Privacy Policy

Effective date: 4 February 2026  |  Last updated: 4 February 2026

This Privacy Policy explains how OrdoLux Limited (“OrdoLux”, “we”, “us”) collects and uses personal data when you use: (i) our website (www.ordolux.co.uk) (the “Website”); (ii) our mobile applications (the “App”); and (iii) the OrdoLux platform and related services (together, the “Services”).

1) Who we are

OrdoLux Limited (Company No. 16691273), registered in England & Wales.
Registered office: 62 Rowsley Avenue, London, United Kingdom, NW4 1AJ.
Phone: 0208 058 2850.
Email: support@ordolux.co.uk.

2) Controller vs processor (important)

Data protection roles depend on what data is being processed:

• Firm / matter data (usually): if you use OrdoLux through a law firm or organisation (your “Firm”), your Firm is typically the data controller for client, matter, document and communications content processed in OrdoLux. OrdoLux generally acts as a data processor for this data and processes it on the Firm’s instructions (under contract / data processing terms).
• OrdoLux business/admin data: OrdoLux is the data controller for data we process to run our business and deliver the Services (for example: Website enquiries, billing contacts, and certain security/usage logs).

3) Personal data we collect

Depending on how you use OrdoLux, we may collect the following types of personal data:

A. Website visitors and enquiries (controller)

• Contact details you submit (name, email, phone, firm name) and enquiry content.
• Website usage and device data (e.g., pages viewed, browser/device info).
• Cookies and similar technologies (see section 10).

B. Account and user profile data (controller and/or processor)

• Name, work email address, username, role/permissions, organisation/Firm name.
• Authentication details (e.g., SSO identifiers where used).
• Preferences/settings.

C. Firm / matter data (typically processor)

Depending on your Firm’s configuration, this may include:

• Matter and client details (including names, references, addresses, key dates and notes).
• Documents and metadata (e.g., filenames, folder paths, timestamps).
• Time entries and matter billing/WIP information.
• Emails/messages/attachments linked to matters (where enabled).

D. App/device and diagnostics data (controller)

• Device type, OS/app version, language/timezone.
• Device tokens for push notifications (if you enable notifications).
• Crash reports and performance diagnostics.

E. Support data (controller; sometimes processor)

• Support tickets, correspondence, and anything you choose to send us (including attachments/screenshots).

F. Integrated communications (processor)

If your Firm enables integrations (for example, messaging channels such as WhatsApp), we process message content and related metadata (such as timestamps and delivery status) to provide the feature, plus operational logs/audit trails.

G. Usage data (controller)

We may collect information about how the Website/App/Services are used (for example: feature usage, pages viewed, and in-app events) to operate, secure, and improve the Services.

H. Billing and payments (controller)

If you (or your Firm) purchase the Services directly from OrdoLux, we process billing contact details, invoices, and subscription status. Payments are typically handled by a third-party payment provider; we generally receive confirmation of payment status but do not store full card details.

4) How we use personal data

When OrdoLux is a controller, we use personal data to:

• Provide and administer accounts and access to the Services.
• Respond to enquiries, provide demos, and deliver customer support.
• Bill customers and manage subscriptions.
• Keep the Services secure (monitoring, audit trails, fraud prevention).
• Maintain and improve reliability and performance (bug fixing, diagnostics).

When OrdoLux is a processor, we use Firm/matter data to provide the Services on the Firm’s instructions.

App permissions

The App may request access to certain device features, depending on which features you use (for example: notifications, camera/photos/files, microphone, or contacts). You can control permissions in your device settings.

AI features

AI-assisted features may generate outputs that are inaccurate or incomplete. OrdoLux is not a law firm and does not provide legal advice. Users must review outputs before relying on them.

5) Lawful bases (UK GDPR)

Where OrdoLux is the controller, we rely on one or more lawful bases such as: contract, legitimate interests, legal obligation, and (where applicable) consent (especially for non-essential cookies/marketing).

Where OrdoLux is a processor for Firm/matter data, your Firm determines the lawful basis and we process that data on the Firm’s instructions.

6) Who we share data with

We may share personal data with:

• Your Firm and authorised users (as part of the Services).
• Service providers (sub-processors) who help us run the Services (for example: hosting, storage, authentication, monitoring, customer support tooling, messaging/integration providers, and (where applicable) payment processors) under contract.
• Professional advisers (e.g., legal/accounting/insurance) where necessary.
• Authorities where required by law or to protect rights, safety, and security.

Where required, we put appropriate contractual terms in place with suppliers. We can provide an up-to-date list of key sub-processors on request.

Where enabled, this may include sharing with specific providers such as messaging integration providers and payment processors, who process data on our behalf under contract.

7) International transfers

Some suppliers may process data outside the UK. Where personal data is transferred internationally, we use appropriate safeguards required under UK data protection law (for example, contractual protections and risk-based measures).

8) Retention

We retain personal data only as long as necessary:

• Firm/matter data: retained according to the Firm’s instructions and contractual terms.
• Website enquiries/support: retained as long as needed to deal with the request, then for a reasonable period.
• Security logs/diagnostics: retained for a limited period unless needed to investigate incidents.

9) Security

We use technical and organisational measures designed to protect personal data (such as access controls and logging). No system is 100% secure, but we work to protect data appropriate to its sensitivity.

10) Cookies and similar technologies (Website and Apps)

Our Website uses cookies and similar technologies, and our apps may use similar device storage/access technologies (for example, for analytics or crash reporting). Where required, we provide clear information and obtain consent for non-essential technologies.

For more information, see our Cookies page.

11) Your rights

Your rights depend on whether OrdoLux or your Firm is the controller:

• For Firm/matter data, contact your Firm first.
• For data where OrdoLux is the controller, contact us using the details above.

UK GDPR provides rights such as access, rectification, erasure, restriction, objection, and portability (subject to conditions and exemptions).

12) Complaints

You can raise concerns with us first. You also have the right to complain to the UK Information Commissioner’s Office (ICO).

13) Children

Our Services are intended for business/professional use and are not directed to children.

14) Changes to this policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date and, where appropriate, provide notice via the Website/Apps or through your Firm.

15) Contact

Questions about this Privacy Policy: support@ordolux.co.uk.