Regulatory Compliance & Trust

Last updated: March 2026

LeyApp is committed to operating transparently and in full compliance with European and Spanish regulations. This page summarizes the standards we meet and the measures we have implemented to protect our users.

Why compliance matters

When you trust a platform for sensitive legal matters, you deserve to know exactly how your data, payments, and rights are protected. Our compliance program is not just a checklist of requirements: it reflects our conviction that access to justice must be built on a foundation of transparency and security. Each certification below represents a concrete commitment: your data stays in the EU, your payments never pass through our servers, your lawyer is verified, and your consumer rights are protected by law.

Our 21 compliance measures

GDPR / LOPDGDD — Full data protection compliance

EU data residency — All servers in the EU (Paris, Ireland, Frankfurt)

Cookie consent — Accept/reject banner with 180-day expiry

LSSI-CE Art. 10 — Legal notice with company information

EGAE 2021 — Bar verification, fee autonomy, ethics mandate

Bar verification — Colegiado number check + admin review

Consumer rights — 14-day withdrawal, clear pre-contractual information

'Not a law firm' disclaimers

PCI-DSS Level 1 — No card data passes through our servers (via Stripe)

VAT 21% — Transparent pricing on every transaction

VeriFactu 2026 — Sequential invoicing with QR + AEAT phrase

Encryption — TLS 1.2+, RLS, hashed passwords, CSP headers

WCAG 2.1 AA — Skip to content, ARIA, Arabic RTL, keyboard navigation

Google API Limited Use — Declared in Privacy Policy

Acceptable Use Policy — Escalating sanctions, prohibited conduct

Dispute resolution — 3-step process in Terms of Service

Data retention — Active + 5 fiscal years (GDPR + RD 1619/2012)

Right to file a complaint with the AEPD — Declared in Privacy Policy

Cloudflare Turnstile CAPTCHA — GDPR-compliant bot protection

TOTP 2FA + Session management — MFA, session timeout, trusted devices

CSP violation reports — Real-time monitoring across all routes

Data Protection (GDPR / LOPDGDD)

We comply with the General Data Protection Regulation (EU) 2016/679 and Spain's Organic Law 3/2018 (LOPDGDD). All personal data is processed under a valid legal basis, and data subjects can exercise their rights (access, rectification, erasure, portability) at any time.

All data is stored in the EU (Paris, France) and no personal data is transferred outside the European Economic Area.

Legal Profession Regulations (EGAE 2021)

LeyApp complies with the Estatuto General de la Abogacia Espanola (2021). Every lawyer on our platform is verified with their Bar Association. Lawyers set their own reservation fees with full professional autonomy. All client communications are treated as confidential.

Consumer Protection

We comply with Directive 2011/83/EU on consumer rights and the Spanish TRLGDCU. Users benefit from a 14-day right of withdrawal (with exceptions for scheduled services under Art. 103(a)), clear pre-contractual information, and a transparent dispute resolution process.

Payment Security (PCI-DSS)

All payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider. No credit card numbers, CVVs, or banking data pass through LeyApp's servers. Pricing is transparent: the lawyer's fee plus a 15% platform commission, with 21% VAT clearly indicated.

Web Security (OWASP Top 10)

Our platform is built with defense in depth:

* Encryption: All traffic encrypted via TLS 1.2+ with HSTS preloading * Access control: Row-Level Security (RLS) on all database tables * Authentication: Multi-factor authentication (TOTP), bot protection (Cloudflare Turnstile) * Headers: Content Security Policy, X-Frame-Options, Permissions-Policy * Input validation: All user inputs validated on the server

Accessibility (WCAG 2.1 AA)

LeyApp targets WCAG 2.1 Level AA conformance. This includes skip-to-content navigation, ARIA landmarks and labels, keyboard-accessible interfaces, right-to-left (RTL) support for Arabic, and sufficient colour contrast ratios.

E-Commerce Compliance (LSSI-CE)

We comply with Spain's Law 34/2002 (LSSI-CE), including Art. 10 (Legal Notice with company data), Art. 22.2 (cookie consent with accept/reject), and transparent commercial communications.

Tax & Invoicing

Invoices comply with Spain's RD 1619/2012 and the upcoming VeriFactu 2026 requirements, including sequential invoice numbering, QR code markers, and the mandatory AEAT phrase.

Certifications & Trust Signals

SSL Labs A+ — TLS configuration tested and verified (when production domain is live)

OWASP Top 10 — Self-assessed compliance across all 10 categories (2021 edition)

Confianza Online — Application planned (pending company registration)

EuroPriSe — EU Privacy Seal planned for post-launch phase

Sub-processors

We use the following third-party processors, all operating within the EU/EEA:

Database & Authentication — Hosted in Paris, France (EU). Manages user accounts, data storage, and file uploads.

Payment Processing — Hosted in Ireland (EU). PCI DSS Level 1 certified. Handles all payment transactions securely.

Web Hosting & CDN — Main servers in Frankfurt, Germany (EU). Distributes the application globally via the edge network.

Transactional Email — EU processing. Sends account confirmations, booking notifications, and security alerts.

Bot Protection — EU processing. Protects forms from automated abuse.

Have a question?

If you have any questions about our compliance practices, contact us at privacy@leyapp.es or visit our contact page.