FRITH

Privacy Policy

Last updated: March 2026

1. Introduction

FRITH (“we”, “us”, or “our”) operates the frithai.com platform and Frith mobile application (“Service”). We are committed to protecting the privacy of legal professionals, law firms, and their clients. This Privacy Policy explains what data we collect, how we use it, and the rights you have over your information. By using FRITH you consent to the practices described in this policy.

2. Information We Collect

Information you provide directly:

  • Account registration details: name, email address, law firm or organisation name, job title, and jurisdiction
  • Payment and billing information (collected and stored by our payment processor, Stripe — we do not store card numbers)
  • Profile and professional credentials including bar admission details
  • Documents, queries, and content you submit to the AI platform
  • Communications with our support team, including tickets and live chat
  • Feedback, survey responses, and feature requests

Information collected automatically:

  • Usage data: pages visited, features used, AI tool runs, documents generated, and session duration
  • Device and browser information: browser type, operating system, screen resolution, and device identifiers
  • Log data: IP address, access timestamps, HTTP status codes, and referring URLs
  • Performance and crash data to improve service reliability
  • Cookie and tracking data as described in our Cookie Policy

Information from third parties:

  • Authentication providers when you sign in with Google or Microsoft OAuth
  • Payment processors (Stripe) for billing verification and fraud prevention
  • Identity verification services if required for enterprise accounts

3. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the FRITH platform and mobile application
  • Process payments, manage subscriptions, and issue invoices
  • Authenticate your identity and maintain account security
  • Send transactional communications (receipts, password resets, security alerts)
  • Send product updates and marketing communications where you have opted in
  • Provide customer support and respond to enquiries
  • Analyse aggregate usage patterns to improve features and performance
  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations and enforce our Terms of Service
  • Generate anonymised, aggregated statistics about platform usage (never linked to you personally)

4. AI Model Training — Your Data Is Not Used

We do not use your confidential client data, documents, or queries to train AI models.

Your documents and generated content are treated as confidential. We use third-party AI providers — Anthropic (Claude) and Google (Gemini) — under strict Data Processing Agreements (DPAs) that explicitly prohibit those providers from using your data for model training or improvement.

AI inference requests are transmitted over encrypted connections and are not stored by the AI provider beyond the duration required to generate a response. We retain AI interaction logs only as necessary for billing, debugging, and compliance, and these are subject to the same data retention rules as all other data.

5. Attorney–Client Privilege and Legal Professional Obligations

We understand the critical importance of attorney–client privilege and legal professional confidentiality obligations (including solicitor–client privilege in the UK and equivalent protections in other jurisdictions). FRITH implements the following safeguards:

  • End-to-end encryption for data in transit using TLS 1.3
  • AES-256 encryption for all data stored at rest
  • Strict access controls: our staff cannot read your documents or client communications without your explicit authorisation
  • Separate data siloing between organisations so no firm can access another firm's data
  • Audit logs for all data access events

Users remain responsible for ensuring their own compliance with applicable professional conduct rules and bar regulations when using AI-assisted tools.

6. Data Security

We implement industry-standard and beyond-standard security measures:

  • AES-256 encryption for data at rest; TLS 1.3 for data in transit
  • Regular third-party security audits and penetration testing
  • SOC 2 Type II compliance framework
  • Multi-factor authentication (MFA) available for all accounts, required for enterprise
  • Role-based access controls (RBAC) within your organisation
  • Automated vulnerability scanning and dependency monitoring
  • Incident response plan with 72-hour breach notification in accordance with GDPR
  • Employee security training, background checks, and NDA agreements

7. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

  • AI providers: Anthropic and Google receive query content solely to generate responses; both are bound by DPAs prohibiting training on your data
  • Payment processors: Stripe processes payments under their own PCI-DSS-compliant privacy policy
  • Infrastructure providers: Vercel (hosting), Supabase (database), and AWS S3 (document storage) operate under strict data processing agreements
  • Analytics: Aggregated, anonymised usage analytics only — never individual user data
  • Legal compliance: We may disclose data when required by applicable law, court order, or government authority, and will notify you where legally permitted to do so
  • Business transfers: In the event of a merger or acquisition, your data may be transferred; we will notify you and provide an opportunity to delete your account before any transfer

8. Data Retention

We retain your personal data for as long as your account remains active or as needed to provide the Service. Specific retention periods:

  • Account data: retained for the lifetime of your account plus 90 days after deletion
  • Billing records: retained for 7 years to comply with financial regulations
  • AI interaction logs: retained for 90 days for debugging, then anonymised
  • Support communications: retained for 3 years from last interaction
  • Anonymised usage analytics: retained indefinitely as aggregate statistics

Upon account deletion, we delete or irreversibly anonymise your personal data within 30 days, except where a longer retention period is required by law.

9. International Data Transfers

FRITH is operated from the United Kingdom. If you access the Service from outside the UK or the European Economic Area (EEA), your data may be transferred to and processed in countries with different data protection laws. We ensure adequate protection through Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms. Where we transfer data to the United States, we rely on SCCs approved by the UK ICO and the European Commission.

10. Your Rights

Depending on your jurisdiction, you have some or all of the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data (“right to be forgotten”)
  • Portability: Receive your data in a structured, machine-readable format (JSON or CSV)
  • Restriction: Request that we restrict processing of your data in certain circumstances
  • Objection: Object to processing based on legitimate interests or for direct marketing
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing
  • Opt out of marketing: Unsubscribe from marketing emails at any time via the link in any email

To exercise any of these rights, email us at privacy@frithai.com. We will respond within 30 days (or within the period required by applicable law). We may need to verify your identity before processing certain requests.

11. Children's Privacy

FRITH is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you become aware that a minor has provided us with personal data, please contact us and we will delete the information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a prominent notice on our website at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Regulatory Authority

If you are located in the UK or EEA and believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your local supervisory authority. In the UK this is the Information Commissioner's Office (ICO).

14. Contact Us

For privacy questions, data subject requests, or to report a concern, please contact our Data Protection team at privacy@frithai.com. You may also write to us at: FRITH Legal Technologies, London, United Kingdom.