Privacy Policy
Last updated: February 1, 2026 | Version 2.0
🔒 Privacy by Design: Praxis is designed with privacy as a core principle. By default, your client data stays on your own devices, and we have no access to it.
1. Data Controller
Praxis Legal
Belgium
Email: privacy@praxislegal.be
Praxis Legal ("we", "our", "us") is the data controller within the meaning of the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679) and the Belgian Law of July 30, 2018 on the protection of natural persons with regard to the processing of personal data.
2. What Data Do We Process?
2.1 Account Data (processed by us)
| Data | Purpose | Retention Period |
|---|---|---|
| Email address | Account management, communication | Up to 2 years after termination |
| Name, company | Billing, identification | 7 years (legal retention requirement) |
| Payment data | Subscription management | 7 years (accounting legislation) |
| Login credentials | Security, authentication | Until account deletion |
| IP address | Security, fraud prevention | 90 days |
2.2 Client Data (NOT processed by us)
Local storage: All data you enter in Praxis (cases, contacts, documents, time entries) is stored on:
- Your own computer/device, or
- Your own cloud storage (OneDrive, Dropbox, Google Drive)
Praxis has no access to this data. You are the data controller for your client data.
2.3 Praxis Cloud (optional)
If you choose Praxis Cloud synchronization:
| Data | Processing | Location |
|---|---|---|
| Synchronized database | Encrypted storage | EU (Hetzner, Germany) |
| Documents | Encrypted storage | EU (Hetzner, Germany) |
When using Praxis Cloud, Praxis acts as a data processor. A Data Processing Agreement is available upon request.
3. Legal Bases (GDPR Article 6)
| Processing | Legal Basis | Explanation |
|---|---|---|
| Account creation and management | Art. 6(1)(b) Contract | Necessary for service delivery |
| Payment processing | Art. 6(1)(b) Contract | Necessary for subscription |
| Billing data retention | Art. 6(1)(c) Legal obligation | 7-year accounting requirement |
| PEPPOL e-invoicing | Art. 6(1)(c) Legal obligation | B2B mandatory e-invoicing law |
| Security logs | Art. 6(1)(f) Legitimate interest | Fraud and cyberattack protection |
| Marketing communications | Art. 6(1)(a) Consent | Optional, with consent |
4. Recipients and Transfers
4.1 Sub-processors
| Service | Purpose | Location | GDPR Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Cloud hosting | Germany (EU) | GDPR compliant, DPA |
| Stripe/Mollie | Payment processing | EU | GDPR compliant, DPA |
| Migadu | Email services | Switzerland | Adequacy decision |
| Storecove | PEPPOL e-invoicing | Netherlands (EU) | GDPR compliant, DPA |
4.2 No Transfer Outside EEA
We do not transfer personal data to countries outside the European Economic Area unless adequate safeguards are in place (adequacy decision or SCCs).
4.3 No Sale of Data
We never sell, rent, or trade your personal data.
5. Your Rights
Under the GDPR, you have the following rights:
| Right | GDPR Article | Description |
|---|---|---|
| Access | Art. 15 | Request what data we hold about you |
| Rectification | Art. 16 | Correction of inaccurate data |
| Erasure | Art. 17 | Deletion of your data ("right to be forgotten") |
| Restriction | Art. 18 | Restriction of processing |
| Portability | Art. 20 | Export of your data in readable format |
| Objection | Art. 21 | Object to processing based on legitimate interest |
Submit requests to privacy@praxislegal.be. We respond within 30 days.
6. Security
We implement appropriate technical and organizational measures in accordance with GDPR Article 32:
- TLS 1.3 encryption for data transport
- AES-256 encryption for stored data
- Two-factor authentication (optional)
- Regular security audits
- ISO 27001-compliant procedures
- Bcrypt password hashing
7. Cookies and Tracking
7.1 Privacy-Friendly Analytics
We use Umami, a privacy-friendly analytics solution that:
- Does not place cookies
- Does not collect personal data (no IP address tracking)
- Is fully hosted in the EU on our own servers (Germany)
- Is open source and GDPR compliant
Umami collects only anonymized statistics such as page views and referrers, without identifying individual users.
7.2 Essential Cookies
Our website uses only:
- Essential cookies: Session authentication, language settings
7.3 No Invasive Tracking
We do not use:
- Google Analytics or other tracking tools that use cookies
- Advertising cookies
- Cross-site tracking
- Social media pixels or widgets
8. Data Processing Agreement (DPA)
When is a DPA needed?
| Usage Mode | DPA Required? | Reasoning |
|---|---|---|
| Local use only | No | Praxis does not process client data |
| Praxis Cloud | Yes | Praxis acts as data processor |
Request a Data Processing Agreement via privacy@praxislegal.be.
9. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We notify the Belgian Data Protection Authority within 72 hours
- We notify you without undue delay if the breach is likely to result in a high risk
10. Complaints
You have the right to lodge a complaint with the supervisory authority:
Belgian Data Protection Authority (GBA/APD)
Drukpersstraat 35 / Rue de la Presse 35
1000 Brussels, Belgium
www.gegevensbeschermingsautoriteit.be
www.autoriteprotectiondonnees.be
11. Changes
For material changes, we will inform you by email. The current version is always available on this page.
Contact
Praxis Legal
Email: privacy@praxislegal.be