Privacy Policy

The data controller for personal data processed through the Advocata platform is the entity operating Advocata for the Cyprus pilot (the "Company", "we", "us"). The Company’s registered details and a contact address for data protection enquiries will be published here before commercial launch.

For questions about this policy or to exercise your rights, you can contact us at the email address published in the footer of advocata.erarta.ai.

Account data: name, email address, password (stored hashed), and the language you use the platform in.

Client data: the information you provide when requesting or booking a consultation, including the nature of your enquiry and any documents you choose to share with an advocate.

Advocate data: identity and credential information used for verification, including Cyprus Bar membership and practising licence details, practice areas, languages and rates.

Transaction data: records of bookings, consultations and payments. Card details are processed by our payment provider and are not stored by Advocata.

Technical data: IP address, device and browser information, and usage data collected to operate and secure the platform.

To provide the service (contract): creating your account, matching clients with advocates, enabling bookings, consultations and payments.

To verify advocates (legal obligation and legitimate interest): confirming Cyprus Bar membership and licence before an advocate can accept consultations.

To communicate with you (contract and legitimate interest): booking confirmations, reminders, receipts and service notices sent by email.

To secure and improve the platform (legitimate interest): fraud prevention, debugging and analytics in aggregated form.

With your consent: optional marketing communications, which you can withdraw at any time.

We use carefully selected service providers (data processors) who act on our instructions under data processing agreements:

Stripe — payment processing. Stripe handles card data directly; Advocata does not store full card numbers.

Resend — transactional email delivery (account, booking and payment notifications).

Supabase — database, authentication and file storage infrastructure.

We do not sell your personal data. Personal data is shared with an advocate only to the extent necessary to deliver a consultation you have requested.

Advocata is a booking and intake tool. Messages you send through the platform are not a privileged legal channel: platform administrators may be technically able to access stored content for security, support and legal compliance. For this reason, you should not share privileged or highly sensitive material in platform chat.

Legal advice itself, and any privileged communication, should take place in the consultation with your advocate through an appropriate channel. We apply technical and organisational measures to protect stored data and limit access to what is necessary to operate the service.

During the pilot, infrastructure may be hosted outside the European Economic Area. Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses. Details of hosting locations will be confirmed before commercial launch.

We keep personal data only for as long as necessary for the purposes described in this policy, including to meet legal, accounting and regulatory obligations. Consultation records and transaction data may be retained for the period required by applicable law. When data is no longer needed, we delete or anonymise it.

Subject to applicable law, you have the right to access your personal data, to rectify inaccurate data, to erasure, to restrict or object to processing, to data portability, and to withdraw consent where processing is based on consent.

You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus or your local supervisory authority.

To exercise any of these rights, contact us using the details in the footer. We will respond within the timeframes required by GDPR.

We use only the cookies and similar technologies necessary to operate the platform and keep you signed in, plus, where applicable, analytics with your consent. A separate cookie notice will be provided in the application before commercial launch.

We may update this policy as the platform evolves towards commercial launch. We will post the updated version here and update the "last updated" date.