Legal Sandbox Georgia LLC
Version: 2.1
Effective Date: 13 May 2026
Last Updated: [Date]
Document Language: English (Georgian version prevails in case of conflict)
Status: Binding contract; incorporated by reference into the Master Terms and Conditions, all Role Terms and Conditions, and applicable Function Rulebooks.
| Question | Answer |
|---|---|
| Who is responsible for your data? | Legal Sandbox Georgia LLC (contact@legal.ge) |
| What law applies? | Georgian Personal Data Protection Law (No. 3144 of 2023) and, for EU residents, GDPR |
| What data do we collect? | Account, profile, transaction, usage, professional, Engagement, and (with explicit consent) Marketing tracking data via Meta Pixel and Meta Conversions API (see Section 3) |
| Cabinet content special status? | Privileged by default; Platform commits to access only on three narrow grounds, with audit trail (see Section 9) |
| Where is your data stored? | Primarily European Union (Germany); payment data with Bank of Georgia in Georgia |
| Do we sell your data? | No, never. |
| Do we use cookies? | Yes, but only with your explicit consent for non-essential cookies. See Cookie Policy. |
| How long do we keep your data? | Varies by data category — see Section 7 detailed retention table |
| What are your rights? | Access, correction, deletion, portability, objection, complaint (see Section 10) |
| Supervisory authority? | Personal Data Protection Service of Georgia (PDPS); office@pdps.ge |
| How do you contact us? | contact@legal.ge |
| Age requirement? | 18+ only |
For complete details, please read the full Policy below.
This Privacy Policy ("Policy") explains how Legal Sandbox Georgia LLC ("we," "us," "our," or the "Platform"), operator of legal.ge, collects, uses, shares, and protects your personal data when you visit our website, use our services, or interact with us.
We are committed to protecting your privacy and processing your personal data in accordance with applicable data protection laws, including:
(a) The Georgian Law on Personal Data Protection No. 3144 adopted on 14 June 2023, which replaced the 2011 law and introduces strengthened safeguards aligned with EU standards;
(b) Where applicable, the General Data Protection Regulation (EU) 2016/679 ("GDPR").
The 2023 Georgian Personal Data Protection Law applies to data processing of Georgian residents and to any processing performed within Georgia. The GDPR applies to data processing of European Union residents.
(a) Where you are a Georgian resident, the 2023 Georgian Law governs the processing of your personal data;
(b) Where you are an EU resident, the GDPR applies to the processing of your personal data by us;
(c) Where both apply, we apply whichever provides greater protection to the data subject.
Legal Sandbox Georgia LLC
Registration Number: 405713768
Registered Address: Tbilisi, Agmashenebeli Alley N240, Georgia
Email: contact@legal.ge
CEO: Vakhtang Baramashvili
For data protection purposes, Legal Sandbox Georgia LLC is the Data Controller for personal data collected through the Platform, except where:
(a) Cabinet Cases: the Specialist (or Affiliated Company, where applicable) is the Data Controller for Client personal data entered into the Cabinet; we provide technical infrastructure (see Section 9.5);
(b) Organisation membership data: the Organisation may serve as Data Controller for its own membership and Token Economy data, with the Platform serving as Data Processor or co-Controller depending on the matter (see Organisation T&C Article 17);
(c) Other circumstances specified in this Policy or applicable role-specific Terms and Conditions or Function Rulebooks.
This Policy applies to:
This Policy should be read together with:
We have designated a contact person for data protection matters:
Vakhtang Baramashvili
Chief Executive Officer
Legal Sandbox Georgia LLC
Registration Number: 405713768
Email: contact@legal.ge
Address: Tbilisi, Agmashenebeli Alley N240, Georgia
The 2023 Georgian Personal Data Protection Law introduces requirements that may make Data Protection Officer (DPO) appointment mandatory for certain entities. Provisions concerning DPO appointment came into effect on 1 June 2024.
We are assessing whether DPO appointment is required based on the volume, scope, and risk profile of our data processing activities. This assessment is under qualified Georgian legal counsel review.
(a) Until that assessment is complete, all data protection inquiries should be directed to contact@legal.ge addressed to our designated contact person;
(b) Where DPO appointment is determined to be required, we will appoint a DPO and update this Policy with the DPO's contact details;
(c) Where DPO appointment is not legally required, we will continue to designate Vakhtang Baramashvili (CEO) as our data protection contact person.
We collect and process the following categories of personal data:
| Data | Examples |
|---|---|
| Identity Data | First name, last name, username, salutation/title |
| Contact Data | Email address, phone number |
| Authentication Data | Password (encrypted/hashed), OAuth tokens, session tokens |
| Profile Data | Biography, professional qualifications, profile photo, Georgian Bar Association membership number (for Licensed Attorneys) |
| Identity Verification Data | Personal ID number (11-digit Georgian ID or foreign equivalent) — for training enrollment certificate issuance |
| Data | Examples |
|---|---|
| Transaction Data | Payment confirmations, enrollment records, subscription tier history |
| Usage Data | Login timestamps, feature usage, page access logs |
| Communication Data | Correspondence with us, support requests |
| Data | Examples |
|---|---|
| Content Data | Blog posts, articles, training materials (for Authors and Trainers); Specialist Profile content |
| Data | Examples |
|---|---|
| Inquiry Data | Inquiry submissions, pre-engagement messaging, Quotes, Pre-Authorization and Capture metadata, SLA timing data, decline reasons (governed by Inquiries & Messaging Function Rulebook) |
| Cabinet Engagement Metadata | Litigation Case metadata: Lifecycle State, Procedural Stage, Case parties (names), financial entries, Hearings and Deadlines records, Specialist team membership (governed by Cabinet (Litigation) Function Rulebook) — note that Cabinet content (Notes, Chat, Documents) is treated as Privileged Content per Section 9 |
| Reviews & Ratings Data | Star ratings (3+3 categories, public), written feedback (private to Specialist), Top Rated Badge eligibility, review submission timestamps (governed by Reviews & Ratings Function Rulebook) |
| Pricing & Specialization Data | Selected L2 specializations, published Service prices (FIXED/RANGE/QUOTE), consultation_fee values (governed by Specializations & Pricing Function Rulebook) |
| Subscription & Billing Data | Subscription tier history, Card on File metadata (no full card numbers — see Section 3.2), payment records, renewal events, downgrade/upgrade events, Past Due history (governed by Subscriptions & Billing Function Rulebook) |
| Calendar Data | Available Slots, Personal Blocks, External Busy mirrors from Google Calendar, Google OAuth tokens (server-side stored), connection events (governed by Calendar Function Rulebook) |
| Video Session Metadata | Video session timestamps, attendance records, Capture status, magic-link issuance events. No video recordings stored in v1.0 (governed by Video Consultations Function Rulebook) |
| Data | Examples |
|---|---|
| Organisation Membership Data | Organisation ID, membership status, role within Organisation, governance permissions, history of role changes (governed by Organisation T&C Article 17) |
| Token Economy Data | Token balances per Organisation per Member, token issuance history, top-up payment records, expiry events, allocation rules state (governed by Organisation T&C Article 6) |
| Data | Examples |
|---|---|
| Audit Trail Data | Platform access logs to privileged content (per Cabinet Rulebook §5.5); credential retrieval logs; moderation action logs; subscription billing audit |
| Content Moderation Data | Posting decisions, moderator review records, dispute history |
The Platform operates a marketing and conversion tracking stack consisting of Meta Pixel (client-side) and the Meta Conversions API (server-side). These mechanisms are gated behind explicit marketing consent and only collect data after the user has affirmatively opted in via the cookie consent banner.
| Data | Examples |
|---|---|
| Meta Pixel Browser Identifier | _fbp cookie value — anonymous browser identifier set by Meta Pixel to track user actions across the Platform for conversion attribution |
| Meta Click Identifier | _fbc cookie value — set when a user arrives at the Platform from a Meta-served advertisement; preserves click attribution for conversion measurement |
| Conversion Event Data | Event names (e.g., subscription purchase, role registration), event timestamps, event parameters; transmitted to Meta both client-side (via Pixel) and server-side (via Conversions API) |
| Server-Side Event Metadata | IP address, user agent string, _fbp, _fbc, and other request metadata transmitted from Platform servers to Meta via the Conversions API for matching and attribution |
| Anonymous Consent Session Identifier | cookie_consent_session cookie value — used to link consent decisions to authenticated user IDs when available, for audit purposes |
This tracking is governed by:
(a) Marketing consent category — collection requires explicit user consent through the cookie consent banner; consent is recorded and persisted in the cookie_consent cookie and audited server-side via /api/consent;
(b) International data transfer — Meta data is transmitted to Meta Platforms, Inc. infrastructure in the United States; lawful basis is dual (user consent + Standard Contractual Clauses), per Section 6.3;
(c) Withdrawal of consent — users may withdraw marketing consent at any time via Cookie Settings; upon withdrawal, the Platform ceases new transmissions of marketing data, though prior transmissions cannot be recalled from Meta and are subject to Meta's own retention policies.
We want to be clear about data we do not collect or store:
(a) Payment Card Details: We do not store credit card numbers, CVV codes, or full bank account details. All payment processing is handled by our payment processor (Bank of Georgia), and we receive only transaction confirmations and Card-on-File tokens (which do not reveal full card numbers).
(b) Browsing History Outside the Platform: We do not track your browsing activity outside of our Platform.
(c) Video Recordings (v1.0): We do not record or store video session content. Only metadata (timestamps, attendance) is stored. This is governed by Video Rulebook Article 11.
(d) Cabinet Content for Platform Use: While we have technical capability to access Cabinet content under defined exceptional circumstances (see Section 9), we do not access Cabinet content for product development, training data, analytics, marketing, or any purpose other than the three narrow grounds defined in Cabinet Rulebook §5.2.
We generally do not collect "special category" data (also known as sensitive personal data), such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation.
However:
(a) Professional credentials (such as Georgian Bar Association membership) may indirectly reveal professional or educational background. We process such data only as necessary to verify professional qualifications;
(b) Cabinet Cases may incidentally contain special category data within Privileged Content (e.g., a Case involving health or family matters). Such content is protected under the Cabinet privilege framework (Section 9) and is the Specialist's responsibility to handle in accordance with Bar rules and applicable law.
We collect personal data that you voluntarily provide when you:
When you visit or use the Platform, we automatically collect certain data through cookies and similar technologies, including:
For detailed information about cookies, please see our Cookie Policy.
We may receive personal data from third-party sources:
| Source | Data Received | Purpose |
|---|---|---|
| Google (OAuth) | Name, email address, profile picture | Account authentication |
| Google Calendar (OAuth) | Calendar metadata: time and title of busy events on Specialist's primary Google Calendar | Calendar sync per Calendar Rulebook §9 (Specialists at Expert/Enterprise tiers only) |
| Georgian Bar Association | Verification of membership status | Professional credential verification |
| Bank of Georgia | Transaction confirmation, payment status | Payment processing |
Other Platform users may provide data about you in defined circumstances:
We process your personal data only when we have a valid legal basis to do so. The table below summarises our processing activities, purposes, and legal bases:
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Account creation and management | Identity, Contact, Authentication | Performance of contract |
| Providing Platform services (Inquiries, Cabinet, Calendar, etc.) | Profile, Usage, Engagement | Performance of contract |
| Processing payments (subscriptions, Inquiry fees, Cabinet payments) | Identity, Contact, Transaction, Subscription | Performance of contract |
| Verifying professional credentials | Identity, Profile (GBA number) | Legitimate interest (Platform integrity) |
| Issuing training certificates | Identity, Identity Verification | Performance of contract |
| Calendar sync with Google | Calendar, Authentication tokens | Consent + Performance of contract |
| Cabinet Case storage and infrastructure | Cabinet metadata + privileged content | Performance of contract (Specialist as Controller for Client data) |
| Audit trail maintenance | Platform access logs | Legitimate interest (security and accountability) |
| Responding to inquiries | Identity, Contact, Communication | Legitimate interest (customer service) |
| Sending service communications | Identity, Contact | Performance of contract |
| Sending marketing communications | Identity, Contact | Consent |
| Website analytics (anonymised/aggregated) | Usage Data | Legitimate interest (service improvement) |
| Meta Pixel + Meta Conversions API marketing tracking | Marketing & Conversion Tracking Data (§3.1.7) | Consent (marketing category) + SCCs for US transfer |
| Cookieless performance monitoring (Vercel Analytics) | Anonymised request metadata | Legitimate interest (operational monitoring) |
| Security and fraud prevention | Identity, Usage, Authentication, Audit | Legitimate interest (security) |
| Legal compliance | Various | Legal obligation |
| Dispute resolution | Various | Legitimate interest / Legal obligation |
Performance of Contract: We need to process certain data to provide our services to you. Without this data, we cannot create your account, process your payments, or deliver the services you request.
Legitimate Interest: We have legitimate business interests in processing certain data — for service improvement (anonymised/aggregated only), security, professional credential verification, and accountability. We balance these interests against your rights and freedoms.
Consent: We rely on your explicit consent for marketing communications and for non-essential cookies. You may withdraw consent at any time (see Section 10).
Legal Obligation: We may be required to process data to comply with Georgian law, tax regulations, or court orders.
We may share your personal data with the following categories of recipients:
We use trusted third-party service providers to help operate the Platform:
| Provider Type | Provider | Location | Purpose | Consent Basis |
|---|---|---|---|---|
| Hosting & Database | Supabase | EU (Germany) | Data storage, authentication, transactional email | Performance of contract |
| Frontend Hosting & CDN | Vercel | EU | Website hosting, content delivery | Performance of contract |
| Performance Analytics | Vercel Analytics | EU/Global | Cookieless page-view and performance monitoring; uses anonymised request metadata only; does not set cookies or track users across sites | Legitimate interest (operational monitoring) |
| Payment Processing | Bank of Georgia | Georgia | Payment processing for subscriptions, Inquiry fees, Cabinet payments | Performance of contract |
| Website Analytics | Google Analytics 4 | EU-only configuration | Anonymised website analytics | Explicit consent (analytics category) |
| Calendar Integration | Google Calendar | EU/Global (Specialist's Google account) | Two-way calendar sync (only for Specialists at Expert/Enterprise tier with explicit OAuth grant) | Explicit consent + Performance of contract |
| Marketing Tracking — Browser | Meta Platforms, Inc. (Facebook/Instagram Pixel) | United States | Conversion tracking and remarketing via client-side Pixel; collects _fbp, _fbc cookies and event data | Explicit consent (marketing category) |
| Marketing Tracking — Server | Meta Platforms, Inc. (Conversions API) | United States | Server-side transmission of conversion events to Meta for attribution; transmits IP address, user agent, _fbp, _fbc, and event metadata from Platform servers to Meta | Explicit consent (marketing category) + Standard Contractual Clauses |
These providers process data on our behalf under data processing agreements that require them to protect your data and use it only for specified purposes.
Marketing tracking note: The Meta Pixel and Meta Conversions API operate only after the user has affirmatively granted marketing consent via the cookie consent banner. Without marketing consent, neither the Pixel script nor the Conversions API server-side calls are activated for the user.
Depending on your role and activities, certain data may be visible to other Platform users:
| Your Role / Activity | Data Shared | With Whom | Source |
|---|---|---|---|
| Specialist Profile | Profile information, ratings | Public (website visitors) | Posting Rulebook |
| Specialist Contact (paid tiers) | Phone, email | Public (subject to contact disclosure tier) | Subscriptions Rulebook §5.1.1 / §6.1.1 |
| Author | Name, bio, published content | Public | Posting Rulebook |
| Trainee | Name, email, attendance | Trainer | Training Rulebook (forthcoming or Trainer T&C) |
| Trainee | Personal ID | Trainer | For certificate issuance only |
| Company Specialist | Profile, Case metadata | Affiliated Company | Subscriptions Rulebook §7 |
| Cabinet Lead Specialist | Full Cabinet Chat, Documents (per visibility), Notes, Hearings, Deadlines, Activity Log | Other Cabinet Lead Specialist | Cabinet Rulebook |
| Cabinet Collaborator | Cabinet content per per-document/per-note visibility levels | Lead Specialist + other Collaborators | Cabinet Rulebook §6.1.2 |
| Cabinet Client (User as Client) | Case-shared and Client-shared content; Cabinet Chat | All Case Specialists (Lead + Collaborators) | Cabinet Rulebook §19 |
| Multi-Specialist Cabinet Team | Cabinet content per role | All team Specialists | Cabinet Rulebook §6 |
| Reviewer of Specialist | Star ratings (public); written feedback (PRIVATE — only Specialist sees) | Public for ratings; Specialist for written feedback | Reviews Rulebook |
| Organisation Member | Token balance, allocation rules state | Organisation governance roles per permission category | Organisation T&C §17 |
| Calendar Public View | Specialist's Available Slots; "Busy" indicator only for Personal Blocks and External Busy | Public visitors browsing Specialist's Profile | Calendar Rulebook §3.5 |
| Calendar Outbound Sync | Confirmed Booking events (anonymised metadata; no privileged content) | Specialist's connected Google Calendar | Calendar Rulebook §9.7 |
| Multi-Specialist Confirmed Booking | Confirmed Booking event | All team Specialists' Google Calendars (where each connected) | Calendar Rulebook §11.3 |
For Licensed Attorneys, we may verify credentials with or report violations to the Georgian Bar Association (GBA) as required by professional conduct rules. The Specialist's underlying professional and ethical obligations to their clients (including conflict checking, privilege maintenance, and Bar reporting requirements) are independent of and in addition to Platform protections (see Cabinet Rulebook §5.6).
We may disclose personal data when required by law, court order, or regulatory request, including to:
Where the request concerns Cabinet content, we follow the protocol in Section 9.4.
Platform Moderators have NO routine access to Cabinet content (per Cabinet Rulebook §15.6 and §24). Moderator access to Cabinet content is permitted only:
(a) Where a dispute is opened concerning the Case (per Inquiries Rulebook §12 dispute mechanism, where Cabinet derives from an Inquiry-converted Case);
(b) Where the Moderator's role under the Moderator T&C requires access for a specific dispute matter;
(c) Limited in scope to the dispute matter;
(d) Logged in the Article 5.5 Cabinet audit trail.
We do not sell your personal data to third parties. This commitment applies to all data categories covered by this Policy.
Your personal data is stored and processed primarily within the European Union:
Exceptions for which data is processed outside the EEA:
Transfer of personal data to Meta Platforms, Inc. in the United States is supported by a dual lawful basis:
(a) Explicit user consent — the user has affirmatively granted marketing consent via the cookie consent banner before any Meta-related data is collected or transmitted;
(b) Standard Contractual Clauses (SCCs) — Meta's data processing terms incorporate Standard Contractual Clauses approved by the European Commission as the safeguard for international transfers, providing supplementary contractual protection beyond user consent.
Where the user withdraws marketing consent, we cease new transmissions of marketing data to Meta. Data already transmitted to Meta is subject to Meta's own retention and deletion policies; we cannot recall data already transmitted.
In the event that any further data transfer outside the EEA becomes necessary, we will ensure appropriate safeguards are in place, such as:
We will update this Policy to reflect any changes to our data transfer practices.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. When determining retention periods, we consider:
| Data Category | Retention Period | Source / Rationale |
|---|---|---|
| Account Data | Duration of account + 2 years | Legitimate interest (reactivation, disputes) |
| Inactive Account Data | Account deleted after 24 months of inactivity (with 30-day notice) | Data minimisation |
| Authentication & Session Data | Session tokens: ephemeral; refresh tokens per provider policy | Security |
| Profile Data | Duration of account + 2 years | Account lifecycle |
| Identity Verification Data (Trainee Personal ID) | 1 year after Training completion | Certificate issuance |
| Inquiry Data | Per Inquiries Rulebook §16 — typically 5 years for completed Consultations; per Cabinet Rulebook for converted Cases | Inquiries Rulebook |
| Cabinet Engagement Data (Active) | Duration of engagement | Cabinet Rulebook §20 |
| Cabinet Engagement Data (Closed) | 5 years post-Closure | Cabinet Rulebook §20.1; Georgian record-keeping standards for legal practice |
| Cabinet Engagement Data (Archived) | 5 years from original Closure | Cabinet Rulebook §20.1 |
| Cabinet Privileged Content (Notes, Documents, Chat, Custom Pages, Credentials) | Same as Case retention (5 years post-Closure) | Cabinet Rulebook §20.1 |
| Cabinet Audit Trail (Platform access logs) | Case retention period + 5 years | Cabinet Rulebook §5.5.3 |
| Subscription & Billing Data | 7 years for tax records; subscription history retained for account lifetime + 2 years | Georgian tax law; Subscriptions Rulebook |
| Calendar Data — specialist_availability | Per Privacy Policy schedule (~5 years) | Calendar Rulebook §12.3 |
| Calendar Data — specialist_external_busy | Deleted on Google Calendar disconnect or account termination | Calendar Rulebook §8.4, §12.3 |
| Calendar Data — Google OAuth tokens | Deleted on disconnect or account termination | Calendar Rulebook §12.3 |
| Video Session Metadata | Per Video Rulebook Article 11 — typically retained per Inquiry / Case lifecycle | Video Rulebook |
| Reviews & Ratings (public ratings) | Indefinite (public reputation; unless removal requested for valid reason) | Reviews Rulebook |
| Reviews — written feedback (private) | Same as Reviews retention | Reviews Rulebook |
| Pricing & Specialization Data | Active during account; archive after Specialist removes | Pricing Rulebook |
| Organisation Membership Data | Duration of membership + 2 years post-departure | Organisation T&C |
| Token Economy Data | 30-day token lifetime per Organisation T&C; transaction history 7 years for tax purposes | Organisation T&C Article 6; Georgian tax law |
| Marketing & Conversion Tracking Data — _fbp cookie | 90 days (Meta default) | Cookie Policy v2.0; Meta's standard cookie lifetime |
| Marketing & Conversion Tracking Data — _fbc cookie | 90 days (Meta default) | Cookie Policy v2.0; Meta's standard cookie lifetime |
| Marketing & Conversion Tracking Data — events transmitted to Meta | Per Meta's retention policies (Platform cannot recall transmitted data) | Meta data processing terms |
| Cookie consent records (server-side audit) | Account lifetime + 2 years | Audit trail for consent compliance |
| Cookie consent session ID (cookie_consent_session) | 365 days | Cookie Policy §3.2 |
| Transaction/Payment Records | 7 years | Georgian tax law requirements |
| Communication Records | 3 years | Dispute resolution |
| Published Content (posts, articles, training materials) | Indefinite (unless removal requested) | Public interest, Platform operation |
| Analytics Data | Aggregated/anonymised — indefinite | Service improvement |
| Audit Trail Data (general Platform access logs) | 5 years | Security, accountability |
Detailed retention rules for specific roles and Function features are set forth in:
When you delete your account or request data deletion:
(a) We will delete or anonymise your personal data within 30 days;
(b) Certain data may be retained where required by law (e.g., tax records for 7 years; Cabinet Case data for 5 years post-Closure if matters were converted);
(c) Data shared with other users (e.g., reviews, published content, Cabinet Chat between Specialist and Client) may be anonymised rather than deleted to preserve the integrity of communications already shared;
(d) Data necessary for ongoing legal proceedings may be retained until those proceedings conclude;
(e) Cabinet-derived audit trails are retained for the Case retention period plus 5 years per Cabinet Rulebook §5.5.3.
Court orders or regulatory directives that compel disclosure are handled per Section 9.4. Data subject access requests under Section 10 may surface personal data despite retention scheduling.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.
Technical Measures:
Organisational Measures:
You are responsible for:
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
(a) Notify the Personal Data Protection Service of Georgia within 72 hours where the breach poses a risk to data subject rights, in compliance with the 2023 Georgian Personal Data Protection Law;
(b) Notify affected individuals without undue delay where the breach poses a significant risk to their rights and freedoms;
(c) Take steps to mitigate the impact of the breach;
(d) For Cabinet content breaches: notify the Lead Specialist of the affected Case immediately; the Specialist's professional obligations regarding privilege and Bar rules apply independently.
The Cabinet (Litigation Case management module) stores attorney-client privileged content. Per Cabinet (Litigation) Function Rulebook v1.0 Article 5, all Cabinet content is treated as Privileged Content by default.
This includes:
Cabinet content is stored with standard encryption-at-rest as the Platform's default protective measure (per Cabinet Rulebook §5.3).
(a) Where applicable Georgian or other law specifically requires end-to-end encryption for legal practice content, the Platform commits to upgrading to end-to-end encryption for affected Cases;
(b) The Platform's standard encryption protects against external attackers; the Platform retains the technical capability to decrypt Privileged Content for legitimate operational purposes, but contractually commits not to do so absent the three narrow grounds in §9.3.
We have corrected this Policy in v2.0 to accurately reflect the Cabinet Rulebook's encryption framework. The earlier version of this Policy contained an inaccurate statement claiming end-to-end encryption with no Platform technical access; this has been corrected.
The Platform commits NOT to access Cabinet Privileged Content except on the following specific grounds (per Cabinet Rulebook §5.2):
(a) Legal compulsion — court order, regulatory directive, or other legally binding requirement;
(b) Specialist's explicit request for technical support that requires content access (the Specialist provides scoped access);
(c) Investigation of suspected serious misuse — fraud, illegal activity, security incident — subject to internal Platform-Admin approval procedures, audit logging per §9.5, and Specialist notification where lawful.
The Platform's access is NOT permitted for:
Where the Platform receives a court order or other legally binding directive compelling disclosure of Cabinet content (per Cabinet Rulebook §5.7):
(a) The Platform shall notify the affected Specialist of the demand before disclosure where legally permissible (i.e., where no gag order or similar restriction applies);
(b) The Platform shall give the Specialist a reasonable opportunity to assert privilege through their own counsel;
(c) The Platform shall comply with the order's scope only and not voluntarily disclose data beyond what is compelled;
(d) Where notification is prohibited, the Platform shall notify the Specialist as soon as the prohibition expires.
The Specialist remains primarily responsible for asserting privilege; the Platform's role is procedural.
Every instance of Platform access to Privileged Content is recorded in an immutable audit trail (per Cabinet Rulebook §5.5):
(a) Timestamp;
(b) Identity of accessing party (Platform staff member, system process);
(c) Reason for access (per the §9.3 grounds);
(d) Scope of access (which Case, which content);
(e) Court order or regulatory directive reference where applicable.
The audit trail is viewable by the Lead Specialist of the affected Case through the Platform interface or upon request.
The audit trail is preserved for the Case retention period plus an additional 5 years.
Privilege protections continue indefinitely after:
Privilege protections lapse only upon lawful waiver by the privilege holder (typically the Client), court order specifically requiring disclosure, or other lawful basis under Georgian law.
For Cabinet Cases:
(a) The Specialist (or Affiliated Company, where applicable) is the Data Controller for Client personal data entered into the Cabinet;
(b) The Platform provides technical infrastructure as Data Processor for Specialist-Controller data;
(c) Specialists and Companies are responsible for their own data protection compliance regarding their Clients;
(d) The Specialist's professional obligations to maintain attorney-client privilege under the Georgian Bar Association rules and applicable law are independent of and additional to the Platform's protections (per Cabinet Rulebook §5.6).
Cabinet Custom Pages support link-based sharing where anyone with the URL can view the page (per Cabinet Rulebook §14.3).
(a) This sharing model is at the Specialist's discretion — the Specialist controls distribution by sharing the URL only with intended recipients;
(b) Distribution of Custom Page URLs to non-Case-Participant third parties may waive privilege with respect to those recipients;
(c) The Specialist bears responsibility for the privilege consequences of distributing Custom Page URLs;
(d) The Platform does not control onward distribution once a URL has been shared.
Under applicable data protection laws, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Request correction of inaccurate data |
| Erasure ("Right to be Forgotten") | Request deletion of your data |
| Restriction | Request limitation of processing |
| Data Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent for processing based on consent |
| Complaint | Lodge a complaint with the supervisory authority |
To exercise any of these rights, please contact us at:
Email: contact@legal.ge
Subject Line: "Data Subject Request — [Type of Request]"
Include:
We may need to verify your identity before processing your request. We will ask you to provide information that matches our records.
We will respond to your request within 30 days. If your request is complex or we receive many requests, we may extend this period by up to 60 additional days, in which case we will notify you.
Your rights may be limited in certain circumstances:
If you believe we have not handled your data correctly, you have the right to lodge a complaint with:
Personal Data Protection Service of Georgia (which superseded the State Inspector's Service in 2022)
Address: 7 Vachnadze Street, 0105, Tbilisi, Georgia (Branch office: Bako Street No. 48, Batumi, Georgia)
Email: office@pdps.ge
Phone: +995 032 242 10 00
Website: https://personaldata.ge/en or https://pdps.ge
For EU residents, you may additionally complain to your local data protection authority.
With your consent, we may send you marketing communications about:
We will only send marketing communications if you have given explicit consent. You provide consent by:
You may withdraw marketing consent at any time by:
Withdrawal of consent does not affect:
We use cookies and similar technologies on our Platform. Cookies are small text files stored on your device that help us provide and improve our services.
We operate a strict opt-in cookie policy. Non-essential cookies are only placed after you provide affirmative consent through our cookie banner.
For detailed information about the cookies we use, their purposes, and how to manage them, please see our separate Cookie Policy.
The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children under 18.
If we become aware that we have collected personal data from a child under 18 without appropriate consent, we will take steps to delete that data as soon as possible.
If you believe we have inadvertently collected data from a minor, please contact us immediately at contact@legal.ge.
Our Platform may contain links to third-party websites, services, or resources. This Privacy Policy does not apply to those external sites.
We are not responsible for the privacy practices of third-party websites. We encourage you to read the privacy policies of any external sites you visit.
We endeavour to link only to reputable, relevant external resources. However, inclusion of a link does not constitute endorsement.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
If we make material changes to this Policy, we will notify you by:
Where this Policy is updated to reflect changes in a Function Rulebook (e.g., Cabinet, Subscriptions), the corresponding Function Rulebook's amendment process governs the substantive change. Material amendments to a Function Rulebook require 30-day advance notice and affirmative re-consent per the applicable Rulebook's amendment provisions.
We encourage you to review this Policy periodically to stay informed about how we protect your data.
Your continued use of the Platform after changes become effective constitutes acceptance of the updated Policy. If you do not agree with changes, you should stop using the Platform and may request deletion of your data.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Legal Sandbox Georgia LLC
Registration Number: 405713768
Address: Tbilisi, Agmashenebeli Alley N240, Georgia
Email: contact@legal.ge
CEO: Vakhtang Baramashvili
We aim to respond to all inquiries within 14 days.
This Privacy Policy is governed by the laws of Georgia, including the Georgian Law on Personal Data Protection No. 3144 of 2023. Where applicable, the GDPR applies in addition to Georgian law for EU residents.
The Georgian language version of this Policy prevails in case of any conflict or ambiguity with translations.
For your convenience, here is a summary of key information:
| Topic | Summary |
|---|---|
| Data Controller | Legal Sandbox Georgia LLC (except Cabinet Cases, where Specialist is Controller) |
| Contact Person | Vakhtang Baramashvili (CEO) |
| DPO Status | Under assessment per 2023 Georgian law |
| Contact Email | contact@legal.ge |
| Data Location | Primarily EU (Germany); payment data with Bank of Georgia in Georgia |
| Cookies | Strict opt-in consent required |
| Marketing | Opt-in only, easy unsubscribe |
| Cabinet Content | Privileged by default; Platform access only on three narrow grounds; standard encryption with E2E if law requires; immutable audit trail viewable by Lead Specialist |
| Marketing Tracking | Meta Pixel + Meta Conversions API; explicit consent required; data transferred to Meta (US) under consent + SCCs; DPIA required (Schedule A item 19) |
| Cabinet Retention | 5 years post-Closure |
| Tax Records Retention | 7 years |
| Your Rights | Access, rectification, erasure, portability, objection, complaint |
| Response Time | 30 days for data requests, 14 days for general inquiries |
| Breach Notification | Within 72 hours where breach poses risk to data subject rights |
| Age Requirement | 18+ only |
| Supervisory Authority | Personal Data Protection Service of Georgia (PDPS) |
LEGAL SANDBOX GEORGIA LLC
Version 2.1 — Effective 13 May 2026
© 2026 LegalGE. All rights reserved.