Skip to content
clerk&

Legal

Privacy Policy.

Last updated: May 2026. How Leeside Labs Limited ("we", "our", or "us") collects, uses, and protects your data when you use clerk&.

Overview

Leeside Labs Limited is committed to protecting your privacy. This policy explains how we collect, use, and safeguard personal data when you use the clerk& application and website.

Data we collect

Account data

Authentication via Microsoft, Google, or email magic-link (through Supabase Auth) collects your name, email address, and provider identifier — used to authenticate you and associate your account.

User profile

We store your role (clerk, barrister, solicitor, legal secretary), practice or firm name, country, and subscription status to personalise your experience and manage billing.

Audio recordings

Voice dictations are recorded on your device and uploaded to our EU-based storage (Supabase Storage, Dublin). Recordings are encrypted and deletable by you; all recordings are deleted upon account closure.

When dictations or notes contain third-party personal data (e.g. client names), clerk& acts as a data processor on your instructions, and you remain the data controller.

Transcripts, documents, and matter data

Transcribed text, formatted fee notes, briefs, attendance notes, listings, correspondence, action items, and matter data are stored in our EU-based database (Supabase Postgres, Dublin).

Files and folders

Uploaded files (photographed notes, scanned documents, email attachments) and folder structures are stored in EU-based storage with the same retention and deletion rights.

Workspace data

Workspace names, membership records, role assignments, and invitation data are stored in our EU-based database to support team collaboration.

Billing data

Subscription and payment data is processed by Stripe. We store a Stripe customer ID and invoice metadata; full payment card details are never retained on our servers.

Operational logs

We maintain server-side diagnostic logs to monitor service health, investigate errors, and ensure reliability. These contain request identifiers, timestamps, performance metrics, and anonymised account identifiers — not dictation content. Logs are retained for the minimum period necessary to diagnose service issues, currently no longer than 7 days.

Analytics

With your consent, we use PostHog (EU Cloud, Frankfurt) to collect anonymised usage analytics and error reports. Session replay, where enabled, captures UI interactions only — not the content of your dictations or documents. Opt-out is available in account settings.

Legal bases for processing

  • Contract performance (Art. 6(1)(b)): account data, recordings, transcripts, documents, workspace data, and profile information.
  • Legitimate interest (Art. 6(1)(f)): operational logs for service reliability and security (retained for a maximum of 7 days).
  • Legal obligation (Art. 6(1)(c)): billing records for Irish Revenue and VAT compliance.
  • Consent (Art. 6(1)(a)): analytics and session replay via PostHog, withdrawable anytime.

Where your dictations or matter data contain special category data (Article 9 GDPR), you, as data controller, are responsible for establishing an appropriate Article 9(2) basis.

Data controller and processor roles

Leeside Labs Limited acts as a data controller for account, profile, billing, and analytics data.

For dictated, photographed, or pasted content (matter material), Leeside Labs Limited acts as a data processor on your instructions. You are the data controller for that content and are responsible for ensuring you have the appropriate legal basis to process it through our service.

Professional users who regularly process client personal data using clerk& should contact us at hello@clerkand.com to obtain a Data Processing Agreement (DPA), as required under Article 28 GDPR.

Data location & international transfers

All personal data is stored and processed within the European Union:

  • Ireland (Dublin): application hosting, database, file storage (Supabase, Vercel)
  • Sweden (Stockholm): AI transcription and document processing (Azure OpenAI)
  • Germany (Frankfurt): opt-in usage analytics (PostHog EU Cloud)

Where any transfer of personal data to a third country occurs, it is governed by Standard Contractual Clauses approved under Article 46(2)(c) GDPR.

Third-party processors

Processors operate under Data Processing Agreements with Leeside Labs Limited:

  • Supabase (Dublin, Ireland) — database, file storage, auth
  • Microsoft Azure OpenAI (Sweden Central) — transcription and formatting
  • Stripe (EU-compliant, SCCs) — billing
  • PostHog EU Cloud (Frankfurt, Germany) — opt-in analytics
  • Vercel (Dublin, Ireland) — application hosting

Your dictation, brief, and matter content is processed only by Supabase (storage / database) and Azure OpenAI (transcription / formatting).

How we use your data

  • Provide and operate the clerk& application
  • Transcribe, structure, and format your dictations and notes
  • Manage your account, workspace, and subscription
  • Monitor and maintain service reliability
  • Improve the service with your consent
  • Respond to support requests
  • Meet legal and financial obligations

We do not use your dictations, briefs, or matter documents to train AI models. Your data is not sold, rented, or shared for advertising or marketing purposes.

Data security

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Row-level security on all database tables
  • Access controls and authentication on every request
  • Regular security assessments

Data breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission (Ireland) within 72 hours per Article 33 GDPR. High-risk breaches trigger direct user notification per Article 34 GDPR.

Your rights

  • Access: obtain a copy of personal data we hold
  • Rectification: correct inaccurate or incomplete data
  • Erasure: request deletion (account deletion available in-app)
  • Portability: receive your data in structured, machine-readable format
  • Restriction: restrict processing in certain circumstances
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: withdraw analytics consent anytime

We will respond to all rights requests within one month of receipt. Contact: hello@clerkand.com or via in-app settings.

Cookies & analytics

The clerk& website uses no tracking cookies. PostHog EU Cloud provides cookieless analytics after acceptance via a privacy banner; the preference is stored in local storage.

The application uses PostHog for analytics only after you provide explicit consent via the in-app consent prompt. Session replay does not capture the content of your dictations or documents.

Data retention

We retain your data for as long as your account is active. When you delete your account, all personal data — including audio recordings, transcripts, documents, and workspace data — is permanently deleted within 30 days.

Waitlist emails are retained until removal is requested.

Exception: billing and transaction records are retained for 7 years from the date of the transaction in accordance with Irish Revenue and VAT obligations. This includes only transaction metadata, not matter content.

Contact & supervisory authority

Contact: hello@clerkand.com.

Our supervisory authority is the Data Protection Commission (Ireland). You have the right to lodge a complaint at dataprotection.ie.

clerk& is a product of Leeside Labs Limited, an Irish company.