Privacy Policy

Legal Data Hunter ("we", "us") operates the website legaldatahunter.com, the REST API at /v1/*, and the MCP server at /mcp. This policy explains what personal data we collect, why we collect it, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR).

Data controller: Legal Data Hunter is operated by Zacharie Laik, entrepreneur individuel / micro-entreprise. SIREN: 880 498 142. SIRET: 880 498 142 00046. Contact: zacharie@goodlegal.fr. VAT number: not provided / pending verification.

1. What we collect

Account data

• Email address (from GitHub, Google, or Microsoft OAuth, or supplied at sign-up)
• Display name and avatar URL (from the OAuth provider, where available)
• OAuth provider identifier (so we can re-authenticate you on subsequent sign-ins)
• Plan (Free, Developer, Pro, Enterprise) and Stripe customer ID, if you subscribe to a paid plan

Connector / API client data

• OAuth dynamic-client-registration records (RFC 7591): client name, redirect URIs, supported grant types — submitted by clients like Claude.ai or ChatGPT when they connect
• API keys you create (stored hashed; we never see the plaintext after creation)

Request logs

• Endpoint path, HTTP status, timestamp, plan, user ID
• JSON-RPC method name (for MCP requests)
• Customer search queries and result payloads are not stored in the application database.
• Query bodies and result payloads are not exposed in dashboards, admin tools, or application logs.
• Query text may be transmitted to Scaleway, our hosted LLM inference and embedding provider in France/Europe, where needed to answer a request.

Customer search queries and result payloads are not stored by Legal Data Hunter in our application database, dashboards, admin tools, or application logs. Query text may be transmitted to Scaleway, our hosted LLM inference and embedding provider in France/Europe, where needed to answer a request. Scaleway states that its Generative APIs apply Zero Data Retention by default: prompt, input, and output content is not collected, read, reused, analyzed, or used to train base models. Scaleway documents a narrow operational/security exception under which HTTP request content may be stored temporarily, for up to two weeks, to investigate abnormal errors, malicious activity, or security issues.

Operational logs

• Server-side application logs may include user IDs, request IDs, and error stack traces. They are retained for 30 days.

2. How we use it

• Authentication and access control — to identify you across requests and apply your plan's rate limits.
• Rate limiting and abuse detection — per-minute, per-day, and per-period counters; abuse / bot detection.
• Billing — to compute usage against your plan and process subscription payments (via Stripe).
• Operations and debugging — to investigate errors and improve service reliability.
• Aggregate analytics — request counts by endpoint or country, never tied to individual users in public-facing reporting.

We do not use your queries or usage history to train any machine-learning model.

3. Where it is stored

• Customer account/session data is hosted on Fly.io in Europe.
• Neon serves legal data, not customer query bodies.
• Inference and embeddings are provided by Scaleway in France/Europe where needed to answer requests.
• OAuth providers: GitHub, Google, Microsoft.
• Stripe handles billing.
• All connections are TLS-encrypted; backups are encrypted at rest.

4. Third-party processors

We rely on the subprocessors listed on our Subprocessors page. They include Fly.io, Scaleway, Neon, Stripe, GitHub, Google, Microsoft, and Sleek for the purposes described there.

We maintain and archive data processing terms for relevant subprocessors. Current DPA status is listed on the Subprocessors page.

We do not sell or rent your personal data.

5. Retention

• Account data: kept until account deletion.
• Usage metadata: 90 days, then aggregated and/or deleted.
• Application server logs: 30 days.
• Stripe billing records: retained for the legal period required by French/EU accounting law (10 years).
• Legal acceptance records: signup and paid-checkout acceptance records are retained as contract/compliance audit records, including the accepted document versions and timestamp.
• Scaleway inference/embedding processing: Scaleway states that its Generative APIs apply Zero Data Retention by default for prompt, input, and output content, with a documented narrow operational/security exception allowing temporary HTTP request content retention for up to two weeks to investigate abnormal errors, malicious activity, or security issues.

6. Your rights (GDPR)

If you are in the European Economic Area, you have the right to:

• Access the personal data we hold about you
• Have it corrected if inaccurate
• Have it deleted ("right to be forgotten")
• Receive an export in a portable format
• Object to or restrict processing
• Lodge a complaint with the French data-protection authority (CNIL)

To exercise any of these rights, email zacharie@goodlegal.fr. We respond within 30 days.

7. Cookies and tracking

The web dashboard stores an authentication token in localStorage after sign-in; this is a first-party storage item used only to keep you signed in across page loads. We do not use third-party advertising or cross-site tracking cookies. Sleek is configured as cookie-free analytics for lightweight, privacy-respecting analytics on public pages; analytics events do not include any personal identifiers or customer query bodies.

8. Children

The service is not directed at children under 16. We do not knowingly collect personal data from children.

9. Changes to this policy

If we materially change how we handle your data we will update this page and, for substantive changes, notify active users by email at least 14 days before the change takes effect.

10. Contact

Questions about this policy or about your data: zacharie@goodlegal.fr.