Privacy Policy
Last updated: May 2026
1. Introduction
This Privacy Policy explains how Legal Flow (“we,” “our,” or “us”) processes personal data when you visit our website or use our legal practice management service. Your use of the Service is also governed by our Terms of Service.
We are committed to compliance with Namibia’s data protection framework, South Africa’s Protection of Personal Information Act (POPIA), and — where applicable — the EU General Data Protection Regulation (GDPR).
2. Who We Are (Data Controller)
Legal Flow is operated by FutureCC Namibia. For questions about this Privacy Policy, or to exercise any of the rights described in §7, contact us at privacy@yourlegalflow.com.
For complaints, you may also contact the Information Regulator of South Africa (the operative POPIA authority, inforegulator.org.za) or, once established, the Namibian Information Regulator. EU residents may complain to their national Data Protection Authority.
3. Information We Collect
3.1 Account Information
When you register, we collect your name, email address, phone number, and firm details.
3.2 Client and File Data
Data you enter into the system: client information (including ID numbers, addresses, bank-account numbers), file details, financial records (trust + business accounting), documents, time entries, and invoices. Sensitive fields are encrypted at rest using AES-256-GCM, with searchable lookups handled by HMAC-SHA256 hash columns.
3.3 Usage Data
Information about how you interact with the Service: features used, pages visited, and actions taken within the application (recorded in audit log entries to support the statutory audit obligations of legal practitioners).
3.4 Technical Data
IP address, browser type, device information, operating system, and other technical identifiers. We store IP and user-agent on audit-log rows and on contact-form submissions for security forensics.
3.5 Browser Storage
We use browser local storage to keep you signed in (a JSON Web Token) and to remember interface preferences. We currently set no first-party cookies, no third-party trackers, and no analytics scripts. See our Cookie Policy for details.
4. How We Use Your Information and the Lawful Basis
Under GDPR Article 6 and POPIA s11, processing must have a lawful basis. For each purpose:
| Purpose | Lawful basis |
|---|---|
| Provide the Service — account, files, billing, trust accounting | Contract (Art. 6(1)(b)) / POPIA s11(1)(b) |
| Send transactional emails — invoices, password resets, support replies | Contract + legitimate interest (Art. 6(1)(b) + (f)) |
| Maintain audit log entries on financial actions | Legal obligation (Art. 6(1)(c)) — Law Society + tax law require these records |
| Store IP / user-agent for security forensics and abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Respond to a contact-form enquiry | Pre-contract steps (Art. 6(1)(b)) |
We do not currently process any data on the basis of consent. If we introduce analytics, marketing emails, or any other consent-based processing, we will obtain your opt-in before any data is collected for those purposes.
5. Data Storage, Security, and International Transfers
Production data is stored on cloud servers operated by DigitalOcean in the European Union region. All data transmission is encrypted using TLS. Sensitive fields are encrypted at rest using AES-256-GCM. Off-site backups are written nightly to a separate server, also under our control.
For Namibian and South African users, the transfer of personal data to EU-region servers is lawful under POPIA s72(1)(b) — the recipient jurisdiction (EU) provides protection substantially similar to POPIA. EU residents’ data remains within the EU.
6. Data Retention
We retain personal data only as long as necessary for the purpose for which it was collected, or as required by applicable law:
| Data category | Retention |
|---|---|
| Active account data | While account is active + 30 days after termination |
| Trust accounting records (your firm’s data) | At least 5 years — Law Society Rule 17 (Legal Practitioners Act 15 of 1995) requires that trust records be kept ≥5 years from the last entry; you, the firm, are the data controller for client records and may retain them longer |
| Audit log entries | At least 5 years — to support Section 26 trust audits |
| Support tickets | 24 months |
| Contact form submissions (no associated firm) | 12 months unless an active inquiry |
| Server access logs (IP, user-agent) | 90 days |
| Authentication failures (security telemetry) | 90 days |
After the retention period, data is permanently deleted unless a specific legal hold applies.
7. Your Rights
Under POPIA and GDPR, you have the right to:
- Access — receive a copy of your personal data
- Correction — fix inaccurate or incomplete data
- Erasure — request deletion of your data (subject to legal-retention requirements above)
- Portability — export your data in a machine-readable format
- Restriction — limit certain types of processing
- Objection — object to processing based on legitimate interest
- Withdraw consent — where consent is the lawful basis
- Lodge a complaint — with the regulator named in §2
To exercise these rights, contact us at privacy@yourlegalflow.com. We will respond within 30 days (the timeframe required by both POPIA s23 and GDPR Art. 12(3)).
8. Third-Party Processors
We use the following third parties to provide the Service. Each is bound by a Data Processing Agreement that restricts its use of your data to the service it provides to us:
| Processor | Purpose | DPA |
|---|---|---|
| DigitalOcean | Application + database hosting (EU region) | digitalocean.com/legal/dpa |
| Resend | Outbound email transport (transactional) | resend.com/legal/dpa |
We do not sell, rent, or share personal data with third parties for their own marketing purposes.
9. Cookies and Similar Technologies
Legal Flow currently sets no first-party cookies and uses no third-party analytics or advertising trackers. Authentication uses browser local storage. Full disclosure is in our Cookie Policy.
10. Children’s Privacy
Legal Flow is a B2B service for licensed legal practitioners and their authorised staff. It is not directed at children. We do not knowingly collect personal data from anyone under 18, nor from any individual below the age of digital consent applicable in their jurisdiction (which can be as low as 13 under some EU member-state laws). If you believe a child has provided us with personal data, contact us and we will delete it.
11. Data Breach Notification
In the event of a personal-data breach that is likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33) and notify affected data subjects without undue delay (POPIA s22 / GDPR Art. 34).
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email and via an in-product notice. The “Last updated” date at the top of this page is your guide.
13. Contact Us
Privacy enquiries: privacy@yourlegalflow.com.
General enquiries: see our contact page.
