Controller and data protection contact
Controller
top.legal GmbH
Data protection contact
top.legal GmbH – data protection contact
Please direct data protection enquiries concerning top.legal to the responsible internal office using the email address above.
Competent supervisory authority
Bavarian State Commissioner for Data Protection (BayLfD)
Under Article 77 GDPR you have the right to lodge a complaint with the supervisory authority at any time if you believe that the processing of your personal data infringes the GDPR.
Purpose and legal basis of processing
top.legal processes your personal data as a processor on behalf of your employer or the company that has licensed the top.legal platform (the “Client”). The Client is the controller under data protection law for the content you process within the platform.
top.legal is independently responsible for the technical provision of the platform and the associated processing of usage data. The legal bases are:
- Article 6(1)(b) GDPR – performance of a contract (provision of the platform to the Client)
- Article 6(1)(f) GDPR – legitimate interests (operation, security and improvement of the platform, troubleshooting)
- Article 6(1)(c) GDPR – compliance with legal obligations
Categories of data processed
Personal master data
Salutation, last name, first name, address, title – collected at registration or when invited by the Client.
Communication data
Email address, phone number – for user communication, notifications and support.
Contract master data
Contractual relationships and product or contract interests captured and managed in the course of using the platform.
Technical usage data
Login time, IP address, device used, browser, location, MAC address and information about the product version in use – this data is collected automatically when the platform is accessed and serves secure operation and troubleshooting.
Content within the platform
Categories of data subjects
- Employees of the Client who use the top.legal platform
- Clients and business customers of the Client whose data is captured and managed within the platform
Storage period and deletion
top.legal stores your personal data only for as long as is necessary to fulfil the purposes of the contract or as long as statutory retention obligations exist.
Upon termination of the main contract between top.legal and the Client, all data is returned or deleted at the Client's request. The applicable periods and the procedure are documented in the top.legal deletion concept: www.top.legal/loeschkonzept
Technical usage data (log files) is deleted after 30 days at the latest, unless statutory retention obligations require otherwise.
Subprocessors (approved processors)
top.legal uses the subprocessors listed below to operate the platform. Data processing agreements pursuant to Article 28 GDPR are in place with all subprocessors. All data is processed and stored within the European Union. Personal data is, in principle, not transferred to third countries. Where subprocessors use group-internal sub-processors in third countries, the European Commission's Standard Contractual Clauses (SCCs) are additionally in place as a supplementary safeguard.
| Company | Purpose | Registered office / hosting | Transfer |
|---|---|---|---|
| Amazon Web Services EMEA SARL (AWS) | Platform operation (app.top.legal), automated email dispatch, data storage; AI-assisted contract analysis (AWS Bedrock) | Frankfurt, Germany (eu-central-1); AWS EMEA SARL, Luxembourg | EEA; SCCs suppl. |
| HubSpot Ireland Limited | Management of user data for support requests (no end-customer data) | 2nd Floor, 30 North Wall Quay, Dublin 1, Ireland (EU) | EEA; SCCs suppl. |
| Google Germany GmbH | Dispatch of transactional emails (user notifications); AI-assisted contract analysis | ABC-Straße 19, 20354 Hamburg, Germany (EU) | EEA; SCCs suppl. |
| PostHog GmbH | Error tracking (error logs, stack traces) and product analytics (user behaviour, pseudonymised) | Oskar-von-Miller-Ring 20, 80333 Munich; Hosting: Frankfurt (eu-central-1) | EEA; SCCs suppl. |
| Crisp IM SAS | Real-time customer support (live chat within the application) | 2 Boulevard de Launay, 44100 Nantes, France (EU) | EEA; SCCs suppl. |
| Product Fruits s.r.o. | User onboarding, web-based platform features, transactional emails as part of onboarding | Rozdělovská 1999/7, 169 00 Prague 6, Czech Republic (EU); Hosting: AWS Ireland (EU) | EEA; SCCs suppl. |
| SatisMeter s.r.o. | Collection of user feedback and rating of platform features | Česká 1113/1, Prague 5, 158 00, Czech Republic (EU) | EEA |
The current list of approved subprocessors is available in the DPA at www.top.legal/avv-saas (Appendix 1). Changes are communicated to the Client in good time.
Anonymisation
top.legal is entitled to anonymise the personal data processed in the course of platform use. Fully anonymised data – from which no conclusions about individual persons can be drawn – may be processed and used by top.legal for its own purposes such as statistical analyses, benchmarking, product improvements and the development of new products.
Your rights as a data subject
- Article 15 GDPR – Right of access
- Article 16 GDPR – Right to rectification
- Article 17 GDPR – Right to erasure
- Article 18 GDPR – Right to restriction of processing
- Article 20 GDPR – Right to data portability
- Article 21 GDPR – Right to object
For requests regarding the usage data that top.legal processes independently: datenschutz@top.legal
The right to lodge a complaint with the supervisory authority is described in section 02.
Technical and organisational measures
top.legal takes comprehensive technical and organisational measures pursuant to Article 32 GDPR to protect your data, including measures for physical access, system access, data access, transfer, input, instruction, availability and separation control.
The technical and organisational measures currently in force can be viewed at: www.top.legal/toms
Reservation of changes
top.legal reserves the right to amend this privacy policy at any time in order to adapt it to changed legal situations or changes to the platform. Changes are communicated to users in good time via the platform or by email. The current version is always available within the platform and at www.top.legal/datenschutz.
As of June 2026 · top.legal GmbH · Munich