Legal
Data Protection Policy
Last updated: May 15, 2026
1. Purpose
This policy outlines how ModulawAI Inc. (incorporated in Delaware, USA; principal place of business: 7 Peter Utulu Close, Anu Crescent, Badore, Ajah, Lagos, Nigeria; registered agent: Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713) and its Nigerian subsidiary ModulawAI Nigeria Limited (RC-8401723) (together, “ModulawAI”) collect, handle, store, and protect personal and sensitive data. It ensures compliance with the Nigeria Data Protection Regulation (NDPR) and Nigeria Data Protection Act (NDPA), the General Data Protection Regulation (GDPR), applicable US state privacy laws, and industry best practices, while building trust with clients, users, and legal institutions.
Next review date: May 15, 2027. Acting Data Protection Officer: Founder (see section 17).
2. Scope
This policy applies to:
- All employees, contractors, and service providers of ModulawAI in all jurisdictions.
- All user data, legal documents, and platform interactions.
- All tools, systems, and subprocessors that process data on behalf of ModulawAI.
3. Data classification
| Classification | Examples | Sensitivity | Handling |
|---|---|---|---|
| Personal data | Email, name, login IP, device ID | High | Encrypted at rest; access-controlled |
| Sensitive legal data | Uploaded court judgments, case notes, client correspondence | Very high | Encrypted at rest and in transit; staff access only with user consent; never used for AI training |
| Privileged content | Attorney-client communications, draft legal advice, litigation strategy documents | Critical | Treated as confidential and legally privileged; no access by ModulawAI personnel without explicit consent; excluded from all analytics and AI training |
| Employee / contractor data | Names, contact details, contracts, payroll, performance records | High | Stored in HR systems; HR and senior management access only; retained per local employment law |
| Anonymous / aggregated data | Click events, heatmaps, aggregated usage statistics | Low | May be shared with analytics partners subject to consent |
4. Roles and responsibilities
| Role | Entity / person | Responsibility |
|---|---|---|
| Data controller | ModulawAI Inc. (US parent) | Determines purposes and means of processing; ultimate accountability |
| Data controller (Nigeria) | ModulawAI Nigeria Limited | Processes data under instruction from ModulawAI Inc. per intra-group agreement; local NDPC accountability |
| Data processors | Microsoft Azure, AWS (Bedrock + Amplify), MongoDB Atlas, Pinecone, Neo4j, AI providers (Azure OpenAI, AWS Bedrock, Fireworks AI, Anthropic), voice providers (LiveKit, Deepgram, ElevenLabs, Cartesia), Paystack, Stripe, ZeptoMail, WhatsApp/Meta, search and legal-data providers (Tavily, Bing, Google CSE, CourtListener, CanLII, EUR-Lex, TinyFish), analytics providers — full list in §11 | Process data on our behalf under written data-processing agreements |
| Acting DPO | Founder (engineering and product lead) | See section 17 for conflict acknowledgement |
| Independent legal reviewer | Chief Legal Officer (Mr. Oluwatobi Andrew Owoeye, LL.B, B.L) | Reviews data subject requests, subprocessor objections, and policy correspondence directed to dpo@modulaw.ai |
5. Lawful basis for processing
We collect and process data based on:
- User consent for optional analytics, marketing cookies, calendar integration, and AI processing of uploaded documents.
- Contractual necessity for account creation, service delivery, and billing.
- Legitimate interests for security monitoring, fraud prevention, and anonymized service improvement (subject to balancing test; see Privacy Policy section 5).
- Legal obligation for financial records, regulatory compliance, and data breach reporting.
6. Data collection and usage
| Data | Purpose | Basis |
|---|---|---|
| Email and password | User authentication | Contract |
| Court judgments (PDFs) | Legal research and case management | Contract / Consent |
| Chatbot queries | AI-driven legal assistance | Contract |
| Payment information | Subscription management (via Paystack and Stripe) | Contract; legal obligation |
| Usage logs | Security, error tracking | Legitimate interests |
| Analytics data | UX improvements (anonymized) | Consent |
7. Data storage and security
- User data stored in MongoDB Atlas with role-based access control.
- Legal documents and files stored in Azure Blob Storage (AES-256 encryption at rest).
- Case-law relationship graphs stored in Neo4j; session state and rate-limit counters in Redis (Azure-hosted).
- AI embeddings and vector data stored in Pinecone (anonymized; see section 14).
- OCR / form parsing on uploaded documents performed by Azure Document Intelligence; extracted text retained according to the document’s retention rules and not used for AI model training.
- AI inference is routed to multiple providers (Azure OpenAI, AWS Bedrock, Fireworks AI, Anthropic) based on the task. Each provider operates under a no-training assurance for API inputs.
- Voice and call data flows through LiveKit (transport), Deepgram (transcription), and ElevenLabs / Cartesia (synthesis). Call recordings and transcripts are stored in our Azure Blob Storage and inherit our retention rules.
- TLS 1.2+ encryption in transit for all data transfers.
- Daily encrypted backups.
- Security logs monitored and retained for 90 days.
8. Access controls
- Role-based access for all internal tools and systems.
- Passwords stored using bcrypt hashing.
- Access logs reviewed bi-monthly.
- Admin actions recorded and auditable.
- Staff access to user-uploaded legal documents is prohibited except for technical support with the user’s explicit consent, logged, and time-limited.
9. Data retention and deletion
| Data type | Retention period |
|---|---|
| Active user accounts | Duration of account plus 12 months after last activity |
| Chat history | 90 days (unless deleted by user earlier) |
| Uploaded documents (no active case link) | 180 days |
| Uploaded documents (linked to active case) | Duration of case plus 90 days after closure |
| Payment and billing records | 7 years (legal and tax obligation) |
| Security and access logs | 90 days |
| Employee and contractor data | Duration of engagement plus applicable statutory period (minimum 6 years) |
Users may request deletion of their data at any time by contacting dpo@modulaw.ai, subject to legal retention obligations.
10. Cross-border data transfers (US–Nigeria)
Data processed by ModulawAI may flow between ModulawAI Inc. (US) and ModulawAI Nigeria Limited. These intra-group transfers are governed by a Data Transfer and Processing Agreement that incorporates:
- Standard Contractual Clauses (SCCs) as required for transfers affecting EEA or UK data subjects.
- The transfer mechanism approved by the Nigeria Data Protection Commission (NDPC) for international transfers of Nigerian personal data.
Data processed by our subprocessors (e.g. Microsoft Azure, Pinecone) may also be transferred internationally subject to their respective data processing agreements.
11. Third-party subprocessors
We engage the subprocessors below to deliver the Service. Each is bound by a written agreement containing confidentiality, security, and (where applicable) data-protection obligations equivalent to those in this policy. We notify customers at least 30 days before adding a new subprocessor that processes Personal Data on our behalf (see our DPA, §6).
The authoritative, continuously-maintained list — including a changelog of additions and removals — lives at modulaw.ai/subprocessors. The tables below mirror that page as of the “Last updated” date at the top of this policy.
Infrastructure & storage
| Provider | Purpose | Location |
|---|---|---|
| Microsoft Azure | Primary cloud hosting (App Service, Static Web Apps, Blob Storage) | US East 2 / EU |
| AWS | Bedrock AI inference; Amplify hosting for the ModulawAI for Word add-in | US / EU regions |
| MongoDB Atlas | Primary application database (user accounts, conversations, cases, contacts) | US / Azure regions |
| Neo4j | Graph database for case-law relationship analysis | US / EU |
| Redis | Session caching and rate-limiting | Azure region |
| Pinecone | Vector database for AI embeddings | US |
| Azure Document Intelligence | OCR and form parsing on uploaded documents | US / EU |
AI / inference providers
| Provider | Purpose | Location |
|---|---|---|
| Azure OpenAI Service | Chat completions and text embeddings | US / EU |
| AWS Bedrock | Chat completions on hosted foundation models (Anthropic Claude, Amazon Nova, Meta Llama, Moonshot Kimi) | US / EU regions |
| Fireworks AI | Chat completions on open-weight reasoning models | US |
| Anthropic | Where used directly outside Bedrock (e.g. some ModulawAI for Word features) | US |
| LangSmith (LangChain) | Optional LLM-call tracing; only active when tracing is enabled by configuration | US |
Each AI provider receives the prompt and contextual snippets necessary to answer a request. Where the provider offers no-training assurances (Azure OpenAI, AWS Bedrock, Anthropic API), we rely on those contractual commitments to ensure inputs are not used to train base models.
Voice and real-time communication
| Provider | Purpose | Location |
|---|---|---|
| LiveKit | Real-time voice/video infrastructure for AI voice agent and call features | US / EU / global edge |
| Deepgram | Speech-to-text transcription of call recordings | US |
| ElevenLabs | Text-to-speech voice synthesis for AI responses | US |
| Cartesia | Text-to-speech fallback provider | US |
Email, messaging, payments, security
| Provider | Purpose | Location |
|---|---|---|
| Paystack | Payment processing (NGN subscriptions, invoices, seat purchases) | Nigeria / US |
| Stripe | Payment processing (non-NGN subscriptions) | United States / EU |
| ZeptoMail (Zoho) | Transactional email delivery (OTP codes, receipts, booking confirmations) | India / US |
| WhatsApp Business / Meta | OTP and booking notifications where the user opts in | US / Ireland |
| Google reCAPTCHA | Bot protection on public forms | US |
Research, search and legal data sources
| Provider | Purpose | Location |
|---|---|---|
| CourtListener | US case law lookup and citation verification | US |
| CanLII | Canadian case law lookup | Canada |
| EUR-Lex | EU legislation lookup | EU |
| TinyFish | Browser-based citation verification for jurisdictions without an official API (UK, Ghana, Kenya, South Africa) | US |
| Tavily | Web search augmentation for research queries | US |
| Bing Search API (Microsoft) | Web search augmentation | US / EU |
| Google Custom Search | Web search augmentation | US |
Analytics and marketing (consent-gated)
| Provider | Purpose | Location |
|---|---|---|
| Google Analytics (GA4) | Website analytics (anonymized) | US |
| Microsoft Clarity | Behavioral analytics (masked) | US |
| Meta (Facebook Pixel) | Marketing attribution | US |
| TikTok Pixel | Marketing attribution | US |
| X / Twitter Ads | Marketing attribution | US |
| Apollo | Marketing attribution | US |
User-authorised integrations
The following are not subprocessors in the traditional sense; users (or workspace administrators) choose to connect their own accounts and we act on their authorised instructions. Data flows to and from these systems are governed by the third party’s own terms.
| Provider | Purpose |
|---|---|
| Google Workspace (Gmail, Calendar, Drive) | Email, calendar, document access on user authorisation |
| Microsoft 365 (Outlook, OneDrive, Teams Calendar, Word add-in) | Email, calendar, document access on user authorisation |
| Zoho (CRM, Mail, Bookings) | CRM / email / scheduling sync on user authorisation |
12. Employee and contractor data
ModulawAI processes personal data about its employees and contractors including names, contact details, employment contracts, payroll information, and performance records.
- Processed on the basis of contractual necessity and legal obligation.
- Accessible only to HR and senior management with a legitimate need.
- Retained for the duration of employment plus the applicable statutory period under Nigerian or US law (minimum 6 years).
- Employees and contractors have the same data rights as users (see section 13).
13. User rights
In line with NDPR, NDPA, GDPR, and applicable US privacy law, data subjects have the right to:
- Access their personal data.
- Correct inaccurate or incomplete data.
- Request deletion (subject to legal retention obligations).
- Object to processing.
- Request data portability.
- Withdraw consent at any time.
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
Requests: dpo@modulaw.ai. We will respond within 30 days.
14. AI-specific data governance (Pinecone and embeddings)
ModulawAI uses Pinecone as a vector database to store AI embeddings: mathematical representations of text used to power semantic search and AI responses.
- Embeddings are derived from legal case law and public legal materials, not from user-uploaded documents or personal data.
- User-uploaded documents are processed transiently for the purpose of answering a specific query; they are not stored as persistent embeddings in Pinecone.
- Embeddings are mathematical vectors that cannot, in normal circumstances, be reverse-engineered to reconstruct the original text. However, we apply access controls to Pinecone to reduce any residual risk.
- No personal data is knowingly stored as an embedding in Pinecone.
15. Data protection impact assessments (DPIA)
ModulawAI conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals’ rights and freedoms. DPIAs are required under NDPR for high-risk processing, which includes:
- Processing of sensitive legal data and privileged attorney-client communications.
- AI-powered processing of legal documents at scale.
- Any new feature involving systematic processing of personal data.
DPIAs are documented internally and reviewed annually or upon material changes to the relevant processing activity.
16. Data breach notification
If a data breach occurs:
- The breach will be assessed and contained immediately upon discovery.
- Affected users and relevant regulatory authorities (including NDPC) will be notified within 72 hours where required.
- A root cause analysis will be completed within 7 days.
- Remediation steps will be documented and implemented.
17. Data protection officer — conflict acknowledgement
ModulawAI’s Founder, who also leads engineering and product, currently serves as the acting Data Protection Officer. ModulawAI acknowledges that under NDPR and GDPR the DPO should be functionally independent from operational decision-making, and that combining the DPO role with founder-level operational authority creates a potential conflict of interest.
Material requests, data subject rights exercises, and regulatory matters submitted to dpo@modulaw.ai are reviewed by our Chief Legal Officer, Mr. Oluwatobi Andrew Owoeye (LL.B, B.L; in active legal practice since 2014; profile at /about), who provides functionally independent legal assessment. This independent legal review provides a substantive mitigation of the Founder/DPO conflict pending the appointment of a dedicated DPO.
dpo@modulaw.ai is a shared mailbox with access limited to a defined set of authorised reviewers — currently the acting DPO (Founder) and the Chief Legal Officer. Access is logged and reviewed periodically. ModulawAI remains committed to appointing an independent, dedicated Data Protection Officer as operations scale.
18. Policy review
This policy is reviewed annually and updated following material changes to data architecture, legal requirements, or regulatory guidance.
19. Contact
Data Protection Officer (Acting)
Email: dpo@modulaw.ai
ModulawAI Inc.
7 Peter Utulu Close, Anu Crescent, Badore, Ajah, Lagos, Nigeria (Principal Office)
Registered Agent: Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA
ModulawAI Nigeria Limited (RC-8401723)