Privacy
AI MCP Connector — Privacy Notice
Effective: 4 June 2026
1. Identity of data controller and processor
Section titled “1. Identity of data controller and processor”Your organization controls the personal data in your Consilio account (as the data controller). Consilio LLC (“Consilio”) processes that data as your data processor solely to operate the AI Connector. The third-party AI provider you have connected (the “AI Provider”) processes data within its environment as a separate processor directly appointed by your organization under your enterprise agreement with that AI Provider.
2. What data is processed and why
Section titled “2. What data is processed and why”When you submit a query via the AI Connector, Consilio retrieves the matter data relevant to your request (including document text, custodian details, metadata, and review annotations) from your account and transmits it to the AI Provider’s environment on your instruction. This data is processed solely to generate AI-assisted responses to your queries. Your acceptance of this notice, together with your identity, IP address, timestamp, and the notice version, is logged and retained for compliance purposes. For further information on the personal data processed by Consilio, see our Privacy Policy.
3. Lawful basis
Section titled “3. Lawful basis”Your organization, as controller, is responsible for identifying the applicable lawful basis under Article 6 GDPR (typically legitimate interests or performance of a legal task) and, where special category data is involved, a condition under Article 9 GDPR (typically the legal claims basis under Article 9(2)(f)). Where processing is also subject to applicable local data protection laws, your organization is responsible for identifying and documenting any additional or alternative legal bases required.
4. International transfers
Section titled “4. International transfers”The AI Provider may process data outside your jurisdiction, including in the United States. Your enterprise agreement with the AI Provider should include an appropriate transfer mechanism where applicable, which may include: (i) the EU Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914, together with the UK Addendum issued by the ICO, where transfers are subject to UK and/or EU GDPR; or (ii) an applicable adequacy decision for the destination country. Consilio transfers data in accordance with your instructions and in the jurisdiction you designate.
5. Retention
Section titled “5. Retention”Consilio retains matter data in accordance with your organization’s Consilio Master Services Agreement. Data transmitted to the AI Provider is subject to that AI Provider’s retention terms. Where your organization has a zero data retention (ZDR) arrangement with the AI Provider, inputs and outputs are deleted immediately after each response is returned. Consilio strongly recommends a ZDR (or equivalent no-retention, no-training) arrangement for all clients processing live matter data.
6. Your rights
Section titled “6. Your rights”Data subjects have rights under their applicable privacy laws, which may include rights of access, rectification, erasure, and objection under the GDPR. Requests relating to data held by Consilio should be directed to your organization in the first instance. Requests relating to the AI Provider’s processing should be directed to that AI Provider using the contact details in its privacy notice. You have the right to lodge a complaint with the ICO (ico.org.uk) for UK GDPR matters, or with the competent supervisory authority in your jurisdiction.
7. Contact
Section titled “7. Contact”Your personal data will be processed by Consilio in accordance with our Privacy Policy. For data protection queries, contact: privacy@consilio.com.