
Is Legora safe with your data?

C

Legora

Legora AB

64/100

Partial disclosure · high confidence

Legora earns a C (64/100) because it discloses its data practices only in part.

#75 of 177 apps ranked

64 score · Legal avg 53

+11 vs category average

Grade scale: A · 85–100, B · 70–84, C · 55–69, D · 40–54, F · 0–39

Legora is a legal-tech processor that defines user inputs, outputs and uploaded documents as Subscriber Content outside its privacy policy, governed instead by the Subscriber Agreement, and commits to never collecting or storing data tied to that content outside that agreement, so user content is kept out of model training under this policy. It grants full GDPR data-subject rights and names international transfer safeguards: adequacy decisions, standard contractual clauses and the EU-US Data Privacy Framework. It lists GDPR, AICPA SOC, ISO 27001 and ISO 42001 certifications. It says nothing about whether it sells personal data, breach notification, AI-log retention, or an age gate for children, and its general retention relies on a vague "as long as necessary" standard.

What Legora's privacy policy says about your data

Content kept out of training

The policy states that Subscriber Content (inputs, outputs and uploaded documents) is processed only as a data processor under the Subscriber Agreement, and that Legora will never collect or store data directly related to Subscriber Content outside that agreement, so user content is not used to train models under this policy.

Full data-subject rights

Section 6 grants access through a data extract, rectification, erasure, restriction, objection, portability in a machine-readable format and withdrawal of consent, each with a described way to exercise it.

Named transfer safeguards and certifications

International transfers rely on adequacy decisions, standard contractual clauses and the EU-US Data Privacy Framework. The site lists GDPR, AICPA SOC, ISO 27001 and ISO 42001 as certifications.

Gaps on selling, breaches and AI logs

The policy never states that it does not sell personal data, makes no breach-notification commitment, and defers retention of AI interaction content to the Subscriber Agreement rather than disclosing a period.

What the policy is silent or vague on

  • Not stated: a way to opt out of training
  • Not stated: whether training use differs by plan
  • Not stated: shorter retention for AI conversation logs
  • Not stated: whether it sells or shares data for advertising

Legora privacy rating

Training-data use: 1 of 4 disclosed

  • Keeps user inputs out of model training, or makes training opt-in: Disclosed
  • Names a way to opt out of or into training: Silent
  • Says whether training use differs by plan or tier: Silent
  • Lets the user keep ownership of generated outputs: Partial

Data-subject rights: 5 of 5 disclosed

  • Grants a right to access your data: Disclosed
  • Grants a right to delete your data: Disclosed
  • Offers data portability in a usable format: Disclosed
  • Grants a right to correct your data: Disclosed
  • Grants a way to object to or opt out of processing: Disclosed

Retention and deletion: 0 of 4 disclosed

  • States a retention period for your data: Partial
  • States a deletion timeline after closure or request: Partial
  • Sets a shorter retention for AI conversation logs: Silent
  • Commits to collecting only the data it needs: Partial

Third-party sharing: 3 of 5 disclosed

  • Lists the categories of third parties it shares with: Disclosed
  • References a sub-processor list or data processing agreement: Partial
  • Does not sell or share data for advertising, or offers opt-out: Silent
  • Names a safeguard for international data transfers: Disclosed
  • States a standard for government and law-enforcement access: Disclosed

Transparency: 3 of 4 disclosed

  • Discloses that you are interacting with AI: Partial
  • Marks AI-generated or synthetic output: Not applicable
  • Enumerates the categories of data it collects: Disclosed
  • Maps processing purposes to legal bases: Disclosed
  • Is versioned and dated, with change notice: Disclosed

Sensitive data and children: 0 of 2 disclosed

  • Discloses automated decisions and a human-review path: Not applicable
  • Limits the use of special-category data: Silent
  • Governs biometric data specifically: Not applicable
  • States protections for children's data: Silent

Security and accountability: 2 of 3 disclosed

  • Describes its security safeguards: Disclosed
  • Commits to breach notification: Silent
  • Names a certification or a privacy contact: Disclosed

Legend: Disclosed · Partial · Silent · Adverse · Not applicable

Details

  • Category: Legal
  • Modalities: text
  • Processes biometrics: No
  • Policy last updated: 2026-06-04
  • Region scored: Global / US-default
  • Assessed: 2026-06-20

Each grade reflects our analysis of what an app states in its public privacy policy and terms as of the assessment date. It measures the transparency of those documents, not the company's actual data practices, security, or compliance. Grades are our opinion, offered for general information.
