitations laid down by the Data Protection Laws, You acknowledge your right to:

access your Personal Data;
correct your Personal Data where it is inaccurate or incomplete;
object to the processing of your Personal Data;
restrict the use of your Personal Data;
ask for Personal Data portability.

You may exercise your above rights by writing to the Data Controller to the contact details mentioned under Section I above.

The Data Subjects also acknowledge the existence of their right to lodge a complaint with the Commission Nationale pour la Protection des Données (the “CNPD”) at the following address: cnpd.public.lu; or with any competent data protection supervisory authority of their EU Member State of residence.

7. Changes to this Privacy Notice

This Privacy Policy may be updated periodically and without prior notice to you to reflect changes in our online information practices. When changes are made to this Privacy Policy, they will be made available to Data Subjects on the present Website. We therefore encourage you to periodically check this Privacy Policy to understand how the Company protects and uses your information.

8. Data Security

We implement robust technical and organizational measures to protect your Personal Data: Password hashing (passwords are not stored in plain text but are hashed), chat encryption (chat conversations are end-to-end encrypted using a private key stored in your browser and known only to you), secure servers (servers hosted with Linode in Germany are protected by industry-standard security measures), and data minimization (we only collect and store data that is strictly necessary).

Important note: Our Services and tools are designed for legal research and analysis and do not benefit from the inclusion of confidential or sensitive personal information in your queries. We strongly advise you not to include sensitive Personal Data, client-confidential information, or any information they would not want processed by a third-party AI provider in their queries.

9. International Personal Data transfers

Servers and databases: Your account information and encrypted chat data are stored on servers located in Germany (EU).

AI query processing: By default, chat prompts are processed in EU-located Google Cloud resources. Users can manually switch to a global pool if they wish to do so. Our Google Cloud project operates under a Zero Data Retention policy, which excludes it from any logging, caching or storage of your chat prompts. It is also exempted from Abuse Monitoring.

EU-Only AI processing: We can offer configurations where your AI query data is processed exclusively within the EU upon request. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

10. Children’s Privacy

Our Services are not intended for individuals under the age of 16 (or a higher age if stipulated by local law). We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected Personal Data from a child, we will take steps to delete such information promptly.

III. USE OF COOKIES

This Website uses cookies. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

With specific regard to the cookies present on this Website, the Company informs you that it uses only technical cookies for the proper functioning of the pages of this site, for example:

Name of cookie

Purposes

Duration of storage

Functional cookies

Cookies implanted in the user/contractor terminal directly by the owner of the single website, if they are not used for other purposes: this is the case of session cookies, authentication cookies, customization cookies (for example, for the choice of the navigation language)

365 days

Analytics cookies

Cookies used to statistically analyse accesses/visits to the site which pursue exclusively statistical purposes and collect information in aggregate form

365 days

There is no need under applicable law to collect your consent when using “essential” or “functional” cookies. In case we would use cookies qualified as “non-essential”, we would collect your explicit consent in compliance with applicable law. You would in such a case have the possibility to withdraw your consent the same way and as easily as you gave it.

If you wish to change the settings of your browser with respect to the use of cookies, please find the step-by-step guides on how to disable cookies for different devices, operating systems, and browsers:

The guide on how to disable cookies on Android.
The guide on how to disable cookies on iPhone.
The guide on how to disable cookies on iPad.
The guide on how to disable cookies on Macbook.
The guide on how to disable cookies in Chrome.
The guide on how to disable cookies in Firefox.
The guide on how to disable cookies in Safari.
The guide on how to disable cookies in Edge.

Please remember if you turn off cookies in your browser then the settings would apply to all other websites as well, and not just this one.To find out more information about cookies, including information about how to manage and delete cookies, please visit http://www.allaboutCookies.org/.

IV. INTELLECTUAL PROPERTY RIGHTS

Any intellectual property rights of the Website pages and of the Services belong to the Company. Reproduction, copying, distribution or inclusion in other works, of part or all of the protected material available on the Website, is prohibited in any form except for printing or downloading the material for the sole purpose of private use in good faith.

V. LEGAL DISCLAIMER

The information contained on the Website is provided for informational purposes only.

Third-party resources that can be accessed with hypertext links from the Website are not under the control of the Company, and the Company is not responsible for the contents of any of these third-party resources. The third-party hypertext links presented on this site are provided for your convenience only. The inclusion of any link on this website does not imply any recommendation, approval or endorsement of that site by the Company.

Your use of this Website is at your own risk. The materials presented on this Website may be changed, improved, or updated without notice. The Company is not liable for any errors or omissions in the content of this Website or for damages arising from the use or performance of this Website under any circumstances.

Please be informed that any proceedings arising out of or relating to your use of this Website, its content and services will be subject to the laws of Luxembourg and the courts in Luxembourg shall have exclusive jurisdiction.

[1] This means it is converted into an unreadable string of characters, and we cannot access or see your original password.

[2] The private key required to decrypt these conversations is generated and stored locally in your browser and is known only to you. Alizé cannot access or read the content of your encrypted chats stored in our database.