Privacy Policy
Last updated: January 15, 2025 · Effective: January 15, 2025
1. Information We Collect
Account & Profile Data. When you register, we collect your name, email address, bar number (where provided), phone number, and firm affiliation. Billing contacts provide payment information, which is processed exclusively by our PCI-compliant payment processor (Stripe). Legalitize never stores raw payment card numbers.
Matter & Document Data. Documents, notes, case files, AI-generated drafts, billing records, and other content you upload or create within Legalitize (“Customer Content”) are stored on your behalf, with Legalitize acting as a data processor. This content may include protected health information (PHI) and personally identifiable information (PII) belonging to your clients. We do not access this content except as necessary to provide the Service, resolve support requests, or comply with legal obligations.
Usage & Telemetry Data. We automatically collect information about how you interact with the platform: pages visited, features used, session duration, IP address, browser type, operating system, and device identifiers. This data is used exclusively for service improvement, security monitoring, and troubleshooting — never for advertising.
Communications. If you contact our support, sales, or compliance teams, we retain records of those communications to resolve issues and improve our services. We do not record phone calls without your consent.
2. How We Use Your Information
- Provide, maintain, secure, and improve the Legalitize platform and its features
- Process transactions and manage your subscription, including invoicing and payment collection
- Send transactional communications: account verification, password resets, security alerts, and service notices
- Monitor for security threats, abuse, unauthorized access, and platform integrity issues
- Generate anonymized, aggregated analytics to improve our AI models — no identifiable client data is used
- Comply with legal obligations, including responding to lawful court orders and regulatory requests
- Enforce our Terms of Service and other binding agreements with customers
We do not sell, rent, or trade your personal data or your clients' data to third parties for marketing or advertising purposes under any circumstances.
3. How We Share Information
Sub-Processors. We engage vetted third-party sub-processors — including cloud infrastructure (Cloudflare), AI services (Anthropic), payment processing (Stripe), and transactional email (Resend) — under written data processing agreements that restrict their use of your data to service delivery only. A current list of sub-processors is available upon request at privacy@legalitize.com.
Legal Requirements. We may disclose information when required by applicable law, regulation, valid court order, or lawful government request. Where legally permissible, we will notify you before disclosing and will seek to limit the scope of any required disclosure.
Business Transfers. In the event of a merger, acquisition, financing, or sale of all or substantially all of our assets, your data may be transferred to the successor entity, subject to equivalent privacy protections and prior notice to you.
With Your Consent. We will share your information with third parties when you have given us explicit consent to do so.
4. Data Security
Legalitize employs security measures appropriate to the sensitivity of legal and client data we handle:
- AES-256 encryption at rest for all stored data, with separate key management infrastructure
- TLS 1.3 encryption in transit with HSTS enforcement on all endpoints
- Role-based access control (RBAC) with immutable audit logging of all access events
- SOC 2 Type II certified infrastructure and annual third-party penetration testing
- Multi-factor authentication (MFA) available for all accounts, enforceable firm-wide
- Short-lived session tokens with automatic rotation to minimize breach exposure
No method of electronic transmission or storage is 100% secure. While we implement industry-leading safeguards, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for ensuring your firm users employ strong authentication practices.
5. Data Retention
Active Accounts. We retain your data for as long as your account is active. Firm administrators can configure document retention policies from the Compliance settings panel to align with applicable bar rules and jurisdiction-specific obligations.
After Termination. Upon account cancellation, we retain all data for 90 days to permit export or reactivation. After this grace period, data is permanently deleted within 30 days, with written confirmation provided upon request. Audit logs may be retained for up to 7 years to satisfy applicable regulatory and legal obligations.
6. Your Rights
- Request a copy of the personal data we hold about you
- Correct inaccurate or incomplete personal data
- Request deletion of your personal data subject to legal retention obligations
- Receive your data in a structured, machine-readable format
- Restrict processing of your data in certain circumstances
- Object to processing based on legitimate interests
GDPR (EEA / UK residents). You have all rights enumerated above under the General Data Protection Regulation. You may also lodge a complaint with your local supervisory authority if you believe your rights have been infringed.
CCPA (California residents). You have the right to know what personal information is collected about you, to delete personal information, to opt out of the sale of personal information (we do not sell personal information), and to receive non-discriminatory treatment for exercising these rights.
To exercise any of these rights, contact privacy@legalitize.com. We will respond within 30 days (or the applicable statutory deadline). We may need to verify your identity before processing a request.
7. Cookies
We use strictly necessary cookies for session management and security, and optional analytics cookies to understand platform usage patterns. You can manage your cookie preferences from our Cookie Policy page or via your browser settings. We do not use advertising or tracking cookies.
8. Children's Privacy
Legalitize is a professional platform intended exclusively for licensed attorneys and law firm staff. We do not knowingly collect personal information from individuals under 18. If you believe a minor has provided information to us, contact us immediately at privacy@legalitize.com and we will promptly delete the information.
9. International Data Transfers
Legalitize is operated from the United States. If you are located in the EEA, United Kingdom, or another jurisdiction with restrictions on international data transfers, your personal data may be transferred to and processed in the United States under appropriate safeguards. We use Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers. Our full Data Processing Agreement is available at /dpa.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email and prominent in-platform notice at least 30 days before changes take effect. Continued use of the platform after the effective date of updated terms constitutes your acceptance. You may always request the previous version of this policy by contacting us.
11. Contact & Data Protection Officer
For privacy inquiries, data subject requests, or to reach our Data Protection Officer:
Legalitize, Inc.
Attn: Privacy Team / Data Protection Officer
123 Legal Tech Drive, Suite 400
San Francisco, CA 94105, United States
privacy@legalitize.com