Privacy Policy
Last updated: 20 April 2026
1. Data Controller
Legal OS ("legals.mu") is operated by Tamak Group. We are the data controller for personal data processed through this platform, in accordance with the Mauritius Data Protection Act 2017 ("DPA 2017").
Data Protection Officer: To be appointed. Contact: dpo@legals.mu
2. Personal Data We Process
We process the following categories of personal data:
- Identity data: Name, date of birth, nationality, occupation, NIC number, passport number
- Contact data: Email address, phone number, residential address
- Identity documents: Scanned copies of National ID cards, passports, proof of address
- Company data: Company name, BRN, registered office, share structure, officer appointments
- Account data: Email, password (hashed), organisation name
- Usage data: Actions performed, documents generated, login timestamps
3. Purpose & Legal Basis
| Purpose | Legal Basis (DPA 2017) |
|---|
| Company secretarial filings | Contractual necessity |
| KYC document management | Legal obligation (FIAMLA 2002) |
| ID card extraction (AI) | Explicit consent |
| CBRIS company lookup | Legitimate interest (public register) |
| Account management | Contractual necessity |
| Audit logging | Legal obligation (DPA 2017) |
4. Data Security
- Sensitive personal data (NIC numbers, passport numbers, dates of birth, residential address) is encrypted at rest using AES-256 (pgcrypto)
- All data is transmitted over HTTPS (TLS 1.3)
- Uploaded identity documents are stored in encrypted storage (AES-256-GCM)
- Access is controlled via Row Level Security — each organisation can only access its own data
- All data access and modifications are recorded in an immutable audit log
5. Your Rights (DPA 2017)
Under the Mauritius Data Protection Act 2017, you have the right to:
- Access your personal data held by us
- Rectify inaccurate or incomplete data
- Erase your data (subject to legal retention obligations)
- Restrict processing in certain circumstances
- Data portability — receive your data in machine-readable format
- Object to processing
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with the Data Protection Commissioner
To exercise any of these rights, contact us at dpo@legals.muor submit a request through the platform's Settings page.
6. Data Retention
| Data Category | Retention Period | Legal Basis |
|---|
| KYC documents | 5-7 years after end of relationship | FIAMLA 2002 |
| Company filings | 7 years | Companies Act 2001 |
| Audit logs | Indefinite | DPA 2017 |
| Consent records | Indefinite | DPA 2017 |
| User accounts | Until deletion + 30 days | DPA 2017 |
7. International Data Transfers
Processing your data involves transfers outside Mauritius:
- Infrastructure hosting: Your data is stored on servers in the European Union (Ireland) via our infrastructure provider Supabase. The EU provides a level of data protection recognised as adequate under DPA 2017.
- AI processing:Identity-document extraction and generative features are processed via OpenAI's API (United States) under a data processing agreement. OpenAI states it does not use API data to train its general models.
- Email delivery: Outgoing platform email uses Resend (United States) under a data processing agreement.
- Payments: Billing is processed by Paddle (United Kingdom / United States) as a merchant of record; payment card data is handled by Paddle under PCI-DSS, not stored by us.
- CDN & edge: Vercel and Cloudflare serve requests from globally distributed edge locations.
Each sub-processor is bound by a data processing agreement with appropriate safeguards. The full list of sub-processors is available on request at dpo@legals.mu.
8. AI Processing
We use AI (currently OpenAI GPT-4o) for the following features:
- Identity-document extraction (NIC, passport, proof of address)
- Meeting-minutes structuring from recorded audio transcripts
- Draft-generation for communications (emails, chase letters, resolutions)
- Classification of uploaded documents in the intake pipeline
AI processing of identity documents happens only with your explicit consent. You may choose to enter data manually instead. No automated decisions are made based solely on AI processing — all extracted data is reviewed and confirmed by a human before being relied upon. We do not use your data to train general AI models.
For on-premise / enterprise deployments where OpenAI cannot be used, the platform supports local-AI alternatives that keep all processing within your infrastructure.
9. Data Breach Notification
In the event of a personal data breach, we will notify the Data Protection Commissioner within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly.
10. Contact & Complaints
Data Protection Officer: dpo@legals.mu
Data Protection Commissioner: Data Protection Office, 5th Floor, SICOM Tower, Wall Street, Ebene, Mauritius. Tel: +230 460 0251. Website: dataprotection.govmu.org