AI Usage Policy

“Zika Group” Ltd operates Legas.ai, registered in Bulgaria under UIC 200383579, VAT BG200383579, Plovdiv, Bulgaria. This Policy explains how artificial intelligence is used on the platform, what it does and does not do, and what users can expect from AI-generated outputs. It is published under Article 50 of Regulation (EU) 2024/1689 (the EU AI Act).

Legas.ai uses the Claude API, developed by Anthropic PBC, USA. The model is Claude Sonnet 4.6 (claude-sonnet-4-6), a large language model. The Claude API receives the user’s intake questionnaire answers and generates a GDPR compliance document based on that information. Anthropic PBC processes this data as a data processor under a Data Processing Agreement.

The AI is used for two things: generating GDPR compliance documents (Privacy Policy, Cookie Policy, Employee Privacy Notice, Data Processing Agreement, Records of Processing Activities, Data Breach Response Plan, DSAR Procedure, DPIA Template) and generating GDPR & Cybersecurity Recommendations Reports.

The AI does not:

• make legal decisions or provide legal advice
• access external data during generation
• store user data for training
• apply automated decision-making with significant effects on users under Article 22 of Regulation (EU) 2016/679

Legas.ai is a limited risk AI system under Regulation (EU) 2024/1689. It does not fall within the prohibited practices in Article 5 or the high-risk categories in Annex III. Under Article 50, the Company discloses that all documents are AI-generated.

Article 6 reserves the high-risk classification for AI systems that make or substantially influence decisions about natural persons in specific areas: employment screening, creditworthiness assessment, biometric identification, law enforcement, justice administration, and access to essential private services.

Legas.ai generates compliance documentation. The user reads the output, edits it if needed, and decides whether to publish. Nothing is sent anywhere without a human making a deliberate choice to do so.

Article 50 covers AI systems that produce content for natural persons. The requirement is disclosure. This Policy, the intake form, the document preview, and the footer of every generated document carry that disclosure.

The AI-generated nature of every document is disclosed:

• on the intake form before submission
• on the document preview page before download
• in the footer of every generated document (“Generated by Legas.ai — for review by qualified legal counsel before publication”)
• in the Terms and Conditions

AI-generated documents should be reviewed by a qualified lawyer before use.

Every document is generated from the user’s own answers. Incomplete or inaccurate answers produce incomplete or inaccurate documents. The AI cannot verify facts.

System prompts were written by a certified GDPR specialist with 8+ years of experience and 15+ years of legal practice, and are updated when guidance changes. The platform does not warrant that any document is legally complete or fit for a specific purpose.

Each document type has a dedicated system prompt covering the GDPR articles it must address. The Privacy Policy prompt covers Articles 13 and 14. The DPA covers Article 28. The ROPA covers Article 30. Each prompt is written and maintained by a specialist and a team of legal practitioners.

Prompts are reviewed when the EDPB publishes new guidelines, when a supervisory authority decision clarifies the interpretation of an article, or when a user identifies a gap in a generated document. The platform checks edpb.europa.eu weekly. When guidance changes, the relevant prompt is updated and subscribers receive an email describing what changed and which documents they may want to regenerate.

The platform records the date each document was generated. Users can regenerate any document at any time.

Do not use the platform to:

• generate documents based on false information
• generate documents for businesses you do not represent
• attempt to extract the underlying prompts
• treat AI output as final legal advice without independent review

User answers are sent to the Anthropic Claude API via HTTPS. This is a transfer of personal data to a processor in the USA, covered by Standard Contractual Clauses under Article 46 of Regulation (EU) 2016/679. Anthropic does not use API data to train its models and does not retain data beyond the API request.

Full details are in the Privacy Policy at legas.ai/privacy-policy.

Questions or complaints about the AI system:

“Zika Group” Ltd
UIC 200383579, VAT BG200383579
Plovdiv, Bulgaria
Email: contact@legas.ai
Website: legas.ai

This Policy is updated when the AI system changes, when applicable law changes, or when supervisory authority guidance requires it.

Is AI-generated legal content legally valid?

AI-generated content is not inherently invalid. A document built from accurate information about your business, covering the required legal elements, and reviewed before publication can satisfy the same legal standard as one drafted by a lawyer. The problem is not the source of the output — it is inaccuracy. If the inputs are wrong, the document will be wrong. You are responsible for the accuracy of what you submit and for reviewing the output before use.

Can I rely on an AI privacy policy without independent review?

This policy and the document footer both recommend having a lawyer review the output before publication. That recommendation is not a disclaimer formality. A lawyer reviewing a well-structured document takes less time than drafting from scratch, because the structure is correct and the legal basis analysis is already done. The recommendation is to review it, not to publish it and hope it holds up.

How is Legas.ai different from a GDPR template generator?

Template generators put your name on a pre-written document. Every business using that template gets the same policy, regardless of what they actually process, which processors they use, or which legal basis applies to each activity. Legas.ai generates from your answers. A SaaS company using PostHog for analytics under legitimate interests gets a different policy than an e-commerce store using Google Analytics under consent. The output describes your data processing, not a hypothetical business’s.

What should I do after downloading my document?

Read it. Confirm that the processing activities, legal bases, and processor names match your actual setup. If something is wrong, update your answers and regenerate — regeneration is included in your subscription. Have a lawyer review it if you have any doubts. Then publish it somewhere permanently accessible on your website, and update it when your processing activities change or new guidance requires it.