1. Introduction
Mowly, operated by Mowly, Lda. (hereinafter "Mowly", "we", "our", or "us"), is deeply committed to protecting the privacy and personal data of all users of our artificial intelligence legal platform. This Privacy Policy has been prepared in compliance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679), the Portuguese Personal Data Protection Law (Law No. 58/2019), and other applicable data protection legislation. This policy describes in a transparent and detailed manner how we collect, use, store, share, and protect your personal information when you use our services, including our web application, add-ins for Microsoft Word and Outlook, and any other products or services we provide.
2. Scope of Application
This Privacy Policy applies to all services provided by Mowly, namely: the web platform available at www.mowly.com; the Microsoft Word add-in that enables legal search, document analysis, pseudonymization, and other AI features directly within Word; the Microsoft Outlook add-in for professional email drafting assistance; all APIs and backend services that support these applications; and any mobile applications or other products we may develop. By using any of these services, you accept the practices described in this policy. We recommend that you read this document in full before using our services.
3. Data Controller
The data controller for your personal data is Mowly, Lda., a Portuguese commercial company headquartered in Lisbon, Portugal. As the data controller, we determine the purposes and means of processing the personal data entrusted to us, always ensuring compliance with legal obligations regarding data protection. For any questions related to the processing of your personal data, you can contact us at privacy@mowly.com or through our Data Protection Officer.
4. Roles and Responsibilities
Mowly may act in different roles regarding the processing of personal data, depending on the context:
- Data Controller: When we collect and process your personal data to manage your account, process payments, communicate with you, and improve our services, we act as the data controller. This Privacy Policy applies in full to these situations
- Data Processor: When you process documents, emails, or other content through our AI features (summarization, analysis, pseudonymization, translation, etc.), we act as a data processor on behalf of our users or the organizations that subscribe to our services. In these cases, processing is governed by our Terms of Service and any specific Data Processing Agreements
- Content processing: Any questions related to personal data included in documents or emails you submit for processing should be directed to the original data controller of that data. If we receive requests to exercise rights regarding data where we act as processors, we will forward such requests to the appropriate data controller
- Third-party websites: This Privacy Policy applies only to mowly.com and app.mowly.com domains. Third-party websites accessible from our platform, or that you used to access Mowly, are subject to their own privacy policies
5. Data We Collect
We collect different categories of personal data depending on how you interact with our services. We always apply the principle of minimization, collecting only the data strictly necessary for each purpose:
- Identification and account data: full name, professional email address, phone number (optional), firm or company name, professional title, VAT number for billing, and access credentials (passwords are never stored in plaintext or in reversible form; we keep only a salted one-way bcrypt hash, as described under Security Measures)
- Billing and payment data: billing address, credit card details (processed and stored securely by our PCI-DSS certified payment processor - we do not have access to full card numbers), transaction history and invoices
- Usage and behavior data: features used, frequency of use, search queries performed, types of documents processed (without the content), session duration, navigation patterns on the platform
- Technical data: IP address, browser type and version, operating system, device type, screen resolution, time zone, language settings, device identifiers
- Document content: text from documents submitted for analysis, summarization, translation, pseudonymization, or other AI features. IMPORTANT: this content is processed temporarily only for the time necessary to execute the requested feature and is automatically deleted after processing, never being permanently stored on our servers
- Communications: content of emails sent to our support, messages through the help chat, feedback and reviews you provide
- Preferences and settings: preferred language, notification settings, third-party API keys you choose to configure (stored encrypted), custom templates and documents you create
- Microsoft 365 integration data: when using our add-ins, we receive authentication tokens from Microsoft to access the current document in Word or email in Outlook. We do not access other documents, emails, or data from your Microsoft account beyond what you are actively working on
6. Publicly Available Information
To provide our legal search services, we access and process publicly available legal information:
- Case law: we access court decisions, rulings, and judgments publicly made available by Portuguese and European courts, official legal databases, and other authorized legal sources. This information is used to power our smart search features
- Legislation: we access legal acts, regulations, and rules published in the Official Gazette (Diário da República) and other official sources, allowing you to search and analyze the legal framework applicable to each situation
- Doctrine and institutional information: when relevant to your search, we may access information made available by regulatory bodies, professional associations, and other trusted institutional sources. This information is aggregated and presented with clear indication of the source
7. Legal Basis for Processing
The processing of your personal data is based on the following legal grounds, as applicable to each purpose:
- Contract performance (Article 6(1)(b) GDPR): processing is necessary for the performance of the service agreement you enter into with us when you create an account and use the platform, including providing legal search, document analysis, and AI assistance features
- Legal obligations (Article 6(1)(c) GDPR): processing is necessary to comply with legal obligations to which we are subject, namely tax and accounting obligations related to invoicing and record keeping
- Legitimate interests (Article 6(1)(f) GDPR): we rely on our legitimate interests to improve our services, prevent fraud, and ensure platform security, provided these interests do not override your fundamental rights
- Consent (Article 6(1)(a) GDPR): where applicable, we request your explicit consent, namely for sending marketing communications or for optional features involving additional data processing
- For special category data, if inadvertently included in documents you submit, we apply technical pseudonymization measures and ensure they are not used for any other purpose
- You may withdraw your consent at any time, without affecting the lawfulness of processing carried out based on previously given consent
8. Purposes of Processing
We use your personal data exclusively for the following specific and legitimate purposes:
- Service provision: providing all platform features, including case law, legislation, and doctrine search, document analysis and summarization, personal data pseudonymization, legal translation, opinion generation, clause suggestions, and AI assistance
- Account management: creating, maintaining, and managing your user account, authenticating your access, managing your preferences and settings
- Payment processing: processing subscriptions, charges, issuing invoices, managing renewals and refunds when applicable
- Service communications: sending essential notifications about your account, changes to terms of service, security alerts, transaction confirmations, and important feature updates
- Customer support: responding to your questions, help requests, complaints, and feedback, and resolving technical issues
- Service improvement: analyzing aggregated and anonymized usage patterns to improve user experience, optimize existing features, and develop new features
- Security and fraud prevention: protecting against unauthorized access, detecting suspicious activity, preventing platform abuse, and ensuring the integrity of our systems
- Legal compliance: fulfilling legal obligations, responding to requests from competent authorities, and defending our legal rights when necessary
- Marketing (with consent): sending newsletters, information about new features, special offers, and relevant educational content, always with an easy opt-out option
- Personalization: adapting the platform experience to your preferences, suggesting relevant features, and presenting personalized content
- Credit analysis: managing the credits system, calculating usage costs, and providing consumption reports
- AI model training: We do NOT use your document content to train AI models. Anonymized and aggregated usage data may be used to improve the overall quality of our algorithms
9. Artificial Intelligence Processing
Mowly uses advanced artificial intelligence technologies to provide its services. It is important that you understand how your data is processed in this context:
- AI models used: we use large language models (LLMs) from providers such as Google (Gemini) and OpenAI (GPT), as well as specialized models for specific tasks such as semantic search and document analysis
- Temporary processing: when you submit text for analysis, summarization, translation, pseudonymization, or other AI features, the content is sent over an encrypted connection (TLS) to the model provider, used only to execute the requested feature, and immediately discarded after processing. We do not store your document content
- Provider policies: our AI providers (Google, OpenAI) are contractually committed not to use data sent through their enterprise APIs to train their models. We exclusively use enterprise APIs with contractual privacy guarantees
- Personal API keys: if you choose to use your own API keys (feature available in settings), your requests will be processed directly with the provider using your account, and Mowly will not have access to the content of those communications
- Pseudonymization: the pseudonymization feature replaces identifiable personal data (names, addresses, identification numbers, etc.) with pseudonyms, allowing you to work with documents more securely. The mapping between original data and pseudonyms is provided only to you and is not stored on our servers
- Algorithmic transparency: we strive to be transparent about the capabilities and limitations of our AI systems. AI-generated results are presented as suggestions and support tools, not replacing professional legal judgment
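The pseudonymization feature described above, shown as an added example that is not Mowly's code: each distinct identifier is replaced by a stable placeholder, and the mapping from placeholders back to the original values is returned to the caller alongside the text rather than being kept by the service. The detection patterns (a Portuguese NIF as nine digits, an email address, a PT IBAN) and the caller-supplied name list are assumptions made to keep the example self-contained; a production feature would use a trained entity recognizer.

```python
"""Reversible pseudonymization of free text with a caller-held mapping.

Added example; not Mowly's implementation. Names are supplied by the
caller, a few identifier types are found by regex (constructed for this
example), and the placeholder -> original mapping is returned to the
caller so the service never has to persist it.
"""
import re
from typing import Dict, List, Tuple

# Constructed detection patterns for this example only. Order matters:
# IBAN runs before NIF so a long digit string is not split into NIFs.
PATTERNS = {
    "IBAN": re.compile(r"\bPT50(?:\s?\d{4}){5}\s?\d\b"),
    "NIF": re.compile(r"\b\d{9}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def pseudonymize(text: str, names: List[str]) -> Tuple[str, Dict[str, str]]:
    """Replace names and matched identifiers with [TYPE_n] placeholders.

    Returns (pseudonymized_text, mapping) where mapping is placeholder -> original.
    The same original value always receives the same placeholder, numbered in
    order of first appearance, so cross-references inside the document survive.
    """
    mapping: Dict[str, str] = {}
    seen: Dict[Tuple[str, str], str] = {}
    counters: Dict[str, int] = {}

    def placeholder(kind: str, original: str) -> str:
        key = (kind, original)
        if key not in seen:
            counters[kind] = counters.get(kind, 0) + 1
            token = f"[{kind}_{counters[kind]}]"
            seen[key] = token
            mapping[token] = original
        return seen[key]

    out = text
    if names:
        # Longest names first inside one alternation so "Ana Maria Silva"
        # is matched whole rather than partially consumed by "Ana".
        ordered = sorted(set(names), key=len, reverse=True)
        name_re = re.compile("|".join(re.escape(n) for n in ordered))
        out = name_re.sub(lambda m: placeholder("PERSON", m.group(0)), out)
    for kind, pat in PATTERNS.items():
        out = pat.sub(lambda m, k=kind: placeholder(k, m.group(0)), out)
    return out, mapping


def depseudonymize(text: str, mapping: Dict[str, str]) -> str:
    """Restore originals; placeholders are unique tokens, so literal replace is safe."""
    for token, original in mapping.items():
        text = text.replace(token, original)
    return text


# Constructed sample input (fictitious people and numbers).
SAMPLE = (
    "Contrato entre Ana Silva (NIF 123456789, ana.silva@example.com) e "
    "João Pereira (NIF 987654321). Ana Silva pagará para o IBAN "
    "PT50 0002 0123 1234 5678 9015 4."
)

if __name__ == "__main__":
    redacted, mapping = pseudonymize(SAMPLE, ["Ana Silva", "João Pereira"])
    print(redacted)   # text safe to send onward; mapping stays with the caller
    print(mapping)
    assert depseudonymize(redacted, mapping) == SAMPLE
```

Design note: keeping the mapping out of the service is what makes the "not stored on our servers" guarantee in the bullet above checkable. A practitioner reviewing such a feature should also look at what the regexes miss (addresses, dates of birth, case numbers), since anything undetected travels to the model provider in clear.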
10. Microsoft Office Add-ins
Our add-ins for Microsoft Word and Outlook operate within the Microsoft Office environment and have specific privacy characteristics:
- Limited access: the add-ins only access the document or email you are actively working on when you invoke a specific feature. We do not have access to other files, emails, contacts, or data from your Microsoft account
- Authentication: we use OAuth 2.0 tokens provided by Microsoft to authenticate the add-in. These tokens have limited scope and are automatically renewed. We do not store Microsoft credentials
- Local vs. cloud processing: certain basic features can be executed locally in the add-in, while advanced AI features require processing on our servers. Content is always transmitted encrypted
- Enterprise installation: if the add-in was installed by your organization's administrator, certain organizational policies may apply. Consult your IT department for more information
- Telemetry data: we collect minimal technical data about add-in operation (errors, load times) to ensure service quality. This data does not include document content
11. Data Sharing with Third Parties
Mowly does not sell, rent, or trade your personal data. We may share data in the following limited circumstances:
- Service providers: we share data with carefully selected service providers who help us operate the platform, including cloud infrastructure providers, payment processors, email services, and AI providers. All providers are bound by data processing agreements (DPAs) that ensure your data protection in compliance with GDPR
- Legal compliance: we may disclose data when required by law, court order, or request from a competent authority, or when necessary to protect our legal rights, safety, or property
- Business transactions: in the event of a merger, acquisition, reorganization, or asset sale, your data may be transferred as part of the transaction, always maintaining privacy protections
- With your consent: we may share data with third parties when you have given your explicit consent for such sharing
- Aggregated and anonymized data: we may share aggregated and anonymized statistics that do not allow identification of individual users, for research, market analysis, or demonstrating the value of our services
12. Third-Party Services
We use the following third-party services to operate the Mowly platform. Each is subject to its own privacy policies:
- Supabase (Infrastructure and database): data hosting in the European Union, encryption at rest and in transit, GDPR and SOC 2 compliance
- Google Cloud / Gemini AI: AI request processing, enterprise APIs with contractual guarantee of non-use of data for training, EU servers
- OpenAI: alternative AI processing, enterprise APIs with DPA, commitment to not training with customer data
- Stripe (Payments): secure payment processing, PCI-DSS Level 1 certification, we do not store card numbers
- Microsoft (Office Add-ins): add-in platform, OAuth authentication, Microsoft's privacy policy applies to Office use
- Transactional email services: sending service emails and notifications, data limited to what is necessary for delivery
13. International Data Transfers
Mowly primarily stores your data on servers located in the European Union. However, some of our service providers may be located or have servers outside the European Economic Area. When we transfer data outside the EU/EEA, we ensure adequate levels of protection through the following mechanisms:
- Adequacy decisions: when the European Commission has determined that a country offers an adequate level of data protection, we may transfer data to that country without additional safeguards
- Standard Contractual Clauses: we use Standard Contractual Clauses approved by the European Commission when transferring data to countries without an adequacy decision, ensuring that recipients maintain the same protection standards
- EU-US Data Privacy Framework: for transfers to the United States, we rely on EU-US Data Privacy Framework certifications when our vendors are certified under this program
- Specific derogations: in specific cases provided for in Article 49 of the GDPR, we may transfer data based on your explicit consent or when the transfer is necessary for the performance of a contract with you. You can request additional information about transfer safeguards in place by contacting us
14. Data Retention Periods
We apply differentiated retention periods according to data type and processing purpose, deleting data when it is no longer needed:
- Account data: retained while your account is active, plus an additional 30-day period after closure to allow reactivation. After this period, data is deleted or anonymized, except when retention is required by law
- Billing data: retained for the legally required period for tax and accounting purposes (10 years in Portugal), as per legal obligations
- Document content: processed temporarily and deleted immediately after processing the requested feature. We never permanently store your document content
- Technical and security logs: retained for a maximum of 12 months for security, diagnostic, and legal compliance purposes, after which they are automatically deleted
15. Security Measures
We implement a comprehensive set of technical and organizational measures to protect your personal data:
- Encryption: all data is encrypted in transit using TLS 1.3 and at rest using AES-256. Passwords are stored using secure hashing algorithms (bcrypt) and never in plain text
- Secure authentication: we support two-factor authentication (2FA), short-lived JWTs, and secure session management. Inactive sessions are automatically terminated
- Access control: we implement the principle of least privilege, limiting data access only to employees who need it for their functions. All access is logged and auditable
- Infrastructure security: we use enterprise-grade cloud infrastructure with firewalls, intrusion detection, DDoS protection, and continuous 24/7 monitoring
- Audits and testing: we conduct regular security audits, penetration tests, and vulnerability assessments to identify and fix potential risks
- Employee training: all employees receive regular training on information security and personal data protection
- Incident response plan: we maintain documented procedures for security incident response, including notification to authorities and data subjects as required by GDPR
- Secure backups: we perform regular backups of encrypted data, stored in geographically separate locations to ensure disaster recovery
16. Your Data Protection Rights
Under GDPR and Portuguese data protection law, you have the following rights regarding your personal data:
- Right of access (Article 15 GDPR): you can request confirmation of whether we process your personal data and, if so, obtain a copy along with information about purposes, data categories, recipients, and retention periods
- Right to rectification (Article 16 GDPR): you can request correction of inaccurate or incomplete personal data. You can also update much of your data directly in your account settings
- Right to erasure (Article 17 GDPR): you can request deletion of your personal data when it is no longer needed, when you withdraw consent, when you object to processing, or when data was unlawfully processed. This right may be limited by legal retention obligations
- Right to restriction of processing (Article 18 GDPR): you can request restriction of your data processing while verifying its accuracy, when you object to processing, or when you need the data to exercise legal rights
- Right to portability (Article 20 GDPR): you can receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV), and have the right to transmit it to another controller
- Right to object (Article 21 GDPR): you can object to processing of your data for direct marketing purposes at any time. You can also object to other processing based on legitimate interests, presenting grounds related to your particular situation
- Right not to be subject to automated decisions (Article 22 GDPR): you have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you
- Right to withdraw consent: when processing is based on consent, you can withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal
17. How to Exercise Your Rights
To exercise any of your rights under the GDPR, we provide the following communication channels:
- Communication channels: you can exercise your rights via email at privacy@mowly.com, through the contact form on our support page, or by letter to our headquarters. We will respond to your request within 30 days, which may be extended by a further 60 days in exceptionally complex cases, in which case we will inform you of the extension and its reasons within the initial 30-day period
- Identity verification: for your protection and the security of your data, we may request identity verification before processing any request. This verification may include confirmation of account details or, in sensitive cases, presentation of identification documents. The purpose is to ensure that data is only provided to or modified by the legitimate data subject
- Representation by third parties: you may exercise your rights personally or through a duly authorized representative. If you choose to be represented by a third party, we will request proof of written authorization or valid power of attorney before processing the request
- Costs and records: exercising your rights is free of charge, except in cases of manifestly unfounded or excessive requests, where a reasonable administrative fee may be charged. We maintain records of all rights exercise requests and responses provided to demonstrate GDPR compliance
19. Analytics and Statistics
We use analytics tools to understand how the platform is used and identify improvement opportunities. The data collected is aggregated and does not allow identification of individual users. We do not use Google Analytics or other tools that transfer data to third parties in an identifiable manner. The metrics we collect include number of active users, most used features, system response times, and error rates. This data is used exclusively to improve the quality and reliability of our services.
20. Children's Privacy
Mowly services are intended exclusively for legal professionals and adults. We do not offer services to minors under 18 years of age and do not intentionally collect personal data from minors. If we become aware that we have inadvertently collected data from a minor under 18, we will delete that data immediately and take steps to prevent future collection. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
21. Marketing Communications
We may send you marketing communications about our services, new features, events, and special offers, always based on your prior and explicit consent. You can opt out of receiving these communications at any time by clicking the unsubscribe link in each email, changing your preferences in your account settings, or contacting us directly. Note that even if you opt out of marketing, you will continue to receive essential service communications related to your account.
22. Data Breach Notification
In the event of a personal data breach that results in a risk to your rights and freedoms, we will notify the competent supervisory authority (CNPD - Portuguese National Data Protection Commission) within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly and without undue delay, informing you of the nature of the breach, likely consequences, and measures taken to mitigate it.
23. Automated Decisions and Profiling
Mowly does not make solely automated decisions that produce legal effects or significantly affect you. Our AI features are assistance tools that provide suggestions and analysis, but final decisions are always made by you or the legal professionals using the platform. We do not perform profiling that results in automated processing with legal effects. The personalization and recommendation algorithms we use are based on your stated preferences and usage history to improve the experience, not to make decisions about you.
24. Data Protection Officer
Mowly has designated a Data Protection Officer (DPO) responsible for overseeing compliance with data protection legislation and serving as a point of contact for data subjects and the supervisory authority. You can contact our DPO at dpo@mowly.com for any questions related to the processing of your personal data or to exercise your rights. The DPO will respond within a maximum of 30 days.
25. Right to Lodge a Complaint
If you consider that the processing of your personal data violates data protection legislation, you have the right to lodge a complaint with the competent supervisory authority. In Portugal, the supervisory authority is the National Data Protection Commission (CNPD), headquartered at Av. D. Carlos I, 134, 1.º, 1200-651 Lisbon, phone (+351) 213 928 400, email geral@cnpd.pt. We encourage you, however, to contact us first so we can try to resolve any issues directly.
26. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our services, data processing practices, or legal requirements. When we make material changes, we will notify you through a prominent notice on the platform, by email, or by other appropriate means, at least 30 days before the changes take effect. The last updated date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically. Continued use of our services after changes take effect constitutes acceptance of the updated policy.
27. Contact Us
If you have questions, comments, or concerns about this Privacy Policy or the processing of your personal data, please do not hesitate to contact us: General email: support@mowly.com | Privacy email: privacy@mowly.com | Data Protection Officer: dpo@mowly.com | Website: www.mowly.com/support | Address: Mowly, Lda., Lisbon, Portugal. We are committed to responding to all inquiries within a maximum of 30 days.
