Privacy Policy of the "Your Legal Help" Application
Last updated: 12 February 2026
1. General information
The "Your Legal Help" application (hereinafter: the "Application") is a web application designed for professional users — law firms and lawyers — enabling the management of cases, documents, and communication with clients.
This privacy policy sets out the rules for processing personal data of Application users and informs users of their rights under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the Polish Act of 10 May 2018 on the Protection of Personal Data.
2. Joint Controllers
The joint controllers of the personal data of Application users within the meaning of Article 26 GDPR are:
- Krzysztof Gołaszewski Correspondence address: ul. Miętowa 1E/8, 81‑589 Gdynia, Poland
- Paweł Kozielecki Correspondence address: ul. Juraty 4/1, 80‑299 Gdańsk, Poland
E‑mail for data‑protection matters: kontakt@twojapomocprawna.pl
The Joint Controllers jointly determine the purposes and means of processing the personal data of Application users. The essence of the arrangement between the Joint Controllers referred to in Article 26(2) GDPR is available upon request at the e‑mail address above.
Point of contact: Regardless of the internal allocation of responsibilities between the Joint Controllers, a user may direct any request relating to the exercise of their rights to either Joint Controller or to the shared e‑mail address indicated above (Article 26(3) GDPR).
The Joint Controllers have not appointed a Data Protection Officer (DPO), as this is not required under Article 37 GDPR.
3. Role of the Controller vs. role of the User
Important distinction:
- With respect to the personal data of Application users (i.e. lawyers and law‑firm staff using the Application), the joint controllers are the persons identified in Section 2.
- With respect to client data and data contained in cases and documents entered by the user into the Application, the data controller within the meaning of the GDPR is the user (law firm / lawyer). The Joint Controllers of the Application act in this regard as a data processor within the meaning of Article 28 GDPR and process such data solely on the documented instructions of the user, in accordance with a separate Data Processing Agreement (DPA) concluded between the user and the Joint Controllers.
The user, as the controller of their clients' data, is responsible for ensuring an appropriate legal basis for processing such data (including special categories of data within the meaning of Article 9 GDPR and data relating to criminal convictions and offences within the meaning of Article 10 GDPR), for fulfilling information obligations towards their clients, and for complying with all other GDPR requirements.
4. Scope of personal data processed
The Application may process the following personal data of users:
- e‑mail address,
- first and last name,
- phone number (if provided by the user),
- Google account data — only if the user connects their Google account to the Application (as described in Section 6),
- technical data (IP address, browser and device information) — to the extent necessary to ensure the security and proper functioning of the Application.
5. Legal bases and purposes of processing
Purpose of processing and legal basis (GDPR):
- Provision of the service (account registration, Application functionality, management of cases, documents, and clients): Art. 6(1)(b), performance of a contract (the Application terms of service).
- Integration with Google services (Gmail, Google Meet, Google Calendar): Art. 6(1)(a), the user's consent, given via the Google OAuth consent screen.
- Ensuring Application security, detecting abuse, handling incidents: Art. 6(1)(f), legitimate interest of the Joint Controllers.
- Compliance with legal obligations (e.g. tax, accounting): Art. 6(1)(c), legal obligation.
6. Integration with Google services
The Application uses Google authorization (OAuth 2.0). Connecting a Google account is voluntary. When a Google account is connected, the Application may access data from Google services only to the extent necessary for the integration features selected by the user (e.g. Gmail, Google Meet, Google Calendar).
Google data principles:
- We request only the minimum OAuth scopes necessary to provide the specific features the user chooses to use.
- Data obtained from Google services is not used for advertising, marketing, or profiling purposes.
- Data obtained from Google services is not sold or disclosed to third parties, except as described in Section 8 (sub‑processors).
- Our use of and access to Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
7. Data protection and security measures
We treat data stored in the Application as requiring enhanced protection and apply appropriate technical and organizational security measures in accordance with Article 32 GDPR. In particular:
7.1 Encryption in transit
All communication between the user's browser, the Application, and Google APIs is protected using TLS/HTTPS.
7.2 Encryption at rest
Data stored on our servers — including Google user data and authentication tokens — is encrypted at rest using modern encryption algorithms (e.g. AES‑256 or equivalent). Access to encryption keys is restricted and managed through dedicated key‑management systems.
7.3 Limited access and least‑privilege principle
Access to data is limited to those employees and systems that need it to operate and support the service. We use role‑based access control (RBAC) and the least‑privilege principle. Administrative access is protected by strong authentication and is logged.
7.4 Secure storage of OAuth tokens
OAuth access and refresh tokens obtained from Google are stored in encrypted form and, where possible, kept separate from other Application data. We never store the user's Google password. Tokens are used only to perform actions the user has explicitly permitted via the OAuth consent screen and are revoked or deleted when the integration is disconnected.
7.5 Logging and monitoring
We log access to the Application and critical security events (e.g. failed logins, integration errors, unusual usage). Logs are monitored to detect abuse and security incidents.
7.6 Data minimization
We process only the data necessary to provide Application functionality and to support the Google integration, in accordance with the principle of data minimization (Article 5(1)(c) GDPR).
7.7 Secure development practices
We follow secure software development practices, including regular updates, code‑change reviews, and monitoring for known vulnerabilities. Production data is not used in development or testing environments unless it has been anonymized.
7.8 Security incident response
If we become aware of a personal data breach, we will investigate it without undue delay, take appropriate remedial action, and, where required by law (Articles 33 and 34 GDPR), notify the President of the Personal Data Protection Office (UODO) within 72 hours of becoming aware of the breach and inform the affected individuals.
8. Data recipients and sub‑processors
Users' personal data may be disclosed to the following categories of recipients:
Recipient (category), purpose, and data location:
- Supabase Inc. (database infrastructure provider): Application database hosting. Data location: EU, region eu‑north‑1 (Stockholm, Sweden).
- Google LLC (under the OAuth / Gmail / Meet integration): provision of Google integration features. Data location: EU / USA, see Section 9.
- [Analytics / error‑reporting provider — if implemented]: Application performance analysis and error tracking. Data location: to be specified.
- Public authorities: only in cases required by applicable law. Data location: Poland / EU.
The list of sub‑processors may change. Any changes will be reflected in an updated version of this privacy policy.
We conclude a data processing agreement (Article 28 GDPR) with each sub‑processor or apply equivalent safeguards required by law.
9. Transfers of data to third countries
User data is stored on servers located within the European Union (Sweden).
Some of our sub‑processors (in particular Supabase Inc. and Google LLC) are entities based in the United States. Transfers of personal data to the USA are carried out on the basis of:
- the European Commission's adequacy decision under the EU‑U.S. Data Privacy Framework (implementing decision of 10 July 2023) — to the extent the relevant entity is certified under the DPF, or
- Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented — where necessary — by additional safeguards.
Users may obtain more information about the safeguards in place by contacting the Joint Controllers.
10. Data retention periods
- User account data — stored for the duration of the user's use of the Application or until the user deletes their account.
- Google integration data — stored until the user disconnects the integration; upon disconnection, data is promptly deleted or irreversibly anonymized.
- Data required by law (e.g. billing, tax records) — stored for the period required by applicable legislation.
- Security logs — stored for the period necessary to fulfill security purposes, no longer than 12 months.
After the above periods expire, data is deleted or irreversibly anonymized.
11. Cookies and similar technologies
The Application may use cookies and similar technologies for the following purposes:
- ensuring the proper functioning of the Application (essential / technical cookies),
- maintaining the user's session after login,
- analyzing performance and improving the quality of the Application (analytical cookies — only with the user's consent).
Users will be informed about the cookies used via an information banner displayed on first visit and will be able to give or refuse consent for each category of cookies, in accordance with the provisions of the Polish Electronic Communications Law of 12 July 2024 on storing information on the user's terminal equipment (which replaced Article 173 of the Telecommunications Act of 16 July 2004) and the guidelines of the European Data Protection Board (EDPB).
Detailed information about the cookies used will be provided in a separate Cookie Policy [link — to be added].
12. User rights
Under the GDPR, users have the following rights:
- Right of access to their personal data (Article 15 GDPR).
- Right to rectification of inaccurate or incomplete data (Article 16 GDPR).
- Right to erasure ("right to be forgotten") (Article 17 GDPR).
- Right to restriction of processing in the cases specified in Article 18 GDPR.
- Right to data portability — the right to receive their data in a structured, commonly used, machine‑readable format (Article 20 GDPR).
- Right to object to processing based on the Joint Controllers' legitimate interest (Article 21 GDPR).
- Right to withdraw consent — in particular consent for the Google integration — at any time, without affecting the lawfulness of processing carried out before the withdrawal (Article 7(3) GDPR).
- Right to lodge a complaint with a supervisory authority — the President of the Personal Data Protection Office (UODO) (ul. Stawki 2, 00‑193 Warsaw, Poland, https://uodo.gov.pl) (Article 77 GDPR).
To exercise any of the above rights, please contact: kontakt@twojapomocprawna.pl
13. Automated decision‑making and profiling
The Application does not make decisions about users based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect them (Article 22 GDPR).
14. Connecting and disconnecting a Google account
Users can connect their Google account to the Application via the Google OAuth consent screen. Users can revoke the Application's access to their Google data at any time:
- in their Google account settings (Security → Third‑party access), or
- in the Application, by using the option to disconnect the Google integration.
After disconnection, the Application will no longer access the user's Google data via APIs. Data previously obtained from Google services will be deleted or irreversibly anonymized, unless applicable law requires longer retention.
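The token-handling commitments in Section 7.4 (tokens encrypted at rest under keys kept apart from the data, never the Google password, revoked or deleted on disconnect) and the disconnect flow in Section 14 can be made concrete in code. The following is an added illustration written for this page, not the Application's own code: it assumes an in-memory map standing in for the database table, a 32-byte key-encryption key obtained from a key-management system (here generated at startup), AES-256-GCM with the user ID bound as associated data, and Google's documented OAuth 2.0 revocation endpoint at https://oauth2.googleapis.com/revoke. The revocation call is injected as a function so the disconnect ordering (revoke first, delete only on success) can be run offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// TokenStore keeps Google OAuth refresh tokens encrypted at rest with AES-256-GCM
// under a key-encryption key (KEK) held outside the database. The owning user ID is
// bound as associated data, so a ciphertext copied into another user's row fails
// authentication instead of decrypting. (Assumed design, not the Application's schema.)
type TokenStore struct {
	aead cipher.AEAD
	rows map[string][]byte // userID -> nonce||ciphertext; in-memory stand-in for a table
}

// NewTokenStore accepts only a 32-byte KEK (AES-256).
func NewTokenStore(kek []byte) (*TokenStore, error) {
	if len(kek) != 32 {
		return nil, fmt.Errorf("KEK must be 32 bytes for AES-256, got %d", len(kek))
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenStore{aead: aead, rows: map[string][]byte{}}, nil
}

// Save encrypts token under a fresh random nonce and stores nonce||ciphertext.
func (s *TokenStore) Save(userID, token string) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.rows[userID] = s.aead.Seal(nonce, nonce, []byte(token), []byte(userID))
	return nil
}

// Load decrypts the stored token; a missing, tampered or swapped row is an error.
func (s *TokenStore) Load(userID string) (string, error) {
	sealed, ok := s.rows[userID]
	n := s.aead.NonceSize()
	if !ok || len(sealed) < n {
		return "", fmt.Errorf("no valid Google token stored for %q", userID)
	}
	pt, err := s.aead.Open(nil, sealed[:n], sealed[n:], []byte(userID))
	if err != nil {
		return "", fmt.Errorf("token record failed authentication: %w", err)
	}
	return string(pt), nil
}

// RevokeRequest builds the POST that Google's OAuth 2.0 revocation endpoint expects
// (the token in a form-encoded body). Sending it is left to the caller.
func RevokeRequest(token string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, "https://oauth2.googleapis.com/revoke",
		strings.NewReader(url.Values{"token": {token}}.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// Disconnect revokes the grant at Google (revoke is injectable so the flow runs offline)
// and only then deletes the local row. On failure the row is kept so the step can be
// retried: deleting first would leave a live grant with no local record of it.
func (s *TokenStore) Disconnect(userID string, revoke func(token string) error) error {
	token, err := s.Load(userID)
	if err != nil {
		return err
	}
	if err := revoke(token); err != nil {
		return fmt.Errorf("revocation failed, token kept for retry: %w", err)
	}
	delete(s.rows, userID)
	return nil
}

func main() {
	kek := make([]byte, 32) // production: fetched from the key-management system, never stored beside the rows
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	st, _ := NewTokenStore(kek)
	_ = st.Save("user-1", "refresh-token-example") // constructed value, not a real credential
	err := st.Disconnect("user-1", func(t string) error { fmt.Println("would revoke:", t); return nil })
	fmt.Println("disconnect error:", err, "rows left:", len(st.rows))
}
```

The associated-data binding is the part a reviewer should look for: without it, an attacker with write access to the table could copy one user's encrypted token into another user's row and have the Application act on it under the wrong identity. The revoke-then-delete ordering matches the policy's promise that disconnecting ends API access, not just the local copy.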
15. Changes to this privacy policy
The Joint Controllers reserve the right to amend this privacy policy. Users will be notified of material changes via the Application or by e‑mail. Continued use of the Application after the publication of an amended policy constitutes acknowledgment of its content.
The date of the most recent update is indicated at the top of this document.
16. Contact
For matters relating to the processing of personal data, please contact:
Krzysztof Gołaszewski — ul. Miętowa 1E/8, 81‑589 Gdynia, Poland
Paweł Kozielecki — ul. Juraty 4/1, 80‑299 Gdańsk, Poland
E‑mail: kontakt@twojapomocprawna.pl