Privacy Policy

2.1 Personal Information

We collect the following personal information:

• Account Information: Name, email address, professional credentials
• Payment Information: Billing details processed through Stripe (we do not store payment card information)
• Professional Verification: Information provided during our manual verification process
• Communication Records: Support emails and correspondence

2.2 Usage Information

• Service Usage: AI queries, document analysis requests, and system interactions
• Technical Data: IP addresses, browser information, and system performance logs
• Conversation History: AI interactions and analysis results (user-deletable)

2.3 Document Data

• Uploaded Documents: Legal documents temporarily processed for AI analysis
• Document Metadata: File names, upload timestamps, and processing results
• Analysis Results: AI-generated summaries, research, and legal analysis

Important: Documents are processed but not permanently stored. Document management features are planned for future releases.

3.1 Service Provision

• Provide AI-powered legal analysis and research tools
• Process and analyze uploaded legal documents
• Maintain user accounts and authentication
• Process payments through Stripe
• Provide customer support and training

3.2 Communication

• Send service-related notifications and updates
• Provide customer support and technical assistance
• Send marketing communications (with consent)
• Notify users of policy changes and service updates

3.3 System Operations

• Monitor system performance and reliability
• Ensure data security and prevent unauthorized access
• Comply with legal obligations and regulatory requirements
• Improve service quality and user experience

4.1 Service Providers

We share information with trusted third-party service providers:

• Amazon Web Services (AWS): Cloud infrastructure with signed Business Associate Agreement (BAA)
• Stripe: Payment processing (PCI DSS compliant)
• EmailJS: Email communication services
• AWS Bedrock: AI model access with HIPAA-compliant BAA

4.2 Legal Requirements

We may disclose information when required by law:

• Court orders and subpoenas
• Regulatory investigations
• Law enforcement requests with proper legal authority
• Emergency situations involving immediate physical harm

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred to the acquiring entity with equivalent privacy protections.

4.4 No Cross-Client Sharing

Important: We never share client data between different law firms or users. Each client's data remains completely isolated.

5.1 Security Measures

• Encryption: AWS-provided encryption at rest and in transit
• Access Controls: Restricted access to authorized personnel only
• Infrastructure Security: AWS SOC 2 compliant infrastructure
• HIPAA Compliance: Business Associate Agreement with AWS ensuring PHI protection
• Regular Monitoring: Continuous security monitoring and threat detection

5.2 AI Model Security

• No Training Data: Your data is never used to train, fine-tune, or improve AI models
• Temporary Processing: Documents are processed in memory and not permanently stored
• Secure APIs: All AI processing through HIPAA-compliant AWS Bedrock services

6.1 Retention Period

• Account Information: Retained for 6 years after account closure (HIPAA compliance requirement), but can be deleted earlier upon user request subject to legal obligations
• Conversation History: Retained for 6 years for HIPAA compliance, but users can request deletion at any time (we will delete unless retention is required by law)
• Uploaded Documents: Retained for 6 years for HIPAA compliance, but users can request deletion at any time (we will delete unless retention is required by law)
• Audit Logs: Retained for 6 years as required by HIPAA regulations (cannot be deleted during retention period)
• Payment Records: Retained for 7 years for tax compliance and fraud prevention (managed by Stripe)
• Technical Logs: Retained for 90 days for security and troubleshooting purposes

Note: While we retain data for HIPAA compliance, users have the right to request deletion at any time. We will honor deletion requests except where retention is required by law, regulation, or for fraud prevention.

6.2 User Control

• Conversation Deletion: Users can delete individual conversations through the platform interface
• Account Deletion: Email [email protected] with subject line "Privacy Request - Account Deletion"
• Data Portability: Request a copy of your data by emailing [email protected] with subject line "Privacy Request - Data Export"
• Data Correction: Email [email protected] to correct inaccurate personal information
• Processing Restriction: Request limitation of data processing by emailing [email protected]

Response Time: We will respond to all privacy requests within 45 days as required by law.

7.1 Access Rights

• Review your account information and usage history
• Request copies of your personal data
• Update or correct inaccurate information
• Request deletion of your account and associated data

7.2 Communication Preferences

• Opt out of marketing communications
• Control service notification preferences
• Update contact information and preferences

7.3 California Privacy Rights (CCPA/CPRA)

California residents have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

7.4 Other State Privacy Rights

Residents of Virginia, Colorado, Connecticut, and Utah have similar privacy rights under their respective state laws:

• Virginia (CDPA): Right to access, delete, correct, and opt-out of targeted advertising and sales
• Colorado (CPA): Right to access, delete, correct, opt-out, and universal opt-out recognition
• Connecticut (CTDPA): Right to access, delete, correct, and opt-out
• Utah (UCPA): Right to access, delete, and opt-out

We honor privacy rights for residents of all U.S. states. To exercise your rights, email [email protected] with subject line "Privacy Request".

10.1 Legal Professional Focus

While not required, Atticus is designed for legal professionals including attorneys, paralegals, legal clerks, and legal assistants. Our security measures and data handling practices are designed to support professional legal work.

10.2 Attorney-Client Privilege

We implement measures to help preserve attorney-client privilege:

• Complete data isolation between different law firms
• No cross-contamination of client information
• Secure processing of potentially privileged communications
• HIPAA-compliant handling of protected health information

14.1 AWS Services (Infrastructure Provider)

Our infrastructure is provided by Amazon Web Services under a signed Business Associate Agreement ensuring HIPAA compliance and data protection.

• Services Used: EC2 (compute), RDS (database), S3 (storage), CloudTrail (audit logs)
• Data Shared: All platform data (encrypted at rest and in transit)
• Purpose: Cloud infrastructure and data storage
• Location: United States data centers only

14.2 AWS Bedrock (AI Model Provider)

AI analysis is powered by AWS Bedrock, Amazon's HIPAA-compliant AI service covered under our Business Associate Agreement.

• Services Used: Large language models for legal analysis
• Data Shared: Legal queries and documents submitted for AI analysis (temporarily processed, not stored)
• Purpose: Generate AI-powered legal research and document analysis
• Data Usage: Your data is NEVER used to train or improve AI models

Future AI providers will be disclosed in this section and will be required to sign equivalent data protection agreements.

14.3 Stripe (Payment Processing)

Stripe processes all payments. We do not store credit card information on our servers.

• Data Shared: Name, email, billing information
• Purpose: Process subscription payments
• Compliance: PCI DSS Level 1 certified

Please review Stripe's Privacy Policy for their data handling practices.

14.4 EmailJS (Email Communications)

EmailJS facilitates transactional emails (welcome messages, password resets, notifications).

• Data Shared: Email address, name, message content
• Purpose: Deliver service-related emails
• Limitation: We do not share legal documents or sensitive content via EmailJS

14.5 No Other Third Parties

We do not share data with:

• Analytics providers (no Google Analytics, Mixpanel, etc.)
• Advertising networks or data brokers
• Social media platforms
• Marketing automation tools