Skip to content
clerk&

Legal

Privacy Policy.

Last updated: May 2026. How Leeside Labs Limited ("we", "our", or "us") collects, uses, and protects your data when you use clerk&.

Overview

Leeside Labs Limited is committed to protecting your privacy. This policy explains how we collect, use, and safeguard personal data when you use the clerk& application and website.

Data we collect

Account data

Authentication is provided by Supabase Auth using Microsoft (Azure AD) sign-in. We collect your name, email address, and the provider identifier — used to authenticate you and associate your account.

User profile

We store your role (clerk, barrister, solicitor, legal secretary), practice or firm name, country, and subscription status to personalise your experience and manage billing.

Audio recordings

Voice dictations are recorded on your device and uploaded over TLS to our EU-based cloud storage. Audio submitted for transcription is held in Google Cloud Storage in europe-west1 (Belgium) under a 30-day storage lifecycle. Where audio is also retained for in-app playback, it is held in Supabase Storage in Dublin. All audio is encrypted at rest, accessible only via short-lived signed URLs, and deletable by you; audio is purged when you close your account.

When dictations or notes contain third-party personal data (e.g. client names), clerk& acts as a data processor on your instructions, and you remain the data controller.

Scanned pages

When you scan or photograph pages to create a document, the page images are captured on your device and uploaded over TLS to our EU-based storage (Supabase Storage in Dublin) for text extraction. The original pages are then retained so you can review the extracted document against its source. They are encrypted at rest, accessible only via short-lived signed URLs, and deletable by you; the pages are purged when you delete the document or close your account.

Transcripts, documents, and matter data

Transcribed text, formatted fee notes, briefs, attendance notes, listings, correspondence, action items, and matter data are stored in our EU-based database (Supabase Postgres, Dublin).

Files and folders

Uploaded files (photographed notes, scanned documents, email attachments) and folder structures are stored in EU-based storage with the same retention and deletion rights.

Workspace data

Workspace names, membership records, role assignments, and invitation data are stored in our EU-based database to support team collaboration.

Billing data

Subscription and payment data is processed by Stripe. We store a Stripe customer ID and invoice metadata; full payment card details are never retained on our servers.

Operational logs

We maintain server-side diagnostic logs to monitor service health, investigate errors, and ensure reliability. These contain request identifiers, timestamps, performance metrics, and anonymised account identifiers — not dictation content. Logs are retained for the minimum period necessary to diagnose service issues, currently no longer than 7 days.

Analytics

With your consent, we use PostHog (EU Cloud, Frankfurt) to collect anonymised usage analytics and error reports. Session replay, where enabled, captures UI interactions only — not the content of your dictations or documents. Opt-out is available in account settings.

Legal bases for processing

  • Contract performance (Art. 6(1)(b)): account data, recordings, scanned pages, transcripts, documents, workspace data, and profile information.
  • Legitimate interest (Art. 6(1)(f)): operational logs for service reliability and security (retained for a maximum of 7 days).
  • Legal obligation (Art. 6(1)(c)): billing records for Irish Revenue and VAT compliance.
  • Consent (Art. 6(1)(a)): analytics and session replay via PostHog, withdrawable anytime.

Where your dictations or matter data contain special category data (Article 9 GDPR), you, as data controller, are responsible for establishing an appropriate Article 9(2) basis.

Data controller and processor roles

Leeside Labs Limited acts as a data controller for account, profile, billing, and analytics data.

For dictated, photographed, or pasted content (matter material), Leeside Labs Limited acts as a data processor on your instructions. You are the data controller for that content and are responsible for ensuring you have the appropriate legal basis to process it through our service.

Professional users who regularly process client personal data using clerk& should contact us at hello@clerkand.com to obtain a Data Processing Agreement (DPA), as required under Article 28 GDPR.

Where your data is processed

Personal data is stored within the European Economic Area. Each processor below operates under a Data Processing Agreement with Leeside Labs Limited. Where any onward transfer to a third country occurs, it is governed by the 2021 Standard Contractual Clauses (Module 2) and, where applicable, the EU-US Data Privacy Framework.

  • Application hosting: Vercel, Inc., with EU function execution in dub1 (Dublin, Ireland).
  • Database, file storage, authentication, and backend functions: Supabase, Inc., with the project running on AWS eu-west-1 (Dublin, Ireland). Matter content is held only in private storage buckets.
  • AI processing: Google LLC (Google Vertex AI), with Gemini models running in europe-west1 (Belgium). Vertex AI is the sole AI processor for all user-facing tasks: transcription, document drafting, classification, formatting, filing suggestions, and image extraction. Prompts and completions are not used to train Google models.
  • Audio storage (transcription): Google LLC (Google Cloud Storage), with the audio bucket co-located with Vertex AI in europe-west1 (Belgium). Audio bytes are uploaded directly from the client via short-lived signed PUT URLs and are auto-expired by a 30-day storage lifecycle.
  • Subscription billing: Stripe Payments Europe Limited (Dublin, Ireland), an Irish entity within the Stripe group, with onward processing by Stripe, Inc. (USA) under SCCs and the EU-US Data Privacy Framework.
  • Opt-in product analytics: PostHog, Inc., EU Cloud hosted in eu-central-1 (Frankfurt, Germany). PostHog is loaded only after explicit consent.
  • Admin signup alerts: Brevo (Sendinblue SAS, France) — used solely to notify us of new signups. Not used for user-facing transactional or marketing email.

Matter content stays narrow

Your dictations, transcripts, briefs, attendance notes, correspondence, and other matter content are processed only by:

  • Supabase — database, file storage, and backend functions, EU region (Dublin).
  • Google Cloud Storage — audio bucket for the transcription pipeline, EU region (Belgium), co-located with Vertex AI, 30-day lifecycle.
  • Google Vertex AI — sole AI processor for transcription, drafting, classification, formatting, filing, and vision, EU region (Belgium). No fallback provider.

Matter content is not sent to Stripe, PostHog, Brevo, or any analytics, marketing, or advertising processor. It is not sold, rented, or shared with third parties, and is not used to train AI models.

International transfers and the CLOUD Act

Several of our processors — including Supabase, Google, Microsoft, Vercel, PostHog, and the parent of Stripe Payments Europe — are US-headquartered corporations. Although personal data is processed in the European Economic Area, US incorporation means a processor may, in principle, be subject to US legal process such as the CLOUD Act, regardless of where the data sits at rest.

We rely on the following supplementary measures, in line with European Data Protection Board guidance following Schrems II:

  • Encryption at rest (AES-256) and encryption in transit (TLS 1.3) across all processors.
  • Per-tenant access controls and row-level security on the database.
  • Contractual protections: 2021 Standard Contractual Clauses (Module 2) with each processor, and EU-US Data Privacy Framework certification where applicable.
  • Matter-content minimisation: matter content is sent only to the two processor categories above (storage and AI), never to billing, analytics, push, or email processors.

If you are a barrister, solicitor, or other regulated professional evaluating clerk& for privileged or sensitive material, we will provide a Transfer Impact Assessment and a signed Article 28 Data Processing Agreement on request — email hello@clerkand.com.

How we use your data

  • Provide and operate the clerk& application
  • Transcribe, structure, and format your dictations and notes
  • Manage your account, workspace, and subscription
  • Monitor and maintain service reliability
  • Improve the service with your consent
  • Respond to support requests
  • Meet legal and financial obligations

We do not use your dictations, briefs, or matter documents to train AI models. Your data is not sold, rented, or shared for advertising or marketing purposes.

Data security

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Row-level security on all database tables
  • Access controls and authentication on every request
  • Regular security assessments

Data breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission (Ireland) within 72 hours per Article 33 GDPR. High-risk breaches trigger direct user notification per Article 34 GDPR.

Your rights

  • Access: obtain a copy of personal data we hold
  • Rectification: correct inaccurate or incomplete data
  • Erasure: request deletion (account deletion available in-app)
  • Portability: receive your data in structured, machine-readable format
  • Restriction: restrict processing in certain circumstances
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: withdraw analytics consent anytime

We will respond to all rights requests within one month of receipt. Contact: hello@clerkand.com or via in-app settings.

Cookies & analytics

The clerk& website uses no tracking cookies. PostHog EU Cloud provides cookieless analytics after acceptance via a privacy banner; the preference is stored in local storage.

The application uses PostHog for analytics only after you provide explicit consent via the in-app consent prompt. Session replay does not capture the content of your dictations or documents.

Data retention

We retain your data for as long as your account is active. When you delete your account, all personal data — including audio recordings, scanned pages, transcripts, documents, and workspace data — is permanently deleted within 30 days.

Enquiry emails you send us are kept only as long as needed to handle your query and related correspondence, and are deleted on request.

Exception: billing and transaction records are retained for 7 years from the date of the transaction in accordance with Irish Revenue and VAT obligations. This includes only transaction metadata, not matter content.

Contact & supervisory authority

Contact: hello@clerkand.com.

Our supervisory authority is the Data Protection Commission (Ireland). You have the right to lodge a complaint at dataprotection.ie.

clerk& is a product of Leeside Labs Limited, an Irish company.