Privacy Policy

Privacy Policy

yure.ai d.o.o. · Ulica Radoslava Lopašića 8, 10000 Zagreb · PIN (OIB): 67671630475 · Reg. No. (MBS): 081620169

Version: 2.1 · 24 June 2026

1. Introduction and who we are

Yure.ai d.o.o. (hereinafter: „yure.ai“ or „we“) provides a B2B SaaS platform for AI-assisted legal analysis that enables legal entities and professionals - including financial institutions, law firms, companies and other organizations - to analyze legal documents, manage matters and perform semantic search across document content.

This Privacy Policy describes what personal data we collect, for what purpose, on what legal basis, with whom we share it, how long we retain it and how you can exercise your rights.

We process personal data in accordance with:

  • Regulation (EU) 2016/679 (GDPR)
  • The EU Artificial Intelligence Act (Regulation 2024/1689, AI Act), in particular Article 50 on transparency
  • The guidelines of the Croatian Personal Data Protection Agency (AZOP) for the development of AI systems

Contact for privacy questions: Email: privacy@yure.ai · Mail: Yure.ai d.o.o., Ulica Radoslava Lopašića 8, 10000 Zagreb

2. Our role in data processing

Yure.ai may act in two distinct roles:

Data controller - when we collect data directly from you (website visitors, users who register, persons who contact us). In this role we determine the purpose and means of processing ourselves and this Privacy Policy applies in full.

Data processor - when a business client (a legal entity or professional - e.g. a financial institution, law firm, company or other organization) uses the platform to process data of its own clients or employees. In this role we process data solely according to the client's instructions, on the basis of a signed data processing agreement (DPA). The primary responsibility for informing data subjects then rests with the client as data controller.

3. What data we collect

3.1 Data you provide to us directly

CategoryExamples
Identification dataFirst name, last name
Contact dataEmail address
Organizational dataCompany name, job title
Geographic dataCountry of residence
Account dataUser profile, organizational role, access permissions
Communication dataContent of support inquiries, comments and requests

3.2 Technical metadata (automatic, when using the platform)

For the purposes of system diagnostics and security, we automatically record only technical metadata: operation type, internal request identifier, internal user ID and organization ID, timestamp, HTTP status code, request duration, and the code and location of an error in the code (only if an error occurred).

What is never recorded:

  • The content of your queries to the AI assistant
  • The content of AI responses
  • The content of uploaded legal documents
  • Personal data of third parties contained in documents

This architectural decision is a deliberate application of the privacy by design principle.

3.3 Data via cookies

With your consent, we collect data on website usage through cookies and similar technologies. Details are available in the Cookie Policy.

4. Purpose and legal basis of processing

PurposeLegal basis (GDPR Art. 6)
Providing the platform service and performing the contractArt. 6(1)(b) - performance of a contract
Managing the user account and authenticationArt. 6(1)(b) - performance of a contract
Newsletter and marketing communicationArt. 6(1)(a) - consent
Responding to inquiries and support requestsArt. 6(1)(b) or (f) - contract / legitimate interest
Diagnostic logs and system securityArt. 6(1)(f) - legitimate interest, applying minimization
Compliance with legal obligationsArt. 6(1)(c) - legal obligation

Where the legal basis is consent, you may withdraw it at any time without any negative consequences - via privacy@yure.ai or your account settings. Withdrawal does not affect the lawfulness of processing carried out up to the moment of withdrawal.

5. Notes on the AI system

The yure.ai platform uses artificial intelligence systems for legal analysis. In accordance with AI Act Article 50 and the GDPR transparency principle, we inform you:

  • The AI does not make autonomous legal decisions - all analyses are recommendations that require verification by a qualified professional.
  • The AI is not trained on your data - we use LLM providers that guarantee that prompts and responses are not stored or used to train models.
  • The AI can make mistakes - legal analyses are subject to hallucinations; every output must be verified by a qualified legal professional.
  • The platform is not a substitute for legal advice from an attorney.
  • There is no automated decision-making producing legal effects within the meaning of GDPR Article 22.

6. With whom we share your data

We do not sell data. We may share personal data with:

Data processors (subprocessors) that process data on our behalf under DPA agreements, in the following categories:

Subprocessor categoryLocation
Cloud infrastructure and data storage providersEU
Semantic search and vector storage providersEU
AI text-processing model providers (inference)EU
Providers of AI models for generating vector representationsUSA (under standard contractual clauses - SCC)
Diagnostic tools and error-tracking providersUSA (under SCC)
Usage analytics providersEU
Log management providersEU

An up-to-date list of specific subprocessors is available on request at privacy@yure.ai.

Public authorities where required by law or necessary to protect our legal rights.

Third parties solely with your explicit consent.

7. International data transfers

Our primary infrastructure is located within the European Economic Area (EU, Frankfurt). For subprocessors based in the USA, transfers are based on the standard contractual clauses (SCC) adopted by the European Commission in Implementing Decision 2021/914, or on the EU-US Data Privacy Framework. On request, we provide a copy of the relevant safeguards.

8. Security measures

We apply appropriate technical and organizational protection measures:

  • Encryption of data at rest: AES-256
  • Encryption in transit: TLS 1.2+, HSTS
  • Access control: RBAC and multi-factor authentication (MFA)
  • External penetration testing (planned for H2 2026)
  • A formalized vulnerability management procedure with patch deadlines
  • All employees and associates undergo mandatory security training

No system can be absolutely secure - the measures applied are aimed at reducing risk to an acceptable level.

9. How long we retain data

Data categoryRetention period
Operational user data (documents, matters, AI responses)For the duration of the contractual relationship + 30 days for export
User account (deactivated)Deletion of personal data within 30 days of deactivation
Diagnostic logs30–90 days (depending on the system)
Infrastructure audit records1 year
Business and accounting dataFor the duration of the contract + 7 years (legal obligation)

Upon expiry of the period, data is securely deleted or anonymized.

10. Your rights

In accordance with GDPR Articles 15–22, you have the following rights:

RightDescription
Right of access (Art. 15)Obtain a copy of the personal data we process
Right to rectification (Art. 16)Correction of inaccurate or incomplete data
Right to erasure (Art. 17)Deletion of data when there is no longer a basis for processing
Right to restriction of processing (Art. 18)Temporary suspension of processing in certain situations
Right to object (Art. 21)Object to processing based on legitimate interest or for direct marketing
Right to data portability (Art. 20)Receive data in a machine-readable format (JSON/CSV)
Right to withdraw consentWithdraw consent at any time without consequences

How to submit a request: By email to privacy@yure.ai or by mail to the registered office address marked „Data subject request“. We will respond within 30 days (with the possibility of an extension by 60 days in complex cases, with notice). The service is free of charge.

B2B platform users: If you use the platform as an employee or associate of a yure.ai business client, for requests relating to data processed in the course of your employment or business engagement please contact your employer or the engaging organization directly as the data controller. Yure.ai, as data processor, provides technical support according to the controller's instructions.

Complaint to the supervisory authority: Croatian Personal Data Protection Agency (AZOP), Ulica Metela Ožegovića 16, 10000 Zagreb · azop@azop.hr · www.azop.hr

11. Changes to the Policy

We will notify you of any material change by email and/or a notice upon login. The date of the last change is always indicated in the document header. Continued use of the platform after the effective date of a change will be deemed acceptance of the amended Policy, except where processing requires explicit consent.

12. Contact

  • privacy@yure.ai - privacy questions and data subject requests
  • info@yure.ai - general inquiries

Yure.ai d.o.o. · Ulica Radoslava Lopašića 8, 10000 Zagreb