This policy explains how Noor Legal Ltd ("we", "us", "Noor") collects, uses, stores, and protects personal data under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
If you are a prospective or existing customer firm, the personal data your caseworkers enter about clients is processed by us as a processor under a separate Data Processing Agreement, not under this policy. This policy covers only the personal data of a firm's own users (admins and caseworkers) and of visitors to our marketing site.
1. Controller and contact
Noor Legal Ltd, Company No. 14982201. Registered office: 14 Gray's Inn Square, London WC1R 5JP, United Kingdom.
ICO registration: ZA982114. Data Protection contact: dpo@trynoor.legal. We respond to all data-subject enquiries within one calendar month (UK GDPR Art. 12(3)).
2. Categories of data we collect
| Context | Data collected | Lawful basis (UK GDPR Art. 6) |
|---|---|---|
| Marketing-site visits | IP address, user-agent, page viewed, referrer, performance metrics. Aggregated via Vercel Analytics and Speed Insights. | 6(1)(f) Legitimate interests (measuring site performance and product demand). A documented balancing test is available on request. |
| Walkthrough / contact forms | Full name, work email, firm name, SRA or IAA number (optional), phone (optional), message content, Cal.com booking metadata. | 6(1)(b) Contract (taking steps to enter into a service agreement with your firm). |
| Authenticated product use | Account email, password hash (salted scrypt), session token, last-sign-in timestamp, IP address of each sign-in for audit. | 6(1)(b) Contract and 6(1)(f) Legitimate interests (security and fraud prevention). |
| Cookies and similar tech | Single strictly necessary auth cookie, theme preference in localStorage, optional analytics cookie set only after explicit consent. | Strictly necessary: exempt from consent under PECR reg. 6(4). Analytics: 6(1)(a) Consent (opt-in banner). |
3. How we use the data
- Deliver, maintain, and improve the service.
- Respond to enquiries and coordinate walkthroughs.
- Issue invoices and handle billing (planned; not yet live, pending Stripe integration).
- Investigate security incidents, fraud, or abuse. Sign-in and IP metadata is retained for up to 30 days for this purpose (see section 5).
- Comply with legal obligations (HMRC, SRA information requests).
We do not sell personal data. We do not use it for ad targeting. We do not use client-submitted data to train AI models, and our contracts with Anthropic and our infrastructure providers are on zero-data-retention (ZDR) terms, so those providers do not retain the content we send them.
4. Where we store and process data
Personal data is hosted in the United Kingdom (AWS eu-west-2, London); Convex operates our application database in the same region. Marketing analytics are processed by Vercel on EU infrastructure, which is covered by UK adequacy regulations.
Beyond that, no personal data is transferred outside the UK except where a specific integration requires it (for example, Cal.com syncs calendar bookings on US infrastructure, covered by the EU Standard Contractual Clauses with the ICO's UK International Data Transfer Addendum). The current list is in our sub-processors register.
5. Retention
- Marketing enquiries (contact / walkthrough forms where no engagement follows): 24 months after last contact, then deleted.
- Customer account data (firm admins, caseworkers): retained for the life of the agreement and for 7 years after termination (in line with SRA retention expectations). On termination the firm can request earlier deletion; we honour that request except for audit hashes that a regulator requires us to keep for accountability.
- Security logs (sign-in IPs, failed-auth attempts): 30 days rolling.
- Backups: encrypted daily snapshots retained for 30 days, then purged. Data deleted from the live database therefore persists in backups for up to 30 days after deletion.
6. Your rights
Under UK GDPR you have the following rights:
- Right of access (Art. 15) — copy of the data we hold on you.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure (Art. 17) — subject to retention obligations.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20).
- Right to object (Art. 21), including to direct marketing.
- Right not to be subject to solely automated decisions (Art. 22) — Noor does not make such decisions about individuals.
To exercise any right, email dpo@trynoor.legal. We verify identity before responding (for example, by confirming you control the email address on record) and reply within one month, as stated in section 1. No fee is charged for a first request within a 12-month window.
7. Security
All traffic is served over TLS 1.2 or higher. Data at rest is encrypted with AES-256. Passwords are hashed with salted scrypt and are never logged. Access to production infrastructure is restricted to principals with MFA, and every administrative action is recorded in an immutable custody log. We maintain a documented incident-response runbook (published at /security). For any qualifying personal-data breach we will notify the ICO within 72 hours of becoming aware of it (UK GDPR Art. 33) and, where the breach is likely to result in a high risk to individuals, inform the affected data subjects without undue delay (Art. 34).
8. Cookies
Noor sets the following cookies:
- Strictly necessary: convex-auth (session token; HttpOnly, Secure, SameSite=Lax; 30-day lifetime). Required for sign-in and exempt from PECR consent under reg. 6(4).
- Optional analytics (set only after you accept in the banner): va-user, va-session (Vercel Analytics; no cross-site identity, 24-hour lifetime).
9. Changes to this policy
We will revise this policy as our processing changes. The "last updated" date at the top reflects the current version. Material changes are announced in the changelog and, where required, by email to active customers.
10. Complaints
You have the right to complain to the Information Commissioner's Office at ico.org.uk, by phone on 0303 123 1113, or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. We'd appreciate the chance to resolve the issue first — email dpo@trynoor.legal.
Solicitor-review note. This policy is drafted to UK GDPR and DPA 2018 best practice. A customer firm's COLP or outside counsel should review it against the firm's own compliance framework before signing. Noor Legal Ltd is a technology provider, not a law firm, and this text is not legal advice.