Apply for Private Beta

Privacy Policy

Privacy Policy

Referent - referent.law
Last updated: June 11, 2026

This Privacy Policy explains how AI Lawtech Sp. z O.O., Henryka Sienkiewicza 36 / 5, 26-600 Radom, Poland (“Referent”, “we”, “us”) collects, uses, stores, and protects information when you use the Referent platform at app.referent.law and related services (the “Service”). Referent is a practice-management and AI-assistant platform for legal professionals.

If you do not agree with this policy, please do not use the Service.

  1. Who we are

Data controller: AI Lawtech Sp. z O.O.
Contact: contact@referent.law
Website: https://referent.law

  1. Information we collect

Account information. Name, email address, password hash, organization name, and role - provided when you create an account or accept an invitation.

Workspace content. Clients, matters, notes, tasks, documents, time entries, and other records you or your team create in the Service.

Connected Google account data (only if you choose to connect a Google account - see Section 3).

Usage and device data. Log data, IP address, browser type, pages viewed, and product analytics events. We use this to operate, secure, and improve the Service.

Communications. Messages you send to support.

  1. Google user data

If you connect your Google account, Referent requests access to the following Google services. We only request scopes needed for features you enable:

Google data: Gmail
What we access: Email messages and attachments in the connected mailbox
Why: To display your correspondence inside Referent, link emails to the relevant clients and matters, surface unread/important items, and let our AI assistant summarize and search your correspondence at your request

Google data: Google Calendar
What we access: Calendar events
Why: To display your schedule, sync events both ways, and let the assistant create and find events

Google data: Google Drive
What we access: File metadata and the content of Google-native documents
Why: To show and search your files, link them to matters, and let the assistant find documents at your request

How we handle Google user data:

  • Google user data is displayed to you in the Service, processed to link items to your clients and matters, and indexed (including via vector embeddings) so that you and the AI assistant can search it.
  • Google user data is stored encrypted at rest in our database hosted on Google Cloud (region: europe-west1, EU).
  • We retain Google user data only while the relevant Google account connection is active. When you disconnect an account or delete your Referent account, the associated synced data is deleted from our systems.
  • We do not sell Google user data. We do not share it with third parties except the subprocessors listed in Section 6, acting on our instructions. We do not use it for advertising.
  • AI/ML disclosure: we do not use Google user data to develop, improve, or train generalized artificial intelligence or machine-learning models. Google user data is processed by AI models only at your request, to provide features of the Service to you (for example, summarizing an email thread you opened or answering your question about your own correspondence).
  • Human access to Google user data is not permitted except (a) with your explicit consent for a specific support case, (b) where necessary for security purposes (e.g., investigating abuse), or (c) where required by applicable law.

Limited Use disclosure: Referent’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

You can disconnect a Google account at any time in Settings → Integrations, and additionally revoke Referent’s access at myaccount.google.com/permissions.

  1. How we use information
  • Provide, operate, and maintain the Service;
  • Link correspondence, events, and files to your clients and matters;
  • Provide AI-assisted features you invoke (summaries, drafting, search, suggestions);
  • Secure the Service, prevent abuse, and debug issues;
  • Communicate with you about the Service (transactional emails);
  • Comply with legal obligations.

We do not sell personal data. We do not serve third-party advertising.

  1. Legal bases (EEA/UK users)

Where the GDPR applies, we process personal data on the following bases: performance of a contract (operating the Service for you), legitimate interests (security, product improvement), consent (connecting Google accounts; you may withdraw it at any time by disconnecting), and compliance with legal obligations.

Note for legal professionals: for the content of your workspace (including synced correspondence), you and your firm act as the data controller of your clients’ personal data; Referent acts as a processor on your documented instructions. A separate Data Processing Agreement is available on request at contact@referent.law.

  1. Subprocessors

We use a small number of service providers to operate the Service, each bound by data-protection obligations:

Google Cloud Platform — Hosting and database (EU region)
Nango (nango.dev) — OAuth connection management for integrations (SOC 2 Type II)
AI model providers (via OpenRouter) — Processing of content you submit to AI features; not used to train their models
PostHog — Product analytics and error monitoring
Resend — Transactional email delivery

  1. Data retention and deletion
  • Workspace content is retained while your account is active.
  • Synced Google data is deleted when you disconnect the relevant Google account.
  • On account deletion, we delete your personal data and workspace content within 30 days, except where retention is required by law.
  • You can request deletion at any time at contact@referent.law.
  1. Security

We protect data with encryption in transit (TLS) and at rest, network isolation, least-privilege access controls, secrets management, and audit logging. No method of transmission or storage is 100% secure, but we work to protect your information consistent with industry practice. Given the sensitivity of legal correspondence, access to production systems is restricted to authorized personnel only.

  1. Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, restrict, object to processing of, or delete your personal data, and to lodge a complaint with a supervisory authority. Contact us at contact@referent.law - we respond within 30 days.

  1. International transfers

Data is hosted in the EU. Where data is transferred outside the EEA (e.g., to subprocessors), we rely on adequacy decisions or Standard Contractual Clauses.

  1. . Children

The Service is intended for professional use and not directed to individuals under 18.

  1. . Changes to this policy

We may update this policy from time to time. We will post the updated version on this page and, for material changes, notify you via the Service or email. The “Last updated” date reflects the latest revision.

  1. . Contact

Questions or requests: contact@referent.law
AI Lawtech Sp. z O.O., Henryka Sienkiewicza 36 / 5, 26-600 Radom, Poland

Notes on verbatim fidelity:

  • The page <h2> title is Privacy Policy; the first body paragraph also repeats the plain text Privacy Policy.
  • Section headings are single-item <ol start="N"> entries in the source (plain text, not bold). Sections 11–13 literally contain a leading . in the item text (source typo).
  • <br> line breaks inside paragraphs are shown above as hard line breaks (trailing double-space).
  • The only <a> in the body is https://referent.law with href="./" (Section 1). The mentions of contact@referent.law, app.referent.law and myaccount.google.com/permissions are plain text, not links.
  • Em dashes (—) vs hyphens (-) are as in the source: e.g. Referent - referent.law (hyphen) but subprocessor lines use .