Privacy Policy

Last Updated: 9 November 2025

1. Definitions
1.1 “Dockit Law” refers to the SaaS platform operated by Dockit Law Ltd., providing legal workflow and productivity services, including integrations with Google APIs.
1.2 “User” means any individual or entity who accesses or uses Dockit Law’s services.
1.3 “Personal Data” means any information relating to an identified or identifiable natural person, as defined under GDPR, CCPA, UK Data Protection Act, and Sri Lankan Personal Data Protection Act.
1.4 “Google User Data” means any data accessed from Google APIs via OAuth or other Google API Services.
1.5 “Processing” means any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
1.6 “Controller” and “Processor” have the meanings set out in applicable data protection laws.
1.7 “Subprocessor” means a third party engaged by Dockit Law to process personal data on its behalf.
1.8 “Applicable Law” includes the EU General Data Protection Regulation (GDPR), UK Data Protection Act 2018 and UK GDPR, California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Sri Lankan Personal Data Protection Act, and other relevant privacy regulations.
2. Scope and Applicability
2.1 This Privacy Policy applies to all users of Dockit Law’s services, including visitors to our website, registered account holders, and users of our integrations (including Google API integrations).
2.2 This Policy governs the collection, use, storage, retention, disclosure, and security of personal data processed by Dockit Law, whether directly or through third-party integrations.
2.3 Where Dockit Law acts as a processor on behalf of a customer (the controller), Dockit Law’s obligations are further detailed in the Data Processing Agreement (DPA).
3. Information We Collect
3.1 Account and Profile Data: Name, email address, organization, job title, and contact details provided during account registration or profile updates.
3.2 Authentication and OAuth Data: OAuth tokens, Google user identifiers, and authorization scopes granted by users for Google API integrations.
3.3 Legal Workflow Data: Documents, case files, notes, and other content uploaded or created by users within Dockit Law.
3.4 Usage Data: Log data, device information, IP addresses, browser type, access times, and activity logs.
3.5 Cookies and Tracking Technologies: Cookies, pixels, and similar technologies for authentication, analytics, and user experience optimization (see Section 10).
3.6 Support and Communication Data: Correspondence with support, feedback, and survey responses.
3.7 Third-Party Data: Data received from integrations with Google APIs and other authorized third-party services, subject to user consent and scope limitations.
4. Legal Basis for Processing
4.1 Consent: We process personal data based on user consent, especially for Google API integrations and marketing communications.
4.2 Contractual Necessity: Processing necessary to provide our services, fulfill contractual obligations, and manage user accounts.
4.3 Legitimate Interests: Processing for security, service improvement, fraud prevention, and analytics, balanced against user rights.
4.4 Legal Obligations: Processing required to comply with applicable laws, regulatory requirements, or court orders.
4.5 Special Categories of Data: We do not intentionally collect special categories of personal data (e.g., health, biometric, or sensitive legal data) unless explicitly provided by users for workflow purposes, in which case additional safeguards and consents apply.
5. How We Use Information
5.1 Service Provision: To authenticate users, provide legal workflow tools, and enable integrations (including Google API Services).
5.2 Google API Data Use:
  • Google user data accessed via OAuth is used solely for the purposes explicitly disclosed at the time of consent and in accordance with Google API Services User Data Policy, including Limited Use requirements.
  • We do not use Google user data for advertising, profiling, or any secondary purpose without renewed user consent.
5.3 Account Management: To manage user accounts, process payments, and provide customer support.
5.4 Service Improvement: To analyze usage patterns, improve features, and enhance user experience.
5.5 Security and Compliance: To detect and prevent fraud, abuse, or security incidents, and to comply with legal obligations.
5.6 Communications: To send service-related notifications, updates, and (with consent) marketing communications.
5.7 Research and Analytics: Aggregated and anonymized data may be used for analytics, research, and reporting, ensuring no individual is identifiable.
6. Data Sharing and Disclosure
6.1 Third-Party Service Providers: We engage subprocessors for hosting, analytics, email delivery, and support. All subprocessors are contractually bound to data protection obligations equivalent to those in this Policy and applicable law.
6.2 Google API Data Sharing:
  • Google user data is not shared with third parties except as necessary to provide the requested service, and only with user opt-in consent.
  • We do not sell or transfer Google user data for advertising or unrelated purposes.
6.3 Legal and Regulatory Disclosures: We may disclose personal data if required by law, court order, or to protect the rights, property, or safety of Dockit Law, our users, or others.
6.4 Business Transfers: In the event of a merger, acquisition, or sale of assets, users will be notified and data will remain subject to this Policy.
6.5 International Transfers: Where data is transferred outside the user’s jurisdiction (e.g., EU, UK, Sri Lanka, California), we implement appropriate safeguards such as Standard Contractual Clauses, UK International Data Transfer Addendum, or adequacy decisions, as required by law.
6.6 Subprocessor List: A current list of subprocessors is available upon request and in our DPA. Users will be notified of any material changes.
7. Data Retention
7.1 Retention Periods: Personal data is retained only as long as necessary for the purposes described in this Policy, contractual obligations, or as required by law.
7.2 Account Data: Retained for the duration of the user’s account and deleted within 30 days of account closure, unless longer retention is required for legal, regulatory, or dispute resolution purposes.
7.3 Google API Data: OAuth tokens and Google user data are deleted promptly upon user revocation of access or account deletion.
7.4 Usage Logs: Retained for up to 24 months for security and analytics, then anonymized or deleted.
7.5 Backup and Recovery: Data in backups is securely deleted within 90 days of deletion from active systems.
7.6 Data Deletion Requests: Users may request deletion of their data at any time (see Section 8). We will fulfill such requests within 30 days, subject to legal exceptions.
8. User Rights
8.1 Access: Users have the right to access their personal data and receive a copy in a structured, commonly used, machine-readable format.
8.2 Rectification: Users may request correction of inaccurate or incomplete data.
8.3 Erasure (“Right to be Forgotten”): Users may request deletion of their data, subject to legal and contractual obligations.
8.4 Restriction: Users may request restriction of processing in certain circumstances.
8.5 Objection: Users may object to processing based on legitimate interests or direct marketing.
8.6 Data Portability: Users may request transfer of their data to another service provider.
8.7 Withdrawal of Consent: Where processing is based on consent, users may withdraw consent at any time without affecting the lawfulness of prior processing.
8.8 Non-Discrimination: Dockit Law will not discriminate against users for exercising their privacy rights.
8.9 How to Exercise Rights: Users can exercise their rights via account settings or by contacting privacy@dockitlaw.com. We may require verification of identity before fulfilling requests.
8.10 Response Time: We aim to respond to all requests within 30 days (GDPR/UK), 45 days (CCPA/CPRA), or as required by law.
9. Data Security
9.1 Technical and Organizational Measures: Dockit Law implements industry-standard security measures, including but not limited to:
  • Encryption of data at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access controls and multi-factor authentication
  • Regular security audits, penetration testing, and vulnerability management
  • Secure key management using Hardware Security Modules (HSMs)
  • Continuous monitoring and incident detection systems
9.2 Google API Data Security:
  • Google user data is stored and processed in isolated environments, with access limited to authorized personnel on a need-to-know basis.
  • OAuth tokens are encrypted and never stored in plaintext.
9.3 Incident Response: In the event of a data breach, Dockit Law will notify affected users and relevant authorities within 72 hours (GDPR/UK), or as required by law (CCPA/CPRA, Sri Lanka), providing details of the breach, affected data, and remedial actions taken.
9.4 Subprocessor Security: All subprocessors are required to implement equivalent security measures and are regularly assessed for compliance.
9.5 Privacy by Design and Default: Dockit Law incorporates privacy and security into the design and operation of all systems and services, including regular Data Protection Impact Assessments (DPIAs) for high-risk processing.
10. Cookies and Tracking Technologies
10.1 Use of Cookies: Dockit Law uses cookies and similar technologies for authentication, session management, analytics, and service improvement.
10.2 Consent: Where required by law, users are presented with a cookie consent banner and may manage preferences at any time.
10.3 Analytics: We use Google Analytics and similar tools in compliance with GDPR and CCPA. IP addresses are anonymized where required.
10.4 Do Not Track: Dockit Law honors browser “Do Not Track” signals and provides opt-out mechanisms for tracking and analytics.
11. Children’s Privacy
11.1 COPPA Compliance:
  • Dockit Law does not knowingly collect personal data from children under 13.
  • If Dockit Law becomes aware that a child under 13 has provided personal data, we will promptly delete such data and disable the account.
11.2 Google Sign-In:
  • For Google Sign-In, Dockit Law is not directed to children and does not request or process data from users under 13.
  • If you believe a child’s data has been collected, please contact privacy@dockitlaw.com.
12. International Data Transfers
12.1 Cross-Border Transfers: Personal data may be transferred to and processed in countries outside the user’s jurisdiction, including the United States, European Economic Area, United Kingdom, and Sri Lanka.
12.2 Safeguards: Transfers are conducted in accordance with applicable law, using Standard Contractual Clauses, UK International Data Transfer Addendum, or adequacy decisions as appropriate.
12.3 Sri Lankan Data Protection: For users in Sri Lanka, Dockit Law complies with the Personal Data Protection Act, including requirements for cross-border transfers and data subject rights.
13. Third-Party Integrations
13.1 Google API Services:
  • Dockit Law’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
  • Users are informed of requested scopes and purposes during OAuth consent, and may revoke access at any time via Google Account settings.
13.2 Other Integrations: Use of other third-party integrations is subject to their respective privacy policies and terms.
14. Data Processing Agreement (DPA)
14.1 Controller-Processor Relationships: Where Dockit Law acts as a processor on behalf of a customer, a DPA is incorporated by reference into this Policy and the Terms of Service, detailing roles, responsibilities, and data protection obligations in compliance with GDPR, UK GDPR, CCPA/CPRA, and Sri Lankan law.
14.2 Subprocessor Authorization: Customers are notified of and may object to new subprocessors. All subprocessors are contractually bound to equivalent data protection obligations.
14.3 Audit Rights: Customers may audit Dockit Law’s compliance with data protection obligations, subject to reasonable notice and confidentiality.
15. User Requests and Contact Information
15.1 Exercising Rights: Users may exercise their rights via account settings or by contacting privacy@dockitlaw.com.
15.2 Data Protection Officer: Dockit Law has appointed a Data Protection Officer (DPO). Contact: dpo@dockitlaw.com.
15.3 Supervisory Authorities: Users have the right to lodge a complaint with their local data protection authority.
16. Changes to this Privacy Policy
16.1 Updates: Dockit Law may update this Privacy Policy from time to time. Users will be notified of material changes via email or a prominent notice on our website at least 30 days before the changes take effect.
16.2 Continued Use: Continued use of Dockit Law’s services after the effective date of changes constitutes acceptance of the updated Policy.
17. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
Dockit Law Ltd.
[Registered Address]
privacy@dockitlaw.com
dpo@dockitlaw.com

By using Dockit Law, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.