Data Collection & Processing Policy
Last updated: 2026-06-12
Welcome to Andri, a product of Andri AI B.V., registered in the Netherlands. This Data Collection & Processing Policy ("Policy") outlines how we collect, process, store, and distribute legal data and other personal data in connection with our services. Our practices are designed to comply with applicable legal requirements, including EU data protection regulations (such as the GDPR), and to respect the intellectual property rights of third parties.
1. Data Processing Roles
Under the EU General Data Protection Regulation ("GDPR"):
- For the data you process in the Andri platform, you are the Data Controller and Andri AI B.V. is the Data Processor (Art. 28 GDPR). We process that data solely on your behalf and according to your instructions, as recorded in a data processing agreement that every customer signs before go-live.
- For data we process for our own purposes, such as account administration, billing and website analytics, Andri AI B.V. is itself the controller. For this, see our Privacy Policy and our Cookie Policy.
2. Processing Purposes & Legal Basis
We process personal data and legal data for the following specific purposes:
- To provide and maintain the Andri service.
- To improve our service, for example on the basis of aggregated usage statistics and feedback; customer data is never used to train AI models for this purpose.
- For any purposes explicitly set forth in our service agreement or in any supplemental agreements you accept.
Important: Your data is never used for AI training. We deploy existing foundation models; customer data does not enter any training loop. All client data is private, encrypted, and strictly segregated per customer.
Our processing is based on:
- Contract Performance (Article 6(1)(b) GDPR): where processing is necessary for the performance of our contract with you.
- Legitimate Interests (Article 6(1)(f) GDPR): for example to secure and improve our service, unless overridden by your fundamental rights and freedoms.
- Consent (Article 6(1)(a) GDPR): where required by law, we obtain your explicit consent.
- Compliance with Legal Obligations (Article 6(1)(c) GDPR): where necessary to comply with legal obligations under EU or Member State law.
3. Introduction to Our Legal Data Collection
At Andri, we manually collect and summarize publicly available legal data from trusted sources, including BAILII, uitspraken.rechtspraak.nl, and judiciary.uk, in accordance with their terms of use. We ensure that any summarized data is clearly attributed, and users are provided with direct links to the original sources for verification and further review.
4. Publicly Available Information and AI
4.1 Sources of Public Information
To provide our service, Andri accesses publicly available legal information from authorized sources, including:
- Court judgments and decisions from official court websites and legal databases
- Public legal filings and documents
- Statutes, legislation, and regulatory materials
- Public legal briefs and submissions
- Academic legal publications and journals
- Official government legal resources
This information is similar to what law firms and legal professionals routinely access to serve their clients effectively.
4.2 Processing of Public Information
Some publicly available information may contain references to individuals and, in certain jurisdictions, may be considered Personal Data. We process this information:
- Only to provide context for customer queries and to enhance the accuracy and relevance of our legal analysis
- To improve the accuracy and understanding of legal concepts and precedents
- Never with the intention to identify or profile individuals
We do not use personal client data for AI training. Your uploaded documents and private data remain confidential.
4.3 Privacy Rights and Public Information
We recognise that even publicly available information requires responsible handling:
- We respect privacy rights as outlined in our Privacy Policy
- We acknowledge that privacy rights may apply to public information in certain contexts
- We provide mechanisms for individuals to exercise their data protection rights (see Section 11)
- We carefully assess and balance legitimate interests in processing public information against individual privacy rights
4.4 Safeguards and Limitations
- Regular reviews of our data collection practices
- Strict access controls and security measures
- Clear documentation of our legal basis for processing
- Transparent communication about our use of public information
- Regular privacy impact assessments, following the Dutch Bar Association (NOvA) DPIA standards for law firms
5. How We Collect Data
We collect legal information manually from publicly accessible sources such as BAILII, uitspraken.rechtspraak.nl, judiciary.uk, governmental websites, and other legal databases. Our process respects the limitations set by these third-party sites, which prohibit automated data scraping or bulk downloading. We only collect a reasonable amount of material needed for our legal AI services.
6. Summarizing and Using Data
Our team manually reviews and summarizes the collected legal data to provide helpful insights to users of our services. We do not republish full judgments or other legal materials from BAILII, uitspraken.rechtspraak.nl, judiciary.uk, or similar sites, but provide summaries and direct links to the live version of each document, ensuring compliance with copyright and intellectual property requirements.
7. Attribution and Linking to Original Sources
- The original source (e.g., judiciary.uk) is explicitly cited.
- A direct link to the live version of the document is provided, enabling users to verify the source and access any updates or amendments.
This practice aligns with the copyright and usage policies of each respective platform.
8. Compliance with Third-Party Terms
- Manual data collection: we do not use automated scraping mechanisms, adhering to the restrictions placed by these platforms.
- Reasonable use: we do not impose excessive load on third-party servers, respecting their requirement to avoid bulk downloading.
- Attribution: we always provide proper attribution and direct links to the original source, as required by these platforms.
9. Intellectual Property and Copyright Compliance
- Crown Copyright and Judicial Decisions: we comply with Crown Copyright guidelines for UK cases and applicable copyright laws for materials from judiciary.uk. We ensure any use of such material is accurate, includes proper attribution, and is within the scope of permitted use.
- Third-Party Copyright Owners: we respect the copyright of third parties (e.g., shorthand writers, courts, commercial publishers) and do not republish content where permission has not been granted.
10. Data Retention
We retain data no longer than necessary for the purposes for which it was collected, or as required by law. In concrete terms:
- Client files (uploaded documents): zero retention by design. Document files are not backed up outside primary storage; when you delete a file, it is immediately and permanently gone.
- Account data: retained for as long as you have an active account. Upon full account closure, all personal data is deleted within 30 days, subject to statutory retention obligations.
- Metadata and system data: automated backups with a 35-day retention period.
- Security and audit logs: retained for at least 90 days for security and accountability purposes.
- Financial records: in accordance with statutory (tax) retention periods.
10.1 Data Segregation and Customer Privacy
- Customer Data Separation: tenant isolation is technically enforced; every database partition, search query, and AI call is scoped to the owning firm and case. Data is never shared between customers.
- Encryption: all customer data is encrypted in transit (TLS 1.3) and at rest (AES-256), with self-managed encryption keys.
- Access Controls: multi-factor authentication and role-based access control; only authorized personnel can access data, and only for legitimate purposes. A lawyer who leaves the firm immediately loses access.
10.2 Model-Provider Retention: Standard versus Frontier Intelligence
For AI processing we distinguish between two tiers. Which tier applies is your choice, on a per-matter basis.
- Standard processing: runs under a zero-data-retention arrangement with our model provider. Your prompts and the generated output are not retained by the model provider. This is the default and applies under the data processing agreement (DPA).
- Frontier intelligence (Premium credits): as soon as you enable this for a specific matter in the app, the zero-data-retention arrangement no longer applies. We follow the model provider’s guidance: prompts and output are retained for 30 days and then deleted. Even here, your data is never used to train AI models.
This lets you handle complex matters with the most powerful models where that adds value, while keeping the most confidential files on standard, zero-retention processing. The choice is yours.
11. Data Subject Rights
If and to the extent that we process your personal data, you have certain rights under the GDPR and other applicable data protection laws, including:
- Right of Access: you can request a copy of personal data we hold about you.
- Right to Rectification: you can request corrections of inaccurate personal data.
- Right to Erasure ("Right to be Forgotten"): you can request the deletion of your personal data, subject to legal or contractual obligations.
- Right to Restrict Processing: you can request that we limit the way we use your data.
- Right to Data Portability: you can request to receive your data in a structured, commonly used, and machine-readable format.
- Right to Object: you can object to the processing of your data if processing is based on our legitimate interest.
- Right to Withdraw Consent: where processing is based on consent, you may withdraw that consent at any time.
A request to erase your data can be submitted directly via our privacy request form. To exercise any of the other rights, please contact us at info@andri.ai.
12. User Rights and Verification
We encourage our users to review the full legal documents from which our summaries are derived. Each summary contains a direct link to the live version of the document, ensuring transparency and enabling users to verify the original content.
13. Data Security & Breach Notification
Our information security management system is ISO 27001 certified by Kiwa (certificate number K-0229199/1, verifiable online). Our measures include:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256).
- Independent penetration testing by Fox-IT / NCC Group and regular security scanning.
- Multi-factor authentication, role-based access control, and least privilege.
- Continuous automated security monitoring and alerting (24/7) with a documented incident response process.
- Technically enforced tenant isolation between customers.
- Regular security training and background checks for all employees.
In the event of a personal data breach, we will notify you (as the Data Controller) without undue delay and, where feasible, not later than 72 hours after becoming aware of it, in accordance with GDPR Article 33. An overview of our sub-processors is available on the sub-processors page.
14. Cross-Border Data Transfers
Customer data is stored and processed within the EU (AWS regions eu-west-1 Ireland and eu-central-1 Frankfurt), with no replication outside the EU. AI processing takes place via AWS Bedrock in the EU region. Transfers outside the EEA only take place where:
- A specific sub-processor (such as Vercel or Clerk) partly operates in the US; this takes place under Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.
- A country benefits from an adequacy decision of the European Commission (such as Switzerland).
- It is otherwise permitted by applicable data protection legislation.
15. EU AI Act Compliance
The EU AI Act is in force, and Andri complies with the obligations that apply to us:
- Classification: limited risk. Andri is a general-purpose AI assistant for qualified legal professionals (research, document analysis, drafting support). None of the Annex III high-risk categories apply.
- Transparency (Art. 50): every AI-generated interaction is logged with provenance metadata (AI-generated flag, model ID, provider).
- Human oversight (Art. 14): Andri supports decisions but does not make them; every output goes to the qualified lawyer, who remains responsible.
- No profiling: Andri does not profile individuals and does not make solely automated decisions within the meaning of Art. 22 GDPR.
We monitor the further implementation of the AI Act and will update our practices and this Policy as obligations evolve.
16. Liability & Disclaimers
Accuracy of Summaries: while we endeavor to ensure the accuracy of our legal data summaries, the original live version of the document should be treated as the authoritative source for any legal or compliance matters. We disclaim liability for any errors or omissions in the summaries, and users should consult professional legal advice as needed.
Third-Party Content: we are not responsible for the content, privacy, or security practices of any third-party websites or platforms from which we collect or link data.
17. Changes to This Policy
We may update this Data Collection & Processing Policy from time to time to reflect changes in our practices or to remain compliant with new legal standards. Any changes will be posted on this page and accompanied by an updated "Last updated" date. For material changes, we will actively inform customers.
18. Contact Us
For any data protection or privacy-related queries:
- Data Protection Officer: info@andri.ai
- Address: Andri AI B.V., Hildegard Von Bingenstraat 44, 1081 LH Amsterdam, The Netherlands
- Supervisory Authority: Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
We remain committed to transparency, accountability, and full compliance with EU data protection regulations in our collection and processing of both legal and personal data.