Lawfully Australia Pty Ltd (ACN 656 083 340) trading as Lawlux (Lawlux) takes the protection of personal and confidential information seriously.
This Privacy Policy explains what personal information we collect, how we collect and use it, who we disclose it to, how we keep it secure, how long we keep it, and how you can access, correct or complain about our handling of your personal information.
In this Privacy Policy, ‘us’, ‘we’ or ‘our’ means Lawlux.
By providing personal information to us, you consent to our collection, storage, use and disclosure of your personal information in accordance with this Privacy Policy and any other arrangements that apply between us.
This Privacy Policy forms part of – and should be read with – Lawlux’s Terms of Use. Capitalised terms used in this Privacy Policy have the meanings given in the Terms of Use.
Types of information
Personal information is defined in the Privacy Act 1988 (Cth) (Privacy Act) to mean information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true, and whether or not it is recorded in a material form. Examples include the name, signature, address, telephone number, date of birth, medical records, bank account details, credit card information, employment details and commentary or opinion about a person.
Sensitive information is a subset of personal information and is defined in the Privacy Act to mean health information, genetic information, biometric information, biometric templates, and any information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record.
What personal information do we collect?
Lawlux collects and stores personal information in the course of carrying on its business as a law firm, software developer and software vendor.
Depending on how you interact with us, we may collect the following kinds of personal information:
- Name, job title, and contact details (including email address, phone number, and address).
- Age or date of birth.
- Financial and credit card information.
- Information to verify your identity (including driver licence number, passport number and photo identification).
- Dietary requirements.
- Educational details, academic and other transcripts, employment history, skills and background checks, referee details, references from past employers, interview and assessment details.
- Authentication metadata, including single sign-on identifiers (including via Microsoft), sign-in timestamps, IP addresses and user-agent strings.
- Platform and AI Services usage content including the legal queries, audit and log data, instructions, prompts and documents you submit to the website, Lixo AI or Reassure, and the AI-generated responses, summaries and cited sources returned to you (Inputs and Outputs).
- Your device ID, device type, geo-location information, browsing behaviour, advertising data, acquisition sources, computer and connection information, statistics on page views, traffic to and from the Digital Services, ad data, IP address and standard web log information.
- Details of the products and services we have provided to you or that you have enquired about, including any additional information necessary to deliver those products and services and respond to your enquiries.
- Any additional information relating to you or your clients that you provide to us directly (including through our website, via email and during meetings with us) or indirectly through your use of the Digital Services, your online presence or through other websites or accounts from which you permit us to collect information.
- Information that you provide to us through customer surveys, feedback processes and questionnaires.
- Any other personal information that may be required in order to facilitate your dealings with us.
We do not deliberately collect sensitive information (as defined in the Privacy Act) through the AI Services. You should not submit sensitive information into the AI Services unless we request it in writing. The Terms of Use also prohibit the upload of privileged information into the AI Services.
Do we collect sensitive information in the course of providing legal services?
Separately from the AI Services, in the course of providing legal services under an engagement agreement, Lawlux may need to collect and hold sensitive information about clients (including their directors, employees, contractors and service providers), other parties to a dispute, other persons, employment candidates and employees.
Sensitive information collected in this context may include pre-existing illnesses or disabilities, criminal record details, vaccine information, membership of a professional or trade association, membership of a trade union, religious beliefs or affiliations, and other information about an individual’s race, ethnicity or political opinions where relevant to the matter.
We collect this information only where it is reasonably necessary for, or directly related to, the legal services we are engaged to perform. Where the individual is not Lawlux’s client, you confirm (by providing the information to us) that you are authorised to disclose the information to Lawlux for that purpose.
How do we collect personal information?
We collect personal information:
- directly from you when you access or use the Digital Services, contact or communicate with us, share information with us from other social applications, services or websites, register for an event or webinar, meet with us, apply for a job or position with us directly or via a recruitment consultant, or invest in us;
- through single sign-on when you sign in using your organisation’s identity provider;
- automatically through application logs, telemetry and audit logging when you use the website, the AI Services or Reassure; and
- from your employer or its agents.
The third parties that we may collect personal information from include the following:
- Our clients.
- Government agencies.
- Law enforcement bodies.
- Publicly available records.
- Government databases (including the Australian Securities and Investments Commission and the Australian Business Register).
- Court or tribunal records.
- Service providers (including the Google Places API).
- Recruitment agencies.
- Online searches.
- Social media platforms (including LinkedIn, Instagram and Facebook).
If you provide us with personal information about another person, you agree to refer that person to this Privacy Policy.
Before you provide us with personal information about another person that is sensitive information, you must ensure that you are authorised by the relevant individual to disclose that information to us.
Why do we collect, store, use and disclose personal information?
We may collect, store, use and disclose your personal information for the purposes for which it was collected, related purposes, and any other purposes including the following:
- Providing the legal, software and software vendor services that our users and clients request.
- Enabling you to access and use the Digital Services, including to authenticate you and manage your Reassure account and permissions.
- Contracting out services to external service providers and suppliers, including barristers, title and court search providers, forensic witnesses, accountants, mediators, printers, carriers, mail providers, virtual offices, photocopying services, information technology providers, advertising, marketing and campaign managers, market research providers and recruiters.
- Maintaining and developing our relationship with clients and potential clients.
- Operating, protecting, improving, expanding and optimising the Digital Services (including by reviewing Inputs, Outputs and any feedback you provide), our business and our users’ experience, including to perform analytics, conduct research and for advertising and marketing.
- Sending you service, support and administrative messages, reminders, technical notices, updates, security alerts, and information requested by you.
- Providing legal advice and services under an Engagement Agreement where one is in place.
- Carrying out research, planning, service development, security and risk management processes.
- Sending you information on legal developments, marketing our services and events, and providing other information that may be of interest to you, including information sent by, or on behalf of, third parties that we think you may find interesting.
- Organising seminars and events.
- Assessing applications from prospective employees, contractors and service providers.
- Developing and managing relationships with our employees, contractors and service providers.
- Managing insurance.
- Conducting further searches and enquiries regarding the information you have provided to us or more generally to collect additional personal information about you or your associates for our operational or regulatory purposes.
- Ensuring a safe workplace to the extent reasonably practicable.
- Complying with our legal and regulatory obligations (including obligations under the Legal Profession Uniform Law, court orders, subpoenas and lawful regulatory requests), resolving any disputes that we may have with any of our users, and enforcing our agreements with third parties.
- Otherwise carrying out our functions as a law firm, software developer and software vendor.
We do not sell your personal information. We do not use it for third party advertising. We do not disclose it for direct marketing purposes.
We do not develop, train or fine-tune any large language model on personal information. We do not provide your personal information to any third party large language model provider for the purpose of that provider training, fine-tuning or improving its model.
Do we use your personal information for direct marketing?
We may send you direct marketing communications and information about our services and products, including publications, alerts, seminar invitations and newsletters. That may take the form of emails, SMS, mail or other forms of communication, in accordance with the Spam Act 2003 (Cth) and the Privacy Act.
You may opt-out of receiving marketing materials from us at any time by contacting our Privacy Officer on the details set out below, or by using the opt-out facility provided in the relevant communication (for example, an unsubscribe link).
We do not disclose your personal information to third parties for their own direct marketing purposes.
Who do we disclose your personal information to?
We disclose personal information to the following categories of recipients:
- Your employer (where it is our user or client) – for example, to its administrators, in audit reports and on request.
- The service providers and sub-processors that help us operate the Digital Services (listed below).
- Our employees, contractors and related bodies corporate.
- Payment systems operators, including Stripe, National Australia Bank Limited and Clio (which we use for in-platform invoice payments for some client matters).
- Our professional advisers (legal, accounting, insurance) where reasonably necessary.
- Government databases, regulators and law enforcement where required or authorised by law (for example, in response to a subpoena, court order or statutory notice).
- A successor entity in the context of a corporate transaction (such as a merger, acquisition or restructure), subject to appropriate confidentiality protections.
Do we use service providers and sub-processors that involve cross-border disclosure?
We use the following sub-processors and service providers that receive and process information, potentially including personal information, on our behalf:
| Sub-processor / service provider | Service | Country of processing |
|---|---|---|
| Microsoft Corporation (Microsoft Azure) | Cloud infrastructure that hosts the website, Lixo AI and Reassure and primarily hosts databases | Australia (Sydney primary; Melbourne for geo-redundant disaster recovery backups) |
| OpenAI LLC (OpenAI API) | AI inference (enterprise API) | United States |
| Google LLC (Gemini API) | AI inference (enterprise API) | United States |
| Anthropic PBC (Claude API) | AI inference (enterprise API, fallback) | United States |
| IBM Corporation (watsonx™) | AI platform supporting Lawlux’s legal product workflows | Australia or United States (depending on workload) |
| Clio (Themis Solutions Inc.) | Legal practice management platform and in-platform invoice payment processing for some client matters | Australia / Canada / United States (per Clio’s data residency) |
| Stripe Payments Australia Pty Ltd | Payment processing for online card payments | Australia / United States (per Stripe’s payment processing arrangements) |
| National Australia Bank Limited (NAB) | Banking services and merchant payment processing | Australia |
Primary data storage for Lawlux is in the Microsoft Azure Australia East (Sydney) region.
When you submit a query or document to Lixo AI or Reassure, the relevant Input content may be transmitted to AI inference endpoints operated by Lawlux or by third party AI providers, which may process the request in the United States or another jurisdiction outside Australia.
Lawlux does not, and does not permit any other person or entity to, use Inputs to train any large language model. Each of the AI providers above is contractually prohibited (under its enterprise commercial agreement with Lawlux) from using Inputs to train, fine-tune or otherwise improve its foundation models, and does not retain Input or Output content between requests for that purpose.
Before disclosing personal information to an overseas recipient, we take steps that are reasonable in the circumstances, consistent with Australian Privacy Principle 8. These steps include:
- selecting providers with credible certifications (such as SOC 2 Type 2 and/or ISO/IEC 27001),
- entering into commercial enterprise agreements that include data protection commitments, and
- limiting the personal information transmitted to that which is necessary for the relevant function.
Lawlux may update the table of sub-processors and service providers from time to time.
Do we use cookies and other tracking technology?
We may collect information about you when you use and access the Digital Services.
While we do not use browsing information to identify you personally, we may record certain information about your use of the Digital Services, such as which pages you visit, the time and date of your visit, and the internet protocol (IP) address assigned to your computer or device.
We may also use cookies, web beacons or other similar tracking technologies (including from third party service providers) on the Digital Services that help us operate the Digital Services and provide services to you, enhance and customise your experience across the Digital Services, track your website usage, remember your preferences, perform analytics, and deliver advertising and marketing that is relevant to you.
Cookies are small files that store information on your computer, mobile device or other device. They enable the entity that put the cookie on your device to recognise you across different websites, services, devices and/or browsing sessions. You can disable cookies through your internet browser, but the Digital Services may not work as intended for you if you do so.
Where a cookie collects data that includes personal information (for example, where a cookie is linked to your account), we handle that personal information in the same way as all other personal information described in this Privacy Policy.
How do we keep personal information secure?
We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Our principal safeguards include:
- encryption of data in transit using TLS 1.2 / 1.3;
- encryption of data at rest using AES-256;
- single sign-on with multi-factor authentication inherited from your organisation (where available);
- two-factor authentication for our key applications;
- role-based access control and strict tenant isolation;
- audit logging of access to and operations on personal information;
- automated data backup;
- vulnerability scanning, security monitoring and a defined patch service level;
- integrated document upload virus and malware scanning and isolation; and
- a documented Information Security Policy, Incident Response Plan, AI Governance Policy and Data Retention and Destruction Policy.
Despite these safeguards, no system is completely secure; you can help us protect your personal information by keeping your sign in credentials safe and reporting any suspected security issue.
How long do we keep personal information?
We keep personal information only for as long as we need it for the purposes set out in this Privacy Policy, including to satisfy any legal, accounting, regulatory or professional reporting requirements. Our default retention periods are set out in Lawlux’s Data Retention and Destruction Policy and include:
- client matter related data – for the duration of the matter or contract, plus the period required by the Legal Profession Uniform Law and the Legal Profession Uniform General Rules (typically seven years from the end of the matter);
- Reassure account and platform data – for the duration of the contract, plus a 30-day post-termination wind-down;
- application audit logs – 12 months from creation;
- Azure Monitor and Application Insights logs – 90 days; and
- Azure-managed PostgreSQL automated backups – up to 35 days for production.
After these retention periods we delete personal information from production systems, and any remaining backup copies expire on the relevant managed schedule.
What are your rights?
Subject to applicable law, you may:
- access the personal information we hold about you;
- correct personal information that is inaccurate, out of date, incomplete, irrelevant or misleading;
- request deletion of your personal information (we will delete it where the law and our agreements with your employer or you permit); and
- complain about how we have handled your personal information.
To make a request, please contact our Privacy Officer. They will acknowledge your request within 5 business days and respond within 30 days, except where a longer time is reasonably required. We may need to verify your identity before responding.
Sometimes, we may not be able to provide you with access to all of the personal information we hold about you, including where the personal information is covered by client legal privilege. In those circumstances, we will tell you why.
Employee records
This Privacy Policy does not apply to acts and practices in relation to employee records of Lawlux’s current and former employees. Those records are exempt from the operation of the Privacy Act under section 7B(3) of that Act.
How do you make a complaint?
If you believe we have mishandled your personal information or breached the principles we have voluntarily adopted in this Privacy Policy, please contact our Privacy Officer. We will investigate and respond within 30 days. If you are not satisfied with our response, you may make a complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
Application
Lawlux is not an APP entity for the purpose of the Privacy Act and has not made a choice in writing to the Office of the Australian Information Commissioner to be treated as an APP entity under section 6EA of the Privacy Act.
That said, Lawlux voluntarily intends to align its handling of personal information with the Australian Privacy Principles as set out in this Privacy Policy.
Can we make changes to this Privacy Policy?
We may update this Privacy Policy from time to time. The current version is available at lawlux.com.au/privacy-policy. If changes are material, we will provide reasonable advance notice (for example, by email to registered Reassure users or through prominent notice on the platform), consistent with the ‘Changes to these Terms of Use’ clause in Lawlux’s Terms of Use.
How do you contact us?
If you have any questions on this Privacy Policy, please contact our Privacy Officer:
- Attention: Privacy Officer, Lawlux
- Email: privacy@lawlux.com.au
- Address: Level 30, 35 Collins Street, Melbourne VIC 3000