Privacy Policy | LaunchedIn10 Law

This privacy policy explains what data LaunchedIn10 Law collects, how it’s used, where it’s stored, who it’s shared with, and the controls available to you. It applies to law.launchedin10.co.uk, the audit service offered there, and any access granted to your Google Ads account through that service.

1. Who we are

The data controller is LaunchedIn10, trading as LaunchedIn10 Law for the purposes of this service.

Trading name: LaunchedIn10 Law
Registered office: 61 Bridge Street, Kington, Herefordshire, HR5 3DJ, United Kingdom
Website: law.launchedin10.co.uk
Privacy contact: privacy@launchedin10.co.uk
Hub: launchedin10.co.uk

2. What this service does

LaunchedIn10 Law provides a Google Ads audit and ongoing management service for UK law firms. To deliver an audit, the firm grants read-only access to its Google Ads account. The audit identifies wasted spend, broken tracking, and structural issues. Findings are walked through live on a review call.

3. Data we collect

3.1 Information you provide directly

Audit booking: firm name, your name, work email, firm website, preferred date and time
Concierge chat: messages you send to the on-page concierge, plus any name/email submitted via the chat’s lead form
Correspondence: emails and replies sent to or from law@launchedin10.co.uk or privacy@launchedin10.co.uk

3.2 Information accessed via the Google Ads API

When you grant access through Google’s consent screen, the service accesses the following Google user data via the https://www.googleapis.com/auth/adwords scope, in read-only capacity:

Account structure (campaigns, ad groups, ads, keywords, audiences)
Performance metrics (impressions, clicks, conversions, cost, quality scores)
Search terms and ad copy
Account settings (geo-targeting, schedules, bid strategies, ad extensions)

The service never accesses billing details, payment methods, account ownership controls, or anything outside the read-only Google Ads scope. The service does not request any other Google scope.

3.3 Information collected automatically

Standard server logs (IP address, browser, request timestamps) for security and debugging, retained for 30 days
No third-party advertising trackers, no cross-site behavioural tracking

4. Why each Google scope is requested

The adwords scope is the minimum scope necessary to deliver the audit. Read-only access is requested explicitly so that no changes can be made to your account during the audit phase.

Scope	Purpose	Mode
`https://www.googleapis.com/auth/adwords`	Run the 12-point audit against the firm’s Google Ads account: identify wasted spend, broken conversion tracking, weak campaign structure, and missed optimisations.	Read-only for audit; management access (write capability) is granted separately, only after a signed agreement, via Google’s standard MCC manager-account flow.

5. How we use the data

Deliver the audit — analyse the account against our 12-point checklist, generate a written report, walk you through findings on the review call
Communicate — confirm bookings, send reports, answer follow-up questions
Improve the service — identify common patterns across audited accounts, in aggregate and anonymised form only; no individual firm’s data is used to train any AI model or third-party system
Operate, secure, and improve the website — via standard server logs and integrity checks

6. Limited Use compliance (Google API Services User Data Policy)

LaunchedIn10 Law’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Google Ads data accessed via OAuth is:

Used only to provide and improve the audit and management features that are prominent in the LaunchedIn10 Law user-facing service
Not transferred or sold to AI models, third parties, advertisers, or for any other monetisation purpose
Not used to serve advertisements
Not read by humans except: with your explicit consent; for security and abuse investigations; to comply with applicable law; or for limited internal operations where the data has been anonymised and aggregated

7. AI processing

Parts of the audit pipeline use AI agents (proprietary, plus models from Anthropic and Google) to summarise findings and generate the written report. When AI processing is used:

Account data is sent to AI providers under their zero-retention enterprise agreements where available, and is not used by those providers to train their models
Output is reviewed by a human strategist before any client-facing report is sent
No Google user data is used to train any LaunchedIn10 model

8. Sharing & third parties

The service uses a small set of named processors. None of them sell or repurpose data:

Supabase — database hosting (booking records, OAuth tokens, audit metadata). EU region. Supabase privacy.
Cloudflare — static hosting and DNS for the website. Cloudflare privacy.
Google — Google Ads API access (via OAuth) and standard fonts. Google privacy.
Anthropic — AI processing for audit synthesis under zero-retention enterprise terms. Anthropic privacy.
n8n — workflow automation (concierge chat, follow-ups), self-hosted on our own infrastructure.

Data is never sold, rented, or transferred for advertising or model-training purposes.

9. Storage, security, retention

Encryption in transit — all data moves over TLS 1.2+
Encryption at rest — via Supabase’s managed Postgres and Cloudflare’s storage
Access control — role-based, principle of least privilege; row-level security on all client-facing tables
OAuth tokens — stored encrypted, scoped to a single firm’s booking, revocable by you at any time from your Google account at myaccount.google.com/permissions
Server logs — retained 30 days, then deleted
Audit data — retained for the duration of the engagement plus 12 months, then deleted, unless you request earlier deletion
Booking records — retained for 24 months for legal/accounting purposes, then deleted

10. Your rights (UK GDPR)

You have the right to:

Access the personal data we hold about you
Have inaccurate data corrected
Have your data deleted (“right to be forgotten”)
Restrict or object to processing
Data portability — receive a copy in machine-readable form
Withdraw consent at any time
Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk)

To exercise any right, email privacy@launchedin10.co.uk. We respond within 7 working days; your request is fulfilled within 30 days.

11. Revoking Google access

You can revoke our access to your Google Ads account at any time, from either side:

From your Google account: myaccount.google.com/permissions → LaunchedIn10 Law → Remove access
From your Google Ads account (if managed via MCC): Tools & Settings → Access and security → Managers → Remove
By emailing us: privacy@launchedin10.co.uk with “Revoke access” in the subject line. We action within 1 working day.

Revocation immediately invalidates the OAuth token. Any cached audit data is deleted within 7 days of revocation, unless retention is required by law.

12. International transfers

Most data stays within the UK and EU. Some processors (Anthropic, Google, Cloudflare) operate globally; data transferred outside the UK/EU is protected by Standard Contractual Clauses (SCCs) or equivalent UK GDPR-approved mechanisms.

13. Children

This service is for UK SRA-regulated law firms. It is not directed at, or intended for use by, anyone under 18.

14. Cookies & tracking

The site uses functional cookies only — for session state and form submission. No advertising, behavioural, or cross-site tracking cookies are set. No third-party analytics scripts are loaded by default.

15. Changes to this policy

We’ll update this page if our processing changes. The “Last updated” date at the top reflects the most recent revision. Material changes are communicated by email to affected clients at least 14 days before they take effect.

16. Contact

Privacy questions — privacy@launchedin10.co.uk
General — law@launchedin10.co.uk
Post — LaunchedIn10 Law, 61 Bridge Street, Kington, Herefordshire, HR5 3DJ, United Kingdom