Privacy Policy
Search the Law (“we,” “us,” or “our”) is committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have.
1. Who We Are
Search the Law is operated by Search The Law Group Ltd, a company registered in England and Wales (company number 17161794), with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
Data protection contact: hello@searchthe.law
ICO registration: ZC133505. We are registered with the Information Commissioner’s Office (ICO) as a data controller. You can verify our registration at ico.org.uk.
2. What Data We Collect
Account information. Your email address and, optionally, your name. We use passwordless authentication — we do not ask for, collect, or store passwords.
Search queries. When you are signed in, your search queries are stored and linked to your account to provide saved search functionality.
Research outputs. Bookmarks, folders, and any saved analyses associated with your account.
Technical data. Server logs collected by our hosting provider, including IP addresses, browser type, operating system, and access times. We also collect first-party analytics data (page views, search counts, and result clicks) to understand how the service is used.
Subscription and payment data. If you subscribe to a paid plan, payment processing is handled by our third-party payment provider. We do not directly collect or store your credit card or bank details. We retain a record of your subscription tier, start date, and billing status.
Data we do not collect. We do not collect passwords, government identity documents, financial account details, health information, or data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or biometric data.
3. How and Why We Use Your Data
UK GDPR requires us to have a lawful basis for each type of processing.
| Purpose | Data used | Lawful basis |
|---|---|---|
| Providing the search and research service | Email, search queries, saved research | Contract performance (Article 6(1)(b)) |
| Account creation and authentication | Email address | Contract performance (Article 6(1)(b)) |
| Sending transactional emails (sign-in links, account notifications) | Email address | Contract performance (Article 6(1)(b)) |
| Processing payments and managing subscriptions | Subscription records, payment provider references | Contract performance (Article 6(1)(b)) |
| Improving search quality and service performance | Aggregated and anonymised search data, analytics | Legitimate interest (Article 6(1)(f)) |
| Maintaining security and preventing abuse | IP addresses, server logs, rate-limiting data | Legitimate interest (Article 6(1)(f)) |
| Service communications | Email address | Legitimate interest (Article 6(1)(f)) — you can opt out at any time |
| Responding to enquiries and support requests | Email address, content of your message | Legitimate interest (Article 6(1)(f)) |
| Complying with legal obligations | Account and transaction records | Legal obligation (Article 6(1)(c)) |
We do not sell your data, share it with advertisers, or use it to build advertising profiles.
Marketing communications. We do not currently send marketing emails. If we introduce marketing communications in the future, we will only send them with your explicit opt-in consent (Article 6(1)(a)), and you will be able to unsubscribe at any time.
4. Third-Party Processors
We use a limited number of third-party services to operate the platform. Each processor only receives the minimum data necessary for its function.
| Processor | Location | Purpose | Data shared | Transfer mechanism |
|---|---|---|---|---|
| Hetzner Online GmbH | Germany (EU adequate) | Server hosting | Server logs (IP, browser, access times) | UK adequacy decision for EU/EEA |
| Anthropic (Claude API) | United States | AI-assisted search analysis and brief generation | Query text and publicly available judgment excerpts only. We do not send your email, name, IP address, or account details to Anthropic | UK Extension to the EU-US Data Privacy Framework |
| DeepSeek | China (self-hosted API) | Structured extraction from public court records | Publicly available judgment text only. Our architecture structurally prevents any user-derived data from reaching DeepSeek — no search queries, case descriptions, client positions, email addresses, names, IP addresses, or account identifiers are included in DeepSeek API calls. Because only publicly available government data is processed, this does not constitute a transfer of personal data under UK GDPR Chapter V | N/A — no personal data transferred |
| Resend | United States | Transactional email delivery | Email address | UK Extension to the EU-US Data Privacy Framework |
| UK Government APIs | United Kingdom | Legal database searches | Search query text forwarded to Find Case Law (The National Archives), legislation.gov.uk, Hansard, and other official databases | N/A — domestic processing |
We have Data Processing Agreements (DPAs) in place with all processors that handle personal data, as required by UK GDPR Article 28.
A note on DeepSeek and data transfers to China
Detailed explanation: We take the regulatory concerns around data transfers to China seriously. Our architecture is designed so that DeepSeek receives only publicly available court judgment text retrieved from UK government databases — the same text that is freely accessible to anyone on the internet via The National Archives. This is an architectural guarantee, not a filtering or sanitisation measure: user queries, case descriptions, client positions, and all other user-derived inputs are structurally excluded from the code paths that call the DeepSeek API. DeepSeek’s role is limited to structured extraction from public judgment texts; all user-context-aware analysis is performed by Anthropic’s Claude models under the EU-US Data Privacy Framework. If our architecture changes in a way that would require personal data to be processed by DeepSeek, we will implement appropriate safeguards (including an International Data Transfer Agreement and Transfer Impact Assessment) or cease using DeepSeek before any such change takes effect.
5. International Data Transfers
Some of our processors are located outside the United Kingdom. We ensure that any transfer of personal data to a country outside the UK is protected by one of the following safeguards, as required by UK GDPR Chapter V:
- EU/EEA countries (including Germany): The UK has issued adequacy regulations for the EEA, meaning personal data can flow freely.
- United States: Where the processor is certified under the UK Extension to the EU-US Data Privacy Framework, or where we have entered into the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses with the UK Addendum.
- Other countries: We will not transfer personal data to any country without an adequacy decision unless appropriate safeguards are in place and documented.
6. Cookies and Local Storage
Session token (strictly necessary). We store an authentication session token in your browser’s local storage to keep you signed in. This is strictly necessary to provide the service you have requested, and does not require consent under PECR Regulation 6(4).
We do not use third-party analytics trackers, advertising cookies or tracking pixels, third-party cookies of any kind, or cross-site tracking technologies.
First-party analytics. We collect aggregate usage data (page views, search counts, result click positions) using our own server-side analytics. You can request deletion of your analytics data at any time by contacting us.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account information (email, name) | Retained while your account is active. Deleted within 30 days of a deletion request |
| Search queries and saved research | Retained while your account is active. Deleted within 30 days of a deletion request |
| Subscription and billing records | Retained for 6 years after the end of the subscription period (Taxes Management Act 1970) |
| Server logs (IP, browser, access times) | Retained for 90 days, then automatically deleted |
| First-party analytics data | Retained in aggregate form indefinitely. Per-user analytics deleted within 30 days of account deletion |
| Transactional email records | Retained for 12 months |
When you request account deletion, we will delete or anonymise your personal data within 30 days. Some data may be retained in encrypted backup systems for up to an additional 30 days before being permanently purged.
8. Your Rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
Right of access (Article 15). You can request a copy of the personal data we hold about you.
Right to rectification (Article 16). You can ask us to correct inaccurate personal data or complete incomplete data.
Right to erasure (Article 17). You can ask us to delete your personal data. We will do so unless we have a legal obligation to retain it.
Right to restriction of processing (Article 18). You can ask us to restrict how we use your data in certain circumstances.
Right to data portability (Article 20). You can request your personal data in a structured, commonly used, machine-readable format.
Right to object (Article 21). You can object to processing based on legitimate interest. We will stop processing unless we can demonstrate compelling legitimate grounds.
Rights related to automated decision-making (Article 22). Our AI-powered features generate research outputs using automated processing. These outputs are informational tools to assist your legal research — they do not constitute legal advice and do not produce decisions with legal or similarly significant effects on you. If you believe automated processing has significantly affected you, you can contact us to request human review.
Right to withdraw consent. Where we rely on consent as the lawful basis for processing, you can withdraw that consent at any time.
How to exercise your rights. Contact us at hello@searchthe.law. We will respond within one month.
Right to complain. You have the right to lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint · 0303 123 1113
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encrypted data transmission (HTTPS/TLS) for all connections
- Passwordless authentication, eliminating the risk of password breaches
- Access controls limiting who can access personal data
- Regular security reviews of our infrastructure and processors
- Architectural separation ensuring user-derived data cannot reach third-party processors that operate outside UK-adequate jurisdictions
No system is completely secure. If you become aware of any security vulnerability, please contact us immediately at hello@searchthe.law.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours (Article 33) and notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Article 34). We document all breaches in our internal breach register.
11. Children’s Data
Search the Law is designed for adults and is not directed at children. You must be at least 18 years old to create an account. We do not knowingly collect personal data from anyone under 18. If you believe a child under 18 has provided us with personal data, please contact us at hello@searchthe.law.
12. Changes to This Policy
For material changes — such as new categories of data collection, new processors, changes in lawful basis, or reduction in your rights — we will notify you by email before the changes take effect.
For minor or clarifying changes, we will update the policy on this page with a new “last updated” date.
13. Governing Law
This privacy policy is governed by the laws of England and Wales. Any disputes will be subject to the jurisdiction of the courts of England and Wales, without prejudice to your right to lodge a complaint with the ICO.
14. Contact Us
Data protection enquiries: hello@searchthe.law
Postal address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Search the Law is a legal research tool that provides access to publicly available UK legal information. It does not provide legal advice, legal representation, or create a solicitor-client relationship. For legal advice, consult a qualified solicitor or contact your local Citizens Advice service.