Effective Date: [DATE] | Last Updated: [DATE]
[ENTITY NAME] (“Company,” “we,” “us,” or “our”) operates FLexlaw, an AI-assisted legal research platform (“the Service”). This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you use the Service. It also explains your rights regarding your information and how to exercise them.
We understand that users of legal research platforms may process sensitive, confidential, and privileged information in the course of their work. We have designed our data practices with this reality at the forefront, and we encourage you to read this Policy carefully.
1. Information We Collect
1.1 Information You Provide Directly
Account Information. When you create an account, we collect your name, email address, and password. If you subscribe to a paid plan, we collect billing information (processed by our third-party payment processor; see Section 5).
Research Queries and Inputs. When you use the Service, you submit search queries, natural-language research questions, and other inputs (“User Inputs”). User Inputs may contain information about legal matters, clients, case strategies, or other sensitive professional content.
Communications. If you contact us for support, provide feedback, or otherwise communicate with us, we collect the contents of those communications.
1.2 Information Collected Automatically
Usage Data. We automatically collect information about how you interact with the Service, including pages visited, features used, search queries executed, timestamps, session duration, and referring URLs.
Device and Connection Information. We collect your IP address, browser type and version, operating system, device identifiers, and general geographic location (derived from IP address).
Cookies and Similar Technologies. We use cookies and similar technologies as described in Section 8.
1.3 Information We Do Not Collect
We do not knowingly collect biometric data, Social Security numbers, financial account numbers (other than through our payment processor), health information, or other categories of sensitive personal information beyond what is described in this Policy.
2. How We Use Your Information
2.1 Providing the Service
- Processing your research queries and delivering search results and AI-generated analysis
- Maintaining your account and authenticating your identity
- Processing payments and managing subscriptions
- Providing customer support
2.2 Improving the Service
- Analyzing aggregated, de-identified usage patterns to improve search quality, interface design, and feature development
- Monitoring system performance and diagnosing technical issues
- Conducting internal research and development
2.3 Safety and Compliance
- Detecting, preventing, and addressing fraud, abuse, security incidents, and technical issues
- Enforcing our Terms of Service
- Complying with applicable legal obligations
2.4 Communications
- Sending service-related notices (e.g., account verification, billing, security alerts, policy changes)
- With your consent, sending product updates or information we believe may be relevant to your use of the Service
3. How We Handle Research Queries and AI Processing
3.1 AI Processing Architecture
The Service uses artificial intelligence, including large language models provided by third-party AI providers (currently Anthropic, via their commercial API), to process research queries and generate analysis. When you submit a query, it is transmitted to our AI provider for processing.
3.2 No Training on Your Data
Your research queries and the AI-generated responses are not used to train AI models. Our agreement with our AI provider operates under commercial API terms that contractually prohibit the use of customer inputs and outputs for model training. This is distinct from consumer-grade AI products, which may use interactions for training purposes.
3.3 AI Provider Data Retention
Under our commercial API agreement, our AI provider retains inputs and outputs for a limited period (currently no more than thirty (30) days) solely for trust and safety purposes (e.g., detecting abuse), after which they are automatically deleted. We are pursuing zero-data-retention arrangements where available. We will update this Policy to reflect any changes to these arrangements.
3.4 Our Retention of Query Data
We retain your research query history in your account to enable you to revisit prior research sessions. You may delete individual queries or your entire query history at any time through your account settings. When you delete query data, it is removed from our active systems within thirty (30) days and from backup systems within ninety (90) days.
3.5 Privilege and Confidentiality Considerations
We recognize that legal professionals may submit queries that implicate attorney-client privilege, work product protections, or other confidentiality obligations.
What we do to protect you:
- We use enterprise-grade AI provider agreements with contractual confidentiality protections and prohibitions on using your data for model training.
- We do not review, access, or analyze the contents of individual user queries except as necessary for system administration, to investigate specific reported incidents, or as required by law.
- We do not disclose the contents of your queries to third parties except as described in Section 5 or as compelled by valid legal process.
What you should understand:
- While we implement strong contractual and technical safeguards, no system is perfectly secure. You should evaluate whether your use of any cloud-based research tool is appropriate given the confidentiality obligations governing your specific matter.
- Recent case law — including United States v. Heppner, No. 1:24-cr-00584 (S.D.N.Y. Feb. 10, 2026) — has examined the confidentiality implications of using AI platforms. The Heppner court’s analysis focused on consumer-grade AI tools whose terms permit data use for training and disclosure to third parties. Our commercial-grade architecture and contractual protections are designed to provide stronger confidentiality safeguards, but we cannot and do not guarantee that use of the Service will preserve privilege in all circumstances. You should consult the applicable ethics rules and case law in your jurisdiction to assess your own obligations.
4. Data Retention
4.1 Account Information
We retain your account information for as long as your account is active and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements. If you delete your account, we will delete or de-identify your personal information within ninety (90) days, except where retention is required by law.
4.2 Research Query Data
As described in Section 3.4, query history is retained until you delete it or until your account is terminated. You may delete query data at any time.
4.3 Usage and Analytics Data
Aggregated, de-identified usage data may be retained indefinitely for analytical purposes. This data cannot be used to identify individual users.
4.4 Payment Records
Transaction records are retained as required by applicable tax and financial reporting laws (generally seven (7) years).
4.5 Communications
Support communications are retained for up to three (3) years after resolution of your inquiry.
5. How We Share Your Information
5.1 AI Processing Providers
Your research queries are transmitted to our AI provider (currently Anthropic) for processing under commercial terms that prohibit use of your data for model training and include confidentiality obligations. See Section 3 for details.
5.2 Payment Processors
Payment information is collected and processed by our third-party payment processor (currently Stripe). We do not store your full credit card number or payment account details on our systems. Your payment information is subject to the payment processor’s privacy policy.
5.3 Infrastructure and Service Providers
We use third-party providers for hosting, data storage, analytics, email delivery, and other operational functions. These providers process your information only on our behalf and are bound by contractual obligations to protect your data and use it only for the purposes for which it was disclosed.
5.4 Analytics
We may use analytics services to understand how the Service is used. Analytics data is collected in aggregated or de-identified form. We do not share the contents of your research queries with analytics providers.
5.5 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process (such as a subpoena, court order, or government request). Where permitted by law, we will provide you with notice before disclosing your information in response to legal process.
5.6 Business Transfers
If we are involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5.7 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
6. Your Rights and Choices
6.1 All Users
Regardless of where you are located, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate personal information
- Delete your personal information (subject to legal retention requirements)
- Delete query history at any time through your account settings
- Export your data in a portable format
- Opt out of marketing communications at any time
- Close your account at any time
To exercise these rights, contact us at [PRIVACY EMAIL] or use the controls available in your account settings. We will respond to requests within thirty (30) days, or within the timeframe required by applicable law.
6.2 California Residents
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), including:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: We do not sell your personal information or share it for cross-context behavioral advertising. If this changes, we will provide a “Do Not Sell or Share My Personal Information” link.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of Personal Information Collected (CCPA Disclosure):
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address | Yes |
| Commercial information | Subscription records, transaction history | Yes |
| Internet/electronic activity | Usage data, search queries, interaction logs | Yes |
| Geolocation data | Approximate location from IP | Yes |
| Professional information | Bar number, firm name (if provided) | If provided |
| Inferences | Research topics, usage patterns | Yes |
Disclosure of Personal Information for Business Purposes: We disclose personal information to service providers (AI processing, hosting, payment processing, analytics) for the business purposes described in this Policy. We do not sell personal information.
6.3 Residents of Other U.S. States with Privacy Laws
If you reside in Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia (or any other state that enacts comprehensive privacy legislation), you may have rights similar to those described in Section 6.2, including the right to access, correct, delete, and obtain a portable copy of your data, and the right to opt out of targeted advertising, the sale of personal information, and certain profiling activities. To exercise these rights, contact us at [PRIVACY EMAIL].
6.4 European Economic Area, United Kingdom, and International Users
If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States.
If you are located in the European Economic Area (EEA) or the United Kingdom, you may have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the right to lodge a complaint with your local supervisory authority. Our legal bases for processing your personal data are:
- Contract performance — for data necessary to provide the Service
- Legitimate interests — for analytics and service improvement (balanced against your rights)
- Legal obligation — where required by law
- Consent — for marketing communications (which you may withdraw at any time)
7. Data Security
We implement technical and organizational measures designed to protect your personal information, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Access controls limiting employee access to personal information on a need-to-know basis
- Regular security assessments and monitoring
- Secure authentication mechanisms
- Incident response procedures
Despite these measures, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, and you use the Service at your own risk.
In the event of a data breach that is likely to affect your rights, we will notify you and applicable regulatory authorities as required by law.
8. Cookies and Tracking Technologies
8.1 What We Use
| Type | Purpose | Duration |
|---|---|---|
| Essential cookies | Authentication, session management, security | Session / up to 1 year |
| Analytics cookies | Understanding usage patterns and improving the Service | Up to 2 years |
8.2 What We Do Not Use
We do not use advertising cookies, cross-site tracking pixels, or social media tracking widgets. We do not engage in cross-context behavioral advertising.
8.3 Your Choices
Most browsers allow you to control cookies through their settings. You may also use browser-based opt-out mechanisms such as the Global Privacy Control (GPC) signal, which we honor where required by law. Disabling essential cookies may impair the functionality of the Service.
9. Automated Decision-Making
The Service uses AI to generate research results and analysis in response to your queries. This constitutes automated processing of your inputs.
Important distinctions:
- The Service does not make legal decisions about you or on your behalf. It provides research output for your independent evaluation and use.
- The Service does not engage in profiling that produces legal or similarly significant effects concerning you.
- AI-generated output is provided as a research aid. You are responsible for independently evaluating all output before relying on it.
If applicable law in your jurisdiction grants you the right to opt out of automated decision-making or to obtain human review of automated decisions, and you believe such rights apply to your use of the Service, please contact us at [PRIVACY EMAIL].
10. Children’s Privacy
The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under eighteen. If we learn that we have collected personal information from a child under eighteen, we will promptly delete that information. If you believe a child under eighteen has provided us with personal information, please contact us at [PRIVACY EMAIL].
11. Third-Party Links and Services
The Service may contain links to third-party websites, services, or resources. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through the Service.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) or by posting a prominent notice on the Service at least thirty (30) days before the changes take effect. We encourage you to review this Policy periodically.
The “Last Updated” date at the top of this Policy indicates when the most recent changes were made.
13. How to Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
[ENTITY NAME]
Attn: Privacy Inquiries
[ADDRESS]
[PRIVACY EMAIL]
For data subject access requests or other privacy rights requests, please email [PRIVACY EMAIL] with the subject line “Privacy Rights Request.”
14. Additional Disclosures
14.1 Do Not Track
Some browsers transmit “Do Not Track” (DNT) signals to websites. Because there is no common industry standard for interpreting DNT signals, we do not currently alter our data practices in response to DNT signals. We do, however, honor Global Privacy Control (GPC) signals where required by applicable law.
14.2 Data Processing Addendum
Enterprise or institutional customers may request a Data Processing Addendum (DPA) that provides additional contractual commitments regarding data handling. Contact us at [PRIVACY EMAIL] for details.
14.3 Sub-Processors
A current list of our sub-processors (third-party service providers who process personal data on our behalf) is available upon request by emailing [PRIVACY EMAIL].
This Privacy Policy was last updated on [DATE].