itsNOTaLawyer
Sign inAsk a question
Ask AILibraryJurisdictionsAbout

Privacy policy

Last updated: May 25, 2026

itsNOTaLawyer (the "Service") is operated by 1A 2A, LLC ("we", "us", "our"). We are the data controller responsible for personal data processed through the Service. Privacy is one of the reasons itsNOTaLawyer exists — we built it so you can ask sensitive legal questions without anyone, including us, being able to tie those questions back to you.

What we don't do

  • We do not require an account to use the free tier. Browsing the library and asking up to our daily free limit are fully anonymous.
  • We do not run analytics on the content of your questions.
  • We do not store your AI conversation. It exists only in your browser tab.
  • We do not sell or share your information with data brokers.

Accounts (only if you pay)

If you choose to buy credits or subscribe, we create an account so we can attach your balance and entitlements to it. We collect only what is needed: an email address and, via our payment processor, the billing details required to take payment. We never see or store your full card number. You can ask us to delete your account at any time through the contact page.

The free daily limit is enforced for anonymous visitors with a signed, short-lived cookie that stores only the date and a count — no identifier, no question content. For signed-in users the count is stored against the account.

Categories of personal data we process

  • Account data (paid users only): email address, account ID.
  • Billing data: name, billing address, country, tax ID where applicable, and payment method metadata — collected and stored by Paddle (see below). We receive only a transaction reference and the masked details needed for receipts and support.
  • Usage data: per-account question counts and entitlement balances.
  • Technical data: IP address, user-agent, request timestamps and URLs in short-term server logs.
  • Local browser data: selected jurisdiction, cookie-banner acknowledgement, and the signed daily-limit cookie.

Legal bases for processing (GDPR Art. 6)

  • Performance of a contract (Art. 6(1)(b)) — creating and operating your paid account, processing payments, and delivering AI responses you request.
  • Legitimate interests (Art. 6(1)(f)) — security, abuse prevention, short-term server logging, and enforcing the free daily limit.
  • Consent (Art. 6(1)(a)) — non-essential and personalized advertising cookies, where required by your region. You can withdraw consent at any time via the cookie banner.
  • Legal obligation (Art. 6(1)(c)) — tax, accounting, and fraud-prevention records that we (or Paddle on our behalf) are required to retain.

What we do

  • AI processing. When you ask a question, the text is sent to our AI provider only to generate the answer. It is not associated with an account.
  • Server logs. Like any web service, our hosting provider keeps short-term request logs (IP, timestamp, URL) for security and abuse prevention. These are not inspected for content and are rotated quickly.
  • Local storage. Your selected jurisdiction and a one-time cookie-banner acknowledgement are stored in your browser only.

Who we share data with

We share personal data only with the categories of recipients below, and only as needed to operate the Service:

  • Paddle.com Market Limited ("Paddle") — our Merchant of Record and payment processor. Paddle handles checkout, billing, payment-method storage, tax calculation, invoicing, refunds, and subscription management. When you pay, your billing data is collected and processed directly by Paddle as an independent controller for those purposes. See Paddle's privacy notice.
  • Hosting and infrastructure providers — process server logs and store account/usage data on our behalf as processors.
  • AI model provider — receives the text of your question solely to generate a response. Questions are not linked to your account.
  • Email delivery provider — sends transactional and account emails.
  • Google AdSense — serves advertising (see Advertising below).
  • Professional advisers and authorities — where required by law or to defend legal claims.

International transfers

Some of the providers above are located outside the UK / EEA (notably in the United States). Where personal data is transferred, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or an applicable adequacy decision.

Data retention

  • Server logs: up to 30 days, then deleted or anonymized.
  • Account data (email, entitlements): kept for the life of the account, and deleted within 30 days of an account-deletion request, unless we are required to retain it longer to comply with law.
  • Billing and tax records held by Paddle and by us: retained for up to 7 years to comply with tax, accounting, and anti-fraud obligations.
  • Question content sent to the AI provider: not stored by us; retention by the AI provider is governed by their policy and is typically short.
  • Local browser data (jurisdiction, cookie banner, daily-limit cookie): stored on your device until you clear it; the daily-limit cookie expires within 24 hours.

Your rights

Depending on where you live, you have the following rights with respect to your personal data, including (for users in the UK / EEA) the rights under UK GDPR and EU GDPR:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your account and associated data.
  • Restriction — ask us to limit how we process your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent — where we rely on consent, withdraw it at any time (without affecting prior processing).
  • Complain to a supervisory authority — for example, the UK ICO (ico.org.uk) or your local EEA data-protection authority.

We aim to respond to verified requests within one month. Contact us through the contact page to exercise any of these rights.

Security

We use appropriate technical and organisational measures to protect personal data, including encryption in transit (HTTPS), encryption at rest for stored account data, access controls, and row-level database policies that restrict each user to their own records.

Advertising

The site is supported by ads served through Google AdSense. AdSense and its partners may set cookies to serve and measure ads, including personalized ads where permitted. You can control or opt out of personalized advertising at google.com/settings/ads, and learn more at Google's advertising policies. If you are in the EU/UK, EEA, or another region with strict ad-tracking laws, our consent banner reflects that.

Changes

We may update this policy. The current version is always at this URL.

Contact

Questions about privacy, or requests to exercise any of the rights above, can be sent through our contact page. The data controller is 1A 2A, LLC.