Privacy Policy
Last updated: February 2026
LeyApp ("we") operates the leyapp.es platform. This policy explains how we collect, use, and protect your personal data in accordance with the GDPR (Regulation (EU) 2016/679) and the Spanish LOPDGDD.
1. Data Controller
LeyApp S.L., domiciled in Spain. Contact: privacy@leyapp.es
2. Data We Collect
We collect: registration data (name, email, encrypted password), professional profile data (bar membership number, specialties, languages, rates), usage data (pages visited, access times), and payment data (processed by Stripe — we do not store card details).
3. Purpose of Processing
We use your data to: manage your account, connect clients with lawyers, process bookings and payments, verify bar memberships, send service communications, and improve the platform.
4. Legal Basis
We process your data based on: contract performance (Art. 6.1.b GDPR), consent (Art. 6.1.a), legitimate interest (Art. 6.1.f) for service improvements, and legal obligations (Art. 6.1.c).
5. Data Retention
We retain your data while your account remains active. After account deletion, we keep legally required data for the mandatory period (5 years for tax data).
6. Your Rights
You have the right to: access your data, rectify it, erase it (right to be forgotten), restrict or object to processing, and exercise data portability. Contact: privacy@leyapp.es
7. Cookies
We use essential cookies for site functionality and authentication. We do not use third-party tracking or advertising cookies. Because we currently use only essential cookies, you do not have to accept any tracking or advertising scripts on our banner. If we ever add analytics, the banner will give you a clear 'Reject All' button. See our cookie policy for details.
8. International Transfers
Your data is stored in the EU (France, Paris region). Supabase and Stripe comply with EU Standard Contractual Clauses.
9. Sub-Processors
We use the following third-party service providers (sub-processors) to operate LeyApp: (1) Supabase Inc. — database hosting and user authentication, data stored in EU West (Paris, France), SCCs in place; (2) Stripe Inc. — payment processing and fraud prevention, data processed within the EU, PCI-DSS Level 1 certified (the highest global standard for secure credit card processing); (3) Resend Inc. — transactional email delivery, Standard Contractual Clauses in place; (4) Vercel Inc. — website hosting, edge processing in EU, data minimised to request logs.
10. Security
We protect your data with SSL/TLS encryption, hashed passwords, data isolation via Row-Level Security (a database feature ensuring your data can only be seen by you and your authorized lawyer), and encrypted backups.
11. Third-Party API Services
LeyApp uses Google OAuth for authentication. Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. We only request the minimum scopes necessary for authentication (email and profile). We do not store, share, or use Google user data beyond what is needed to create and maintain your LeyApp account.
12. Contact
To exercise your rights or for privacy enquiries: privacy@leyapp.es. You may file a complaint with the Spanish DPA (AEPD) at agpd.es.
Version History
- February 2026: Initial publication.