Privacy Policy
Last updated: March 12, 2026 · Starboard Labs LLC · support@atticus-ai.com
Introduction
Starboard Labs LLC (“we,” “us,” or “our”) operates the Atticus AI platform (“Service”), a legal research and document analysis platform for attorneys and legal professionals. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.
Contact Information
- Company: Starboard Labs LLC
- Email: support@atticus-ai.com
- Phone: 850-501-2834
Information We Collect
2.1 Account Information
- Name and email address
- Professional role (attorney, paralegal, partner, staff)
- Bar number (if provided)
- Phone number (if provided)
- Firm affiliation
- Payment information (processed through Stripe -- we do not store card details)
2.2 Usage Information
- AI research queries and conversations
- Documents uploaded for analysis
- Web search queries submitted through the platform (general legal research terms only)
- Technical data: IP addresses, browser type and version, user agent, request timestamps
- Authentication events: login attempts (successful and failed), session activity
2.3 Document Data
- Documents you upload (PDF, DOCX, DOC, TXT, RTF -- 50 MB maximum)
- Extracted text content from uploaded documents
- File metadata: filename, file size, MIME type, upload date, page count, word count
- SHA-256 file integrity hashes
- Vector embeddings generated from document content for search and retrieval
- AI-generated analysis and research results
2.4 Marketing Site Analytics
Our marketing website (atticus-ai.com) uses Vercel Analytics to collect page view and basic interaction metrics. This data is aggregated and does not track individual users across sessions. Vercel Analytics does not use third-party cookies. The application itself (app.atticus-ai.com) does not use analytics tracking.
How We Use Your Information
- Provide the Service: Process your documents, execute AI-powered legal research, and store your data securely
- AI analysis: Send document content and your queries to AWS Bedrock (Anthropic Claude) to generate research results and analysis -- your data is not retained by the AI provider and is never used to train models
- Document indexing: Generate vector embeddings from your documents to enable semantic search within your firm's document library
- Authentication and security: Verify your identity, enforce session timeouts, detect unauthorized access attempts, and maintain audit logs
- Payment processing: Process subscription payments through Stripe
- Customer support: Respond to your inquiries
- Service notifications: Send account-related emails (verification, password reset, subscription changes)
- Legal compliance: Maintain HIPAA-compliant audit trails and fulfill legal obligations
Information Sharing and Subprocessors
We share your data only with the third-party service providers necessary to operate the platform. We do not sell, rent, or trade your information. A complete list of subprocessors is maintained on our Security page.
4.1 Service Providers
- Amazon Web Services (AWS): Cloud infrastructure for compute, database, storage, and AI inference. All data resides in US-East-1 (N. Virginia). We maintain a signed Business Associate Agreement with AWS covering EC2, RDS, S3, Bedrock, and CloudTrail.
- AWS Bedrock (Anthropic Claude): AI model inference for legal research and document analysis. Your document content and queries are sent to Claude for processing via TLS. AWS does not retain your data after processing and does not use it to train models. Covered under our AWS BAA.
- Stripe: Payment processing for subscriptions. Stripe receives your billing name, email, and payment method. Stripe is PCI-DSS Level 1 compliant. Stripe has no access to your legal documents, conversations, or case data.
- Exa AI: Web search for general legal research. Only search query terms are transmitted -- never confidential client information, document content, or personal data. The platform runs automated PII detection on queries before transmission and blocks queries containing personal information. This service is not covered by a BAA.
- Vercel: Hosts the marketing website and collects aggregated page view analytics on the marketing site only. No application data, documents, or conversations are accessible to Vercel.
4.2 Legal Requirements
We may disclose information when required by law:
- Court orders and subpoenas
- Regulatory investigations
- Law enforcement requests with proper legal authority
4.3 Firm-Level Data Isolation
Every database query in the platform is scoped to your firm. There is no mechanism for cross-tenant data access. Your documents, conversations, and account data are completely isolated from other firms and users on the platform.
Data Security
5.1 Encryption
- In transit: TLS 1.2 or higher with ECDHE key exchange and AES-256-GCM cipher suites (ECDHE-RSA-AES256-GCM-SHA384 on TLS 1.2). HSTS enforced with a one-year max-age.
- At rest (storage): Documents are encrypted client-side, before upload to S3, with Fernet (AES-128-CBC with HMAC-SHA256 authentication; key derived via PBKDF2-SHA256 at 100,000 iterations), then encrypted again server-side with AES-256 by AWS S3.
- At rest (database): AWS RDS encryption with AES-256 (AWS-managed keys).
- Passwords: Hashed with bcrypt. We never store plaintext passwords.
- Sessions: JSON Web Tokens (JWTs) signed with HS256 (HMAC-SHA256) and delivered in HttpOnly, Secure, SameSite=Lax cookies. The signature makes the token tamper-evident; the claims inside it are encoded, not encrypted, so no sensitive data is placed in the token.
5.2 Access Controls
- Role-based access control (RBAC) with firm-level data isolation enforced at the database query level
- Account lockout after 5 failed login attempts (30-minute lock duration)
- Session timeout: 30-minute inactivity threshold, 8-hour absolute maximum
- Rate limiting: 10 requests/second for API calls, 2 requests/second for file uploads, 3 requests/minute for registration
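The session and lockout rules in 5.1 and 5.2 above, worked through as an added Python example (this is illustrative code, not Atticus code; the signing key, account names and timestamps are constructed here): an HS256-signed token carrying the login time and the last-activity time, validation that enforces both the 30-minute inactivity threshold and the 8-hour absolute maximum, a refresh that slides only the inactivity window, and a per-account counter that locks for 30 minutes after five failed attempts.

```python
# Added illustration, not Atticus code: an HS256-signed session token with
# the 30-minute inactivity and 8-hour absolute limits, plus the 5-attempt /
# 30-minute login lockout. Key, identifiers and timestamps are constructed.
import base64
import hashlib
import hmac
import json

INACTIVITY_LIMIT = 30 * 60      # seconds since last activity
ABSOLUTE_LIMIT = 8 * 60 * 60    # seconds since login, regardless of activity
LOCKOUT_THRESHOLD = 5           # failed logins before the account locks
LOCKOUT_DURATION = 30 * 60      # seconds the lock stays in place

# Assumed demo key. A real deployment uses a long random key held server-side.
SECRET = b"constructed-demo-signing-key-do-not-reuse"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_claims(claims: dict, key: bytes) -> str:
    """Serialise header.payload and append an HMAC-SHA256 tag (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":"), sort_keys=True).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def issue_token(user_id: str, firm_id: str, now: int, key: bytes = SECRET) -> str:
    """Mint a token at login. 'iat' anchors the absolute limit, 'last' the inactivity limit."""
    return sign_claims({"sub": user_id, "firm": firm_id, "iat": now, "last": now}, key)


def peek_claims(token: str) -> dict:
    """Decode the claims WITHOUT verifying: HS256 signs the payload, it does not hide it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def validate_token(token: str, now: int, key: bytes = SECRET):
    """Return (ok, reason, claims). Checks structure, alg, signature, then both timeouts."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        tag = b64url_decode(s_b64)
    except ValueError:
        return False, "malformed", None
    if header.get("alg") != "HS256":            # never let the token choose its own algorithm
        return False, "alg", None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "signature", None
    if now - claims["iat"] > ABSOLUTE_LIMIT:
        return False, "absolute_timeout", None
    if now - claims["last"] > INACTIVITY_LIMIT:
        return False, "inactivity_timeout", None
    return True, "ok", claims


def refresh_token(token: str, now: int, key: bytes = SECRET):
    """Slide the inactivity window on activity; 'iat' is kept so the absolute cap still applies."""
    ok, _, claims = validate_token(token, now, key)
    if not ok:
        return None
    return sign_claims({**claims, "last": now}, key)


class LoginGuard:
    """Per-account failure counter implementing lockout after N failures."""

    def __init__(self):
        self._state = {}  # account -> (failure_count, locked_until)

    def attempt(self, account: str, password_ok: bool, now: int) -> str:
        count, locked_until = self._state.get(account, (0, 0))
        if now < locked_until:
            return "locked"  # checked before the password so the lock is not a password oracle
        if password_ok:
            self._state.pop(account, None)
            return "ok"
        count += 1
        if count >= LOCKOUT_THRESHOLD:
            self._state[account] = (0, now + LOCKOUT_DURATION)
            return "locked"
        self._state[account] = (count, 0)
        return "failed"
```

`peek_claims` reads the claims without the key, which is the practical point behind the cookie flags: an HS256 JWT is tamper-evident, not confidential, so the cookie is marked HttpOnly and Secure and the token carries identifiers rather than document or client data.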
5.3 Infrastructure
- AWS data centers in US-East-1 (N. Virginia) with SOC 2 Type II and ISO 27001 certifications
- Isolated Docker network -- database and cache have no public internet access
- SQL injection and XSS pattern detection via security middleware
- File validation: type whitelist, MIME verification, malware scanning, 50 MB size limit
- S3 bucket versioning and access logging enabled for audit trail integrity
5.4 AI Data Handling
Your data is never used to train or improve AI models. When you submit a query or document for analysis, the content is sent to AWS Bedrock (Anthropic Claude) via TLS for processing. AWS Bedrock does not retain your data after generating a response. This is covered under our Business Associate Agreement with AWS.
5.5 Caching Policy
We use Redis for rate limiting and caching non-sensitive data (user profiles, subscription status, conversation ownership). Document content, chat messages, AI analysis results, client details, and legal document content are never cached.
Data Retention and Deletion
6.1 Retention Periods
- Audit logs: 7 years (2,555 days) as required by HIPAA
- Documents: Retained until you delete them, or 7 years after account closure for legal compliance
- Conversations and messages: Retained until you delete them, or upon account deletion
- Deletion records: Retained permanently as CCPA compliance proof
- Payment records: 7 years for tax compliance (managed by Stripe)
- Temporary files: Automatically deleted after 24 hours
- Inactive accounts: Soft-deactivated after 180 days of inactivity (data preserved, access suspended)
6.2 Your Control
- Delete individual conversations and documents through the platform at any time
- Request full account deletion: email support@atticus-ai.com
- Request data export: email support@atticus-ai.com
6.3 Account Deletion Process
When you request account deletion, we verify your identity via password confirmation, then:
- Delete all your documents from storage (S3 and database)
- Delete all conversations and chat messages
- Anonymize your personal information (email, name, phone, bar number)
- Deactivate the account
- Create an immutable deletion log for compliance proof
Audit logs are retained for the legally required 7-year period after deletion, with a documented compliance justification. Deletion records are retained permanently as CCPA compliance proof.
We respond to all privacy requests within 45 days.
Your Privacy Rights
7.1 All Users
- Access and review your personal data
- Correct inaccurate information
- Request deletion of your data
- Export your data in a portable format
- Opt out of marketing communications
7.2 California Residents (CCPA/CPRA)
California residents have additional rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected (twice per 12 months)
- Right to Delete: Request deletion, subject to legal retention requirements (HIPAA audit logs, CCPA compliance records)
- Right to Correct: Request correction of inaccurate personal information
- Right to Non-Discrimination: We will not penalize you for exercising your privacy rights
7.3 Other State Privacy Rights
Residents of Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with privacy laws have similar rights. Contact support@atticus-ai.com to exercise your rights.
We Do Not Sell Your Data
Starboard Labs LLC does not sell or share your personal information for monetary or other valuable consideration.
- We never sell data to data brokers or advertisers
- We do not share data for cross-context behavioral advertising
- We do not participate in ad networks
- Your legal research, documents, and conversations remain confidential
Because we do not sell or share personal information, there is no need to opt out.
Sensitive Personal Information
Legal documents you upload may contain sensitive information including financial data, health information, Social Security numbers, and private communications. We treat all uploaded document content as sensitive. This data is:
- Encrypted at rest with dual-layer encryption (Fernet client-side + AES-256 server-side)
- Scoped to your firm with no cross-tenant access
- Never used for marketing, advertising, or AI model training
- Processed only to provide the Service (research, analysis, search)
- Tagged as HIPAA-protected in storage
Under California law (CPRA), you have the right to limit use of sensitive personal information. Because we only use it to provide the Service, there are no additional uses to limit.
Automated Processing and AI
Atticus uses AI (Anthropic Claude via AWS Bedrock) to analyze documents and generate legal research. Specifically:
- Document analysis: When you submit a document for analysis, the extracted text is sent to the AI model for processing. The model does not retain your data after generating a response.
- Research queries: Your questions and relevant document context are sent to the AI model to generate research results.
- Document search: Vector embeddings (mathematical representations) are generated from your documents to enable semantic search within your firm's library. These embeddings are stored in your firm's isolated database space.
- Web search: If you enable web search, general legal research queries are sent to Exa AI. Queries are screened for PII before transmission. Confidential client information is never included.
AI outputs are tools to assist your work -- they do not make decisions on your behalf. You retain full control over how to use or disregard any AI-generated content. All AI-generated content should be independently verified by a qualified legal professional.
Cookies and Tracking
The Atticus application (app.atticus-ai.com) uses only essential authentication cookies:
- auth_token: HttpOnly, Secure, SameSite=Lax cookie containing your signed session token (JWT). Required for platform access. The cookie expires after 24 hours (or 30 days with “remember me”); the session it carries remains subject to the inactivity and absolute timeouts described under Data Security, section 5.2.
We do not use third-party cookies, tracking pixels, or cross-site analytics on the application. The marketing website (atticus-ai.com) uses Vercel Analytics for aggregated page view metrics, which does not use third-party cookies or track individual users across sessions.
International Data
All data is processed and stored within the United States in AWS US-East-1 (N. Virginia) data centers. We do not transfer data outside the United States.
Children's Privacy
Atticus is designed for legal professionals and is not intended for users under 18 years of age. We do not knowingly collect personal information from minors.
Data Breach Notification
In the event of a data breach involving your personal information, we will:
- Notify you without unreasonable delay and no later than 72 hours after discovery
- Notify state authorities as required by applicable law
- Provide details on what happened, what data was affected, and what we are doing to address it
- Conduct a risk assessment per HIPAA breach assessment requirements (45 CFR 164.402)
- Offer appropriate remediation
We maintain a documented Incident Response Plan with severity classification, escalation procedures, and post-incident review processes.
Policy Updates
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify users of material changes via email at least 30 days before changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.
Contact Us
For privacy questions or to exercise your rights:
- Email: support@atticus-ai.com
- Phone: 850-501-2834
- Subject line: “Privacy Request” followed by your request type
We will respond within 45 days of receiving your verified request.
This Privacy Policy is effective as of March 12, 2026, and governs the collection, use, and protection of personal information through the Atticus platform operated by Starboard Labs LLC.