
Privacy & Data Protection Policy

Effective May 22, 2026 · Last updated May 22, 2026

This policy describes how LegalAI, Inc. ("LegalAI," "we," "us," "the Service") processes, protects, and handles data for legal professionals using our platform. It applies to all workspace data, including confidential client information and sensitive legal-matter details. If anything is unclear, please contact us.

Important. LegalAI is designed exclusively for legal professionals managing confidential client data. By using the Service you acknowledge that you may be processing Protected Health Information (PHI) and other privileged information subject to federal regulations including HIPAA.

1. Scope and applicability

This policy applies to the LegalAI website, the LegalAI application, and any API or supporting service we provide. It governs all data you upload, generate, or share through LegalAI, as well as account, authentication, and audit data the Service generates while operating.

2. Business Associate Agreement (BAA)

LegalAI operates under a signed Business Associate Agreement with Google Cloud that extends HIPAA protections to the Service.

  • All PHI and HIPAA-regulated data processed by LegalAI receives HIPAA-level protections.
  • A copy of our BAA with Google Cloud is available upon request.
  • LegalAI certifies compliance with the HIPAA Security Rule (45 CFR §§ 164.300–318).
  • You may request evidence of our HIPAA compliance status at any time.

If your firm handles HIPAA-regulated client data, your use of LegalAI is permitted only under the terms of the BAA. If you have not executed a BAA with us, contact our Data Protection Officer at info@legalai.com.

3. Data categories we handle

Protected Health Information (PHI)

Medical records, treatment plans, diagnoses, medications, mental-health notes, medical bills and insurance information, and any information that could identify a client when combined with health information.

Privileged / confidential legal information

Client names, contact information, case numbers and parties, legal theories, attorney work product, litigation strategy, settlement discussions, expert opinions, investigation notes, and case-related financial information.

Operational data

Authentication and login metadata (timestamps, IP addresses, access attempts), system audit logs (what data was accessed, by whom, when), and error logs required for troubleshooting and security.

LegalAI encrypts all of these categories at rest and in transit. You retain control of access to all data.

4. Data we process

Uploaded by users

Client documents (contracts, pleadings, evidence, correspondence), medical records and expert reports, financial records, witness statements, deposition transcripts, and any other confidential files you store.

Generated by users

Document classifications and annotations, case notes, matter summaries, task lists, agent-generated drafts and analysis, and your custom prompts and instructions to agents.

Metadata generated by the Service

Document titles, upload and modification dates, file sizes, document types, user account information, and access logs.

What we do not process

  • Audio/video recordings of your sessions.
  • Your password (only hashed authentication tokens).
  • Third-party data unrelated to your matters.

5. Infrastructure and data storage

Where your data lives

  • Documents and files: Google Cloud Storage (encrypted, replicated).
  • Metadata and structured data: Google Cloud Firestore and Firebase (encrypted, replicated).
  • Audit logs: Google Cloud Logging (encrypted, 90-day retention).

Geographic redundancy

All data is automatically replicated across Google's geographically separated US regions. Data is not intentionally moved outside US data centers.

Encryption

  • At rest: AES-256 encryption (Google Cloud managed).
  • In transit: TLS 1.2+ (all connections HTTPS).
  • Key management: Google Cloud manages encryption keys under HIPAA-compliant protocols. Keys are not accessible to LegalAI employees.

6. Purpose of processing

We process your data only to:

  • Provide the Service features you request (document storage, agent analysis, research).
  • Maintain the security and integrity of your data.
  • Provide technical support and troubleshooting.
  • Comply with legal obligations (subpoenas, law-enforcement requests).
  • Conduct audit and compliance verification (SOC 2, HIPAA).

We do not:

  • Use your data for model training or AI improvement.
  • Sell, rent, or share your data with third parties.
  • Use your data for marketing, advertising, or analytics.
  • Share data between customers or workspaces.

7. Data minimization and least privilege

  • Authentication-based access: Users can only access data within their workspace.
  • Role-based controls: Administrators define who in your firm can access what data.
  • Minimal retrieval: Agents retrieve only the fields required for the requested operation.
  • No cross-workspace data: Each customer's data is logically and physically isolated.

8. Data retention and deletion

Default retention

  • Active workspace data: retained while your account is active.
  • Audit logs: retained for 90 days, then permanently deleted.
  • Deleted items: moved to trash and permanently deleted after 30 days (if not recovered).

Deletion on request

You can request permanent deletion of any data in your workspace. Deletion requests are processed within 5 business days, and the data is removed from production and backups (residual backups are deleted per Google Cloud's standard 90-day backup retention). We will provide written confirmation upon request.

Termination of service

Upon account termination, all workspace data is marked for deletion and fully removed after 30 days. After that window, data is permanently removed and cannot be recovered.

Legal hold / litigation

If your data is subject to a subpoena, legal hold, or court order, deletion requests are suspended. We will notify you immediately of any legal process requesting your data.

9. Data-breach notification

If LegalAI discovers unauthorized access to your data, we will:

  • Notify you within 24 hours by email and phone.
  • Provide details: what data was accessed, how, for how long, and which safeguards failed.
  • Recommend actions you should take (including client notifications).
  • Cooperate with your investigation and provide logs, forensics, and evidence.

You are responsible for notifying affected clients within the timeline required by your state, HIPAA, or other applicable law.

10. Access controls and audit

Administrative access

Only LegalAI operations staff can access Google Cloud systems. All administrative access is logged and audited. LegalAI employees cannot decrypt or view your data without your encryption keys.

User access

Users can review an audit log of who accessed their workspace data and when. Logs include timestamp, user, action (viewed/edited/deleted), and data identifier; they are downloadable and admissible as evidence.

Compliance audits

  • Annual SOC 2 Type II audits (Security, Availability, Processing Integrity, Confidentiality, Privacy).
  • ISO 27001 certification (Information Security Management).
  • Audit reports available upon execution of an NDA.

11. User controls

  • View: access all data in your workspace at any time.
  • Download: export data in bulk (legal-hold format available).
  • Modify: update case information, classifications, and settings.
  • Delete: remove individual items or entire matters.
  • Share: grant or revoke access for team members.
  • Audit trail: download audit logs in CSV or JSON.

12. Third-party infrastructure

LegalAI is hosted entirely on Google Cloud Platform, which holds:

  • SOC 2 Type II certification.
  • ISO 27001 certification.
  • HIPAA compliance (BAA signed, HIPAA Security Rule implemented).

Google Cloud's physical security, network security, and encryption infrastructure are documented in their Security Whitepaper and publicly available compliance reports.

13. Data-subject rights (GDPR / CCPA)

If you are subject to GDPR or CCPA, you have the right to:

  • Access the data we hold about you or your clients.
  • Correction of inaccurate data.
  • Deletion (subject to legal hold and retention obligations).
  • Portability in a portable, machine-readable format.
  • Objection to processing.

To exercise any of these rights, contact our Data Protection Officer at info@legalai.com.

14. Data protection by design

  • Encryption first: all data encrypted at rest and in transit.
  • Access logs: complete audit trail of all data access.
  • Role-based permissions: fine-grained control over access.
  • Data minimization: agents retrieve only necessary data.
  • Automated deletion: old data is removed per retention policies.
  • No tracking: we do not profile your activity for analytics.

15. Contact & privacy requests

Data Protection Officer
Email: info@legalai.com

We acknowledge requests within 2 business days and provide a substantive response within 10 business days (or notify you if more time is needed). For day-to-day technical support, reach us at info@legalai.com, or contact your workspace administrator for routine data-handling questions.

16. Policy changes

We may update this policy to reflect changes in our infrastructure, compliance requirements, or legal obligations. We will notify you of material changes by email at least 30 days in advance. Your continued use of LegalAI indicates acceptance of the updated terms.

17. Compliance and accountability

LegalAI is committed to HIPAA compliance, SOC 2 and ISO 27001 certification, and ongoing investment in safeguards that protect privileged client data. For our security controls, see the Trust & Security page.

Not legal advice. LegalAI is a software tool for licensed attorneys. It does not provide legal advice and does not substitute for the professional judgment of an attorney. AI cannot replace attorneys. Output should be reviewed by a licensed attorney before relying on it. © 2026 LegalAI, Inc.