Privacy Policy.

1. Who we are.

Kefilex is a product of Kefilab, based at 301 Bath Road, Hounslow, London TW3 3DB, United Kingdom. We are the data controller for personal data described below. This policy applies to the marketing site at kefilex.com, the Kefilex web application at app.kefilex.com, and the platform-admin surface at admin.kefilex.com.

When you connect a Clio account to Kefilex, we act as a data processor for the matter / contact / time-entry / bill records inside that Clio account on the firm's behalf — see the Data Processing terms incorporated into our Terms of Service.

2. Information we collect.

Account & authentication

Your email address, optional display name, and timestamps for sign-in events. We use a passwordless email-magic-link flow via our authentication sub-processor (Supabase) — we never see or store your password.

Firm & integration data

When a firm administrator connects a Clio account, we receive via OAuth: a Clio access token and refresh token (used only to fetch records on the firm's behalf), the firm's Clio account ID and region, and a copy of the firm's matters, contacts, time entries, bills, fee earners and practice areas (refreshed in real time via webhooks plus a daily reconcile). We do not ingest Clio documents, calendar items, communications or trust-account balances, and we never write back to Clio.

Subscription & billing

When a firm subscribes to a paid plan we receive a Stripe customer ID and subscription state from our billing sub-processor (Stripe). Card details are entered directly into Stripe's hosted page and never reach Kefilex servers.

Product analytics — consent-gated, trial tenants only

For firms on a 48-hour trial who explicitly consent at the consent banner, we collect product-usage events and masked session recordings through PostHog (EU region). All form-input contents are masked at capture by default; recordings are used solely for product-UX research and never shared outside the Kefilab team. Paying tenants and sandbox tenants don't load the analytics SDK at all and have zero session-recording exposure.

Marketing-site analytics — consent-gated

On kefilex.com we use PostHog (EU region) for product analytics. With your explicit consent (the "Allow analytics" banner) we capture pageviews, click events, scroll depth, web vitals, heatmaps, and session recordings of mouse movement, scrolling and clicks with form-input contents masked at capture. We never see what you type into a field; only submitted form values reach us, and only after you press the submit button. Decline the banner and zero events are sent. Full breakdown on the Cookies & analytics page. Analytics requests route through kefilex.com/ingest (a reverse proxy to PostHog EU) so that browser-level ad-blockers don't silently drop them — the data still flows to PostHog EU under the same consent gate.

Server logs and operational telemetry

We retain HTTP request metadata (timestamps, IP addresses, response codes, user-agent strings) for 14 days in our hosting provider's standard log retention. Used solely to diagnose service issues and detect abuse.

3. Lawful bases for processing.

• ·Providing the service to a logged-in user — Contract (UK GDPR Article 6(1)(b)).
• ·Marketing to prospective customers — Legitimate interest (Article 6(1)(f)); we honour every opt-out.
• ·Product analytics on trial tenants — Consent (Article 6(1)(a)); withdrawable at any time.
• ·Billing and fraud prevention — Legitimate interest and contract.
• ·Compliance with UK / EU legal obligations — Legal obligation (Article 6(1)(c)).

4. Sub-processors.

Each processes personal data on our behalf under written terms that mirror or exceed UK GDPR Article 28. List current as of the effective date above; we revise it whenever a sub-processor changes.

When a sub-processor is located outside the UK we rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum, plus the sub-processor's published transfer-impact assessment.

5. How we share information.

We share personal data only with: (a) the sub-processors listed above, strictly to deliver the service; (b) law enforcement or regulators when required by a binding legal request; and (c) a successor in a sale of the business (with written notice to the firm). We do not sell personal data, ever, full stop.

6. Data residency.

Customer data is stored in the United Kingdom (Supabase eu-west-2). Some sub-processors are headquartered in the USA or Canada and operate from EU regions; transfers occur under the contractual safeguards described in §4.

7. Retention.

• ·Account email + display name — while the account is active; 30 days after account deletion, then permanently erased.
• ·Clio-sourced cached records (matters, contacts, time entries, bills) — while connected; 30 days after disconnect, then permanently erased. A firm administrator can request immediate deletion from Admin → Clio settings.
• ·Billing and subscription records — 7 years (UK tax / HMRC requirement).
• ·Server logs and operational telemetry — 14 days.
• ·Audit log entries (platform admin actions) — retained indefinitely as a tamper-evident operational record.

8. Your rights.

As a UK or EU resident you have the right to:

• ·Access the personal data we hold about you
• ·Rectify inaccurate personal data
• ·Erase your personal data (subject to legal-retention overrides like the billing-records rule above)
• ·Restrict or object to processing
• ·Port your data to another provider
• ·Withdraw consent for any processing based on consent (including product analytics) at any time
• ·Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority

To exercise any of these rights, email privacy@kefilab.com. We respond within 30 days, or sooner where the request is straightforward.

9. Cookies and similar technologies.

We use only the strictly-necessary cookies required for sign-in and session management. We do not use advertising cookies. If you are a trial-tenant user who consented to product analytics, the PostHog SDK sets a first-party cookie scoped to your tenant; withdraw consent in Settings → Privacy to clear it. Full details on the Cookies & analytics page.

10. Children.

Kefilex is a business product intended for legal-practice professionals. It is not directed at anyone under 18, and we do not knowingly collect personal data from children. If you believe a child has provided data to us, contact privacy@kefilab.com and we will erase it.

11. Security.

For a full description of our security posture see the Security Policy. In summary: HTTPS everywhere, AES-256-encrypted storage, application-layer encryption of long-lived integration credentials, dependency vulnerability scanning, written incident-response playbook, and a 72-hour breach-notification commitment.

12. Breach notification.

If we confirm a personal-data breach we will notify the UK Information Commissioner's Office without undue delay and in any event within 72 hours of confirmation, as required by UK GDPR Article 33. We will notify affected customers in parallel by email to their registered administrator address with the information required by Article 33(3).

13. Changes to this policy.

We may update this policy from time to time. Material changes will be announced by email to active customers at least 30 days before they take effect, and the "Effective" date at the top of this page will be updated. Continued use of the service after the effective date constitutes acceptance.

14. Contact us.

• ·Privacy queries: privacy@kefilab.com
• ·General enquiries: info@kefilab.com
• ·Postal: Kefilab, 301 Bath Road, Hounslow, London TW3 3DB, United Kingdom

Last updated 13 May 2026. The contact above is the named point of contact for all data-protection matters.