Skip to main content

Privacy Policy

Last updated: June 9, 2026

RBS Responsible Business Solutions GmbH ("RBS", "Company", "we", "us", or "our"), also operating under the brand "AI Solutions for Lawyers", is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Coffee & Law platform ("Platform", "Service").

This policy is provided in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Austrian Data Protection Act (Datenschutzgesetz, DSG), and the Austrian Telecommunications Act 2021 (TKG 2021).

1. Data Controller

The data controller responsible for your personal data is:

RBS Responsible Business Solutions GmbH
Hegelgasse 13
1010 Vienna, Austria
Phone: +43 (0) 1 51 21 820-0
Email: support@ai-solutions-for-lawyers.com

For all data protection inquiries, please contact us using the details above and include "Data Protection Request" in your email subject line.

2. Our Role: Controller and Processor

We process personal data in two distinct roles:

  • As controller for data relating to visitors of this website, firm administrator accounts, and our own communication and business records.
  • As processor (Art. 28 GDPR)for personal data of lawyers that a law firm uploads to the Platform (names, professional email addresses, office, practice group, seniority). For this data, the law firm is the controller; we process it solely on the firm's behalf and instructions to provide the Service. A data processing agreement is available upon request. Firms are responsible for informing their lawyers about this processing in accordance with Art. 13/14 GDPR.

3. Data We Collect

3.1 Personal Data Provided by Firm Administrators

When your law firm registers for and uses Coffee & Law, firm administrators may provide the following personal data about lawyers within the organization:

  • Name: First and last name of each lawyer
  • Email address: Professional email address for communication and login
  • Office location: The office or geographic location where the lawyer works
  • Practice group: The legal practice area or department
  • Seniority level: Professional rank or seniority within the firm

3.2 Account and Authentication Data

  • Login credentials (email and hashed password)
  • Account settings and preferences
  • Authentication tokens and session data

3.3 Usage and Log Data

When you access the Platform, certain information is processed automatically:

  • IP address and device information
  • Browser type and version
  • Pages visited and features used
  • Date and time of access
  • Referring website or source

3.4 Bot Protection Data (Cloudflare Turnstile)

Sign-up and login are protected against automated abuse by Cloudflare Turnstile. When you access these pages, Cloudflare processes technical signals from your browser and device (such as IP address, browser characteristics, and interaction data) to distinguish humans from bots. Turnstile does not use this data for advertising or cross-site tracking.

3.5 Coffee Roulette, Meeting and Feedback Data

  • Matching history and pairing records
  • Meeting participation status
  • Network relationship data
  • Post-meeting feedback submitted via token-protected feedback links

4. Legal Basis for Processing

Under the GDPR, we process personal data based on the following legal grounds:

4.1 Contract Performance (Article 6(1)(b) GDPR)

Processing is necessary for the performance of a contract to which you are a party. This includes processing required to:

  • Create and manage your account
  • Provide the coffee roulette matching service
  • Send meeting notifications and reminders

4.2 Legitimate Interests (Article 6(1)(f) GDPR)

Processing is necessary for our legitimate interests, including:

  • Ensuring the security and integrity of our systems, including bot protection via Cloudflare Turnstile
  • Improving and optimizing our Platform
  • Fraud prevention and abuse detection

4.3 Legal Obligation (Article 6(1)(c) GDPR)

Processing is necessary for compliance with legal obligations, such as tax and accounting requirements, or responding to lawful requests from authorities.

4.4 Consent (Article 6(1)(a) GDPR)

Where required, we obtain your consent for specific processing activities — for example, before setting any non-essential (analytics or marketing) cookies, or before sending marketing communications. You may withdraw consent at any time with effect for the future.

5. How We Use Your Data

We use the collected data for the following purposes:

5.1 Service Delivery

  • Operating and maintaining the Platform
  • Executing coffee roulette matches based on firm criteria
  • Sending meeting invitations, notifications, and follow-up emails
  • Providing network analytics and relationship insights to your firm

5.2 Account Management

  • Creating and managing user accounts
  • Authenticating users and maintaining security
  • Communicating important service updates

5.3 Platform Improvement

  • Analyzing usage patterns and trends
  • Improving matching algorithms
  • Developing new features and functionality

5.4 Security and Compliance

  • Detecting and preventing fraud, bots, or abuse
  • Enforcing our Terms and Conditions
  • Complying with legal obligations
  • Responding to legal requests

6. Cookies and Similar Technologies

6.1 Essential Cookies and Storage (No Consent Required)

We use only technically necessary cookies and browser storage to operate the Platform. Under § 165(3) of the Austrian Telecommunications Act 2021 (TKG 2021), these do not require consent:

  • Authentication cookies (Supabase): Keep you signed in and secure your session. Set only when you log in; deleted or expired when your session ends.
  • Cookie consent storage (localStorage):Remembers your cookie choice ("cookieConsent", "cookiePreferences") so we do not ask you again.
  • Interface preferences (localStorage): Remembers minor interface settings, such as dismissed onboarding hints, on your own device.
  • Cloudflare Turnstile: On the sign-up and login pages, Turnstile may set a cookie and process technical browser signals strictly for bot protection and security.

6.2 Analytics and Marketing Cookies (Consent Required — Currently Not in Use)

We currently do not set any analytics or marketing cookies and do not use any third-party tracking or advertising services. Our cookie banner lets you state your preference for these categories in advance. Should we introduce analytics or marketing cookies in the future, they will only be set if you have given (or then give) your prior consent (Article 6(1)(a) GDPR, § 165(3) TKG 2021), and this policy will be updated to name the specific services before they are activated.

6.3 Managing Your Choice

You can change or withdraw your cookie choice at any time via the cookie settings link on our website or through your browser settings. Disabling essential cookies may prevent the Platform from functioning (e.g., you cannot stay logged in).

7. Data Sharing and Processors

7.1 Service Providers (Processors)

We share data with the following service providers that assist us in operating the Platform. Each is bound by a data processing agreement (Art. 28 GDPR) and may only use the data for the purposes we authorize:

  • Vercel Inc. (USA): Web hosting and content delivery of the Platform
  • Supabase Inc. (USA): Database, authentication, and application infrastructure
  • Postmark / ActiveCampaign, LLC (USA): Delivery of transactional emails (match notifications, reminders, feedback links)
  • Cloudflare, Inc. (USA): Bot protection (Turnstile) on sign-up and login

7.2 Legal Requirements

We may disclose your data when required by law, legal process, or binding requests of competent authorities, or when we believe disclosure is necessary to:

  • Comply with applicable laws or regulations
  • Enforce our Terms and Conditions
  • Protect our rights, privacy, safety, or property
  • Respond to emergency situations

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

7.4 No Sale of Personal Data

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

8. International Data Transfers

Application data is primarily stored in data centers located within the European Union. However, some of our service providers listed in Section 7.1 are headquartered in the United States, so personal data may be transferred to or accessed from the USA.

For such transfers, we rely on the safeguards required by Chapter V GDPR:

  • The European Commission's adequacy decision for the EU-U.S. Data Privacy Framework (DPF), where the provider is certified under the DPF
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR), supplemented by additional technical and organizational measures where appropriate

You may request a copy of the relevant safeguards by contacting us at the address in Section 1.

9. Data Retention

9.1 Active Accounts

We retain personal data for as long as your account is active and as needed to provide the Service. Matching history and relationship data are retained to enable the matching algorithm to avoid repeat pairings and provide network insights.

9.2 After Account Termination

Upon account termination or deletion request, we will:

  • Delete or anonymize personal data within 30 days
  • Retain records we are legally required to keep — in particular under § 132 of the Austrian Federal Fiscal Code (BAO, generally 7 years for books and records) — for the duration of the statutory retention period
  • Maintain anonymized, aggregated data (which is no longer personal data) for analytics purposes

9.3 Backup Retention

Data in backup systems may persist for up to 90 days after deletion from active systems, after which it is permanently removed.

10. Your Rights Under the GDPR

As a data subject, you have the following rights. To exercise any of these rights, please contact us at support@ai-solutions-for-lawyers.com. Where we act as processor for your firm (Section 2), we will forward your request to your firm as controller and support its response.

10.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to request access to that data along with information about how it is processed.

10.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

10.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Legal obligation requires erasure

10.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing when:

  • You contest the accuracy of the data
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you require it for legal claims
  • You have objected to processing pending verification

10.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

10.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.

10.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

10.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority in Austria is:

Österreichische Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40-42, 1030 Vienna, Austria
www.dsb.gv.at

You may also complain to the supervisory authority of the EU Member State of your residence, place of work, or the place of the alleged infringement.

10.9 Response Time

We will respond to valid requests within one month. This period may be extended by two additional months for complex requests, in which case we will inform you of the extension.

11. Security Measures

11.1 Technical Safeguards

We implement appropriate technical security measures, including:

  • Encryption: Data is encrypted in transit (TLS) and at rest
  • Access Controls: Role-based access controls and row-level security scoping all data to your firm
  • Network Security: Security headers, bot protection, and DDoS mitigation
  • Infrastructure: SOC 2 Type II certified hosting providers

11.2 Organizational Safeguards

  • Access to personal data restricted to personnel who need it
  • Confidentiality obligations for all staff
  • Incident response and data breach procedures

11.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and notify affected individuals without undue delay where required (Art. 34 GDPR).

12. Children's Privacy

Our Platform is designed for professional use by law firms and is not intended for children. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it.

13. Updates to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform and updating the "Last updated" date. For significant changes that affect how we process your data, we will provide additional notice, such as email notification to firm administrators.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

RBS Responsible Business Solutions GmbH
Hegelgasse 13
1010 Vienna, Austria
Phone: +43 (0) 1 51 21 820-0
Email: support@ai-solutions-for-lawyers.com

For data protection inquiries or to exercise your rights, please include "Data Protection Request" in your email subject line.

Related documents: Terms and Conditions | Imprint