Discretion by Design: Privacy Policy
Last updated: June 1, 2026
Part A - General Information (applies to all users and clients)
A1. Controller
LEGALIS CONSULTANTS LLC
Florida Limited Liability Company
7901 4th Street North #300
St. Petersburg
FL 33702
USA
Florida Document Number: L26000140135
Represented by: Dr. Mathias Kunze (Authorized Member)
E-Mail: gdpr@legalis.biz
A2. Applicability and Governing Law
LEGALIS CONSULTANTS LLC is established in Florida, USA. The processing of personal data is generally governed by the law of the USA and of the State of Florida.
For clients and users located in the European Union, the requirements of the General Data Protection Regulation (GDPR) apply in addition. The provisions relevant to this are set out in Part B of this Policy and apply exclusively to those persons.
This Policy concerns the processing of personal data of natural persons. In the case of corporate clients, this concerns the natural persons acting for them or associated with them (e.g., legal representatives, contact persons, beneficial owners); a company as such has no personal data.
A3. Data Processed
Via the contact and intake form, the following are collected: first name, last name, company (optional), e-mail address, business activity, and a case description. Documents relating to the matter may additionally be uploaded as PDF. For identity verification (KYC), a valid official identity document (passport, national identity card, or an equivalent document) must additionally be presented.
In addition, the following are processed in particular:
- identification data (name; ID/passport data; for legal entities, details of beneficial owners, authority to represent, and registration),
- contact data (e-mail address),
- company and business data (company name, business activity),
- content data relating to the matter (case description and uploaded documents),
- payment data,
- usage and technical data (e.g., IP address, time of access, browser and device information, cookie data).
A4. Purposes of Processing
The data are processed for the purpose of:
- operating, maintaining the stability of, and securing the website,
- handling inquiries via the contact/intake form and preparing the Pre-Assessment,
- conducting the Initial Consultation (including review of documents, advisory session, and written follow-up),
- identity verification and screening with regard to money laundering, terrorist financing, and sanctions/embargo requirements (KYC),
- processing payments,
- reach and usage analysis of the website (solely on the basis of consent),
- AI-supported analysis and preparation of the matter for the advisory,
- the integration and use of social media plugins (solely on the basis of consent).
A5. Recipients and Service Providers
Access to data is granted only to persons and service providers to the extent necessary for the stated purposes. These include in particular:
- a hosting/server provider for the website,
- an e-mail provider,
- the provider of the video conferencing service used for the advisory session,
- Google (Google Analytics),
- providers of embedded social networks (see Section A7),
- an AI/analytics service provider supporting case handling,
- payment service providers (Wise for sent payment links and/or a payment service provider for card payments) and the account-holding bank,
- where necessary, engaged licensed professionals (attorneys, tax advisors, auditors),
- IT and security service providers.
A6. Cookies and Web Analytics
The website uses technically necessary cookies and - following active consent via the cookie banner - Google Analytics for reach and usage analysis. Analysis takes place only after consent has been given; consent may be withdrawn at any time with effect for the future via the cookie settings. Google Analytics is provided by Google; data may be transferred to the USA in this context.
A7. Social Media Plugins and Links
The website contains plugins or links to the social networks Facebook, Instagram, X, LinkedIn, YouTube, and TikTok. If these are activated, personal data (e.g., IP address, usage information) may be transmitted to the respective providers, which are independently responsible for such processing and process the data under their own terms. A transfer of data to the USA is possible in this context. Where integration requires consent, it takes place only after consent has been given via the consent banner; consent may be withdrawn at any time with effect for the future.
A8. Processing in the USA and Internationally
As the Controller is established in the USA, personal data are processed in the USA. Individual service providers may also process data in further countries. For clients in the EU, the supplementary provisions in Part B (Section B4) apply in this respect.
A9. Retention Periods
Personal data are stored only for as long as is necessary for the respective purposes or as long as statutory retention obligations exist.
- Server log files: no longer than 30 days.
- Inquiries without a subsequent engagement: deletion as soon as no longer required, at the latest after 6 months.
- Mandate- and advisory-related data: for the duration of the business relationship and, after its end, within the scope of any retention obligations.
- Identity document data (KYC): in accordance with internal anti-money-laundering/compliance policies, for the duration of the business relationship and for five (5) years after its end.
- Web analytics data: in accordance with the retention period configured in Google Analytics.
A10. Data Security
The Controller takes appropriate technical and organizational measures to protect personal data. The handling of information follows the standards of the information security management system (ISO 27001:2022).
A11. Rights of Users
Irrespective of place of residence, every user may request information about the data processed concerning them, the rectification of such data, and its deletion, and may object to web analytics by withdrawing their cookie consent. Requests are to be directed via the contact form or in writing to the above address. Further statutory rights of persons in the EU are set out in Part B (Section B5).
A12. Contact for Data Protection Matters
Inquiries regarding data protection are to be directed via the contact form on this website or in writing to the above address. Clients in the EU may additionally contact the EU representative (Section B2).
A13. Changes to this Privacy Policy
This Privacy Policy may be amended with effect for the future. The version published at the relevant time is authoritative (see "Last updated" above).
A14. Language
This Privacy Policy is executed in the English language. Only the English version is legally binding.
Part B - Supplementary Provisions for Clients in the European Union (GDPR)
B1. Scope of this Part
This Part B applies exclusively to natural persons located in the European Union and supplements Part A. To the extent that provisions conflict, Part B prevails for those persons.
B2. EU Representative (Art. 27 GDPR)
As the Controller is established outside the EU, a representative in the EU has been designated:
LEGALIS Associates LTD
87 Prilep Street, 3rd Floor, Office 30
9000 Varna, Bulgaria
Contact: via the contact form on this website or in writing to the above address
Data subjects in the EU may contact both the Controller and the EU representative in data protection matters.
B3. Legal Bases for Processing
For the purposes set out in Part A, the following legal bases apply with respect to persons in the EU:
- operation and security of the website and server log files: legitimate interest (Art. 6(1)(f) GDPR).
- contact/intake form and Pre-Assessment: pre-contractual measures (Art. 6(1)(b) GDPR) and legitimate interest (Art. 6(1)(f) GDPR).
- conducting the Initial Consultation: performance of a contract (Art. 6(1)(b) GDPR).
- identity verification and money-laundering/sanctions screening (KYC): legitimate interest in risk and abuse prevention (Art. 6(1)(f) GDPR) and pre-contractual or contractual necessity (Art. 6(1)(b) GDPR).
- payment processing: performance of a contract (Art. 6(1)(b) GDPR).
- AI-supported analysis and preparation of the matter: performance of a contract (Art. 6(1)(b) GDPR) or legitimate interest (Art. 6(1)(f) GDPR).
- web analytics (Google Analytics) and social media plugins: consent (Art. 6(1)(a) GDPR).
B4. Transfers to Third Countries
Personal data of persons in the EU are transferred to and processed in the USA and, where applicable, in further third countries, in particular by the US-based Controller and by individual service providers (e.g., Google, social network providers, AI service providers). Where a third country does not offer a level of data protection recognized as adequate by the EU Commission, the transfer takes place on the basis of appropriate safeguards, in particular the EU Commission's Standard Contractual Clauses, or on the basis of explicit consent or the necessity for the performance of a contract (Art. 44 et seq. GDPR).
B5. Rights of the Data Subject
Persons in the EU have the following rights:
- Access (Art. 15 GDPR): to learn whether and which personal data are processed and to receive a copy of such data.
- Rectification (Art. 16 GDPR): to have inaccurate or incomplete data corrected or completed.
- Erasure (Art. 17 GDPR): to request the deletion of the data, unless statutory retention obligations or other legal grounds preclude this.
- Restriction (Art. 18 GDPR): to have the processing temporarily restricted under certain conditions.
- Data portability (Art. 20 GDPR): to receive the data provided in a structured, commonly used, and machine-readable format, or to have it transferred.
- Objection (Art. 21 GDPR): to object, on grounds relating to the particular situation, to processing based on a legitimate interest; processing will then cease unless compelling legitimate grounds override.
- Withdrawal of consent (Art. 7(3) GDPR): to withdraw consent given (e.g., for web analytics or social media plugins) at any time with effect for the future.
- Complaint (Art. 77 GDPR): to lodge a complaint with the competent data protection supervisory authority.
A notification to the Controller or the EU representative is sufficient to exercise these rights.
B6. Obligation to Provide Data
Certain data are necessary for the provision of the services. In particular, the provision of an identity document is required because LEGALIS performs identity verification to prevent fraud, money laundering, and breaches of sanctions requirements, thereby fulfilling its own compliance and due-diligence obligations. Without successful identity verification, no fee-based advisory is provided; without the required information, a service cannot be provided.
B7. No Automated Decision-Making
Solely automated decision-making, including profiling within the meaning of Art. 22 GDPR, does not take place. Where AI-supported tools are used in preparation, this is done solely in a supporting capacity; the decision is made by LEGALIS itself.