Privacy Policy

1. Who We Are

Serverity is operated by Serverity Ltd (company details to be inserted after incorporation). We are the data controller for personal data processed through the Serverity platform.

Serverity is a legal workflow platform for self-represented litigants (litigants in person) in England and Wales. We provide document management, AI-assisted drafting, legal source retrieval, and structured case management tools.

• Email: privacy@serverity.ai
• General support: support@serverity.ai

2. What Data We Collect

Personal data

• Name and email address (from Google OAuth sign-in)
• Profile picture (from Google OAuth)
• Account preferences and settings
• Subscription and billing information (processed by Stripe — we do not store full card numbers)

Legal case data

• Documents you upload (witness statements, correspondence, evidence, court orders)
• Matter details (case names, parties, dates, jurisdiction, court/tribunal)
• Chronology entries, issues, and legal arguments
• AI-generated drafts, analyses, and audit reports
• Filing compliance check results
• Bundle configurations and exports

Usage data

• Pages visited and features used within Serverity
• AI operation counts and credit usage
• Error logs and performance data
• Device type, browser, and operating system
• IP address

Legal intelligence data

• Legal sources you bookmark or monitor
• Alert preferences for legislation and case law changes
• Search queries within the legal source engine

3. How We Use Your Data

We process your data for the following purposes, each with a lawful basis under UK GDPR:

Special category data: Legal case documents may contain special category data (health information, racial/ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation). We process this data under Art. 9(2)(f) — processing necessary for the establishment, exercise, or defence of legal claims. You control what documents you upload.

4. AI Processing Disclosure

Serverity uses two AI providers to process your data:

Anthropic (Claude)

• Used for: primary document analysis, drafting, chronology generation, legal reasoning
• Data sent: document text, matter context, prompts constructed by Serverity
• Anthropic does not use API inputs/outputs to train models
• Data is processed in accordance with Anthropic's API Terms of Service
• Processing location: United States

OpenAI (GPT)

• Used for: adversarial audit review (second-opinion verification of Claude outputs)
• Data sent: AI-generated outputs for cross-verification, relevant document context
• OpenAI does not use API inputs/outputs to train models (API data usage policy)
• Data is processed in accordance with OpenAI's API Terms
• Processing location: United States

Important: Neither AI provider retains your data after processing. Inputs and outputs are not used for model training. Serverity uses the API (not consumer) tiers of both services, which have stronger data protection commitments.

AI processing is integral to the Serverity service. If you do not wish your documents to be processed by AI, you should not use Serverity.

5. Data Sharing

We share your data only with the following categories of processor, all under appropriate data processing agreements:

We do not sell your personal data. We do not share your legal case data with any party other than the processors listed above, and only for the stated purposes.

6. Legal Source Data

Serverity retrieves and displays legal source material (legislation, case law, procedural rules, practice directions) from publicly available sources including:

• legislation.gov.uk (Open Government Licence)
• The National Archives
• Courts and Tribunals Judiciary (Open Justice Licence)
• BAILII and other open legal databases

This data is Crown Copyright and/or made available under open licences. Serverity does not claim ownership of legal source material. Currency monitoring may have delays — always verify critical legal sources independently.

7. Data Retention

You can request early deletion at any time. Account deletion removes all personal and case data within 30 days, except where retention is required by law (e.g., billing records).

8. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the following rights:

• Right of access — request a copy of all personal data we hold about you
• Right to rectification — request correction of inaccurate personal data
• Right to erasure — request deletion of your personal data ("right to be forgotten")
• Right to restrict processing — request that we limit how we use your data
• Right to data portability — receive your data in a structured, commonly used format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — where processing is based on consent, withdraw at any time
• Rights related to automated decision-making — Serverity does not make solely automated decisions with legal or significant effects

To exercise any right, email privacy@serverity.ai. We will respond within one month. You can also use the data export and account deletion features within Serverity directly.

9. Data Security

• All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Authentication via Google OAuth 2.0 with secure session management
• Row-level security on all database tables — you can only access your own data
• AI API calls use encrypted connections and do not persist data on provider systems
• Regular security reviews and dependency updates
• Access to production systems is restricted and logged

If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours as required by UK GDPR.

10. Cookies

Serverity uses the following cookies:

Essential cookies (always active)

• Session cookie — maintains your logged-in session
• CSRF token — protects against cross-site request forgery
• Cookie consent preference — records your cookie choice

Functional cookies (with consent)

• Theme preference — remembers light/dark mode selection
• UI state — remembers sidebar, panel, and view preferences

Analytics cookies (with consent)

• We may use privacy-focused analytics (e.g., Plausible or PostHog) to understand platform usage
• These are only set if you accept analytics cookies
• No data is shared with advertising networks

You can change your cookie preferences at any time via the cookie settings in your account, or by clearing your browser cookies. See our cookie consent banner for controls on first visit.

11. International Transfers

Some of our processors (Anthropic, OpenAI, Stripe, Google) are based in the United States. These transfers are protected by:

• UK-US Data Bridge (UK Extension to the EU-US Data Privacy Framework) where the processor is certified
• Standard Contractual Clauses (UK International Data Transfer Agreement) where the Data Bridge does not apply
• Supplementary measures including encryption and access controls

We ensure all international transfers have appropriate safeguards as required by UK GDPR Chapter V.

12. Children

Serverity is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@serverity.ai and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email and in-app notification at least 14 days before taking effect. The "last updated" date at the top of this page indicates the most recent revision.

14. Complaints

If you are unhappy with how we handle your data, please contact us first at privacy@serverity.ai. We will do our best to resolve your concern.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Telephone: 0303 123 1113
• Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF