Privacy Policy

Last updated: 23 May 2026 · Effective date: 23 May 2026

Please read this Privacy Policy in full.

It forms part of, and must be read together with, our Terms of Service, Cookie Policy, AI Policy and Sub-Processor List. By creating an account or using the Service you confirm that you have read and understood it. If you do not agree, please do not use the Service.

1. About this notice

This Privacy Policy explains how Big Berri Limited (trading as "Writford", "we", "us", "our") collects, uses, stores, shares and protects personal data when you use the Writford platform, including writford.co.uk, any associated sub-domains, the web application, the API, and any other service we provide (collectively the "Service"). It also explains your rights under the United Kingdom General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018").

2. Who we are

Controller: Big Berri Limited
Trading as: Writford
Company number: 16562429
Registered in: England and Wales
ICO registration number: ZC119995
General contact: info@writford.co.uk
Data protection: info@writford.co.uk

We are the "controller" of your personal data for the purposes of the UK GDPR when you create or administer an account, browse our website, correspond with us, or make a payment for the Service.

When our customers (typically solicitors, law firms and legal professionals) use the Service to process personal data relating to their own clients, matters, counterparties or other third parties, we act as a "processor" on their behalf. See Section 14 (Controller / Processor Relationship).

We have not appointed a statutory Data Protection Officer because we are not legally required to do so under Article 37 UK GDPR. Privacy queries are handled directly by the management of Big Berri Limited at the email address above.

3. Scope of this policy

This Privacy Policy applies to:

  • information you give us directly when signing up, subscribing, contacting support, or interacting with our website;
  • information generated automatically when you use the Service, such as usage counters and technical logs;
  • information received from the limited third-party providers listed in Section 9.

This Privacy Policy does NOT apply to:

  • Documents you select for upload. When you choose a file in the upload dialog, the file is opened, read and parsed entirely inside your web browser using client-side JavaScript. The file itself never leaves your device and is never transmitted to Writford. See Section 6.
  • The content of third-party websites linked from the Service (for example, legislation.gov.uk, The National Archives, or search results).
  • Your own professional handling of client data as a solicitor. You remain the controller of your own client files and bear full professional responsibility for any personal data you choose to input into the Service.

4. Personal data we collect

We deliberately keep the personal data we hold about you to the minimum needed to run a secure, paid, professional service.

4.1 Account data

Provided by you at signup and in your account settings:

  • Full name
  • Work email address
  • Name of law firm or organisation
  • Solicitors Regulation Authority ("SRA") number (optional)
  • Password, stored only as a bcrypt hash. We never see, store, or can recover your plain-text password.
  • User preferences (onboarding status, notification toggles, UI options).

4.2 Subscription and billing data

We do not store full payment card details. Stripe (our PCI DSS Level 1 certified payment processor) holds this information directly and provides us only with:

  • Stripe customer identifier
  • Subscription identifier, status, plan key, billing interval, current period start/end
  • Price snapshot (in pence)
  • Invoice and payment events (paid, failed, refunded, cancelled, past due).

4.3 Security and anti-fraud data

To prevent account abuse (for example, the same person creating many free-trial accounts, or automated sign-ups by bots), we collect the following at signup and login:

  • Signup IP address, taken from standard HTTP headers;
  • A device fingerprint (a non-reversible hash derived from browser and hardware characteristics);
  • Dates and timestamps of signup, email verification, login, password changes, and account deletion.

These values are written to a short-lived abuse-tracking database that automatically deletes entries ninety (90) days after creation using a database time-to-live index.

4.4 Service usage data

  • Conversation history: the messages you send to the AI and the AI's responses, stored against your account in our database until you delete the individual conversation or delete your account.
  • Mode of use: whether each query was standard chat, research, extended thinking, drafting, document analysis or image analysis.
  • Token usage counters: input and output tokens per day and per billing period, used for rate limiting and billing.
  • Audit-log entries recording that an event happened (for example "signup", "login", "chat", "account-delete") together with minimal metadata such as mode and token count. Audit logs do not contain the content of your messages.

4.5 Communication data

If you email us or contact support, we keep a record of the correspondence, including your email address, your name, the date and the contents of the message.

4.6 Website and cookie data

The Service sets only two small cookies: an HttpOnly authentication token (auth_token) and a non-sensitive login flag (auth_check). We do not use advertising cookies, marketing cookies, profiling cookies, or third-party tracking cookies. We use Google Analytics 4 and Ahrefs Analytics in cookieless mode (no cookies set on your device) to collect anonymous, aggregate website statistics (page views, traffic sources). See our Cookie Policy for detail.

4.7 Matter management data

If you use our matter management features, we collect and store the following data server-side in our database on your behalf:

  • Matter metadata: matter names, matter references, descriptions, notes, areas of law, matter status and any free-text fields you complete.
  • Client and party information: names of clients, counterparties and other entities you enter into matters and conflict-check records, together with entity types and roles (for example, "Individual", "Client").
  • Time-tracking data: descriptions of work performed, activity types, durations and dates recorded against a matter.
  • Key dates and deadlines: date labels and dates you associate with a matter (for example, "Filing deadline — 15 May 2026").
  • Collaboration data: the email addresses of other registered users with whom you share access to a matter.

Lawful basis: We process matter management data under Article 6(1)(b) UK GDPR (performance of the contract to provide the Service to you) and Article 6(1)(f) (our legitimate interest in operating and improving the Service). Where the matter data you enter relates to identifiable third parties (for example, client names or counterparty details), you are the controller of that personal data and we act as your processor — see Section 14.

Retention: Matter management data is retained for as long as your account is active. You may view, export or delete individual matters at any time from within the Service. When you delete your account, all associated matter data is removed from our primary database within thirty (30) days, subject to backup rotation as described in Section 11.

Security: Matter data is encrypted at rest (AES-256) and encrypted in transit (TLS 1.2 or higher). It is stored in MongoDB Atlas in the eu-west-2 (London) region within the United Kingdom. Access is restricted to your account and to any collaborators you expressly invite.

AI processing: Matter management data (including matter names, references, client names, time entries, key dates and conflict records) is not sent to any AI model. Only chat conversations are transmitted to the AI for processing. Chat messages pass through AWS Bedrock Guardrails (Section 6.3) which anonymises detected PII before it reaches the AI model.

What we do NOT collect

  • Uploaded documents (processed in your browser only)
  • Location data, GPS coordinates or geolocation
  • Biometric data
  • Contact lists, calendar, microphone, camera or photo-library data
  • Social-media profiles or friend graphs
  • Advertising identifiers
  • Special-category personal data (Article 9 UK GDPR), unless you yourself choose to include such data in a chat message, in which case the controller/processor terms in Section 14 apply.

5. Lawful bases for processing

We process personal data under the following lawful bases (Article 6 UK GDPR):

Basis: Where it applies
Contract, Art. 6(1)(b): To create and operate your account, deliver the Service you subscribed to (including matter management features), handle payments and invoices, and provide customer support.
Legitimate interests, Art. 6(1)(f): Account security, rate limiting, fraud prevention, abuse prevention, audit logging, business administration, and communicating with you about the Service. We have weighed these interests against your data-protection rights and consider them proportionate: the processing is necessary to prevent abuse of a paid professional service and to maintain the security and stability of the platform, and the impact on individuals is low because only minimal metadata is processed for these purposes. You may object at any time by emailing info@writford.co.uk.
Legal obligation, Art. 6(1)(c): To retain and disclose information where required by law, court order, HMRC, the ICO or another regulator.
Consent, Art. 6(1)(a): Only where expressly asked for (for example, marketing emails, which we do not currently send). You can withdraw consent at any time.

Where the personal data you input relates to a living person other than yourself, you are the controller of that data and we act as your processor. See Section 14.

6. How uploaded documents are handled

Your documents never leave your device.

Files you select for upload are parsed entirely inside your web browser using client-side JavaScript. The original file is never transmitted to Writford. Only the extracted text (and only when you press "send") is sent to the AI as part of a chat message.

6.1 Client-side parsing

When you click "upload" and choose a file (PDF, Word document, plain text, or image), the file is opened, read and converted to plain text by JavaScript running inside your browser. The file itself is never transmitted to Writford's servers. We do not have a copy of the file, we cannot read the file, and no person at Big Berri Limited can retrieve it.

6.2 Text transmission

Only when you press "send" on a chat message will the extracted text of the document be transmitted to our servers as part of the message, so that the AI can respond to it. That extracted text is then handled exactly like any other chat message under this Privacy Policy: stored in your conversation history until you delete it.

6.3 Automatic personal-data detection and anonymisation

Every chat message (including extracted document text) passes through AWS Bedrock Guardrails before reaching the Claude AI model. The guardrail runs in ANONYMIZE mode and detects common personal identifiers, including names, email addresses, phone numbers, National Insurance numbers, NHS numbers, credit and debit card numbers, dates of birth, IP addresses, and other PII types supported by AWS. Detected values are replaced with type placeholders (for example [NAME], [EMAIL], [UK_NATIONAL_INSURANCE_NUMBER]) before Claude processes the message.

After the response, the guardrail trace is checked. If PII was anonymised, we display a “Data Protection Notice” banner in the chat so you can see that redaction occurred. The anonymised version is what Claude sees; your conversation history in our database stores the text you originally typed.

This is a defence-in-depth measure, not a substitute for your own professional judgement. AWS Guardrails uses machine-learning detection and will not catch every possible form of personal data. You should not input data that would breach solicitor–client privilege or your SRA obligations without careful consideration, and you should apply the data-minimisation principle in UK GDPR Article 5(1)(c) when composing messages.

6A. Writford for Outlook add-in

Writford for Outlook is an optional Microsoft Office add-in distributed via the Microsoft Marketplace (formerly AppSource). It runs inside Outlook on the web, Outlook for Windows, Outlook for Mac and Outlook mobile, and is available only to customers on a paid Writford plan. The add-in extends the Service into your inbox and is governed by this Privacy Policy in addition to all other sections.

When you click an AI action in the add-in's task pane (for example Rewrite, Draft Reply or Summarise), the subject, sender, and body of the email currently open in Outlook are transmitted over HTTPS to Writford's backend, which forwards the request to AWS Bedrock for processing. The model response is returned to your task pane. Neither the prompt nor the response is persisted by Writford — the same no-storage rule that applies to chat under Section 6 applies to AI actions triggered from the add-in. AWS Bedrock Guardrails ANONYMIZE mode is applied to every prompt before it reaches the model, exactly as described in Section 6.3.

When you choose to attach an email to a matter from the add-in, Writford stores a link record for that email, consisting of:

  • the email subject (truncated to 200 characters);
  • the sender display name (truncated to 100 characters) and email address (truncated to 200 characters);
  • the send date as reported by Outlook;
  • the email's internet message identifier (a value already present in the email's technical headers, used so the add-in can show you which matter an email is attached to when you re-open it);
  • the first 300 characters of the email body as a search-preview snippet; and
  • the matter identifier the email was attached to.

We do not copy the full body of the email, its attachments, or its raw MIME content into Writford when you attach. The complete message remains in your Microsoft 365 mailbox under Microsoft's controllership. You can remove an attachment link at any time from the add-in's “Attach to Matter” screen; this deletes the link record described above but does not, by design, alter the audit trail entry described under Section 4.7.

The add-in authenticates by issuing a 12-hour scoped JSON Web Token after you sign in to your Writford account in a popup window. The token is stored in your browser's local storage scoped to app.writford.co.uk and is invalidated automatically if your plan loses access to the Outlook integration. We do not receive your Microsoft account password or any Microsoft access token through this flow.

Sub-processors used by the add-in are the same set listed in Section 9 (AWS for the AI call, MongoDB Atlas for the link record, AWS transactional email services). International transfers and retention periods are unchanged from Sections 10 and 11; the link record is deleted when the matter is deleted, when you unlink it, or when your account is closed, subject to the same backup-rotation window described in Section 11.

7. How we use personal data

We use the personal data described in Section 4 for these purposes only:

  • to create, authenticate and administer your account, including automated abuse-prevention checks against IP, device and email signals to prevent bulk sign-ups;
  • to deliver the AI features you subscribed to (chat, research, extended thinking, drafting, document analysis, image analysis);
  • to provide the matter management features, including storing matter metadata, time entries, key dates, conflict records and collaboration data on your behalf;
  • to enforce rate limits and the monthly token budget associated with your subscription;
  • to detect and prevent fraud, credential-stuffing, abuse of free trials, brute-force login attempts and prompt-injection attacks;
  • to issue invoices and process payments via Stripe;
  • to send transactional emails (verification, welcome, password reset, billing and security alerts) via AWS email services;
  • to maintain an audit trail of security-relevant events;
  • to respond to support requests and handle complaints;
  • to comply with law and respond to lawful requests;
  • to establish, exercise or defend legal claims.

We do NOT:

  • use your personal data, queries, documents or conversation history to train, fine-tune or develop any AI model;
  • sell, rent, barter or licence your personal data to any third party;
  • use your personal data for advertising, retargeting or profiling;
  • engage in solely-automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 UK GDPR (see Section 16).

8. AI processing and no model training

The AI features of the Service are powered by large language models accessed exclusively through Amazon Web Services in the AWS London region. Your queries never leave the UK/EEA during AI processing.

AWS is contractually prohibited from using any data submitted through its AI services (including your queries, uploaded document text and conversation history) to train, retrain or improve any foundation model. Inference is performed on a stateless basis.

Every AI response is clearly labelled as AI-generated and carries a mandatory disclaimer that it must be reviewed by a qualified solicitor before being relied upon. Every exported document is watermarked "DRAFT - FOR SOLICITOR REVIEW ONLY". See our AI Policy for full technical detail.

9. Sub-processors

We use a small, fixed list of third-party service providers ("sub-processors") to operate the Service. All are contractually bound not to use customer data for their own purposes and not to train AI models on that data. The complete, up-to-date list is published at writford.co.uk/sub-processors.

As of the date of this policy, our sub-processors are:

  • Amazon Web Services EMEA SARL: cloud hosting, AI processing services, and transactional email delivery (London region).
  • MongoDB, Inc. (MongoDB Atlas): managed database hosting in the EU region.
  • Stripe Payments Europe, Limited: subscription billing and payment processing. Stripe does not receive your chat messages, uploaded documents, AI responses or audit-log data.
  • Brave Software, Inc. (Brave Search API): search-discovery API used by the agentic chat pipeline to find UK legal sources. Queries are restricted to a UK legal / government allowlist and are sanitised before transmission — emails, phone numbers, postcodes and recognised personal-name patterns are stripped so client identity does not leave Writford.
  • The National Archives (caselaw.nationalarchives.gov.uk): UK case-law search.
  • legislation.gov.uk: UK legislation search.

We will notify account administrators by email at least thirty (30) days before adding a new sub-processor. You may object during that notice period; if your objection cannot be resolved, you may terminate your subscription without penalty.

We use Google Analytics 4 (cookieless, client_storage: 'none', anonymised IP) and Ahrefs Analytics (cookieless) for aggregate website statistics. Neither service sets cookies on your device. We do NOT use Meta Pixel, LinkedIn Insight Tag, Segment, Mixpanel, Hotjar, Clarity, PostHog, Cloudflare Analytics, or any comparable advertising, profiling, or behavioural tracking service.

10. International data transfers

Your personal data is stored and processed within the United Kingdom and European Economic Area ("EEA"). The UK recognises the EEA as providing an adequate level of data protection.

Where a sub-processor (for example, Stripe or Brave Search) has global operations and personal data may be transferred to a country outside the UK or EEA in connection with billing, search or support, the transfer is protected by one of the transfer tools recognised by the UK GDPR:

  • a UK adequacy decision;
  • the International Data Transfer Agreement ("IDTA"); or
  • the UK Addendum to the EU Standard Contractual Clauses.

We do not transfer personal data to any jurisdiction for the purpose of AI model training. All AI inference is performed within the AWS London region.

11. Data retention

Data: Retention
Account record: Until you delete your account. On deletion, removed from our primary database within 30 days; encrypted backups rotated thereafter.
Individual conversations: For as long as your account exists, unless you delete the conversation yourself.
Matter management data (matter metadata, client/party information, time entries, key dates, conflict records, collaboration data): For as long as your account exists, unless you delete the individual matter yourself. On account deletion, removed within 30 days.
Audit logs: Up to 2 years, then automatically deleted by database TTL index.
Security / abuse tracker (signup IP, device fingerprint): 90 days, then automatically deleted by database TTL index.
Rate-limit counters: Up to 90 days, then automatically deleted by database TTL index.
Billing and invoicing records: 6 years (HMRC / Companies Act 2006 requirement).
Support correspondence: Up to 2 years from date of last contact.

If a legal obligation requires us to retain personal data for longer (for example, a litigation hold), we will retain the relevant data only for as long as that obligation applies.

12. Your rights under UK GDPR

You have the following rights in relation to your personal data:

  • Right to be informed: this Privacy Policy is how we inform you.
  • Right of access: ask for a copy of the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate or incomplete data.
  • Right to erasure: ask us to delete your account and associated data. You can do this yourself from account settings, or by emailing us.
  • Right to restrict processing: ask us to stop actively using your data in certain situations.
  • Right to data portability: ask for your account data in a structured, machine-readable format.
  • Right to object: object to processing carried out on the basis of legitimate interests.
  • Rights in relation to automated decision-making: we do not carry out such decision-making (see Section 16).
  • Right to withdraw consent: where we rely on consent.
  • Right to complain: to the Information Commissioner's Office at ico.org.uk or 0303 123 1113.

To exercise any right, email info@writford.co.uk. We will respond within one calendar month (or, in rare complex cases, within three months with an interim response). We may ask you to verify your identity. There is no charge for most requests; we reserve the right to charge a reasonable fee or refuse if a request is manifestly unfounded, excessive or repetitive.

13. How we protect your data

Our technical and organisational measures include:

  • All production hosting, data storage and AI inference within the UK/EEA on reputable cloud providers (AWS London region, MongoDB Atlas).
  • TLS 1.2 or higher for all connections.
  • Encryption at rest using cloud-provider default encryption (AES-256 or equivalent).
  • Passwords stored as bcrypt hashes. We can never see or recover your plain-text password.
  • JWT authentication with short-lived (24-hour) HttpOnly, Secure, SameSite cookies and token-versioning to invalidate all sessions instantly.
  • Server-side rate limiting (per minute and per day) against brute-force and abuse.
  • Input validation and a prompt-injection filter on all AI inputs.
  • AWS Bedrock Guardrails ANONYMIZE mode on every chat message: PII is detected and replaced with type placeholders before reaching the AI model (Section 6.3).
  • Mandatory email verification (6-digit code) plus automated trial-abuse signalling on IP, device fingerprint and normalised email before a new account receives a trial.
  • Separation of sub-processors (Stripe for payments, AWS for email and AI) so no single third-party provider holds all categories of your data.
  • Audit logging of security-relevant events.
  • A documented incident-response procedure, including our obligation under Article 33 UK GDPR to notify the ICO within 72 hours of becoming aware of a personal data breach likely to result in a risk to individuals.

No system is perfectly secure. You also play an important role: use a strong, unique password, do not share your login, log out of shared devices, and keep your device and browser up to date.

14. Controller / processor relationship

Where your use of the Service involves processing personal data relating to your own clients, counterparties, witnesses or other third parties (for example, when you ask the AI to analyse a contract that names identifiable individuals, or when you enter client names, party details or case information into the matter management features), you are the controller of that personal data and we are your processor.

In that role:

  • We process that personal data only on your documented instructions (your chat messages).
  • We apply the measures in Section 13.
  • We do not use that data for any purpose other than providing the Service to you.
  • We delete that data on your instruction or when your account is deleted, subject to backup rotation in Section 11.
  • We do not engage any sub-processor beyond Section 9 without following the notice process there.
  • We will assist you, to the extent reasonably required, in responding to data-subject requests and DPIAs, on payment of our reasonable costs where the assistance is not trivial.

If you are a law firm that requires a separate written Data Processing Addendum signed on its own letterhead, please email info@writford.co.uk.

15. Children

The Service is a business-to-business product aimed at qualified legal professionals. It is not directed at children, and we do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact info@writford.co.uk and we will delete it.

16. Automated decision-making and profiling

The Service uses AI language models accessed through AWS to generate responses. We do not consider this "automated decision-making which produces legal or similarly significant effects" within the meaning of Article 22 UK GDPR, because:

  • every response is clearly labelled as AI-generated;
  • every response carries a mandatory disclaimer that it must be reviewed by a qualified solicitor before being relied upon;
  • every exported document is watermarked "DRAFT - FOR SOLICITOR REVIEW ONLY";
  • no decision about you, your clients or any third party is taken by the AI. All decisions remain with the human solicitor, who retains full professional responsibility.

We do not carry out profiling of users for marketing, pricing, credit-scoring or any other purpose.

17. Law enforcement and lawful requests

We will only disclose personal data to law enforcement, regulators or government authorities where we are compelled to do so by a lawful order (for example, a court order, a production order, or a valid statutory notice) addressed to Big Berri Limited in the United Kingdom, or where we reasonably believe in good faith that disclosure is necessary to prevent an imminent risk of death or serious physical harm. We review every request individually and challenge overbroad, improperly served or invalid requests.

18. Limitation of liability for data-related claims

Important: please read carefully.

This Section must be read together with the limitation-of-liability provisions in our Terms of Service. It applies to you as a business user purchasing the Service for use in your trade or profession.

The Service is provided to you as a business user at a low subscription price. That pricing model is only possible because our aggregate financial exposure is capped at a commercially realistic level. Accordingly:

(a) Subject to paragraph (c) below, to the maximum extent permitted by law our total aggregate liability to you for any and all claims of any kind whatsoever arising out of or relating to the processing of personal data (including, without limitation, any claim under or in connection with the UK GDPR, the Data Protection Act 2018, the common law of confidence, negligence, breach of contract, breach of statutory duty, misrepresentation, or any other legal theory) is limited to the greater of: (i) fifty pounds sterling (£50.00); or (ii) the total fees you have paid to Big Berri Limited in the twelve (12) months immediately preceding the event giving rise to the claim.

(b) The cap in paragraph (a) applies per account and across the entire lifetime of your relationship with us. It is a single aggregate cap, not a per-incident cap. It uses the same formula as the overall liability cap in our Terms of Service.

(c) Nothing in this Privacy Policy or in our Terms of Service limits or excludes any liability that cannot be limited or excluded as a matter of the law of England and Wales, including liability for:

  • death or personal injury caused by negligence;
  • fraud or fraudulent misrepresentation;
  • any statutory right of a data subject under the UK GDPR that cannot lawfully be limited by contract (in particular, any right to compensation under Article 82 UK GDPR, to the extent that such right cannot lawfully be capped);
  • any other liability that cannot be limited or excluded as a matter of law.

(d) We will not be liable for any indirect, consequential, special, incidental, punitive or exemplary loss or damage, loss of profits, loss of goodwill, loss of reputation, loss of opportunity, loss of business, loss of revenue, or loss of anticipated savings, howsoever arising, in each case to the maximum extent permitted by law.

(e) We will not be liable for any loss, damage, fine, regulatory action or disciplinary finding (including any finding by the Solicitors Regulation Authority, the Legal Ombudsman or any professional body) that results wholly or partly from:

  • your decision to input personal data, privileged information, or confidential client data into the Service;
  • your reliance on an AI-generated response without the independent review of a qualified solicitor;
  • your failure to follow the security best-practices described in Section 13 (such as sharing your password or logging in on a compromised device); or
  • any third-party service, network, platform or device outside our reasonable control.

(f) You acknowledge that: (i) the fees for the Service are low precisely because this cap is in place; (ii) you are a business user purchasing the Service for use in your trade, business or profession; (iii) the cap was agreed between business parties and has been expressly drawn to your attention in this Privacy Policy and in our Terms of Service; and (iv) you have had the opportunity to obtain independent legal advice before agreeing to the cap. You further agree that, having regard to these matters, the cap is reasonable for the purposes of section 3 of the Unfair Contract Terms Act 1977.

This Section does not affect the statutory rights of data subjects to bring claims directly under Article 82 UK GDPR to the extent those rights cannot lawfully be limited by contract, and it does not replace the statutory breach-notification obligations we owe under Articles 33 and 34 UK GDPR.

19. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, our practices, our sub-processors or our product. When we make a material change, we will:

  • update the "Last updated" date at the top of this page;
  • post a notice on the website; and
  • where we have your email address, email you at least fourteen (14) days before the change takes effect.

The current version is always available at writford.co.uk/privacy. By continuing to use the Service after a change takes effect, you confirm that you accept the revised Privacy Policy.

20. How to contact us

If you have any questions about this Privacy Policy, wish to exercise any of your rights, or want to raise a concern about how we handle your personal data, please contact:

Big Berri Limited (trading as "Writford")
Company number: 16562429 (England and Wales)
ICO registration number: ZC119995
Email: info@writford.co.uk
Website: https://writford.co.uk

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113