Privacy Policy

1. Data Controller and Contact Information

Data Controller: AI Legal Support LLC d/b/a LegatiAI
Business Address: [Arkansas Business Address]
Email: info@legatiai.com
Governing Law: Arkansas, United States

This Privacy Policy is governed by Arkansas law, including the Arkansas Uniform Electronic Transactions Act (Ark. Code § 25-32-101 et seq.) and applicable federal privacy laws.

2. Information We Collect

2.1 Account and Billing Information

• Name, email address, and organizational affiliation
• Billing address and payment method information (processed by Stripe, Inc.)
• Bar admission information (for attorney verification purposes)
• Organization details for legal entity verification

2.2 Document and Case Information

• Legal documents uploaded for processing (including privileged communications)
• Case metadata (case numbers, dates, participant names as contained in documents)
• User-generated annotations, notes, and organizational structure
• Processing preferences and workflow configurations

2.3 Usage and Technical Information

• System access logs and audit trails (for security and compliance)
• Feature usage analytics (aggregated and anonymized)
• Error logs and performance metrics
• IP addresses and browser information (retained for 90 days maximum)

2.4 Information We Do NOT Collect

• Advertising or tracking data for marketing purposes
• Personal communications outside our platform
• Information from other websites or services
• Social media or third-party account information

3. How We Use Your Information

3.1 Primary Service Provision

• Document Processing: AI-powered analysis, organization, and search functionality
• Case Management: Organizing documents, maintaining case structure, and facilitating legal workflows
• User Authentication: Secure account access and authorization controls
• Billing and Payment: Processing subscription fees and usage-based charges

3.2 Security and Compliance

• Access Control: Ensuring only authorized users access specific documents and cases
• Audit and Monitoring: Maintaining comprehensive audit logs for legal compliance
• Threat Detection: Identifying and preventing unauthorized access or data breaches
• Backup and Recovery: Ensuring data availability and disaster recovery capabilities

3.3 Service Improvement (Anonymized Only)

• Performance Optimization: Improving system speed and reliability using anonymized metrics
• Feature Development: Understanding usage patterns to develop new features (no document content analyzed)
• Error Resolution: Identifying and fixing technical issues affecting service quality

4. AI Processing and Data Protection

4.1 Standard Cloud Infrastructure (Just Like OneDrive, Dropbox, etc.)

Important: We use the same type of enterprise cloud infrastructure that legal professionals already trust every day. Just like when you store documents in Microsoft OneDrive, Google Drive, Dropbox, or any other cloud service, your documents are stored securely on enterprise-grade infrastructure.

• Google Cloud Platform: Enterprise-grade infrastructure used by law firms worldwide (same security level as Google Workspace)
• US-Only Processing: All processing occurs within US data centers with data residency controls
• ZERO TRAINING - GUARANTEED: Your documents are NEVER, EVER used to train AI models. This is contractually guaranteed by Google.
• Processing Scope: AI only analyzes your documents when YOU specifically request it - just like any other document analysis tool

4.2 Zero-Knowledge Architecture

• Automated Processing: AI analysis occurs without human review of document content
• Encrypted Processing: Documents remain encrypted during AI analysis
• Temporary Processing: AI results processed and stored without retaining source content in AI systems
• Access Controls: No Legati AI personnel can access your document content without explicit authorization

5. Information Sharing and Disclosure

5.1 No Sharing of Document Content

We never share, sell, rent, or otherwise disclose the content of your legal documents to any third party for any purpose. This includes:

• Marketing or advertising purposes
• Data aggregation or analytics for third parties
• Training AI models (ours or third parties')
• Research or academic purposes

5.2 Standard Cloud Service Providers (Same as Every Law Firm Uses)

We use the same trusted enterprise cloud providers that legal professionals use daily. These are the same companies that host Microsoft OneDrive, Google Workspace, Dropbox Business, and countless other legal technology platforms.

• Google Cloud Platform: Document storage and AI processing (same infrastructure used by legal tech companies worldwide)
• Amazon Web Services (AWS): Additional infrastructure and security services (used by most major legal technology platforms)
• Stripe, Inc.: Payment processing only (PCI DSS compliant, no document access)

5.3 Legal Requirements

We may disclose information only when required by law, such as:

• Valid subpoenas or court orders (we will notify you unless legally prohibited)
• National security requests (with appropriate legal review)
• Law enforcement requests with proper judicial authorization
• We will challenge overly broad requests and seek protective orders when appropriate

6. Data Security

6.1 Encryption

• At Rest: AES-256 encryption for all stored data
• In Transit: TLS 1.3 for all data transmission
• In Processing: Encrypted processing environments for AI analysis
• Key Management: Hardware security modules (HSMs) for encryption key protection

6.2 Access Controls

• Multi-Factor Authentication: Required for all user accounts
• Role-Based Access: Granular permissions based on organizational roles
• Audit Logging: Comprehensive logs of all access and modifications
• Session Management: Automatic timeout and secure session handling

6.3 Infrastructure Security

• Google Cloud Security: SOC 2 Type 2, ISO 27001, and other enterprise certifications
• Network Security: Virtual private clouds, firewalls, and intrusion detection
• Physical Security: Google's enterprise-grade data center security
• Incident Response: 24/7 monitoring and automated threat response

7. Data Retention and Deletion

7.1 Active Subscription Data

• Document Storage: Retained for the duration of your active subscription
• Case Data: Maintained according to your retention preferences
• User Preferences: Stored while your account remains active

7.2 Account Termination

• Grace Period: 30-day retention period after subscription cancellation
• Data Export: Full data export available during grace period
• Secure Deletion: Complete deletion from all systems after grace period
• Verification: Deletion completion verification provided upon request

7.3 Legal Hold Requirements

• Litigation Hold: Data preserved when subject to legal proceedings
• Regulatory Requirements: Compliance with applicable legal retention requirements
• User Notification: Advance notice of any retention requirements affecting your data

7.4 Audit and Security Logs

• Access Logs: Retained for 2 years for security and audit purposes
• Billing Records: Retained for 7 years to comply with financial regulations
• Anonymized Analytics: Aggregated usage data retained indefinitely (no personal information)

8. Your Rights and Controls

8.1 Data Access and Portability

• Full Data Export: Download all your data in standard formats (PDF, CSV, JSON)
• Account Information: View and update all account and billing information
• Usage Reports: Detailed reports of all system usage and access
• API Access: Programmatic access to your data via our secure APIs

8.2 Data Modification and Deletion

• Document Management: Full control to add, modify, or delete documents
• Account Deletion: Complete account and data deletion available at any time
• Selective Deletion: Delete specific cases, documents, or data categories
• Correction Rights: Update or correct any personal information

8.3 Privacy Controls

• Processing Preferences: Control which AI features are enabled for your account
• Data Sharing: Granular controls over any optional data sharing
• Communication Preferences: Control all service and marketing communications
• Audit Access: Request detailed audit logs of all data access and processing

8.4 Response Timeframes

• Data Requests: Fulfilled within 5 business days
• Account Deletion: Completed within 48 hours of request
• Privacy Inquiries: Responded to within 2 business days
• Technical Issues: Immediate assistance for privacy-related concerns

9. International Transfers and Data Residency

All data processing occurs within the United States using Google Cloud Platform's US-based infrastructure. We utilize Google's enterprise data residency controls to ensure your data remains within US borders.

9.1 Data Transfer Safeguards

• US-Only Processing: All AI processing and data storage occurs in US data centers
• Enterprise Controls: Google Cloud's data residency and sovereignty controls enabled
• Transfer Restrictions: Contractual restrictions prevent data transfer outside the US
• Compliance Monitoring: Regular audits to verify data residency compliance

9.2 Legal Framework Compliance

• Standard Contractual Clauses: Enhanced protections for any data transfers
• Data Protection Impact Assessments: Regular assessments of transfer risks
• Government Access: Transparent reporting of any government data requests

10. Children's Privacy

Our services are designed exclusively for legal professionals and are not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at info@legatiai.com and we will take steps to remove such information from our systems.

11. State-Specific Privacy Rights

11.1 Arkansas Residents

Arkansas residents have specific rights under Arkansas law, including the Arkansas Personal Information Protection Act. You have the right to:

• Request disclosure of personal information collected about you
• Request deletion of personal information
• Receive notification of data breaches affecting your information
• File complaints with the Arkansas Attorney General's office

11.2 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Detailed information about data collection and use
• Right to Delete: Request deletion of personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of sale or sharing (not applicable - we don't sell data)
• Right to Non-Discrimination: Equal service regardless of privacy requests

12. Data Breach Notification

12.1 Incident Response

• Detection: 24/7 monitoring and automated threat detection
• Assessment: Immediate assessment of any potential security incidents
• Containment: Rapid containment and remediation procedures
• Investigation: Thorough investigation of incident scope and impact

12.2 Notification Procedures

• User Notification: Direct notification within 72 hours of discovery
• Regulatory Notification: Compliance with all applicable notification requirements
• Detailed Reporting: Comprehensive incident reports provided to affected users
• Remediation Support: Assistance with any necessary remediation steps

13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, services, or applicable laws. We will notify you of any material changes in the following ways:

• Email Notification: At least 30 days advance notice of material changes
• In-App Notification: Prominent notice within the platform
• Website Notice: Updated privacy policy posted on our website
• Version Control: Clear versioning and change logs available

Your continued use of our services after any changes indicates your acceptance of the updated Privacy Policy. If you do not agree with the changes, you may terminate your account at any time.

14. Contact Information

For any privacy-related questions, concerns, or requests, please contact us: