Themis LegalVersion 2026-05-09

Privacy

Privacy Policy

Effective 12 May 2026

Themis Legal ("Themis", "we") is a workspace for law firms. We are operated by Arkon Technology Ltd. ("Arkon Technology"), the data controller for the marketing site and the data processor for the data you store inside a chambers account. This policy describes what information we collect, why, how long we keep it, and the rights you can exercise against us.

Themis is engineered so that the documents and case notes you put into a chambers vault are encrypted on your devices with keys we never see. The detail below distinguishes consistently between account data (which we hold in cleartext and process to run the service) and vault content (which we hold only as ciphertext and cannot read).

1. What we collect

1.1 Account data

  • Identity: name, work email, locale preference, Clerk user identifier. We use Clerk for authentication; their privacy policy applies to the sign-in flow.
  • Firm metadata: firm name, jurisdiction code, default locale, billing plan, subscription status.
  • Billing: we process payments through LemonSqueezy / Stripe; we store the resulting customer and subscription identifiers, not the card itself.
  • Operational telemetry: IP address, user-agent string, and request timestamps for every privileged action. These are stored in the firm-scoped audit log so a partner can review who saw what when.

1.2 Vault content (encrypted)

  • Cases, hearing notes, parties, time entries, correspondence, payments, and the document blobs themselves.
  • For documents and other privileged payloads, the bytes that reach our servers have already been encrypted on your device with the firm's symmetric key. We store the ciphertext; we cannot decrypt it without your vault password, which never leaves your devices.

1.3 Cryptographic material

  • Your X25519 public key (plaintext — needed to wrap the firm key for you).
  • Your X25519 private key (encrypted with a key derived from your vault password via Argon2id — we cannot decrypt it).
  • Per-user firm-key grants (encrypted for each user's public key — we cannot decrypt these either).

2. Why we collect it

  • To operate the service. Account data is needed to sign you in, route requests to your firm's data, enforce access controls, and bill you.
  • To satisfy our legal obligations. Tax records, audit trail retention, and responses to lawful requests.
  • To improve the service. Aggregated, non-PII usage signals (e.g. error rates, average request latency).

We do not sell or rent personal data. We do not run advertising networks. We do not profile users for marketing.

3. What we cannot do

  • We cannot read the contents of your vault. The decryption keys live on your devices. A compromise of our database does not expose your documents — the worst-case scenario produces ciphertext.
  • We cannot respond to a subpoena with cleartext documents. A request served on us produces only ciphertext. The decision to decrypt and respond is yours.
  • We cannot recover a forgotten vault password. That is the price of the architecture: if we could recover it, so could anyone who compelled us to. The recovery kit you download at vault setup is your insurance against forgetting.

4. Where data lives

Account data and ciphertext are stored on Supabase infrastructure in the EU (eu-west-1, Ireland). The application servers run on Vercel's Frankfurt region. Transactional email is dispatched through transactional providers based in the EU/US — only the recipient's email address and the message body are shared. Payment processing happens via LemonSqueezy / Stripe; their data localisation policies apply.

5. How long we keep it

  • Live account: for as long as the account exists.
  • After deletion: soft-deleted for 90 days so a partner can request a restore, then hard-purged from our database and storage on the weekly cron — including every document blob.
  • Audit log: survives user deletion by design — it has no foreign key to the user, so the ledger remains intact for the firm. After firm hard-purge, the audit rows are no longer queryable in the application but may persist in backup snapshots for up to 30 days.
  • Backups: point-in-time backups of the database are retained for 30 days, then rotated out.

6. Sub-processors

We use a small set of vendors to operate the service. Each is contractually bound to handle the data they touch under terms equivalent to our own. The current list:

  • Supabase — managed Postgres + object storage (EU region).
  • Vercel — application hosting and edge network.
  • Clerk — authentication and user identity.
  • LemonSqueezy / Stripe — billing and payment processing.
  • Sentry — error monitoring (request metadata only; vault content is never sent).

The full and current list with addresses and processing purposes is also available in the Data Processing Addendum.

7. Your rights

You have the right to access, correct, port, restrict, and delete personal data we hold about you. Concretely, inside the app:

  • Access + portability: Settings → Your data → Export ZIP downloads everything we hold for your firm (including a standalone offline decryption tool for the ciphertext blobs).
  • Deletion: Settings → Your data → Delete account triggers the soft-delete + 90-day support window + hard-purge sequence.
  • Correction: Settings → Firm and the per-row edit affordances inside the app.

For requests that cannot be self-served — for example, exercising rights against personal data held in operational logs — write to support@themis-legal.co. We aim to acknowledge within 5 working days and substantively respond within 30.

8. Security

The architecture itself is the primary security control: end-to-end encryption with keys held only by you, an append-only audit log with a cryptographic hash chain, default deny on row-level security, and explicit ON DELETE behaviour on every relation so cascades cannot silently destroy a paper trail. We complement that with conventional measures — TLS in transit, hardened CSP, secret rotation, audit-anchor publication, and supplier review.

We will notify affected users without undue delay if we detect a personal-data breach materially likely to affect them, and in any event within 72 hours of discovery where applicable law requires it.

9. Children

Themis is a workplace product for legal professionals. It is not intended for, marketed to, or knowingly used by anyone under 16. If you believe a minor has been signed up, write to us and we will delete the account.

10. Changes

Material changes will be announced in-app at least 14 days before they take effect, and the "Effective" date at the top of this page will be updated. Continued use of the service after the effective date constitutes acceptance.

Questions about this policy?

Write to support@themis-legal.co and a human will reply. For requests under GDPR or other applicable data-protection regulations, please include the firm name and the email registered on the account so we can verify your identity.