Privacy Policy
yure.ai d.o.o. · Ulica Radoslava Lopašića 8, 10000 Zagreb · PIN (OIB): 67671630475 · Reg. No. (MBS): 081620169
Version: 2.1 · 24 June 2026
Yure.ai d.o.o. (hereinafter: „yure.ai“ or „we“) provides a B2B SaaS platform for AI-assisted legal analysis that enables legal entities and professionals - including financial institutions, law firms, companies and other organizations - to analyze legal documents, manage matters and perform semantic search across document content.
This Privacy Policy describes what personal data we collect, for what purpose, on what legal basis, with whom we share it, how long we retain it and how you can exercise your rights.
We process personal data in accordance with:
Contact for privacy questions: Email: privacy@yure.ai · Mail: Yure.ai d.o.o., Ulica Radoslava Lopašića 8, 10000 Zagreb
Yure.ai may act in two distinct roles:
Data controller - when we collect data directly from you (website visitors, users who register, persons who contact us). In this role we determine the purpose and means of processing ourselves and this Privacy Policy applies in full.
Data processor - when a business client (a legal entity or professional - e.g. a financial institution, law firm, company or other organization) uses the platform to process data of its own clients or employees. In this role we process data solely according to the client's instructions, on the basis of a signed data processing agreement (DPA). The primary responsibility for informing data subjects then rests with the client as data controller.
| Category | Examples |
|---|---|
| Identification data | First name, last name |
| Contact data | Email address |
| Organizational data | Company name, job title |
| Geographic data | Country of residence |
| Account data | User profile, organizational role, access permissions |
| Communication data | Content of support inquiries, comments and requests |
For the purposes of system diagnostics and security, we automatically record only technical metadata: operation type, internal request identifier, internal user ID and organization ID, timestamp, HTTP status code, request duration, and the code and location of an error in the code (only if an error occurred).
What is never recorded:
This architectural decision is a deliberate application of the privacy by design principle.
With your consent, we collect data on website usage through cookies and similar technologies. Details are available in the Cookie Policy.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the platform service and performing the contract | Art. 6(1)(b) - performance of a contract |
| Managing the user account and authentication | Art. 6(1)(b) - performance of a contract |
| Newsletter and marketing communication | Art. 6(1)(a) - consent |
| Responding to inquiries and support requests | Art. 6(1)(b) or (f) - contract / legitimate interest |
| Diagnostic logs and system security | Art. 6(1)(f) - legitimate interest, applying minimization |
| Compliance with legal obligations | Art. 6(1)(c) - legal obligation |
Where the legal basis is consent, you may withdraw it at any time without any negative consequences - via privacy@yure.ai or your account settings. Withdrawal does not affect the lawfulness of processing carried out up to the moment of withdrawal.
The yure.ai platform uses artificial intelligence systems for legal analysis. In accordance with AI Act Article 50 and the GDPR transparency principle, we inform you:
We do not sell data. We may share personal data with:
Data processors (subprocessors) that process data on our behalf under DPA agreements, in the following categories:
| Subprocessor category | Location |
|---|---|
| Cloud infrastructure and data storage providers | EU |
| Semantic search and vector storage providers | EU |
| AI text-processing model providers (inference) | EU |
| Providers of AI models for generating vector representations | USA (under standard contractual clauses - SCC) |
| Diagnostic tools and error-tracking providers | USA (under SCC) |
| Usage analytics providers | EU |
| Log management providers | EU |
An up-to-date list of specific subprocessors is available on request at privacy@yure.ai.
Public authorities where required by law or necessary to protect our legal rights.
Third parties solely with your explicit consent.
Our primary infrastructure is located within the European Economic Area (EU, Frankfurt). For subprocessors based in the USA, transfers are based on the standard contractual clauses (SCC) adopted by the European Commission in Implementing Decision 2021/914, or on the EU-US Data Privacy Framework. On request, we provide a copy of the relevant safeguards.
We apply appropriate technical and organizational protection measures:
No system can be absolutely secure - the measures applied are aimed at reducing risk to an acceptable level.
| Data category | Retention period |
|---|---|
| Operational user data (documents, matters, AI responses) | For the duration of the contractual relationship + 30 days for export |
| User account (deactivated) | Deletion of personal data within 30 days of deactivation |
| Diagnostic logs | 30–90 days (depending on the system) |
| Infrastructure audit records | 1 year |
| Business and accounting data | For the duration of the contract + 7 years (legal obligation) |
Upon expiry of the period, data is securely deleted or anonymized.
In accordance with GDPR Articles 15–22, you have the following rights:
| Right | Description |
|---|---|
| Right of access (Art. 15) | Obtain a copy of the personal data we process |
| Right to rectification (Art. 16) | Correction of inaccurate or incomplete data |
| Right to erasure (Art. 17) | Deletion of data when there is no longer a basis for processing |
| Right to restriction of processing (Art. 18) | Temporary suspension of processing in certain situations |
| Right to object (Art. 21) | Object to processing based on legitimate interest or for direct marketing |
| Right to data portability (Art. 20) | Receive data in a machine-readable format (JSON/CSV) |
| Right to withdraw consent | Withdraw consent at any time without consequences |
How to submit a request: By email to privacy@yure.ai or by mail to the registered office address marked „Data subject request“. We will respond within 30 days (with the possibility of an extension by 60 days in complex cases, with notice). The service is free of charge.
B2B platform users: If you use the platform as an employee or associate of a yure.ai business client, for requests relating to data processed in the course of your employment or business engagement please contact your employer or the engaging organization directly as the data controller. Yure.ai, as data processor, provides technical support according to the controller's instructions.
Complaint to the supervisory authority: Croatian Personal Data Protection Agency (AZOP), Ulica Metela Ožegovića 16, 10000 Zagreb · azop@azop.hr · www.azop.hr
We will notify you of any material change by email and/or a notice upon login. The date of the last change is always indicated in the document header. Continued use of the platform after the effective date of a change will be deemed acceptance of the amended Policy, except where processing requires explicit consent.
Yure.ai d.o.o. · Ulica Radoslava Lopašića 8, 10000 Zagreb