Privacy Policy

Version 2026-05-21b.

Who is the data controller

Lawcrew.AI — the operator of the lawcrew.ai service — is the organisation responsible for personal data you provide. We are subject to the Singapore Personal Data Protection Act 2012 ("PDPA" or "PDPA-SG").

Pre-incorporation notice. Lawcrew.AI is currently operated in a pre-incorporation phase as a development-stage service. Once an operating entity is registered, this notice will be updated with the entity's full legal identity (including UEN and registered office address), and the change will be flagged in-product.

Our role

For data about you as a LawCrew user (your account, your billing, your usage), we are the organisation responsible under the PDPA. For personal data contained in matters and documents you upload — for example, your counterparty's name and contact details — we act on your instructions and only as needed to deliver the service to you. We do not treat that data as our own, do not use it to train AI models, and do not disclose it except as described in this Policy. We remain bound by the Protection Obligation (section 24) and Retention Limitation Obligation (section 25) of the PDPA in respect of all personal data we hold, whether about you or about third parties whose data you upload. To the extent that any aspect of our processing of third-party personal data is properly characterised as that of a data intermediary under section 4(2) of the PDPA — for example, transient transmission to an AI sub-processor purely on your instruction — we will treat that processing accordingly; we do not, however, rely on data-intermediary status as a general characterisation of our role.

Data Protection Officer

In compliance with section 11 of the PDPA, our Data Protection Officer can be contacted at [email protected]. You can write to the DPO to exercise your access, correction, or withdrawal-of-consent rights under the PDPA, or to raise a complaint. The DPO role for Lawcrew.AI is held by the individual designated as Data Protection Officer from time to time; the current postholder's name and business contact information will be published here once the operating entity is registered (see the pre-incorporation notice above).

Our legal basis

We collect and process your personal data on the following bases under the PDPA:

  • Consent (PDPA s.13–14) — for account creation, processing the matter and intake data you submit, generating drafts, and sending you transactional emails. You give this consent when you sign up and when you tick the per-generation consent box.
  • Deemed consent by contractual necessity (PDPA s.15A) — for onward sharing of your personal data (account-holder data) with the sub-processors listed below where that sharing is reasonably necessary to perform the service contract between you and LawCrew.
  • Customer responsibility for third-party data. Where you upload documents containing personal data of third parties (for example, counterparties), you confirm that you have a lawful basis under the PDPA (or applicable local law) to disclose that personal data to LawCrew and to permit its onward processing by our sub-processors as described in this Policy. To the extent our processing of that third-party personal data is properly characterised as that of a data intermediary under section 4(2) of the PDPA, we process it only on your instructions, consistent with the "Our role" section above.
  • Legitimate interests (PDPA First Schedule Part 3) — for security monitoring, fraud and abuse prevention, and keeping append-only audit logs to evidence compliance. Before relying on this basis we have conducted and documented a legitimate-interests assessment weighing our interest against any adverse effect on you; a summary is available from our DPO on request.
  • Legal obligation — where we are required to retain or disclose data under Singapore law or by a court order.

What we collect

  • Account data: your name, email address, hashed password, and role.
  • Matter and intake data: the parties, facts, terms, and uploaded documents you provide to generate drafts. This may contain personal data about you and about third parties (e.g., counterparties).
  • Generated drafts and verification traces: the documents produced for you and the gate / critique / adversarial-review trace attached to each draft.
  • Usage data: server logs, IP address, user-agent, and product events used to operate and secure the service.
  • Billing data: when paid billing is enabled, our payment processor handles card data; we do not store card numbers.

NRIC, FIN, and other national-ID numbers. Please do not paste NRIC, FIN, or equivalent national-ID numbers into intake fields. Where uploaded documents contain such identifiers (for example, in a counterparty's signature block), we treat them as sensitive personal data and minimise their use, consistent with the PDPC's Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers.

How we use it

  • To run the AI drafting and verification pipeline you requested.
  • To deliver drafts and the audit trace to your account.
  • To facilitate connection to a panel lawyer if you request escalation.
  • To secure the service, detect abuse, and meet our legal obligations.
  • To improve LawCrew. We review aggregated product metrics (counts, latencies, gate outcomes) to improve our templates, prompts, and gates. Where we need to review the content of a matter to debug a quality issue, we will either (a) work from a pseudonymised copy in which direct identifiers (names, contact details, NRIC/FIN, email addresses) are replaced with opaque tokens — this is pseudonymisation, not anonymisation, so the copy remains personal data under the PDPA and is protected accordingly — or (b) ask for your specific consent. Where we permanently anonymise data in line with the PDPC's Guide to Basic Anonymisation such that there are no reasonable means of re-identification, we may use it without further reference to this Policy.
  • We do not sell your personal data, and we do not share it with third parties for behavioural advertising, profiling for marketing, or cross-site tracking. We do not use your matter content to train AI models.
  • We will only send you marketing email if you have opted in; every such email will identify Lawcrew.AI as the sender and contain an unsubscribe link, in line with the Spam Control Act 2007 (Singapore) and the Do Not Call provisions of Part 9 of the PDPA.

Third parties who process your data

We use the following categories of sub-processors. Each is bound by a data processing agreement (DPA). The current list (with provider names, service, country of processing, model-training opt-out status, and DPA reference) is available on request from our DPO.

  • AI model providers — specifically Anthropic (Claude models, processed in the United States) and Google (Gemini models, processed in the United States or other regions selected by Google), and (optionally) the local Claude command-line provider running on our own infrastructure (processed in Singapore). Inputs you submit are transmitted to the selected model provider for processing on its servers. We configure these providers, where the provider supports it, to disable use of your inputs for model training, and we rely on each provider's published API-tier DPA terms governing input handling and retention. The current primary and fallback providers are visible to administrators in the in-product AI settings page.
  • Cloud hosting and database — to run the application and store your data.
  • Email delivery — for transactional emails (welcome, lawyer-handoff notifications).
  • Payment processing — when paid billing is enabled.
  • Panel lawyers — only if you choose to engage a panel lawyer. We share the matter details necessary for the lawyer to take instructions. We disclose only on your explicit instruction to escalate, we tell you in-product which firm we are sending the matter to before disclosure, and our copy of the matter continues to be held under this Policy's retention rules (see "How long we keep it"). The panel lawyer is then an independent data controller for that engagement under the lawyer's own engagement letter, and remains separately bound by the Legal Profession Act 1966 and the PDPC's Advisory Guidelines for the Legal Industry.

Where your data is stored

Our production target hosting region is Singapore (AWS ap-southeast-1). Pre-production and current production hosting regions may differ during early-stage operation; we will update this page when we complete migration to the target region. Backups are encrypted at rest.

Where sub-processors operate outside Singapore (notably AI model providers in the United States), we ensure recipients are bound by legally enforceable obligations to provide a standard of protection at least comparable to the PDPA, by way of data-processing addenda that impose confidentiality, purpose limitation, security, breach notification, sub-processing controls, and (where supported) model-training opt-outs, consistent with section 26 of the PDPA and regulation 10 of the Personal Data Protection Regulations 2021. For personal data about you, your per-generation consent provides an additional basis where contractual safeguards alone are insufficient; for personal data about third parties contained in your uploads, the customer-confirmed lawful basis applies (see "Customer responsibility for third-party data" above).

How long we keep it

We hold personal data only for as long as is reasonably needed for the purposes set out above (PDPA Retention-Limitation Obligation, section 25):

  • Account data: while your account is active and for up to 12 months after closure.
  • Matters, drafts, and verification traces: while the matter is open, then archived for up to 6 years from closure to allow legal claims arising from the draft to be brought or defended within the 6-year limitation period for simple contract under section 6(1)(a) of the Limitation Act 1959. Where a longer period applies to a specific matter (for example, the 12-year period for a deed under section 6(3) of the Limitation Act), we will hold that matter for that longer period.
  • Audit-event records (consents, security and admin events): kept on an append-only basis for the 6-year limitation period from creation, on the basis that retention is reasonably necessary to defend or bring legal claims, to evidence consent and Notification compliance under the PDPA, and to support investigations under the Sixth Schedule of the PDPA.
  • Server and application logs: typically 30–90 days; longer where needed for active security investigation.
  • Billing records: 5 years from the end of the financial year of the transaction, to meet our tax-recordkeeping obligations under the Income Tax Act 1947 and Goods and Services Tax Act 1993.

Your rights under the PDPA

  • Access (PDPA s.21): ask what personal data we hold about you and how it has been used or disclosed in the year before your request. We will respond as soon as reasonably possible; if we need more than 30 days, we will write to you within 30 days to tell you when we will respond. We may charge a reasonable fee to recover the cost of locating, retrieving, and reproducing the data (consistent with regulation 7 of the Personal Data Protection Regulations 2021). We will give you a written fee estimate before incurring the cost, and you can withdraw the request after seeing the estimate.
  • Correction (PDPA s.22): ask us to correct inaccurate personal data.
  • Withdrawal of consent (PDPA s.16): ask us to stop relying on consent to process your data. We will give effect to the withdrawal as soon as reasonably possible under section 16(4), and in any event within 30 working days of receiving your request; we will tell you in writing if more time is needed and why. Withdrawal may mean we can no longer provide the service to you.
  • Account and data deletion: ask us to close your account and delete your personal data. We will do so, subject to records we are required or entitled to retain. These records include (a) matters, drafts, and verification traces for the limitation period set out in "How long we keep it" above where retention is needed to defend or bring legal claims arising from the draft, and (b) audit-event records (which include consent timestamps, IP addresses, and admin actions) for the 6-year limitation period from creation, on the basis that retention is reasonably necessary to defend or bring legal claims, to evidence consent and Notification compliance under the PDPA, and to support investigations under the Sixth Schedule of the PDPA. On request, we will pseudonymise the identifiers in audit-event records linked to your closed account (replacing your account ID, email, and IP addresses with opaque tokens) while retaining the event metadata needed for the legal-claims purpose, unless doing so would defeat that purpose in a specific case.
  • Data portability: the PDPA portability obligation (Part 6B) is not yet in force as at the version date of this Policy. In the meantime, you can request an export of your account data, matters, drafts, and verification traces in machine-readable JSON form by writing to our DPO. Where Part 6B comes into force in a form that applies to us, we will give effect to it.
  • Complaint to the PDPC: if you are not satisfied with how we have handled your personal data, you may complain to the Personal Data Protection Commission of Singapore (pdpc.gov.sg) after first giving us a reasonable opportunity to address the matter.

Write to our DPO at [email protected] to exercise any of these rights.

Closing your account

You can close your account at any time by writing to [email protected] from the email address on your account. We will confirm closure and explain what data will be deleted and what (if anything) we must retain and for how long.

Children

LawCrew is a service for business users and is not directed to minors. We do not knowingly collect personal data from a person under the age of 18. If we become aware that a minor has given us personal data without the consent of a parent or legal guardian, we will close the account and delete the data. Where local law in your country of residence sets a different minimum age for valid consent, that local-law minimum applies in addition to the floor of 18 stated here.

Scope

LawCrew is offered to users in Singapore, Malaysia, Indonesia, Thailand, Vietnam, and the Philippines. We do not target users in the European Economic Area, the United Kingdom, or other jurisdictions; we do not monitor the behaviour of, or intentionally offer services to, data subjects in those jurisdictions. If you access LawCrew from outside our target jurisdictions, you do so on your own initiative and at your own risk; the PDPA-SG and this Policy will continue to govern our processing of your data.

Regional rights for users outside Singapore

If you are a data subject in Malaysia, Indonesia, Thailand, Vietnam, or the Philippines (see Scope above), you may have additional rights under your local data-protection law — Malaysia's Personal Data Protection Act 2010 (as amended), Indonesia's Undang-Undang Pelindungan Data Pribadi 2022, Thailand's Personal Data Protection Act 2019, Vietnam's Decree 13/2023 (and any Vietnam Personal Data Protection Law in force from time to time), and the Philippines' Data Privacy Act 2012. Where local law gives you a stronger right than the PDPA-SG (for example, a stronger right to object, to erasure, or to data portability), you can exercise that stronger right by writing to our DPO at [email protected].

Cross-border transfer. Cross-border transfer of your data out of your home country (for example, to our cloud-hosting region in Singapore and to AI model providers in the United States) is necessary to deliver the service, and is done on the basis of (i) your consent at sign-up and at each generation for personal data about you, and the lawful basis you confirm for personal data about third parties contained in your uploads (see "Customer responsibility for third-party data" above), and (ii) contractual safeguards with our sub-processors that bind them to a level of protection at least comparable to the PDPA-SG. Where your local law requires additional formalities (for example, Vietnam's Decree 13/2023 requires a transfer-impact assessment), we will undertake those formalities or, where we cannot, we will not transfer your data and will tell you why so you can decide how to proceed.

Security

We use industry-standard encryption in transit (TLS) and at rest, least-privilege database access, and append-only audit logging. No system is perfectly secure.

If we become aware of a data breach that is notifiable under sections 26A–26D of the PDPA — meaning a breach that results in, or is likely to result in, significant harm to an affected individual (including breaches involving the classes of personal data prescribed under the Personal Data Protection (Notification of Data Breaches) Regulations 2021) or that affects 500 or more individuals — we will notify the Personal Data Protection Commission as soon as practicable, and in any event no later than 3 calendar days after assessing the breach to be notifiable (section 26D(1)).

We will notify affected individuals as soon as practicable, on or after that PDPC notification (section 26D(2)). We may not notify affected individuals where an exception under section 26D(5)–(7) applies — for example, where we have taken remedial action that renders significant harm to the affected individual unlikely.

Cookies

We use cookies that are strictly necessary to keep you signed in and to run the application (session cookies and short-lived CSRF cookies). We may use first-party analytics cookies to understand product usage in aggregate; these are set only after you have had a clear opportunity to opt out, and you can change your choice at any time from the cookie-preferences link in the site footer. We do not use third-party advertising, retargeting, or cross-site tracking cookies.

Changes

We will update this Privacy Policy from time to time. Material changes will be flagged in-product and the version date at the top will be updated.

Contact

Privacy questions: [email protected].