;

Choose your cookies

Cookies help us improve your user experience, tailor ads to your interests and enhance our website.

Learn more and customize

PRIVACY POLICY

Effective date:

15 June 2026

Version:

1.0

Applies to:

factum.law, chat.factum.law and all related applications and services (the "Services")

1. Introduction

Welcome to Factum. Your privacy and the security of the information you entrust to us are central to how we build and operate our Services. This Privacy Policy explains what data we process, the purposes and legal grounds for processing, with whom we share it, how long we keep it, how we protect it, and the rights you have in relation to your personal data.

Factum is an artificial-intelligence legal platform owned and operated by FAKTUM DOO Skopje, a company established in the Republic of North Macedonia (referred to as "Factum", "we", "us" or "our").

By creating an account or otherwise using the Services, you confirm that you have read and understood this Policy. This Policy forms an integral part of our General Terms of Use.

We understand that our users are predominantly legal professionals who handle sensitive and confidential information. For that reason, a single principle governs everything that follows: your User Content is never used to train our AI models or those of any third party, and all processing of your content takes place exclusively within the European Union.

Because we offer the Services to users located in the European Union / European Economic Area, this Policy is governed primarily by the General Data Protection Regulation (Regulation (EU) 2016/679 – "GDPR"), which applies to us under Article 3(2) GDPR. As a company established in North Macedonia, we are additionally bound by the Law on Personal Data Protection of the Republic of North Macedonia ("LPDP"), which is harmonized with the GDPR. Where this Policy refers to the GDPR, the equivalent LPDP provisions apply correspondingly.

2. Key definitions

The terms used in this Policy have the following meaning:

Controller

the party that determines the purposes and means of the processing of personal data.

Processor

the party that processes personal data on behalf of, and on the documented instructions of, the Controller.

Account Data

information you provide and that we generate when you register for and use your account. Factum is the Controller of this data.

Input Content

the questions (prompts), text, data, documents and files that you enter into or upload to the Services.

Output Content

the text, analyses, summaries, documents and other content generated by the Services in response to your Input Content.

User Content

Input Content and Output Content together. For this data, you (or the organization you represent) are the Controller and Factum acts solely as a Processor.

Sub-processor

a third party we engage to help us provide the Services, which may process data on our behalf.

3. Our roles: Controller and Processor

Our responsibilities under data-protection law depend on the category of data:

Account Data — Factum is the Controller.

We decide why and how this data is processed in order to operate your account and the Services.

User Content — you are the Controller and Factum is the Processor.

We process User Content only on your instructions, for the sole purpose of delivering the Services to you. Where you use the Services on behalf of an organization (for example, your law firm, employer or institution), that organization is the Controller and you act under its authority. As Controller, you are responsible for ensuring that you have a valid legal basis to process any personal data that you submit through the Services, including personal data relating to third parties (such as your clients).

For business and enterprise customers, the terms of our processing of User Content are governed by these provisions and, where applicable, by a separate Data Processing Agreement (DPA).

4. What data we process and why

4.1 Account Data (Factum as Controller)

Data we collect:

Identification data:

first and last name, email address.

Authentication data:

password (stored only in encrypted, hashed form), or the relevant identifiers from your Google account where you sign in via Google OAuth 2.0, or via a one-time "Magic Link".

Subscription and billing data:

the package you selected, billing status and payment history. We do not store your payment-card details — online payments are processed by our Merchant of Record, Paddle (see Section 6).

Technical and usage data:

IP address, device and browser type, login times, and data about how you use the Services.

Communications data:

the content of your correspondence with our support team.

Purposes: creating and administering your account; providing access to the Services according to your subscription; processing payments and managing subscriptions; communicating with you about your account, service changes and important notices; providing technical support; preventing fraud and abuse; and maintaining the security and integrity of the platform.

Legal bases:

Performance of a contract

— processing necessary to provide the Services you have subscribed to.

Legitimate interests

— maintaining the security of the platform and improving our Services, balanced against your rights and freedoms.

Legal obligation

— where we must retain certain data (for example, for accounting and tax purposes).

Consent

— where we rely on consent (for example, for certain optional communications), which you may withdraw at any time.

4.2 User Content (you as Controller, Factum as Processor)

Data we process: your Input Content and the resulting Output Content, which may include personal data of third parties that you choose to submit.

Purpose: the sole purpose is to process your Input Content and generate Output Content for you through our AI assistant, strictly in accordance with your instructions.

Legal basis: performance of the contract between you and us; we process this data exclusively on your behalf in order to deliver the requested Service.

A note on minimization. Because you control what you submit, we recommend that you avoid entering personal data, banking-secrecy information, payment instruments, or special categories of data beyond what is necessary for your query, and that you follow your organization's own data-classification and data-loss-prevention policies.

5. The fundamental commitment: no training, full EU processing

Two principles distinguish Factum and apply to all User Content:

No model training.

We do not use your Input Content or Output Content to train, fine-tune, evaluate or otherwise improve our AI models or those of any third party. This obligation is contractually binding on our AI sub-processor. Our AI provider operates under an enterprise configuration with training opt-out and a confirmed Zero Data Retention arrangement, meaning your prompts and documents are processed transiently to generate your answer and are not retained or logged for human review by the AI provider.

EU data residency.

All hosting, storage and AI processing of your User Content takes place exclusively on infrastructure located within the European Union / European Economic Area. Your Input Content and Output Content are not transferred outside the EU/EEA for storage or AI processing. Factum itself is established in North Macedonia, and a strictly limited number of our authorized personnel may access data from there for support and administration; such access is subject to appropriate safeguards as described in Section 7.

6. With whom we share your data (Sub-processors)

To deliver the Services we rely on a small number of carefully selected technology partners. We share data with them only to the extent necessary, under written contracts (including, where required, Standard Contractual Clauses and data-processing terms) that bind them to protect your data and prohibit any other use. All sub-processors that process User Content do so within the EU/EEA.

6.1 Sub-processors that process User Content

Hetzner Online GmbH

Purpose: Hosting of the application backend, self-hosted PostgreSQL database (folder data, document chunks, embeddings), Elasticsearch (logs) and encrypted backups/snapshots

Location: Falkenstein, Germany (EU)

Assurances: ISO/IEC 27001; EU SCCs

Google Cloud — Vertex AI (Gemini)

Purpose: Large-language-model generation of answers and creation of text embeddings (RAG)

Location: EU/EEA region

Assurances: Enterprise tier with training opt-out and Zero Data Retention; ISO/IEC 27001/27017/27018; SOC 2

Google Firebase

Purpose: Authentication, user-account data, chat history and references to sources (Cloud Firestore)

Location: EU region

Assurances: ISO/IEC 27001/27017/27018; SOC 2

Google Cloud Storage

Purpose: Private storage of original files uploaded in Folder/Agent Mode; backup destination for Firestore exports

Location: EU region

Assurances: ISO/IEC 27001/27017/27018; SOC 2

6.2 Sub-processors that process Account/Operational Data only (not User Content)

Brevo (Sendinblue SAS)

Purpose: Sending transactional emails (account verification, notifications). Processes notification metadata only — never your User Content

Location: France (EU)

Assurances: GDPR-compliant; ISO/IEC 27001

Paddle.com Market Ltd

Purpose: Merchant of Record for online subscriptions: payment processing, invoicing, tax/VAT handling, billing support

Location: United Kingdom (UK adequacy decision); appropriate safeguards applied

Assurances: PCI-DSS; GDPR-compliant

Namecheap, Inc.

Purpose: Domain registration and DNS management for factum.law / factum.mk. Does not process User Content

Location: United States (DNS only)

Assurances: Appropriate safeguards; no personal content transferred

We will keep an up-to-date list of sub-processors and will notify customers of material changes in accordance with our agreements. We may also disclose data where required by law, court order, or a lawful request from a competent authority, and to establish, exercise or defend legal claims.

7. International data transfers

Our servers, databases and all AI processing are located within the European Union / European Economic Area, and your User Content is not transferred outside the EU/EEA for storage or AI processing. Where any transfer of personal data to a third country occurs, it is carried out only under a valid transfer mechanism recognized by Chapter V of the GDPR — an adequacy decision, Standard Contractual Clauses (SCCs), or another lawful safeguard — ensuring an essentially equivalent level of protection. The relevant transfers are:

Access by Factum from North Macedonia.

Factum is established in North Macedonia, which is not (currently) covered by an EU adequacy decision. To the extent our authorized personnel access EU/EEA-hosted data from North Macedonia for support, maintenance or security, this constitutes a transfer to a third country, which we cover by Standard Contractual Clauses and supplementary technical and organizational measures (encryption, least-privilege access, NDAs).

Paddle (United Kingdom).

Account and billing data processed by our Merchant of Record; the UK benefits from a European Commission adequacy decision.

Namecheap (United States).

DNS management only; does not process User Content or other personal content. Any incidental personal data is transferred under SCCs.

You may request further information about these safeguards using the contact details in Section 13.

8. Data security

We apply layered technical and organizational measures, governed by our certified Information Security Management System:

Encryption:

all data is encrypted in transit (TLS 1.3) and at rest (AES-256).

Network isolation:

critical systems (PostgreSQL, Elasticsearch, administrative interfaces) are not exposed to the public internet and are reachable only over a private VPN (Tailscale) with explicit firewall rules. All public traffic is served over TLS 1.3 / HTTPS.

Tenant isolation:

logical separation between customers via Firebase security rules (RLS-equivalent), application-level tenant context on every database query, and per-tenant object isolation with IAM controls and time-limited signed URLs in storage.

Access control:

access to production data follows the principles of least privilege and need-to-know and is technically restricted to a small number of named members of our technical leadership, all bound by NDAs and subject to pre-employment screening. Exceptional access follows a documented "break-glass" procedure.

Secure development:

mandatory code review, testing in isolated environments before production, regular vulnerability scanning of third-party components (CVEs), and disciplined patch management, based on OWASP, SEI CERT, UK NCSC and NIST best practices.

Resilience:

daily automated backups, Point-in-Time Recovery and disaster-recovery procedures, with periodic restoration drills.

Certification:

Factum operates an Information Security Management System certified to ISO/IEC 27001:2022 (certificate no. IC-IS-2511022, issued by INTERCERT; recertification due 03.11.2028), with the scope "Design, development, support and maintenance of digital legal services."

No method of transmission or storage is completely secure, but we continuously review and strengthen our controls to protect your data.

9. Data retention

We retain data only for as long as necessary for the purposes described in this Policy:

Folder documents, files and metadata

Kept until you delete them; deletion from the database and storage occurs in the same cycle. Deletion on a customer's request is completed within 30 days.

Chat history and source references

Kept in Firebase (EU) until deleted by you or your tenant administrator. Optionally, at your choice, chat history can be stored locally in your browser (Local Storage) — in which case it never leaves your device. This option is off by default.

Account data (authentication, profile)

Kept for the duration of your active contract; deleted when you stop using the Services.

Operational and security logs

Default retention of 6 months (Elasticsearch, Germany); configurable to 12 or 24 months for enterprise customers under a DPA.

Backups

Rolling 7-day window for server snapshots and Firestore exports; older copies are automatically deleted.

Accounting/tax records

Retained for the period required by applicable law, after which they are securely destroyed.

On termination, you may request a full export of your data before deletion. Production data is deleted across all systems within 30 days of account/tenant deactivation, with up to a further 7 days for backup rotation. Upon completion, and on request, we issue a signed Certificate of Data Destruction.

10. Your rights

In accordance with the GDPR, you have the following rights in respect of personal data for which we are the Controller:

Right of access

— to obtain confirmation of, and information about, the personal data we process about you.

Right to rectification

— to have inaccurate data corrected and incomplete data completed.

Right to erasure ("right to be forgotten")

— to have your data deleted under the conditions provided by law; you can exercise much of this directly by deleting your content or account.

Right to restriction of processing

— to request that we limit how we use your data.

Right to data portability

— to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to object

— to object to processing based on our legitimate interests.

Right to withdraw consent

— where processing is based on consent, at any time, without affecting prior lawful processing.

Where Factum acts as a Processor (for your User Content), requests from data subjects should be directed to the relevant Controller (you or your organization); we will assist the Controller in responding to such requests as required by law.

To exercise your rights, contact us using the details in Section 13. You also have the right to lodge a complaint with the data-protection supervisory authority of your EU/EEA Member State (for example, the authority where you live, work, or where the alleged infringement occurred). A list of EU/EEA supervisory authorities is maintained by the European Data Protection Board (edpb.europa.eu).

11. Security incidents and notification

We maintain documented incident-management procedures. In the event of a personal-data breach affecting the confidentiality, integrity or availability of your data, we will notify affected customers without undue delay and no later than 24 hours after becoming aware of it, and will cooperate as required under applicable law. Security and incident matters can be reported to our Data Protection Officer at dpo@factum.law.

12. Cookies

Our websites use cookies and similar technologies to operate the platform, keep you signed in, remember your preferences and improve your experience. You can control non-essential cookies through your browser settings and, where applicable, our cookie banner. We do not use third-party advertising or cross-site tracking cookies. Further detail is provided in our Cookie Policy, where published.

13. Contact

If you have questions about this Privacy Policy or how we process your data, please contact us.

Personal data controller: FAKTUM DOO Skopje, st. "Kliment Ohridski" no. 48, 1000 Skopje, Republic of North Macedonia, Tax ID: 4032022554313. General contact: info@factum.law Data Protection Officer (DPO): Metodij Ristomanov — dpo@factum.law

You may direct any data-protection request or complaint to the contacts above; we will respond in accordance with the GDPR and applicable law.

14. Children

The Services are intended for professional use by persons aged 18 and over. We do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, please contact us so we can take appropriate action.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the platform in advance of their taking effect. The current version, with its effective date, will always be available on our website.

Security

Security your clients can trust

For lawyers, confidentiality is the job. Factum protects every case you bring to it — by design.

Save time on legal analysis

Join thousands of legal professionals who already work with Factum.