GDPR Compliance

Legitimate Interests Assessment

Article 6(1)(f) UK GDPR — Three-Part Test Documentation

ICO Registered Data Controller — ZB812547

This Legitimate Interests Assessment (LIA) documents CourtCraft Advocate Ltd's three-part test for each processing activity relying on Article 6(1)(f) UK GDPR as its legal basis. This document was prepared in May 2026 and must be reviewed annually or when processing activities change.

What is a Legitimate Interests Assessment?

Under Article 6(1)(f) UK GDPR, processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

The ICO requires controllers relying on legitimate interests to conduct a three-part test:

1

Purpose Test

Is there a legitimate interest? The interest must be real, present, and not trivial.

2

Necessity Test

Is the processing necessary? Could the same purpose be achieved with less privacy impact?

3

Balancing Test

Do the individual's interests override the legitimate interest? Consider impact, expectations, and safeguards.

⚠️ Important Note on Special Category Data

Legitimate interests cannot be used as the legal basis for processing special category data under Article 9 UK GDPR. All processing of special category data (health, domestic abuse, etc.) relies on Article 9(2)(a) explicit consent, Article 9(2)(f) legal claims, and/or Article 9(2)(g) substantial public interest. This LIA covers only Article 6 processing activities.

LIA 01

Platform Security & Fraud Prevention

✓ Passes

Purpose

Protecting the platform and its users from unauthorised access, scraping, abuse, and fraud

1. Purpose Test

CourtCraft has a legitimate interest in maintaining the security and integrity of its platform. This protects both the business and the data subjects who use the service. Security monitoring is a recognised legitimate interest under Recital 47 UK GDPR.

2. Necessity Test

Processing IP addresses, session fingerprints, access timestamps, and usage patterns is necessary to detect and prevent security threats. No less privacy-intrusive alternative would achieve the same security outcome. Data is processed at the minimum level required for threat detection.

3. Balancing Test

Data subjects have a reasonable expectation that a platform handling their sensitive legal data will implement security monitoring. The processing is limited to security purposes only and is not used for profiling or marketing. The benefit to data subjects (protection of their sensitive data) outweighs the minimal privacy intrusion of security logging.

Safeguards in Place

Security logs retained for 12 months onlyAccess to logs restricted to authorised personnelLogs not used for any purpose other than securityData subjects informed in Privacy Policy

LIA 02

Platform Improvement via Anonymised Analytics

✓ Passes

Purpose

Improving platform features and user experience through analysis of anonymised usage patterns

1. Purpose Test

CourtCraft has a legitimate interest in improving its service. Better features directly benefit data subjects who rely on the platform for legal case preparation. This is a standard and widely recognised legitimate interest.

2. Necessity Test

Anonymised usage data (feature usage counts, navigation patterns, error rates) is the minimum necessary to identify improvement opportunities. Individual user data is not required for this purpose — aggregate anonymised data is sufficient.

3. Balancing Test

Data subjects benefit directly from platform improvements. Analytics data is anonymised before analysis. Data subjects can opt out of analytics via GDPR settings. The processing does not involve special category data and does not create individual profiles.

Safeguards in Place

Analytics data anonymised before processingOpt-out available via GDPR Compliance CentreGoogle Analytics configured with IP anonymisationNo cross-site tracking

LIA 03

Transactional Email Communications

✓ Passes

Purpose

Sending account verification, court date reminders, booking confirmations, and service notifications

1. Purpose Test

CourtCraft has a legitimate interest in communicating with users about their account and service. Court date reminders in particular serve a direct benefit to data subjects who may miss critical court deadlines without them.

2. Necessity Test

Email is the minimum necessary channel for transactional communications. Users cannot receive court date reminders or booking confirmations without providing an email address. No less intrusive alternative achieves the same outcome.

3. Balancing Test

Data subjects have a reasonable expectation of receiving transactional communications when they create an account and book services. These communications are directly requested by or directly benefit the data subject. Marketing emails require separate consent and are not covered by this LIA.

Safeguards in Place

Transactional emails only — no marketing without consentUnsubscribe option in all emailsEmail addresses not shared with third parties for marketingResend (processor) bound by DPA

LIA 04

Session Fingerprinting for Account Security

✓ Passes

Purpose

Detecting account takeover and session hijacking by comparing session characteristics

1. Purpose Test

CourtCraft has a legitimate interest in protecting user accounts from takeover. Given the sensitive nature of family law data (including domestic abuse disclosures), account security is particularly important.

2. Necessity Test

Session fingerprinting (browser characteristics, IP, device type) is necessary to detect anomalous access patterns that may indicate account compromise. Standard authentication alone is insufficient to detect session hijacking.

3. Balancing Test

The processing involves technical session data only — not content data. Data subjects benefit directly from account protection. The sensitivity of the data processed by CourtCraft (special category data) means the security benefit is proportionate to the privacy intrusion. Data subjects are informed in the Privacy Policy.

Safeguards in Place

Fingerprint data used for security onlyNot used for tracking, profiling, or advertisingRetained for session duration plus 30 daysData subjects informed in Privacy Policy

LIA 05

Abuse Prevention & Rate Limiting

✓ Passes

Purpose

Preventing automated abuse, scraping, and API misuse that could harm the platform and other users

1. Purpose Test

CourtCraft has a legitimate interest in preventing abuse of its AI systems and API. Automated abuse could degrade service quality for legitimate users and expose the platform to financial and reputational harm.

2. Necessity Test

Rate limiting and abuse detection require processing request metadata (IP, request frequency, patterns). This is the minimum necessary to identify and block abusive behaviour.

3. Balancing Test

Legitimate users are not affected by abuse prevention measures in normal use. The processing is limited to technical metadata and does not involve content data. The benefit to all users (maintained service quality) outweighs the minimal privacy intrusion.

Safeguards in Place

Rate limit data retained for 24 hours onlyNo content data processed for abuse detectionBlocks are temporary and reviewableData subjects informed in Terms of Service

LIA 06

AI Conversation History Retention (30 days)

⚠ Borderline

Purpose

Retaining AI conversation context to provide continuity of legal guidance across sessions

1. Purpose Test

CourtCraft has a legitimate interest in providing a coherent, contextual AI experience. Without conversation history, users must re-explain their case at every session, reducing the quality of legal guidance.

2. Necessity Test

Short-term retention (30 days) of conversation history is necessary to provide contextual AI responses. Longer retention is not necessary for this purpose. Users can delete their conversation history at any time.

3. Balancing Test

This is a borderline case because conversation history may contain special category data. The 30-day retention limit and user control (deletion on demand) mitigate the privacy risk. However, CourtCraft also relies on Article 9(2)(a) explicit consent for special category data in conversations, which provides an additional legal basis.

Safeguards in Place

Conversation history deleted after 30 daysUsers can delete history at any time via GDPR settingsHistory not used for AI model trainingEncrypted at rest with row-level securityArticle 9(2)(a) explicit consent also obtained for special category data

Review Schedule

This LIA must be reviewed:

  • Annually (next review: May 2027)
  • When a new processing activity relying on legitimate interests is introduced
  • When the nature of an existing processing activity changes significantly
  • Following a data breach or ICO investigation
  • When relevant ICO guidance or case law changes
First prepared: May 2026Next review: May 2027ICO Reg: ZB812547