Privacy Policy
Last updated: 2026-06-12
Welcome to Andri, a product of Andri AI B.V. ("we," "us," or "our"), registered in the Netherlands. This Privacy Policy outlines how we collect, use, store, and protect personal data when you use our legal AI assistant or visit our website. For our security measures, please refer to our Security Policy.
1. Our Role
For the data law firms process in the Andri platform (case files, documents), the firm is the controller and we are the processor (Art. 28 GDPR); the terms are set out in the data processing agreement every customer signs before go-live. This Privacy Policy primarily covers the data for which we are the controller ourselves: account data, billing, support contact, and website visits. See also our Data Collection & Processing Policy.
2. Responsible AI Use
In line with the EU AI Act, the Dutch Bar Association (NOvA) guidance on AI in legal practice, and best practices for the responsible use of AI in legal contexts:
- AI-generated content assists and supports legal professionals and does not replace their judgment; every output goes to the responsible lawyer.
- All AI-generated results must be reviewed and verified by the end user, who retains full responsibility for their use in legal documents or reports.
- Every AI interaction is logged with provenance metadata (AI-generated flag, model ID, provider), making transparency demonstrable towards courts and regulators (Art. 50 AI Act).
- Customer data is never used to train AI models; we deploy existing foundation models with a zero data retention policy at the model provider.
- Confidentiality is technically enforced through tenant isolation: every database partition, search query, and AI call is scoped to the owning firm and case.
- Andri does not profile individuals and does not make solely automated decisions within the meaning of Art. 22 GDPR.
3. Data We Collect
3.1 Personal Data
- Contact Information: name, email address, phone number
- Professional Information: law firm details, practice areas
- Legal Data: case files and documents you upload to the platform (processed as processor, under the data processing agreement)
3.2 Usage Data
We may also collect information on how the service is accessed and used, which may include:
- IP address, browser type and version
- Pages visited, time and date of visits, time spent on pages
- Diagnostic data
This information helps us maintain the quality, security, and performance of our services. For cookies and similar technologies on the website, see our Cookie Policy.
3.3 Publicly Available Legal Information
To provide our service, we access publicly available legal information (judgments, legislation, public filings), similar to what law firms access daily. This information may contain personal data; we process it solely to provide context for user queries, never to identify or profile individuals, and never to train AI models. See our Data Collection & Processing Policy for the full approach.
4. How We Use Your Data
- To provide and maintain the Andri service.
- Account administration, billing, and support.
- Service communications, such as product updates and security notices.
- Marketing communications (such as product news and our newsletter), only where permitted and always with an unsubscribe option in every message. We use HubSpot as our CRM and email provider for this; HubSpot processes this contact data as our processor, partly in the US, under the EU-US Data Privacy Framework and Standard Contractual Clauses.
- Security, abuse prevention, and improving the service on the basis of aggregated data.
- Compliance with legal obligations.
We will not process your data in ways that are incompatible with the purposes stated above without your prior consent, unless otherwise required by law.
5. Legal Basis for Processing Personal Data
- Contract Performance: processing necessary for the performance of a contract with you or to take steps at your request before entering into a contract.
- Consent: where you have given explicit consent for specific purposes (such as marketing cookies).
- Legal Obligations: compliance with a legal obligation to which we are subject.
- Legitimate Interests: processing necessary for our legitimate business interests, such as security and service improvement, provided these do not override your fundamental rights and freedoms.
6. Data Retention
We retain personal data no longer than necessary. In concrete terms: client files are subject to zero retention by design (no backups outside primary storage, immediate permanent deletion), account data is deleted within 30 days of full account closure subject to statutory retention obligations, metadata backups are kept for 35 days, and security and audit logs for at least 90 days. The full retention periods are set out in our Data Collection & Processing Policy.
7. Data Security & Breach Notification
Our information security management system is ISO 27001 certified by Kiwa (certificate number K-0229199/1, verifiable online). Data is stored within the EU, in AWS regions eu-west-1 (Ireland) and eu-central-1 (Frankfurt), encrypted in transit (TLS 1.3) and at rest (AES-256), with strict access controls, independent penetration testing (Fox-IT / NCC Group), and technically enforced tenant isolation. A full overview is available in our Security Policy.
In the event of a personal data breach posing a risk to your rights and freedoms, where we are the controller we will notify the Dutch Data Protection Authority within 72 hours and inform affected individuals where required. Where we act as processor, we notify the controller without undue delay and in any case within 72 hours, in accordance with the data processing agreement.
8. Data Transfers
Customer data is stored and processed within the EU. A limited number of sub-processors partly operate outside the EEA; in those cases appropriate safeguards apply, such as Standard Contractual Clauses or the EU-US Data Privacy Framework. See our Data Transfers page and the current sub-processor list.
9. Disclosure of Data
9.1 Legal Requirements
We may disclose your personal data in good-faith belief that such action is necessary to:
- Comply with a legal obligation or respond to lawful requests by public authorities
- Protect and defend the rights or property of Andri AI B.V.
- Prevent or investigate possible wrongdoing in connection with the service
- Protect the personal safety of users or the public
9.2 No Data Sharing Between Customers
We do not share your private data with other customers. Tenant isolation is technically enforced: each customer’s data is isolated and inaccessible to others. Access to personal data is restricted to employees who need it to operate the service and who are subject to strict contractual confidentiality obligations.
10. Your Data Protection Rights Under GDPR
- Right of Access: request copies of your personal data
- Right to Rectification: request correction of any inaccurate or incomplete personal data
- Right to Erasure ("Right to be Forgotten"): request that we erase your personal data under certain circumstances
- Right to Restrict Processing: request that we restrict the processing of your personal data under certain conditions
- Right to Data Portability: request that we transfer your data to another organization, or directly to you, under certain conditions
- Right to Object: object to our processing of your personal data under certain circumstances
To exercise any of these rights, you can submit a request through our data privacy portal or contact us at info@andri.ai. We respond within the statutory timeframes. If your request concerns data we process as a processor on behalf of a law firm, we will forward it to that firm as the controller. You also always have the right to lodge a complaint with the Dutch Data Protection Authority.
11. Third-Party Services
Our service may include links to third-party websites or services that we do not own or control. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services.
12. Children’s Privacy
Our service is not intended for individuals under the age of 18. We do not knowingly collect personally identifiable information from anyone under 18. If you are a parent or guardian and become aware that your child has provided us with personal data, please contact us. We will take steps to remove such data from our systems.
13. Changes to This Privacy Policy
We may update our Privacy Policy from time to time to reflect changes in our practices or for legal or regulatory reasons. When we do, we will post the new Privacy Policy on this page and update the "Last updated" date. For material changes, we will actively inform customers.
14. Contact Us
- Data Protection Officer: info@andri.ai
- Address: Andri AI B.V., Hildegard Von Bingenstraat 44, 1081 LH Amsterdam, The Netherlands
- Supervisory Authority: Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
For information about our support services and availability, please see our Support & Service Level Agreement.
We remain committed to protecting your privacy and ensuring the security of your data in accordance with GDPR and applicable data protection laws.
Disclaimer: while we strive to provide accurate and reliable information, any legal or compliance-related content generated by our AI is for informational purposes only and should not be construed as legal advice. Always consult with qualified legal professionals for guidance tailored to your specific circumstances.