Privacy Policy: Duplar AI Infrastructure

Last Updated: 27th April 2026

1. Introduction

Duplar (“we”, “us”, or “our”) provides automated legal intake and administrative infrastructure designed specifically for law firms. We understand that for legal professionals, data privacy is not just a regulatory requirement but a matter of Legal Professional Privilege. This policy outlines how we process data as a Data Processor on behalf of our clients (the “Firm”).

2. The ‘Stateless’ Data Principle

Unlike standard consumer AI tools, Duplar operates on a Stateless Architecture. This means:

  • Zero-Persistence: We do not store client matter data, enquiry details, or document contents on our servers permanently.
  • In-Memory Processing: Data is processed “in-memory” via encrypted transit and is purged immediately once the automation cycle (e.g., matter creation in your CRM) is complete.
  • No Training: We utilize Private Enterprise API tiers. Your data is never used to train global AI models (such as public versions of ChatGPT).

3. Data We Process

As part of our Automated Intake Solution, we process the following categories of data on your instruction:

  • Contact Information: Name, email, and phone numbers from prospective clients.
  • Matter Details: Fact patterns, legal enquiries, and case backgrounds extracted from emails, web forms, and IM channels.
  • Identity & Evidence: Information contained within documents uploaded for analysis (e.g., IDs, contracts).

4. Sub-Processors & Security

To provide our infrastructure, we utilize high-tier technical partners who meet rigorous international security standards:

  • Make.com (Integromat): Used as the automation “engine.” We configure all scenarios with “Data Logging OFF” and “Data is Confidential” modes enabled to ensure no records of your data remain in the automation logs.
  • Enterprise API Providers (OpenAI/Groq): We access these models via Private API Tiers that explicitly opt-out of data training and enforce strict 30-day (or less) data deletion policies on their backend, though our workflows are designed to trigger immediate purging.
  • Encryption: All data is encrypted in transit using TLS 1.2 or higher.

5. Confidentiality & Legal Professional Privilege

We acknowledge our role in the legal supply chain. Our systems are engineered to ensure that the Firm maintains exclusive custody of the client record within their chosen Practice Management System (e.g., Clio, Lawcus). Duplar does not maintain a secondary database of your client files.

6. GDPR Compliance

In accordance with UK GDPR:

  • Data Minimisation: We only process the data necessary to complete the specific automation task.
  • Right to Erasure: Since we do not store your data, “erasure” is inherent to our system architecture.
  • Data Subject Access Requests (DSAR): As the Firm remains the Data Controller, we will assist you in responding to any DSARs by providing technical information regarding the data flow.

7. Contact Us

For enquiries regarding data processing or to request our full Data Processing Addendum (DPA), please contact: Privacy Officer, Duplar Digital at: alan@duplar.digital