Legal
Privacy Policy
Last updated · April 2026
Muyisho (operated by Hendrik M. Wendland, “Muyisho”, “we”, “us”) respects your privacy and is committed to protecting personal data we hold about you. This Privacy Policy explains what we collect, why, how we use it and the rights you have under the GDPR and other applicable data protection laws.
01
Roles and scope
Muyisho is offered to law firms and other legal entities for professional use under a written subscription agreement (each, a “Subscriber Agreement”).
This Privacy Policy applies where Muyisho acts as the data controller — for example, in relation to user account information or website usage data. It does not cover the case data, transaction documents, party information or revenue figures uploaded into the platform (“Content”), which we process as a data processor on behalf of the relevant Subscriber under a Data Processing Agreement. Any rights requests concerning Content should be addressed to the relevant Subscriber.
02
Information we collect
Information you provide
- Account information: name, business email address, role, language preference and authentication credentials (passwords are stored only as salted hashes).
- Communication information: messages you send us via email, the demo request form or support channels, and any details you choose to share.
- Profile details: for local counsel and M&A counsel users, the law firm, title and contact details that identify you to lead counsel within a matter.
Information we collect automatically
- Log data: IP address, browser type, request time, URL accessed, HTTP status, operating system and browser version. Required to deliver the service over the internet (Art. 6 (1) (f) GDPR).
- Session data: device fingerprint, user agent and IP address are stored alongside each NextAuth session token to support concurrent session management and security audit logging.
- Usage data: the actions you take in the platform, the features you use, login times and access patterns. Used to operate, secure and improve the service.
- Security audit log: every sign-in, sensitive decryption, decision change, role grant and similar event is recorded with a risk score for security and compliance purposes.
Cookies
We use only strictly necessary cookies to keep you signed in (NextAuth session cookie) and to remember that you have completed the alpha-access check. We do not use advertising or third-party analytics cookies. Where additional cookies are introduced in the future, we will update this Privacy Policy and, where required, obtain your consent.
03
How we use your data
- To provide, administer, maintain and improve the platform.
- To authenticate you, manage your sessions and enforce role-based access.
- To respond to support requests, demo enquiries and other communications you initiate.
- To safeguard the platform, detect and prevent unauthorised access, fraud or misuse.
- To comply with legal, regulatory and bar association obligations applicable to us.
- To enforce our Terms of Service and protect our rights and the rights of Subscribers.
The legal bases we rely on are: performance of a contract (Art. 6 (1) (b) GDPR), our legitimate interests in operating and securing the service (Art. 6 (1) (f) GDPR), and compliance with legal obligations (Art. 6 (1) (c) GDPR). Where we rely on consent (e.g. for optional product communications), you may withdraw it at any time without affecting the lawfulness of prior processing.
04
Sensitive financial data
Revenue figures and any financial amounts entered into the platform are encrypted at rest using AES-256-GCM with PBKDF2 key derivation. Business units can be additionally password-protected per matter; in that case the encryption key is derived from a password supplied by the user and is not retained by us. We do not log or store decrypted values.
05
Sharing your data
We do not sell personal data. We share data only as follows:
- Within a matter: your name, email and role are visible to other authorised users on the same matter (lead counsel, local counsel, M&A counsel and client portal users) so that you can collaborate.
- Service providers: hosting and infrastructure providers, transactional email providers and similar processors acting on our documented instructions under a written data processing agreement.
- Legal obligations: where we are required to disclose data to comply with law, regulation, court order or to protect our rights or those of users.
- Business changes: in the event of a merger, acquisition or sale of all or part of our business, personal data may be transferred as part of the transaction subject to equivalent privacy commitments.
06
International transfers
We process personal data within the European Economic Area wherever possible. Where data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V of the GDPR — in particular adequacy decisions, the European Commission's Standard Contractual Clauses, or applicable certification schemes such as the EU-US Data Privacy Framework — and supplementary technical and organisational measures where required.
07
Retention
We retain personal data only for as long as necessary for the purposes for which it was collected:
- Account information is retained for the duration of the Subscriber Agreement and deleted (or anonymised) on termination, subject to the timelines set out in the relevant agreement.
- Security audit logs are retained for as long as necessary to meet our security, compliance and bar association obligations, typically up to 24 months.
- Communication records (e.g. support emails) are retained only as long as necessary to address your enquiry and any related legal claims.
- Where we are subject to a statutory retention obligation (e.g. tax or bookkeeping), data is retained for the period required by law.
08
Your rights
Under the GDPR and equivalent laws you have the following rights in relation to personal data we hold about you:
- Right of access — to obtain confirmation that we process your data and a copy of it.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure — to ask us to delete your data, subject to exceptions provided by law.
- Right to restriction of processing — to limit how we use your data while a request is being assessed.
- Right to object — to processing that is based on our legitimate interests, including profiling.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to withdraw consent — where we rely on consent, you may withdraw it at any time.
- Right to lodge a complaint — with your local data protection supervisory authority.
To exercise any of these rights, please contact privacy@muyisho.com. We may need to verify your identity before processing your request and we will respond within one month of receipt, in line with Art. 12 GDPR.
09
Security
We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to it. These include encryption in transit (TLS 1.2+), encryption at rest (AES-256-GCM) for sensitive financial data, role-segregated access, configurable lockout and rate-limit policies, multi-factor authentication where enabled, and an immutable security audit log.
You are responsible for safeguarding your access credentials and for promptly reporting any suspected unauthorised access to security@muyisho.com.
10
Changes to this Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “last updated” date at the top of this page and, where the changes are material, notify you through the platform or by email.
11
Contact
If you have questions about this Privacy Policy or how we process personal data, please contact us at privacy@muyisho.com, or by post:
Hendrik M. Wendland
Neusser Str. 339
50733 Köln
Germany