LegalAI Privacy Policy

Effective Date: April 21, 2026

Overview

Last Updated: April 21, 2026

---

1. Scope and Applicability

This policy describes how LegalAI ("we," "us," "the Service") processes, protects, and handles data for legal professionals using our platform. This policy applies to all workspace data, including confidential client information and sensitive legal matter details.

Important: LegalAI is designed exclusively for legal professionals managing confidential client data. Users acknowledge that by using this Service, they are processing Protected Health Information (PHI) and other privileged/confidential information subject to federal regulations including HIPAA.

---

2. Business Associate Agreement (BAA)

LegalAI operates under a signed Business Associate Agreement (BAA) with Google Cloud that extends HIPAA protections to our Service.

  • All PHI and HIPAA-regulated data processed by LegalAI receives HIPAA-level protections
  • A copy of our BAA with Google Cloud is available upon request
  • LegalAI certifies compliance with HIPAA Security Rule (45 CFR Sections 164.300-318)
  • Users may request evidence of our HIPAA compliance status at any time

If you handle HIPAA-regulated client data, your use of LegalAI is permitted only under the terms of the BAA. If you have not executed a BAA with us, contact our Data Protection Officer immediately.

---

3. Data Categories and Definitions

### Protected Health Information (PHI)

  • Medical records, treatment plans, diagnoses, medications, mental health notes
  • Medical bills, insurance information, medical provider reports
  • Any information that could identify a client combined with health information

### Privileged/Confidential Legal Information

  • Client names, contact information, case numbers, parties
  • Legal theories, attorney work product, litigation strategy
  • Settlement discussions, expert opinions, investigation notes
  • Financial information related to cases

### Operational Data

  • Authentication and login metadata (timestamps, IP addresses, access attempts)
  • System audit logs (what data was accessed, by whom, when)
  • Error logs necessary for troubleshooting and security

LegalAI encrypts all categories of data at rest and in transit. You retain control of access to all data.

---

4. Data We Process

LegalAI processes the following categories of data on behalf of your law practice:

Uploaded by Users:

  • Client documents (contracts, pleadings, evidence, correspondence)
  • Medical records and expert reports
  • Financial records, bank statements, tax returns
  • Witness statements, interviews, deposition transcripts
  • Any other confidential files or information you store

Generated by Users:

  • Document classifications and annotations
  • Case notes, matter summaries, task lists
  • Agent-generated drafts and legal analysis
  • Your custom prompts and instructions to agents

Metadata Generated by Service:

  • Document titles, upload dates, modification dates
  • File sizes, document types, classifications
  • User account information (name, email, role)
  • Access logs (which user viewed/modified what data, when)

We do not process:

  • Audio/video recordings of your sessions
  • Your own password (only hashed authentication tokens)
  • Third-party data unrelated to your matters

---

5. Infrastructure and Data Storage

### Where Your Data Lives

  • Documents and Files: Google Cloud Storage (encrypted, replicated)
  • Metadata and Structured Data: Google Cloud Firestore and Firebase (encrypted, replicated)
  • Audit Logs: Google Cloud Logging (encrypted, 90-day retention)

### Geographic Redundancy

  • All data is automatically replicated across Google's geographically separated regions
  • You cannot restrict region, but all storage is within the US
  • Data is never intentionally moved outside US data centers

### Encryption

  • At Rest: AES-256 encryption (Google Cloud managed)
  • In Transit: TLS 1.2+ encryption (all connections HTTPS)
  • Key Management: Google Cloud manages encryption keys under HIPAA-compliant protocols
  • Keys are NOT accessible to LegalAI employees; Google Cloud controls encryption

---

6. Purpose of Processing

We process your data only for:

  • Providing the Service features you request (document storage, agent analysis, research)
  • Maintaining security and integrity of your data
  • Providing technical support and troubleshooting
  • Complying with legal obligations (subpoenas, law enforcement requests)
  • Audit and compliance verification (SOC 2, HIPAA)

We do not:

  • Use your data for model training or AI improvement
  • Sell, rent, or share your data with third parties
  • Use your data for marketing, advertising, or analytics
  • Share data between customers or workspaces

---

7. Data Minimization and Least Privilege

  • Authentication-Based Access: Users can only access data within their workspace
  • Role-Based Controls: Administrators define who in your firm can access what data
  • Minimal Retrieval: Agents retrieve only the fields required for the requested operation
  • No Cross-Workspace Data: Data belonging to other customers is completely isolated from your workspace

Complete Data Segregation: Each customer's data is logically and physically separated. A misconfiguration affecting one customer's rules cannot expose another customer's data.

---

8. Data Retention and Deletion

### Default Retention

  • Active workspace data: Retained indefinitely while your account is active
  • Audit logs: Retained for 90 days, then permanently deleted
  • Deleted items: Moved to trash, permanently deleted after 30 days (if not recovered)

### Deletion on Request

  • You can request permanent deletion of any data in your workspace
  • Deletion is processed within 5 business days
  • Deleted data is removed from production and backups (residual backups deleted per Google Cloud's standard 90-day backup retention)
  • We will provide written confirmation of deletion upon request

### Termination of Service

  • Upon account termination, all workspace data is marked for deletion
  • Data is fully deleted after 30 days (allowing recovery if account is restored)
  • After 30 days, data is permanently removed and cannot be recovered
  • We will provide written confirmation of deletion within 5 business days of the 30-day window

### Legal Hold / Litigation

  • If your data is subject to a subpoena, legal hold, or court order, deletion requests are suspended
  • We will notify you immediately of any legal process requesting your data
  • Data is retained as long as legally required, then deleted upon authorization

---

9. Data Breach Notification

If LegalAI discovers unauthorized access to your data, we will:

  1. Notify you immediately (within 24 hours) via email and phone
  2. Provide details: What data was accessed, how, for how long, what safeguards failed
  3. Recommend actions: What you should do (notify your clients, etc.)
  4. Cooperate with investigation: Provide logs, forensics, and evidence

You are responsible for notifying affected clients within the timeline required by your state, HIPAA, or other applicable law.

---

10. Access Controls and Audit

### Administrative Access

  • Only LegalAI operations staff can access Google Cloud systems
  • All administrative access is logged and audited
  • LegalAI employees cannot decrypt or view your data without your encryption keys
  • Administrative access logs are available to you upon request

### User Access

  • Users can review an audit log of who accessed their workspace data and when
  • Audit logs include: timestamp, user, action (viewed/edited/deleted), and data identifier
  • Audit logs are downloadable and admissible as evidence

### Compliance Audits

  • LegalAI undergoes annual SOC 2 Type II audits (Security, Availability, Processing Integrity, Confidentiality, Privacy)
  • LegalAI maintains ISO 27001 certification (Information Security Management)
  • Audit reports are available upon execution of an NDA
  • You have the right to request evidence of our compliance status

---

11. User Controls

### Data Management

  • View: Access all data in your workspace anytime
  • Download: Export data in bulk (legal hold format available)
  • Modify: Update case information, document classifications, settings
  • Delete: Remove individual items or entire matters
  • Share: Grant/revoke access to team members

### Preferences

  • Configure workspace settings, user roles, and access policies
  • Manage integrations and API access
  • Set retention policies within your organization

### Audit Trail

  • View logs of all access to your data
  • Download audit reports for compliance purposes
  • Export audit logs in CSV or JSON format

---

12. Third-Party Infrastructure

LegalAI is hosted entirely on Google Cloud Platform with the following security certifications:

  • SOC 2 Type II Certified (Audit available upon NDA)
  • ISO 27001 Certified (Information Security)
  • FedRAMP Authorized (US Government standard)
  • HIPAA-Compliant (BAA signed, HIPAA Security Rule implemented)

Google Cloud's physical security, network security, and encryption infrastructure are documented in their Security Whitepaper and publicly available compliance reports.

---

13. Data Subject Rights (GDPR / CCPA)

If you are subject to GDPR or CCPA, you have the right to:

  • Access: Obtain a copy of all data we hold about you or your clients
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion (subject to legal hold and retention obligations)
  • Portability: Receive data in a portable, machine-readable format
  • Objection: Object to processing

To exercise any of these rights, contact our Data Protection Officer (see Section 15).

---

14. Data Protection by Design

LegalAI implements privacy and security by design:

  • Encryption First: All data encrypted at rest and in transit
  • Access Logs: Complete audit trail of all data access
  • Role-Based Permissions: Fine-grained control over who accesses what
  • Data Minimization: Agents retrieve only necessary data
  • Automated Deletion: Old data is automatically removed per retention policies
  • No Tracking: We do not track your activity for analytics or profiling

---

15. Contact & Privacy Requests

### For Privacy, Security, or HIPAA Inquiries

Data Protection Officer

  • Email: privacy@legalai.com
  • Phone: [Your phone number]
  • Mailing Address: [Your address]

Response Time: We will acknowledge your request within 2 business days and provide a substantive response within 10 business days (or notify you if more time is needed).

### For Technical Support

support@legalai.com

### Workspace Administrator Contact

Contact your workspace administrator for day-to-day data handling questions.

---

16. Policy Changes

We may update this policy to reflect changes in our infrastructure, compliance requirements, or legal obligations. We will notify you of material changes by email at least 30 days in advance. Your continued use of LegalAI indicates acceptance of updated terms.

---

17. Compliance and Accountability

LegalAI is committed to:

  • HIPAA Compliance: All PHI is handled in accordance with HIPAA Security a

LegalAI: Built by a lawyer. Built for lawyers.