Privacy Policy

Last Updated: April 22, 2026

Welcome to Lawful Good (“we,” “us,” or “our”). We are committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services (the “Service”).

Definitions

  • User Content: Data entered by you into the Service, including documents, document titles, files, conversations, prompts, and AI responses.
  • Personal Information: Information that can be used to identify you as a person, such as your name, email address, IP address, and other information that you provide to us.
  • Metadata: Data about your User Content, such as the number of documents you have uploaded, the total size of your User Content, the number of conversations you have had, the number of prompts you have sent, or the number of AI responses you have received.

Our core privacy promise is built on a “Zero-Knowledge Storage” architecture. Your User Content is encrypted at rest using per-user encryption keys, and our systems are designed so that decryption occurs only during your active, authenticated sessions. While it is technically possible for Lawful Good administrators to derive decryption keys, doing so would require deliberate, extraordinary action that would only be done with the express permission of the user. We do not access User Content in the ordinary course of business, and any such access would be logged and auditable. We do not use your data to train AI models. We do not use your data for advertising purposes. We do not use your data for any purpose other than providing and securing the Service.

1. Our Role as a Service Provider

Lawful Good acts as a data processor (or “service provider” under the California Consumer Privacy Act) on behalf of the attorneys and law firms that use our Service. The attorneys and law firms who use Lawful Good are the data controllers (or “businesses” under the CCPA) with respect to any client data they upload to or create within the Service.

This means that if you are an attorney or law firm using Lawful Good, you remain responsible for your obligations to your clients regarding their personal information, including responding to any requests from individuals to access, correct, or delete their personal data. Lawful Good will assist you in fulfilling these obligations through the functionality of the Service.

If you are a client of an attorney who uses Lawful Good, any questions about how your personal information is handled should be directed to your attorney, not to Lawful Good. We process your data solely on your attorney’s instructions.

2. Information We Collect

We collect information that you provide directly to us, as well as information that is automatically collected when you use our Service.

a. Information You Provide to Us

  • Account Information: When you register for an account, we collect your name, email address, and possibly a profile picture as provided by you or your authentication provider.
  • User Content: We collect and store the files and documents you upload, create, or otherwise provide to the Service (“User Content”). All User Content is encrypted using AES-256-GCM encryption with a unique key for each user, so it cannot be read by Lawful Good staff.

b. Information We Collect Automatically

  • Technical Information: When you access the Service, we automatically collect certain technical information, including your IP address, browser type and version, device identifiers, operating system, and referring URL. Under California law, some of this information (such as IP addresses) is considered personal information.
  • Usage Information: We may collect aggregated, anonymized performance metrics to understand how our services are being used and to improve them. This data does not identify individual users.
  • Cookies: We use cookies and similar tracking technologies solely to manage user sessions and maintain your authenticated state. We do not use cookies for advertising or cross-site tracking.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To Provide and Maintain the Service: To operate our Service, including authenticating you, providing access to your documents, and enabling the features you use.
  • To Improve the Service: To understand how the Service is used in aggregate and to develop new features and improvements.
  • For Security and Fraud Prevention: To protect the security of our Service and our users, and to detect and prevent unauthorized access or use.
  • To Communicate With You: To provide you with customer support or to send you information about our Service, such as notices about changes to our terms or policies.

We do not use your User Content for any purpose other than providing and securing the Service. We do not use your data to train AI models. We do not use your data for advertising purposes.

4. How We Share Your Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We may share your information in the following limited circumstances:

  • With Third-Party Infrastructure Providers: We use Google Cloud Platform to host and operate the Service. Our use of Google Cloud is governed by a Business Associate Agreement (BAA) and a Cloud Data Processing Addendum (CDPA) that require Google to process your data only as we instruct, to maintain appropriate security measures, and to not use your data for any purpose other than providing the services to us.
  • With AI Model Providers: To provide AI-powered features, we send your User Content to third-party Large Language Model (LLM) providers. All AI model providers we use operate under agreements that prohibit them from storing your data after processing (Zero Data Retention) and from training their models on your data. We will not integrate any AI provider that does not meet these requirements.
  • With Our Payment Processor: We use Stripe to process payments. When you provide payment information, your credit card details and billing address are transmitted directly to Stripe and are never received, stored, or processed by Lawful Good’s servers. Stripe is PCI DSS Level 1 certified. Lawful Good stores only the subscription metadata necessary to manage your account, such as your Stripe customer identifier, subscription status, and subscription dates. Credit card numbers, billing addresses, and other payment details are held exclusively by Stripe and are not stored in our database. Stripe’s handling of your payment information is governed by Stripe’s Privacy Policy.
  • With Our Email Provider: We use Postmark (operated by ActiveCampaign, LLC) to send transactional and marketing emails. When we send you an email, Postmark processes your email address and the content of that email on our behalf. We do not include User Content in emails.
  • For Legal Reasons: We may disclose your information if we are required to do so by law, or if we believe in good faith that such action is necessary to comply with a legal obligation, such as a valid court order or subpoena. However, we recognize that User Content uploaded by licensed attorneys may be protected by attorney-client privilege, work product doctrine, or other legal protections. Lawful Good does not waive, and its use does not constitute a waiver of, any privilege or protection that applies to your User Content. We will not produce User Content in response to third-party discovery requests, civil subpoenas, or other legal process directed at Lawful Good without first providing you with reasonable notice and an opportunity to assert applicable privileges or seek a protective order, except where we are prohibited by law from doing so (such as in the case of certain government investigations or sealed court orders).
  • Business Transfers: If we are involved in a merger, acquisition, sale of all or a portion of our assets, or other business transfer, your information will be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any such change in ownership or control of your personal information. You will be given a reasonable period to opt out of the transfer by deleting your account and data before the transaction is finalized.

5. Data Security

We take the security of your data very seriously and have implemented robust measures to protect it.

  • Encryption at Rest: All of your User Content and personal information stored in our databases and file systems is encrypted using AES-256-GCM encryption. Each user is assigned a unique encryption key derived from their account information and system-level secrets. Our systems are designed so that decryption occurs only during your active, authenticated sessions. In the normal course of business, Lawful Good staff do not access and cannot casually browse your data. This is our “Zero-Knowledge Storage” commitment. Administrative decryption is technically possible but would require deliberate, extraordinary action and would be logged.
  • Encryption in Transit: All data transferred between you and our servers is encrypted using Transport Layer Security (TLS).
  • Decryption During Processing: Your data is only decrypted in memory during an active, authenticated session when you use the Service. No decrypted data is stored persistently.
  • No Logging of Sensitive Data: We do not log any User Content, prompts, AI responses, or other sensitive data. Our system logs contain only technical metadata such as user identifiers and document identifiers in non-reversible UUID format.
  • Infrastructure Compliance: Our infrastructure operates under a HIPAA Business Associate Agreement with Google Cloud Platform. The Service is designed to support workflows involving sensitive and privileged information, including information that may be subject to HIPAA, attorney-client privilege, or other legal protections.
  • Audit Controls: We maintain audit logs of access to our infrastructure in accordance with applicable regulatory requirements.

6. Data Retention

We retain your personal information and User Content for as long as your account is active. You may request to delete your account and all associated data at any time by contacting us at support@lawfulgood.us or through your account settings.

Upon receiving a deletion request, we will permanently remove your User Content and personal information from our active systems. Please note the following:

  • Encrypted backups containing your data may persist for up to 30 days after deletion before they are permanently removed.
  • Technical metadata in our system logs (such as user IDs and document IDs in UUID format) may be retained for up to six years in accordance with our audit log retention obligations. These logs do not contain User Content or any information that can be used to reconstruct your documents.
  • If we are required by law to retain certain information, we will do so for the period required and will then delete it.

7. Your Rights and Choices

You have certain rights regarding your personal information. Some of these rights apply to all users, while others are specific to residents of certain states.

a. All Users

  • Access and Update: You can review and update your account information through your account settings.
  • Data Deletion: You can request the deletion of your account and all your data by contacting us at support@lawfulgood.us.
  • Data Export: You can export your User Content from the Service at any time.
  • Cookies: Most web browsers are set to accept cookies by default. You can usually choose to set your browser to remove or reject browser cookies. However, refusing cookies will make it impossible to authenticate and therefore use the Service.

b. California Residents (CCPA Rights)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purposes for collecting it, and the categories of third parties with whom we shared it.
  • Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
  • Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
  • Right to Opt Out of Sale or Sharing: We do not sell your personal information and we do not share your personal information for cross-context behavioral advertising. Because we do not engage in these activities, there is no need to opt out.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

How to Submit a Request: To exercise any of these rights, please contact us at support@lawfulgood.us. We will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days. If we need additional time, we will notify you of the extension and the reason for it. We may need to verify your identity before fulfilling your request.

Categories of Personal Information We Collect: In the preceding 12 months, we have collected the following categories of personal information:

Category | Examples | Purpose
Identifiers | Name, email address, IP address, user ID | Account creation, authentication, service operation
Internet or network activity | Browser type, device information, pages visited | Service operation, security, improvement
Commercial information | Subscription status, subscription dates, Stripe customer identifier | Account and subscription management
Professional information | Licensed attorney status (as represented by the user) | Eligibility verification
User Content (encrypted) | Documents, prompts, AI responses | Providing the Service

We collect this information directly from you and automatically through your use of the Service. We do not collect personal information from third-party sources.

c. Residents of Other U.S. States

Several other states, including Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others, have enacted privacy laws that grant their residents rights similar to those described above, such as the right to access, correct, and delete personal information, and the right to opt out of the sale of personal information or targeted advertising. If you reside in a state with applicable privacy legislation, we will honor your rights as required by that state’s law. To exercise any such rights, please contact us at support@lawfulgood.us. We do not sell personal information, use personal information for targeted advertising, or engage in profiling in furtherance of decisions that produce legal or similarly significant effects, under any state’s definition of these terms.

8. International Data Transfers

Our Service is hosted on Google Cloud Platform, which may process data in data centers located in the United States and other countries. By using the Service, you acknowledge that your data may be transferred to and processed in the United States or other jurisdictions where our infrastructure providers maintain facilities. Our Cloud Data Processing Addendum with Google includes Standard Contractual Clauses to support lawful data transfers where required by applicable law.

9. Do Not Track Signals

Our Service does not currently respond to “Do Not Track” (DNT) signals sent by web browsers. However, because we do not engage in cross-site tracking or use cookies for advertising purposes, our data practices remain the same regardless of whether a DNT signal is received.

10. Eligibility and Professional Use

Our Service is intended exclusively for use by licensed attorneys in the United States and individuals directly employed by and under the supervision of such attorneys (e.g., paralegals, legal assistants). The Service is not intended for use by minors, and we do not knowingly collect personal information from individuals under the age of 18.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the “Last Updated” date, and, where appropriate, sending you an email notification. Your continued use of the Service after any such changes constitutes your acceptance of the updated Privacy Policy.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise any of your rights described above, please contact us at: