Privacy Policy
Nomoaxis ("we", "us", "Nomoaxis") operates a legal practice management platform for law firms worldwide. This Privacy Policy explains what personal data we process, why, on what legal basis, with whom we share it, and how we keep it safe.
1. Controller and contact
For data about your account (your email, name, billing) Nomoaxis is the data controller. For data you enter about your clients, matters, documents, and time entries, your firm is the data controller and Nomoaxis acts as data processor under the Data Processing Agreement at /dpa.
Contact for privacy matters: [contact@nomoaxis.com](mailto:contact@nomoaxis.com). EU/EEA data subjects may also contact our representative at the same address.
2. Personal data we process
- Account data: email, display name, hashed password, authentication identifiers, MFA factors.
- Firm data: firm name, currency, jurisdiction, logo, attorney profiles.
- Practice data: clients, matters, tasks, deadlines, time entries, invoices, fee agreements, documents.
- Billing data: plan, subscription status, billing address; card data is held by Stripe only.
- Technical data: session identifiers, IP address, user-agent, audit log entries.
3. Legal basis for processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Provide the service to your firm | Art. 6(1)(b) — performance of contract |
| Bill subscriptions and process payments | Art. 6(1)(b) + Art. 6(1)(c) — contract + legal obligation |
| Security, fraud prevention, audit logging | Art. 6(1)(f) — legitimate interests |
| Compliance with tax, accounting, AML duties | Art. 6(1)(c) — legal obligation |
| Service emails (renewals, security alerts) | Art. 6(1)(b) and (f) |
| AI assistance (prompts, context, model responses) | Art. 6(1)(b) and (f) |
We do not perform automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22).
3a. AI features and data processing
3a.1 How AI features process your data
When you use Nomoaxis AI features, the following data may be processed to generate AI responses:
- (a) Matter metadata (matter name, type, status, deadlines, and assigned personnel) entered into the Nomoaxis platform.
- (b) Client metadata (name, contact information, and relationship type) to the extent entered into the platform and relevant to the AI query.
- (c) The text of your prompt or query submitted to Nomoaxis AI.
- (d) Document text that you explicitly submit for AI analysis.
This data is transmitted over an encrypted connection to Anthropic PBC's API infrastructure solely for the purpose of generating a response to your query. Nomoaxis does not store it in plaintext beyond the duration of the session, and under the terms of our API agreement Anthropic does not use it to train AI models.
3a.2 Anthropic PBC as sub-processor
Anthropic PBC (160 Eureka Street, San Francisco, CA 94114, United States) acts as a sub-processor when you use Nomoaxis AI features. Anthropic processes data solely on our documented instructions and for no other purpose. Anthropic is bound by a Data Processing Agreement with Nomoaxis that incorporates:
- (a) The obligations of Article 28 of Regulation (EU) 2016/679 (GDPR).
- (b) Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914/EU for transfers of personal data to the United States.
- (c) Anthropic's obligation not to use data submitted via API requests for training its AI models.
3a.3 Data minimisation for AI queries
Nomoaxis AI is designed to operate on metadata and user-submitted text only. We recommend that users avoid submitting special categories of personal data (as defined in Article 9 GDPR), sensitive client information beyond what is necessary for the query, or data relating to ongoing criminal proceedings, to Nomoaxis AI unless strictly required. Nomoaxis AI does not have access to your full client or matter database and retrieves only the data you explicitly include in or attach to a query.
3a.4 Logging and audit trail
Nomoaxis maintains server-side logs of AI feature usage for security, abuse prevention, and billing purposes. These logs record: the timestamp of the query, the subscription seat that initiated it, the approximate token volume consumed, and whether the query was successfully completed. Logs do not contain the full text of prompts or AI responses. Logs are retained for 90 days and then automatically deleted.
3a.5 Your rights in relation to AI processing
You may exercise the following rights in relation to personal data processed through AI features:
- (a) Right of access (Article 15 GDPR): You may request confirmation of whether and how your data has been processed by AI features.
- (b) Right to erasure (Article 17 GDPR / Article 17 N. 5104/2024): Deletion of your account will result in the deletion of all matter and client metadata. Server-side AI usage logs will be deleted within 90 days. Anthropic retains technical API logs for up to 7 days for security and abuse prevention, after which they are automatically deleted. Anthropic does not retain prompt or response content beyond the duration of the API request and holds no personal data subject to erasure upon request.
- (c) Right to object (Article 21 GDPR): You may disable AI features for your account at any time from the Settings panel. Disabling AI features stops all further transmission of your data to Anthropic's infrastructure.
To exercise these rights, submit a request to: [privacy@nomoaxis.com](mailto:privacy@nomoaxis.com).
4. Sub-processors
| Sub-processor | Role | Region |
|---|---|---|
| Lovable Cloud | Application hosting, edge runtime, CDN, and AI Gateway for support chat. The AI Gateway receives user-typed support messages and reportContext (current URL, user-agent, browser locale, app version, workspaceId, user role) for routing requests to Google Gemini and creating support tickets. Redacted payloads retained up to 90 days when capture is enabled. No matter data, client names, documents, or encrypted workspace content is processed. | EU / Global |
| Supabase | Managed PostgreSQL, authentication, file storage | EU |
| Stripe Payments Europe, Ltd. | Subscription billing and card processing | IE / US |
| Anthropic PBC (160 Eureka Street, San Francisco, CA 94114, USA) | AI language model inference for the Nomoaxis AI panel and document assistant. Receives user-typed prompts, role-filtered matter and client metadata summaries (matter titles, client names, contact details, opposing party names, deadline titles, team member names, internal record identifiers), and document text explicitly submitted for analysis. No billing data, revenue figures, or encrypted workspace content transmitted. Processing is ephemeral; technical API logs retained up to 7 days for security and abuse prevention, automatically deleted thereafter. No training on Customer Data. | USA |
| Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) | Model inference for support chat (gemini-3-flash-preview) via Lovable AI Gateway. Receives user-typed support messages and reportContext (current URL, user-agent, browser locale, app version, workspaceId (pseudonymous), user role). No matter data, client names, documents, or encrypted workspace content is transmitted. Processed under Google Paid Services terms — no product-improvement use. Retained for a limited period for abuse monitoring (exact period to be confirmed with Lovable/Google); up to 24 hours implicit RAM caching. | USA |
| Sentry (sentry.io) | Client-side error monitoring. EU region; no PII, no IP, no session replay, no performance tracing. | EU |
| open.er-api.com | Public FX rate feed for Reports currency conversion. No personal data sent. | US |
For support chat, Google LLC acts as a sub-processor of Lovable Cloud. Support chat messages and reportContext data are subject to Google's Paid Services Data Processing Terms. Google does not use this data to improve its products. Exact abuse-monitoring log retention is subject to confirmation with Lovable/Google and will be updated when confirmed.
An up-to-date list is maintained at /dpa. We notify customers at least 30 days in advance of adding or replacing a sub-processor; you may object during that window and terminate your subscription if the change is unacceptable.
Our firm-default Article 30 GDPR register, including data categories, legal bases, retention periods and security measures, is published at /legal/record-of-processing.
5. International data transfers
Where personal data leaves the EEA, UK, or Switzerland (for example, to Stripe in the United States) we rely on the European Commission's Standard Contractual Clauses (Module 2: controller to processor; Module 3: processor to sub-processor) supplemented by the UK Addendum and the Swiss-specific addendum, plus technical measures including end-to-end encryption of practice data in transit and at rest. A copy of the SCCs in force for your tenant is available on request from [contact@nomoaxis.com](mailto:contact@nomoaxis.com).
6. Retention
We retain data for as long as your account is active. On termination, personal data is deleted within 30 days unless we are required to keep it longer (e.g. invoicing records under tax law — kept for the legally mandated period). You may export or delete your data at any time from Settings → Data & privacy.
Nomoaxis AI and document-assistant conversation history is stored per user and retained until you clear it from the AI panel or your workspace is deleted. Each user only sees their own conversations.
7. Your rights
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion ("right to be forgotten").
- Portability — receive your data in a machine-readable format (we provide JSON export in-app).
- Restriction — limit processing pending verification.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent.
- Lodge a complaint — with your local supervisory authority (in Greece, the HDPA — www.dpa.gr).
8. CCPA (California residents)
We do not sell personal information and we do not share it for cross-context behavioural advertising. California residents have the right to know what categories of personal information we collect, to request deletion, to correct inaccuracies, and to be free from retaliation for exercising these rights. To exercise them, email [contact@nomoaxis.com](mailto:contact@nomoaxis.com).
9. Other jurisdictions
We support data subject rights under the Brazilian LGPD, Canadian PIPEDA, and Singapore PDPA on equivalent terms to those described above. Requests may be sent to [contact@nomoaxis.com](mailto:contact@nomoaxis.com) and will be answered within the statutory timeframe (typically 30 days, extendable once by an additional 60 days for complex requests).
10. Cookies and analytics
Nomoaxis uses only strictly-necessary cookies and local storage entries required to keep you signed in, remember your selected workspace, and protect against CSRF. We do not use third-party analytics, advertising, or behavioural tracking cookies. No consent banner is therefore required for our cookies. Stripe's embedded checkout sets its own strictly-necessary cookies on the checkout iframe under Stripe's privacy policy.
11. Security
All practice data is encrypted at rest with XChaCha20-Poly1305 using per-workspace data encryption keys. Passwords are hashed with bcrypt and checked against the Have I Been Pwned (HIBP) breached-password database. Multi-factor authentication is supported and may be required by workspace administrators. Database access is gated by row-level security; documents live in a private bucket with signed-URL access. All admin actions are written to an append-only, hash-chained audit log.
12. Contact for data requests
Email: [contact@nomoaxis.com](mailto:contact@nomoaxis.com). Postal address available on request. We respond within 30 days. If you are unhappy with our response you may complain to your supervisory authority (in Greece, the Hellenic Data Protection Authority).