Privacy Policy

DRAFT - REQUIRES LEGAL COUNSEL REVIEW BEFORE USE

Effective Date: [EFFECTIVE_DATE] Last Updated: [LAST_UPDATED_DATE]

Your Privacy Matters

At LegalPixel, we understand that you're trusting us with sensitive legal information. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights to control your information.

This policy applies to:

The LegalPixel website and platform
All communications with LegalPixel
Data collected from clients and lawyers

By using LegalPixel, you agree to this Privacy Policy. If you don't agree, please don't use our platform.

1. What Information We Collect

1.1 Information You Provide Directly

When you create an account:

Name (full legal name)
Email address
Phone number (optional)
Password (encrypted and never stored in plain text)
Account type (client or lawyer)

Clients provide:

Case description (your legal issue, in your own words)
Case documents (court orders, contracts, messages, receipts, etc.)
Contact preferences (email, phone)
Location (city, state, country)

Lawyers provide:

Bar number and jurisdictions
Practice areas and specialties
Years of experience
Professional biography
Profile photo
Malpractice insurance information
Payment information (for commission processing)

1.2 Information We Collect Automatically

Usage data:

Pages you visit on LegalPixel
Features you use (case upload, lawyer search, messaging)
Time spent on the platform
Device information (browser type, operating system, device ID)
IP address and approximate location

Cookies and tracking:

We use cookies to keep you logged in, remember preferences, and analyze site performance
Analytics cookies (PostHog, Hotjar) track how you use the platform
Advertising cookies (if applicable) may track you across sites
See Section 9 for cookie details

1.3 Information from Third Parties

AI services:

Claude AI (Anthropic) processes your case documents to extract facts
Voyage AI generates embeddings for lawyer matching
These services receive your case content but are bound by strict confidentiality agreements

Payment processors:

Stripe processes lawyer commission payments
Stripe may collect payment information (bank accounts, tax IDs)

Background checks (lawyers only):

We verify lawyer credentials with state bar associations
Bar associations may provide disciplinary history

2. How We Use Your Information

2.1 Core Platform Services

We use your data to:

Create and manage your account
Match clients with appropriate lawyers (using AI analysis)
Generate AI-powered case summaries for lawyer review
Facilitate communication between clients and lawyers
Process payments and commission fees
Provide customer support

2.2 AI Processing

Claude AI (Anthropic):

We send your case documents to Claude AI for fact extraction
Claude analyzes text, identifies key details, and generates summaries
Claude does NOT store your data long-term (per our agreement with Anthropic)
See Section 4 for third-party data sharing details

Voyage AI:

We use Voyage AI to create vector embeddings of case summaries
Embeddings help us match you with relevant lawyers
Embeddings are mathematical representations (not readable text)

2.3 Platform Improvement

We use anonymized data to:

Improve AI accuracy (by analyzing which summaries were accurate)
Optimize lawyer matching algorithms
Identify bugs and technical issues
Understand user behavior (which features are used most)

2.4 Communication

We may email you about:

Account activity (new case matches, messages from lawyers)
Platform updates and new features
Legal tips and resources (if you opt in to marketing)
Security alerts and policy changes

You can opt out of marketing emails at any time (see Section 7.3).

2.5 Legal Compliance

We use your data to:

Comply with legal obligations (subpoenas, court orders, tax reporting)
Prevent fraud and abuse
Enforce our Terms of Service
Protect the rights and safety of users

3. Who We Share Your Information With

3.1 Lawyers (Client Data Sharing)

When you upload a case, we share your information with 3-5 matched lawyers:

Your name and contact information
AI-generated case summary
Uploaded case documents (if lawyer accepts the case)
Communication history (once you start messaging)

Important:

Lawyers only see cases they are matched with
Lawyers cannot access other clients' data
If you don't hire a lawyer, they lose access to your full case file (summary remains for recordkeeping)

3.2 AI Service Providers

Claude AI (Anthropic):

Receives: Your case documents, uploaded files
Purpose: Fact extraction and case summary generation
Retention: Not stored long-term by Anthropic (per our agreement)
Privacy Policy: [ANTHROPIC_PRIVACY_URL]

Voyage AI:

Receives: Case summaries (after AI processing)
Purpose: Generate embeddings for lawyer matching
Retention: Embeddings stored for platform functionality
Privacy Policy: [VOYAGE_PRIVACY_URL]

3.3 Infrastructure and Service Providers

Supabase (database and authentication):

Stores all user data, case files, messages
Provides secure database with encryption at rest
Privacy Policy: [SUPABASE_PRIVACY_URL]

Vercel (hosting):

Hosts the LegalPixel website and application
Collects server logs (IP addresses, request data)
Privacy Policy: [VERCEL_PRIVACY_URL]

Stripe (payment processing):

Processes lawyer commission payments
Collects bank account information and tax IDs (lawyers only)
Privacy Policy: [STRIPE_PRIVACY_URL]

3.4 Analytics and Monitoring

PostHog (product analytics):

Tracks user behavior (page views, clicks, feature usage)
Data is anonymized and aggregated
Privacy Policy: [POSTHOG_PRIVACY_URL]

Hotjar (session recording - if used):

Records user sessions (mouse movements, clicks)
Sensitive data is masked (passwords, payment info)
Privacy Policy: [HOTJAR_PRIVACY_URL]

3.5 Legal Obligations

We may disclose your information to:

Law enforcement (in response to valid subpoenas or court orders)
Regulatory agencies (if required by law)
Legal counsel (in connection with disputes or litigation)

We will notify you of legal requests unless:

Prohibited by law (e.g., national security letters)
Notification would compromise an investigation
Emergency situations requiring immediate disclosure

3.6 Business Transfers

If LegalPixel is acquired or merged:

Your data may be transferred to the new owner
You will be notified via email and prominent site notice
The new owner must honor this Privacy Policy (or give you a chance to opt out)

3.7 With Your Consent

We may share your data with other parties if you explicitly consent (e.g., sharing your case with additional lawyers beyond the initial 3-5).

4. Data Security

We take security seriously and implement industry-standard measures to protect your data:

4.1 Technical Safeguards

Encryption:

All data in transit is encrypted using TLS 1.3 (HTTPS)
All data at rest is encrypted using AES-256
Passwords are hashed using bcrypt (never stored in plain text)

Access controls:

Role-based access control (RBAC) ensures users only see data they're authorized to access
Row-level security (RLS) in Supabase prevents unauthorized database access
Multi-factor authentication (MFA) available for all accounts

Monitoring:

Automated security scans for vulnerabilities
Audit logs track all data access and changes
Real-time alerts for suspicious activity

4.2 Organizational Safeguards

Employee access:

Only authorized employees can access user data
Access is logged and audited
Employees sign confidentiality agreements

Vendor agreements:

All third-party vendors (Anthropic, Voyage, Supabase) sign data processing agreements (DPAs)
Vendors must comply with GDPR, CCPA, and other privacy laws
We audit vendors regularly for compliance

4.3 Incident Response

If a data breach occurs:

We will investigate and contain the breach immediately
Affected users will be notified within 72 hours (as required by GDPR)
We will notify regulatory agencies as required by law
We will provide guidance on protective measures (e.g., password resets)

5. Data Retention

5.1 How Long We Keep Your Data

Active accounts:

We retain your data as long as your account is active
Case files and communications are kept for platform functionality

Deleted accounts:

After you delete your account, we retain data for 7 years for legal and regulatory reasons:
- Legal document retention requirements
- Potential disputes or litigation
- Tax and financial reporting (for lawyer commissions)
After 7 years, data is permanently deleted (unless required by ongoing legal hold)

Exceptions:

Anonymized data (no personal identifiers) may be kept indefinitely for analytics and AI training
Data subject to legal hold (e.g., pending lawsuit) is kept until the hold is lifted

5.2 Data Minimization

We delete or anonymize data when it's no longer needed:

Unused draft cases (after 90 days of inactivity)
Old session logs (after 1 year)
Marketing email lists (after 2 years of non-engagement)

6. International Data Transfers

LegalPixel operates in multiple countries (US, Canada, UK, Australia). Your data may be transferred to and stored in:

United States (primary servers)
European Union (if GDPR applies)
Other jurisdictions where our service providers operate

How we protect international transfers:

We use Standard Contractual Clauses (SCCs) approved by the EU Commission
Our vendors (Supabase, Anthropic) comply with GDPR and other international privacy laws
We ensure adequate data protection regardless of location

If you're in the EU:

You have additional rights under GDPR (see Section 7)
Your data is protected by GDPR regardless of where it's stored

7. Your Privacy Rights

7.1 Rights for All Users

Regardless of location, you have the right to:

Access your data: Request a copy of all personal data we hold about you
Correct your data: Update inaccurate or incomplete information
Delete your data: Request account deletion and data removal (subject to legal retention requirements)
Opt out of marketing: Unsubscribe from promotional emails
Withdraw consent: Revoke consent for data processing (where consent is the legal basis)

7.2 Additional Rights (GDPR - EU Users)

If you're in the EU, you also have:

Right to data portability: Receive your data in a machine-readable format (JSON, CSV)
Right to restrict processing: Limit how we use your data (e.g., only for legal compliance)
Right to object: Object to data processing based on legitimate interests
Right to lodge a complaint: File a complaint with your local data protection authority

7.3 Additional Rights (CCPA - California Users)

If you're in California, you also have:

Right to know: Request details about what data we collect, use, and share
Right to opt out of data sale: We do NOT sell your data, but you can opt out just in case
Right to non-discrimination: We won't discriminate against you for exercising your rights

7.4 How to Exercise Your Rights

To request data access, deletion, or correction:

Log into your account and go to Settings → Privacy
Or email [PRIVACY_EMAIL] with your request
We will verify your identity (to prevent fraud)
We will respond within 30 days (45 days for complex requests)

To opt out of marketing emails:

Click "Unsubscribe" at the bottom of any marketing email
Or go to Settings → Communications and disable marketing emails

To file a complaint:

EU users: Contact your local supervisory authority (list at [EU_DPA_LIST_URL])
California users: Contact the California Attorney General (oag.ca.gov)

8. Children's Privacy (COPPA Compliance)

LegalPixel is NOT intended for children under 18.

We do not knowingly collect personal information from anyone under 18. If we discover that a child under 18 has created an account:

We will delete the account and all associated data immediately
Parents/guardians may contact us at [PRIVACY_EMAIL] to report underage accounts

Why we require age 18:

Legal contracts require age of majority (18 in most jurisdictions)
Sensitive legal content is not appropriate for minors
COPPA (Children's Online Privacy Protection Act) compliance

Exception for minors with legal representation:

Parents/guardians may create accounts on behalf of minors (with parental consent)
The parent/guardian is the account holder (not the minor)

9. Cookies and Tracking Technologies

9.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us:

Keep you logged in
Remember your preferences
Analyze site usage
Personalize your experience

9.2 Types of Cookies We Use

Essential cookies (required):

Authentication cookies (keep you logged in)
Security cookies (prevent fraud)
Session management (remember your actions across pages)
You cannot opt out of essential cookies (the platform won't work without them)

Analytics cookies (optional):

PostHog (tracks page views, clicks, feature usage)
Hotjar (session recordings, heatmaps)
Google Analytics (if used)
Purpose: Understand how users interact with the platform to improve it

Marketing cookies (optional):

Google Ads, Facebook Pixel (if used)
Purpose: Show you relevant ads on other sites
We currently do NOT use marketing cookies (but may in the future)

9.3 Managing Cookies

To control cookies:

Go to Settings → Privacy → Cookie Preferences
Or use your browser settings to block third-party cookies

Browser-level cookie controls:

Chrome: Settings → Privacy and Security → Cookies
Firefox: Settings → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Manage Website Data

What happens if you block cookies:

Essential cookies: The platform will not work properly
Analytics cookies: We won't track your usage (but the platform still works)
Marketing cookies: You won't see personalized ads

9.4 Do Not Track (DNT)

Some browsers send "Do Not Track" signals. We currently do not respond to DNT signals because there is no industry standard for how to handle them.

If you want to opt out of tracking:

Use cookie settings in your account (Settings → Privacy)
Or use browser extensions like Privacy Badger or uBlock Origin

10. Third-Party Links

LegalPixel may contain links to external websites (e.g., lawyer websites, legal resources, bar associations).

Important:

We are NOT responsible for the privacy practices of third-party sites
Third-party sites have their own privacy policies
We encourage you to read their policies before sharing data

11. Marketing Communications

11.1 What We Send

Transactional emails (cannot opt out):

Account creation and verification
Password resets
New case matches (for lawyers)
Messages from lawyers (for clients)
Payment confirmations
Security alerts

Marketing emails (can opt out):

Legal tips and resources
New features and platform updates
Special offers or promotions
User surveys and feedback requests

11.2 How to Opt Out

To unsubscribe from marketing emails:

Click "Unsubscribe" at the bottom of any marketing email
Or go to Settings → Communications and disable marketing emails

You will still receive transactional emails (account security, case updates, etc.) even if you opt out of marketing.

11.3 CAN-SPAM Compliance

We comply with the CAN-SPAM Act (US email law):

We include our physical address in all emails
We honor unsubscribe requests within 10 business days
We never sell or rent email lists

12. California Privacy Rights (CCPA)

12.1 What Information We Collect (CCPA Categories)

Category	Examples	Do We Collect?
Identifiers	Name, email, IP address	✅ Yes
Personal records	Case documents, court orders	✅ Yes
Commercial information	Payment history (lawyers only)	✅ Yes
Internet activity	Browsing history, page views	✅ Yes
Geolocation data	City, state (approximate location)	✅ Yes
Professional information	Bar number, practice areas (lawyers)	✅ Yes
Sensitive personal info	Race, religion, health (if mentioned in case files)	⚠️ Potentially (in case documents)

12.2 How We Use Your Information (CCPA)

Business purposes:

Platform operations and service delivery
AI processing for case summarization
Lawyer matching and communication facilitation
Fraud prevention and security

We do NOT sell your personal information.

12.3 Your CCPA Rights

Right to Know:

Request what categories of data we collect
Request specific pieces of data we hold about you
Request sources of data, purposes, and third parties we share with

Right to Delete:

Request deletion of your personal information (subject to legal exceptions)

Right to Opt-Out of Sale:

We don't sell data, but you can opt out just in case

Right to Non-Discrimination:

We won't charge different prices or provide different service levels based on exercising your rights

To exercise CCPA rights: Email [PRIVACY_EMAIL] with your request.

12.4 Authorized Agents

You may designate an authorized agent to make CCPA requests on your behalf. The agent must:

Provide proof of authorization (power of attorney or signed letter)
Verify your identity (to prevent fraud)

13. European Privacy Rights (GDPR)

13.1 Legal Basis for Processing

We process your data under the following legal bases:

Contract performance: To provide the platform services you requested
Consent: For marketing emails and optional analytics (you can withdraw consent anytime)
Legitimate interests: Fraud prevention, platform improvement, security
Legal obligation: Compliance with laws (tax reporting, court orders)

13.2 Your GDPR Rights

See Section 7.2 for your full GDPR rights (access, rectification, erasure, portability, restriction, objection).

13.3 Data Protection Officer (DPO)

Contact our DPO for privacy concerns:

Email: [DPO_EMAIL]
Mail: [DPO_ADDRESS]

13.4 Supervisory Authority

If you're not satisfied with our response, contact your local data protection authority:

List of EU supervisory authorities: [EU_DPA_LIST_URL]

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do:

We will post the updated policy on this page with a new "Last Updated" date
For material changes, we will notify you by email or prominent site notice
Continued use of the platform after changes means you accept the new policy

If you don't agree with changes:

Stop using the platform
Delete your account
Contact [PRIVACY_EMAIL] to discuss concerns

15. Contact Us

For privacy questions or requests:

Email: [PRIVACY_EMAIL]
Mail: [COMPANY_ADDRESS]
Phone: [PHONE_NUMBER]

For data access/deletion requests:

Email: [PRIVACY_EMAIL] with subject "GDPR/CCPA Request"
We will respond within 30 days

For EU users (GDPR):

Contact our Data Protection Officer: [DPO_EMAIL]