Quick summary — the full policy below governs.
| Topic | In short |
|---|---|
| Who we are | LexBrief COUNSEL is currently operated by the operator as a sole trader in Western Australia. The entity will become an Australian proprietary limited company once incorporated. |
| Our regulatory position | We voluntarily comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), regardless of whether the Act technically applies to us. |
| What we collect | From you (the practitioner): name, email, billing details, and authentication data. Content in your account database: only what you enter. We do not read it. |
| Where it is stored | Primary storage on infrastructure controlled by us in Australia. Encrypted backups in Google Drive (United States). We are migrating to Australian-only backups. |
| Cross-border disclosures | Resend (United States-headquartered; mail infrastructure in Japan via AWS ap-northeast-1 / Tokyo region), Postmark (United States), Google Drive (United States; encrypted backups, key held by us). Cloudflare provides edge routing but does not receive stored personal information. |
| Your rights | Access, correct, or delete your personal information. Complain to us, and if not satisfied, to the OAIC. |
| Contact | support@lexbrief.au |
1. About this policy
1.1 Who this policy is for
This policy describes how LexBrief COUNSEL ("LexBrief", "we", "us", or "our") handles personal information. It is directed at:
(a) legal practitioners who use the LexBrief COUNSEL service (the "Service") to manage their legal practice ("users" or "you"); and
(b) other individuals whose personal information may pass through the Service, including the contacts, clients, witnesses, opposing parties, and other persons whose information our users enter into their LexBrief COUNSEL account ("third party individuals").
If you are a third party individual whose information is held in a user's account, that information is held by us on behalf of that user. Your primary point of contact for access, correction, and complaint is the user (a legal practitioner) who controls the account that holds your information. You may also contact us directly using the details in section 13.
1.2 Our regulatory position
LexBrief is currently operated by the operator as a sole trader. At our current scale, we may not meet the threshold for an "APP entity" under section 6D of the Privacy Act 1988 (Cth). Despite this, we voluntarily commit to handling personal information in substantial compliance with the Australian Privacy Principles (APPs) set out in Schedule 1 to that Act. We do this because:
(a) our users are legal practitioners with their own confidentiality obligations under the Legal Profession Uniform Law, the Legal Profession Uniform Law Australian Solicitors' Conduct Rules 2015 (rule 9), and the Legal Profession Uniform Conduct (Barristers) Rules 2015 (rule 114), and they need to be able to rely on us to handle their clients' information appropriately;
(b) Australian individuals expect APP-equivalent handling regardless of whether the entity is technically caught by the Act; and
(c) we may, at any point, become an APP entity (for example, if our turnover exceeds $3 million, if we enter a Commonwealth contract, or if we begin to provide services that fall within the s 6D(4) exceptions). When that happens, the APPs will apply automatically, and we want our practices to already meet that standard.
This policy is therefore drafted as if the APPs apply to us in full. References to "APPs" or "APP [number]" in this policy are references to the corresponding principle in Schedule 1 to the Privacy Act 1988 (Cth).
1.3 What this policy is not
This policy is not a substitute for our Terms of Use, which separately govern your contractual relationship with us. It is not legal advice. It does not affect any rights you have under the Privacy Act 1988 (Cth), the Australian Consumer Law, the new statutory tort of serious invasions of privacy (Schedule 2 to the Privacy and Other Legislation Amendment Act 2024 (Cth)), or any other Australian law.
2. Personal information we collect
2.1 What "personal information" means
In this policy, "personal information" has the same meaning as in section 6(1) of the Privacy Act 1988 (Cth): information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether it is recorded in a material form or not. "Sensitive information" is the subset of personal information identified in section 6(1), including health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal record information.
2.2 What we collect from users
When you sign up for and use LexBrief COUNSEL as a legal practitioner, we collect:
(a) Account information: your name and email address. We collect this so we can identify you, communicate with you about your account, and verify your identity for support requests.
(b) Authentication information: your password (which we store only as a one-way cryptographic hash, never in plaintext), and any second-factor authentication data (such as a TOTP secret).
(c) Billing information (when subscriptions become available): the billing name, address, and ABN you provide. We do not store payment card numbers; payments will be processed by a third-party payment provider that handles card data directly.
(d) Usage data: IP address, login timestamps, browser type, and basic technical logs that we generate as a result of you using the Service.
(e) Support communications: the content of any support emails or messages you send us.
We do not collect sensitive information about you in the course of normal account use. If you voluntarily provide sensitive information about yourself in a support communication, we will handle it in accordance with this policy and only use it for the purpose for which you provided it.
2.3 What is in your account database
The Service is a practice-management application. Once logged in, you may enter information about your clients, your matters, your contacts, your tasks, your invoices, and your expenses. That information is held in a database that is encrypted at rest and is logically separated from other users' databases.
The information in your account database may include personal information about third party individuals (your clients, opposing parties, witnesses, your professional contacts, and others). It may also include sensitive information, particularly where the matter type involves health information, criminal record information, or other sensitive categories.
We do not read, analyse, or otherwise access the substantive content of your account database in the ordinary course of operating the Service. We may need to access it in narrow circumstances described in section 5 (such as a critical bug fix that you have asked us to investigate, or a lawful production order). When we do, we treat that access as confidential and apply the safeguards described in section 6.
2.4 What we collect via the marketing site
If you submit a form on the LexBrief COUNSEL marketing site (lexbrief.au) — including the alpha-access request form or the contact form — we collect:
(a) Your name — to address replies.
(b) Your email address — to respond to your inquiry.
(c) Your chambers or firm (if provided) — for context.
(d) The free-text content of your message or inquiry — including any details you choose to share about your practice.
This information is transmitted to us via our email delivery provider (see section 5.1(a)) and delivered to the operator's inbox. We do not store this information in the application database. We use it solely to respond to your inquiry and, with your consent, to add you to the alpha trial. We do not use it for marketing profiling. In accordance with APP 5.2, this clause constitutes notice of the kinds of personal information collected through those forms.
2.5 What we collect from third party individuals directly
We do not collect personal information directly from third party individuals (such as your clients) at all. They never interact with the Service. Their information reaches us only because you, the user, enter it.
2.6 What we do not collect
We do not:
(a) profile users for advertising purposes;
(b) sell personal information to anyone, ever;
(c) use the content of your account database to train any machine-learning model, of ours or anyone else's;
(d) collect biometric information;
(e) track you across other websites;
(f) use third-party advertising cookies;
(g) require you to disclose information about yourself other than what is strictly necessary to provide the Service.
3. How we collect personal information
3.1 Direct collection from users
The bulk of personal information we hold is collected directly from you when you sign up and use the Service. Specifically:
(a) you enter your name and email address through the signup form;
(b) you set a password (which we hash);
(c) you set up two-factor authentication if you choose to;
(d) you enter your billing details (when applicable);
(e) you enter information about your contacts, clients, and matters; and
(f) you upload receipts and other documents.
3.2 Collection through use of the Service
When you use the Service, we automatically collect technical information such as your IP address, browser version, and the timestamps of your interactions. We collect this for security, debugging, and audit purposes.
3.3 Collection from third parties
We do not currently collect personal information from third parties about you, except for:
(a) email delivery logs: our email providers (Resend and Postmark) generate logs that record whether emails we sent to you were delivered, bounced, or marked as spam. We use this only to operate the Service.
(b) CSV import from BarBooks: if you choose to import your existing data from BarBooks, you upload a CSV that you have downloaded. Although the data originates from BarBooks, it reaches us via you, not directly from BarBooks.
3.4 Unsolicited personal information
If we receive personal information that we did not solicit, we will deal with it in accordance with APP 4. If we determine that we could not have collected the information lawfully under APP 3, we will destroy or de-identify it as soon as practicable, unless doing so would be unlawful or unreasonable.
4. Why we collect, hold, use and disclose personal information
4.1 Primary purposes
We collect, hold, use and disclose personal information for the primary purpose of providing the Service. Specifically:
(a) to create and authenticate your account;
(b) to allow you to use the practice-management features of the Service;
(c) to send you service-related communications (account verification, password resets, security alerts, scheduled maintenance notices);
(d) to bill you (when subscriptions become available);
(e) to provide support;
(f) to keep the Service secure, including by detecting and responding to abuse;
(g) to back up your data so we can restore it if something goes wrong; and
(h) to comply with our legal obligations.
4.2 Secondary purposes
We may use or disclose personal information for the following secondary purposes, each of which is either related to the primary purpose and within your reasonable expectations, or required or authorised by law:
(a) responding to a lawful request from a court, tribunal, or regulator;
(b) responding to a serious threat to life, health, or safety of an individual, or to public health or safety;
(c) investigating or responding to a suspected unlawful activity or serious misconduct;
(d) defending ourselves against a legal claim or complaint;
(e) protecting our rights, property, or safety, or those of users or others; and
(f) any other purpose that you have consented to.
4.3 What we do not use personal information for
We do not use personal information for:
(a) direct marketing to you, except to send service-related communications about features, pricing, and improvements to the Service. You can opt out of feature and improvement messages at any time without losing access to service-essential communications;
(b) profiling for advertising;
(c) training machine-learning models;
(d) sale to any third party.
5. When we disclose personal information
5.1 To service providers
We disclose personal information to a small number of service providers who help us operate the Service. Each is bound by a written agreement that includes confidentiality and data-protection obligations. Currently they are:
(a) Resend, Inc. (United States-headquartered; mail infrastructure in Japan via Amazon Web Services ap-northeast-1 / Tokyo region). Resend is our primary transactional email provider. We disclose your email address and the content of service-related emails (such as account verification codes, password reset links, and notifications) to Resend so it can deliver those emails. Resend is not authorised to use this information for any other purpose. Resend's privacy policy is available at resend.com.
(b) Postmark (ActiveCampaign LLC) (United States). Postmark is our backup transactional email provider. The same terms as Resend apply.
(c) Cloudflare, Inc. (global edge infrastructure). Cloudflare provides DNS, content delivery, and DDoS protection for our marketing site and login portal. Cloudflare receives your IP address and the URLs you request as part of routing your traffic, but does not receive disclosures of personal information stored in your account database. Routing in transit through Cloudflare's infrastructure (which may be located outside Australia) is treated as a "use" rather than a "disclosure" under the Privacy Act 1988 (Cth), consistent with the Office of the Australian Information Commissioner's APP Guidelines Chapter 1, paragraph 1.30.
(d) Google LLC (United States). We currently use Google Drive to store encrypted backups of the Service database. The backups are encrypted with a key that we hold; Google does not have access to the unencrypted contents. Google is in this list because we want to be transparent that the encrypted blob is held on Google's infrastructure, which is predominantly located in the United States. We are working towards moving backups to Australian-only infrastructure (see section 7.4).
5.2 To regulators, courts, and law enforcement
We may disclose personal information to a regulator, court, tribunal, or law enforcement agency where:
(a) we are required to do so by an Australian law or court or tribunal order;
(b) the disclosure falls within an exception in APP 6.2 (such as enforcement-related activities by an enforcement body); or
(c) we reasonably believe disclosure is necessary to address a serious threat to life, health, or safety.
If we receive a request that may engage the legal professional privilege or confidentiality of one of our users or their clients, we will, where practicable and lawful, notify the user before disclosure so they can take steps to protect privilege or confidentiality. We will not voluntarily waive privilege on behalf of any user.
5.3 To advisors
We may disclose personal information to our own legal, accounting, or insurance advisors where reasonably necessary to obtain professional advice. Each such advisor is bound by their own professional confidentiality obligations.
5.4 In a corporate transaction
If LexBrief is reorganised, sold, or merged in whole or in part, we may transfer personal information to the acquiring or successor entity. We will notify users in advance and the successor entity will be required to handle the information in accordance with this policy or a policy that is at least as protective.
5.5 What we do not disclose, and to whom
We do not disclose:
(a) the substantive content of your account database to anyone, except as set out above;
(b) personal information to overseas recipients other than those listed in section 5.1;
(c) personal information to advertisers or data brokers, ever; and
(d) personal information for purposes unrelated to operating the Service.
6. How we hold personal information securely
6.1 Our approach
We take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure, in accordance with APP 11.1. Following the Privacy and Other Legislation Amendment Act 2024 (Cth), this expressly includes implementing technical and organisational measures.
6.2 Technical measures
Our current technical measures include:
(a) Encryption at rest: the Service database is encrypted at rest. The encryption key is held separately from the encrypted data.
(b) Encryption in transit: all connections to the Service use TLS 1.2 or higher. The login portal and the Service use HTTPS exclusively.
(c) Authentication and access control: passwords are stored only as one-way cryptographic hashes. Two-factor authentication is available and is recommended.
(d) Network segmentation: the production database is hosted on infrastructure that is not directly exposed to the public internet. Access is mediated by a reverse proxy and an authentication middleware.
(e) Cross-site request forgery protection: all state-changing requests in the Service require a CSRF token.
(f) Encrypted backups: backups of the Service database are encrypted using a strong symmetric cipher before being uploaded to backup storage.
(g) Logical separation: each user's data is stored in a separate logical database, so that it is not possible for one user to access another user's data through the application.
6.3 Organisational measures
(a) Access to production data is restricted to the operator and is logged.
(b) The operator does not access the substantive content of user databases except in the narrow circumstances described in section 2.3.
(c) Any contractor or service provider engaged in connection with the Service is bound by written confidentiality obligations.
(d) We periodically review our security posture and update our practices.
(e) Detailed implementation specifics are deliberately not published in this policy because doing so would jeopardise their effectiveness, consistent with the OAIC's APP Guidelines Chapter 1, paragraph 1.20.
6.4 Limits of security
No security measure is perfect. We do not promise that personal information held by us is immune from compromise. What we do promise is that we will take reasonable steps to protect it, and that we will respond appropriately if something goes wrong (see section 8).
6.5 Destruction and de-identification
When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs, and is not contained in a Commonwealth record or required by law to be retained, we take reasonable steps to destroy or permanently de-identify it, in accordance with APP 11.2. Specifically:
(a) when a user terminates their account, we delete all personal information in the account, including from primary storage and from backups, within 30 days of termination becoming effective;
(b) email delivery logs and access logs are retained for no longer than is reasonably necessary for security and audit purposes, and in any event no longer than 12 months;
(c) backups containing deleted accounts are pruned on a rolling basis so that the 30-day deletion commitment is met across all storage locations.
7. Where personal information is held
7.1 Primary storage
Primary storage of the Service database is on infrastructure controlled by us located in Australia. We do not currently use any cloud hosting provider that may transfer customer content outside Australia for primary storage.
7.2 Backups
Encrypted backups are currently uploaded to Google Drive. Google's infrastructure is global and predominantly located in the United States. The backups are encrypted with a key that we hold and Google cannot access. We treat this as an offshore disclosure for completeness even though the encryption substantially mitigates the privacy risk.
7.3 Email infrastructure
Transactional emails are sent through Resend (United States-headquartered; mail infrastructure in Japan via AWS ap-northeast-1 / Tokyo region) and, as a fallback, Postmark (United States).
7.4 Future state
We are working towards a state where:
(a) primary storage will move to Australian-region cloud infrastructure (specifically, Amazon Web Services in the Sydney region, ap-southeast-2, with cross-region replication disabled and content pinned to Australia);
(b) backups will move to Australian infrastructure;
(c) email infrastructure may remain offshore where no equivalent Australian provider exists, and in that case the same disclosure obligations under APP 8 will continue to apply and be honoured.
We will update this policy when each of those transitions occurs.
8. Data breaches
8.1 Our commitment
If we become aware of a data breach that affects personal information held by us, we will:
(a) immediately take steps to contain the breach and limit further unauthorised access;
(b) assess whether the breach is an "eligible data breach" within the meaning of Part IIIC of the Privacy Act 1988 (Cth) (broadly, a breach likely to result in serious harm to one or more individuals that we are unable to prevent through remedial action);
(c) carry out that assessment within 30 calendar days, consistent with section 26WH of the Privacy Act;
(d) if the breach is an eligible data breach, notify affected individuals and, to the extent the Privacy Act applies to us, the Office of the Australian Information Commissioner, as soon as practicable, in accordance with sections 26WK and 26WL;
(e) where the breach affects information held in a user's account database, notify the user without delay so that the user can meet their own confidentiality and notification obligations to their clients; and
(f) provide affected individuals with information about the breach, the kinds of information involved, and recommended steps they should take in response.
8.2 If you suspect a breach
If you become aware of, or suspect, a data breach affecting personal information held by us, please tell us immediately by emailing support@lexbrief.au with "DATA BREACH" in the subject line.
9. Access to your personal information
9.1 Your right to access
You have a right to request access to the personal information we hold about you (APP 12). For users, the bulk of this information is already accessible through the Service: you can view, export, and download your account data from within the application at any time. For information that is not accessible through the application (for example, support communications, server logs, or billing records), you can request access by contacting us.
9.2 How to request access
Send a request to support@lexbrief.au including:
(a) the email address associated with your account;
(b) a clear description of the personal information you are requesting; and
(c) any preferred form of access (electronic copy, summary, etc).
9.3 Verification
To protect your information, we will verify your identity before providing access. For account holders, we will verify by sending a verification code to the email address on the account, or by another reasonable method. For third party individuals (such as a client of one of our users), we will typically direct you in the first instance to the user (the practitioner) who controls the account, because the user is the appropriate first point of contact for the information they have collected from you. We will also work with you directly where appropriate.
9.4 Timeframe and form
We will respond to access requests within a reasonable time, generally 30 days. Access will normally be provided free of charge. If we are unable to provide access (for example, because of an exception in APP 12.3), we will tell you why in writing, and we will tell you how you can complain about the decision.
10. Correction of personal information
10.1 Your right to correct
You have a right to ask us to correct personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
10.2 How to request correction
For users, you can correct your own profile information through the Service at any time. For information you cannot correct yourself, contact us at support@lexbrief.au.
10.3 Our response
If we agree the information is inaccurate, we will correct it. If we do not agree, we will tell you why, and we will, at your request, take reasonable steps to associate a statement from you with the information so that future readers know your view.
11. Anonymity and pseudonymity
To the extent practicable, we will allow individuals to deal with us anonymously or by pseudonym (APP 2). This is generally not practicable for account holders, because we need to be able to identify you for billing and security purposes. It is more readily practicable for general inquiries, where we are happy to respond to a pseudonymous email address.
12. Automated decision-making
Currently, the Service does not make any automated decisions about individuals that could reasonably be expected to significantly affect their rights or interests. The Service performs computational tasks (such as calculating GST, generating invoice numbers, computing work-in-progress totals, and rendering documents), but these are not decisions about individuals in the sense contemplated by APP 1.7, 1.8 and 1.9 (which commence on 10 December 2026 under the Privacy and Other Legislation Amendment Act 2024 (Cth)).
If we add a feature in future that makes or substantially contributes to a decision about an individual using their personal information, we will update this policy in advance to disclose:
(a) the kinds of personal information used in the operation of the computer program;
(b) the kinds of decisions made solely by the operation of computer programs; and
(c) the kinds of decisions for which a thing substantially and directly related to making the decision is done by the operation of such computer programs.
13. Contact us, complaints, and the OAIC
13.1 Privacy contact
For any question or request relating to this policy, including access, correction, complaints, or to opt out of feature communications, please contact:
Email: support@lexbrief.au
Subject line: PRIVACY
We aim to acknowledge privacy contacts within five business days and to provide a substantive response within 30 days.
13.2 Complaints
If you think we have breached this policy, the APPs, or any other applicable privacy law, please tell us first by sending a complaint to support@lexbrief.au with "PRIVACY COMPLAINT" in the subject line. Your complaint should include:
(a) your name and contact details;
(b) what you say we did or failed to do;
(c) when and how it happened;
(d) what outcome you are seeking.
We will acknowledge receipt within seven days. We will investigate and provide a substantive response within 30 days unless the matter is more complex, in which case we will tell you and provide regular updates.
13.3 Escalation to the OAIC
If you are not satisfied with our response (or we have not responded within 30 days), you may complain to the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner
GPO Box 5288, Sydney NSW 2001
Phone: 1300 363 992
Online: oaic.gov.au
The OAIC generally requires you to have first complained to us, consistent with section 40(1A) of the Privacy Act 1988 (Cth).
13.4 Other forums
Depending on the circumstances, you may also have rights under:
(a) the statutory tort of serious invasions of privacy in Schedule 2 to the Privacy and Other Legislation Amendment Act 2024 (Cth), which commenced on 10 June 2025, allowing individuals to sue for serious intentional or reckless invasions of privacy;
(b) the Australian Consumer Law, including its protections against misleading or deceptive conduct and unfair contract terms;
(c) the equitable doctrine of breach of confidence.
Nothing in this policy is intended to limit any of those rights.
14. Changes to this policy
We may update this policy from time to time. When we do:
(a) we will update the "Last updated" date at the top of the policy;
(b) where the change is material (for example, a new category of personal information collected, a new offshore service provider, or a change to retention periods), we will notify users in advance, normally by email and by an in-app notice, before the change takes effect; and
(c) we will preserve previous versions of the policy on request.
You can always find the current version of this policy at lexbrief.au and within the Service.
15. Definitions
In this policy:
"APP" means an Australian Privacy Principle in Schedule 1 to the Privacy Act 1988 (Cth).
"OAIC" means the Office of the Australian Information Commissioner.
"personal information" has the meaning given in section 6(1) of the Privacy Act 1988 (Cth).
"sensitive information" has the meaning given in section 6(1) of the Privacy Act 1988 (Cth).
"Service" means LexBrief COUNSEL, including the web application, the marketing site at lexbrief.au, and any associated services.
"user" means a person who has registered for an account with the Service.
This Privacy Policy was last updated on 08/05/2026.