Privacy Policy
Effective Date: April 2, 2026
Paralegal AI, Inc. ("Paralegal AI," "we," "us," or "our") operates the useparalegal.ai platform (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you register for an account, we collect:
- Full name
- Email address
- Password (stored as a bcrypt hash; we never store plaintext passwords)
- Organization name and details
- Billing information (processed and stored by Stripe; we do not store full payment card numbers)
1.2 Documents and Content
When you use the Service, you may upload legal documents for review, editing, or analysis. We store:
- Uploaded document files (stored in encrypted S3-compatible object storage)
- Extracted text content used for AI processing
- AI-generated analysis results, including review issues, research memos, citations, and edit suggestions
- Research queries you submit
1.3 Usage Data
We automatically collect:
- IP address and approximate geolocation
- Browser type, operating system, and device information
- Pages visited, features used, and timestamps
- AI token usage per request (for billing and rate limiting)
- Error logs and performance metrics
1.4 Cookies and Session Data
We use server-side sessions backed by Redis to maintain your authenticated state. A session cookie is set in your browser to identify your session. We do not use third-party tracking cookies or advertising pixels.
2. How We Use Your Information
We use the information we collect to:
- Operate the Service: authenticate your identity, process document uploads, run AI-powered analysis, and deliver results
- AI Processing: send document text and queries to AI providers (see Section 4) to generate reviews, research memos, and editing suggestions
- Billing: calculate usage, enforce plan limits, and process subscription payments through Stripe
- Improve the Service: analyze aggregate usage patterns to enhance features and fix bugs
- Communications: send transactional emails related to your account (password resets, billing receipts, service notifications)
- Security: detect and prevent fraud, abuse, and unauthorized access
- Legal Compliance: comply with applicable laws, regulations, and legal processes
3. Data Storage and Security
We take the security of your data seriously and implement the following measures:
- Encryption in Transit: all data transmitted between your browser and our servers is encrypted via TLS (HTTPS)
- Encryption at Rest: uploaded documents are stored in encrypted S3-compatible object storage
- Tenant Isolation: all database queries are scoped by organization ID, ensuring that your data is isolated from other organizations
- Password Security: passwords are hashed using bcrypt with an appropriate work factor before storage
- Session Security: sessions are stored server-side in Redis with expiration timeouts; session tokens are transmitted via secure, HTTP-only cookies
- Access Controls: role-based access controls (owner, admin, member) restrict who can view and modify data within your organization
- Infrastructure: our application, database (PostgreSQL), and caching layer (Redis) are hosted on secure, professionally managed infrastructure
4. AI Data Processing
To provide AI-powered document review, legal research, and document editing, we transmit portions of your document text and queries to third-party AI providers, currently including:
- Anthropic (Claude API)
- OpenAI (GPT API)
Important information about AI data processing:
- We use API agreements with AI providers that include no-training clauses — your documents and queries are not used to train AI models
- Data sent to AI providers is transmitted over encrypted connections and is processed in real time; it is not retained by AI providers beyond the duration needed to generate a response, except as required for abuse monitoring (typically 30 days)
- We send only the minimum document content necessary for the requested analysis
- AI-generated outputs (reviews, memos, edit suggestions) are stored in our database and are accessible only to authorized members of your organization
5. Third-Party Services
We integrate with the following third-party services, each of which has its own privacy policy:
- Stripe — payment processing and subscription management. Stripe receives your billing information directly. See Stripe's Privacy Policy.
- Anthropic — AI language model provider for document analysis. See Anthropic's Privacy Policy.
- OpenAI — AI language model provider. See OpenAI's Privacy Policy.
- Brave Search — web search API used for legal research queries. See Brave's Privacy Policy.
- Cloud Infrastructure Provider — hosting, database, and storage services.
We do not sell your personal information to third parties.
6. Data Retention and Deletion
- Active Accounts: we retain your data for as long as your account is active and as needed to provide the Service
- Deleted Documents: when you delete a document through the Service, the file is removed from object storage and associated records (reviews, edits, extracted text) are deleted from our database
- Account Deletion: upon request, we will delete your account and all associated data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records)
- Backups: data may persist in encrypted backups for up to 90 days after deletion, after which it is permanently purged
- Usage Logs: aggregated, non-personally-identifiable usage statistics may be retained indefinitely for service improvement
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you
- Correction: request correction of inaccurate or incomplete data
- Deletion: request deletion of your personal data, subject to legal retention requirements
- Export: request a machine-readable export of your data
- Restriction: request that we limit processing of your data in certain circumstances
- Objection: object to processing of your data for certain purposes
To exercise any of these rights, contact us at [email protected]. We will respond to verified requests within 30 days.
8. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will take steps to delete such information promptly.
9. International Data Transfers
Your data may be processed and stored in the United States or other countries where our service providers operate. By using the Service, you consent to the transfer of your data to these jurisdictions, which may have data protection laws different from those of your country of residence.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Effective Date" above. For significant changes, we may also notify you via email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
11. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
- Email: [email protected]
- General Support: [email protected]