Privacy Policy
Last updated: February 2026
LeyApp ("we") operates the leyapp.es platform. This policy explains how we collect, use, and protect your personal data in accordance with the GDPR (Regulation (EU) 2016/679) and the Spanish LOPDGDD.
1. Data Controller
LeyApp S.L., domiciled in Spain. Contact: privacy@leyapp.es
2. Data We Collect
We collect: registration data (name, email, encrypted password), professional profile data (bar membership number, specialties, languages, rates), usage data (pages visited, access times), and payment data (processed by Stripe — we do not store card details).
3. Purpose of Processing
We use your data to: manage your account, connect clients with lawyers, process bookings and payments, verify bar memberships, send service communications, and improve the platform.
4. Legal Basis
We process your data based on: contract performance (Art. 6.1.b GDPR), consent (Art. 6.1.a), legitimate interest (Art. 6.1.f) for service improvements, and legal obligations (Art. 6.1.c).
5. Data Retention
We retain your data while your account remains active. After account deletion, we keep legally required data for the mandatory period (5 years for tax data).
6. Your Rights
You have the right to: access your data, rectify it, erase it (right to be forgotten), restrict or object to processing, and request data portability. Contact: privacy@leyapp.es
7. Cookies
We use essential cookies for site functionality and authentication. We do not use third-party tracking or advertising cookies. Because we currently use only essential cookies, you do not have to accept tracking or advertising scripts on our banner. If we ever add analytics, the banner will give you a clear 'Reject All' button. See our cookie policy for details.
8. International Transfers
Your data is stored in the EU (France, Paris region). Supabase and Stripe comply with EU Standard Contractual Clauses.
9. Sub-Processors
We use the following third-party service providers (sub-processors) to operate LeyApp: (1) Supabase Inc. — database hosting and user authentication, data stored in EU West (Paris, France), SCCs in place; (2) Stripe Inc. — payment processing and fraud prevention, data processed within the EU, PCI-DSS Level 1 certified (the highest global standard for secure credit card processing); (3) Resend Inc. — transactional email delivery, Standard Contractual Clauses in place; (4) Vercel Inc. — website hosting, edge processing in EU, data minimised to request logs.
10. Security
We protect your data with SSL/TLS encryption, hashed passwords, data isolation via Row-Level Security (a database feature ensuring your data can only be seen by you and your authorized lawyer), and encrypted backups.
11. Third-Party API Services
LeyApp uses Google OAuth for authentication. Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. We only request the minimum scopes necessary for authentication (email and profile). We do not store, share, or use Google user data beyond what is needed to create and maintain your LeyApp account.
12. Third-Party Sponsorships
When a third party ("Sponsor") pays for your legal consultation through LeyApp, additional data processing applies.
Legal basis: Your explicit consent (GDPR Art. 6(1)(a)). You must actively accept the sponsorship invitation and set your privacy preferences before any data is shared with the Sponsor.
Data shared with Sponsors: Only what you permit. Payment confirmation is always visible to the Sponsor. Booking status updates are shared only if you allow it. Specific lawyer progress notes are shared only if you allow it AND the lawyer explicitly chooses to share each individual note ("double-gate" model). Internal notes, document requests, and your private communications with the lawyer are never shared with the Sponsor.
Your rights: You may withdraw consent at any time by revoking the sponsorship from your dashboard. This immediately stops all data sharing with that Sponsor. You may also request access to all data shared with your Sponsor, or request deletion of sponsorship records (subject to legal retention requirements).
Retention: Sponsorship data is retained for 90 days after the last sponsored consultation is completed, then anonymized. Audit logs are retained for 5 years per Spanish record-keeping regulations.
Anti-coercion protections: If you decline a sponsorship invitation, no reason is shared with the Sponsor. After declining or revoking, the same Sponsor cannot send you a new invitation for 90 days.
For privacy concerns about sponsored consultations, contact our Data Protection Officer at dpo@leyapp.es.
13. Contact
To exercise your rights or for privacy enquiries: privacy@leyapp.es. You may file a complaint with the Spanish DPA (AEPD) at agpd.es.
Version History
- February 2026
- Initial publication.