GDPR Compliance
Last updated: January 27, 2026
For Users in the European Union
This page explains how Intake Form Pro by Adam Legal Systems complies with the General Data Protection Regulation (GDPR) when processing personal data of EU residents, including prospective clients submitting intake forms.
1. Our Commitment to GDPR
Intake Form Pro is committed to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679 and applicable member state laws. We process intake data lawfully, fairly, and transparently.
2. Data Controller and Processor Roles
The Intake Form Pro platform involves multiple parties with different data protection responsibilities:
Your Law Firm (Data Controller)
The law firm using Intake Form Pro is the Data Controller for personal data collected through intake forms. Your firm determines the purposes and means of processing prospective client data.
Adam Legal Systems (Data Processor)
Adam Legal Systems acts as a Data Processor for intake submission data, processing it on behalf of the law firm according to their instructions and this agreement.
Adam Legal Systems (Data Controller)
For law firm account data (registration, billing, usage analytics), Adam Legal Systems is the Data Controller.
Data Protection Contact:
Email: dpo@adamlegalsystems.com
3. Categories of Personal Data Processed
The Intake Form Pro system processes the following categories of personal data:
| Data Category | Examples | Purpose |
|---|---|---|
| Identity Data | Name, date of birth, address | Client identification |
| Contact Data | Email, phone, address | Communication |
| Legal Matter Data | Case description, incident details | Case evaluation |
| Financial Data | Estimated case value, insurance info | Case assessment |
| Documents | Uploaded contracts, evidence | Document analysis |
Special Category Data
Intake forms may contain special category data (health information, racial/ethnic origin, etc.) depending on the legal matter type. Law firms must ensure appropriate legal basis and safeguards for processing such data under GDPR Article 9.
4. Legal Basis for Processing
Personal data is processed under the following GDPR Article 6 legal bases:
- Legitimate Interest (Art. 6(1)(f)): Processing intake submissions for the legitimate interest of the law firm in evaluating potential client matters
- Consent (Art. 6(1)(a)): Where the prospective client provides explicit consent when submitting the intake form
- Contract Performance (Art. 6(1)(b)): Processing necessary for steps at the request of the data subject prior to entering into a contract (legal representation)
- Legal Obligation (Art. 6(1)(c)): Processing required for compliance with legal obligations (e.g., conflict checks)
5. AI Processing and Automated Decision-Making
Intake Form Pro uses artificial intelligence to assist law firms with intake analysis. Here is how we handle AI processing under GDPR:
AI Case Brief Generation
AI analyzes intake submissions to generate preliminary case summaries. This is an assistive tool for attorneys, not automated decision-making. All AI outputs require attorney review before any decisions affecting the data subject are made.
Lead Scoring
AI assigns engagement likelihood scores (Hot/Warm/Cold). These scores indicate potential client engagement factors only and do not determine legal merit, case acceptance, or produce legal effects. Attorneys make all client engagement decisions.
Document Analysis
AI extracts information from uploaded documents to assist attorney review. Document content is processed transiently and not retained by AI providers beyond the processing session.
GDPR Article 22 Compliance
No Solely Automated Decisions: We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect data subjects. All AI analysis is reviewed by licensed attorneys who make final decisions about client engagement, case acceptance, and legal matters.
6. Data Subject Rights
Prospective clients whose data is collected via intake forms have the following rights under GDPR:
Right of Access (Art. 15)
Request a copy of your intake data and how it's being processed.
Right to Rectification (Art. 16)
Request correction of inaccurate information in your submission.
Right to Erasure (Art. 17)
Request deletion of your intake data (subject to legal retention requirements).
Right to Restrict (Art. 18)
Request limitation of processing while disputes are resolved.
Right to Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests.
To exercise these rights: Contact the law firm that collected your intake data directly. They are the Data Controller responsible for responding to your requests. The law firm may contact us as the Data Processor to assist with fulfilling your request.
7. Sub-Processors
We use the following sub-processors to deliver our services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Digital Ocean | Cloud infrastructure hosting | USA (SCCs in place) |
| Anthropic (Claude API) | AI processing for case briefs | USA (SCCs in place) |
| Stripe | Payment processing | USA (SCCs in place) |
| Twilio | SMS notifications | USA (SCCs in place) |
All sub-processors are bound by data processing agreements requiring GDPR-equivalent protections. We conduct due diligence on sub-processor security practices.
8. International Data Transfers
Our infrastructure is located in the United States. For transfers of personal data from the EEA to the USA, we rely on:
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual safeguards
- Supplementary Measures: Additional technical measures including encryption and access controls
- Transfer Impact Assessments: We evaluate transfer risks and implement appropriate safeguards
9. Data Security
We implement appropriate technical and organizational measures per GDPR Article 32:
10. Data Retention
Intake submission data is retained according to the law firm's (Data Controller's) instructions:
- Active Submissions: Retained while law firm account is active
- Deleted Submissions: Permanently deleted within 30 days of deletion request
- Account Closure: All data deleted within 90 days of account termination
- Backups: Purged within 30 days of primary data deletion
Law firms may have additional retention requirements based on professional conduct rules and statute of limitations periods.
11. Data Breach Notification
In the event of a personal data breach affecting intake data:
- We will notify affected law firms (Data Controllers) without undue delay
- Law firms are responsible for notifying supervisory authorities within 72 hours (Article 33)
- Law firms are responsible for notifying affected data subjects if required (Article 34)
- We will provide all information necessary to fulfill notification obligations
12. Data Processing Agreement
Law firms using Intake Form Pro to process EU resident data should execute our Data Processing Agreement (DPA). The DPA includes:
- Subject matter, nature, and purpose of processing
- Duration and data categories
- Controller and processor obligations
- Sub-processor terms and notification procedures
- Security measures and audit rights
- Data return and deletion procedures
To request a DPA, contact dpo@adamlegalsystems.com
13. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in your EU member state. We encourage you to contact us first at dpo@adamlegalsystems.com so we can address your concerns.
14. Updates to This Policy
We may update this GDPR compliance page to reflect changes in our practices, technology, or regulatory guidance. Material changes will be communicated to law firm users via email notification.
Related policies: Privacy Policy | Terms of Service | Security | AI Policy