Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

• Account Information: When you create an account, we collect your name, email address, and a hashed password. We never store your password in plain text.
• Chat Conversations: Messages you send to LISA, including questions and follow-up responses.
• Document Data: Information you enter into document templates (e.g., names, addresses, dates, legal details).
• Research Notes: Any notes or research pins you save within the workspace.

1.2 Information Collected Automatically

• Usage Data: Pages visited, features used, session duration, and interaction patterns.
• Device Information: Browser type, operating system, device type, and screen resolution.
• Log Data: IP address, access times, referring URLs, and error logs.
• Cookies & Similar Technologies: Session cookies necessary for authentication and Service functionality. See Section 7 for details.

1.3 Information from Third-Party Sources

• Web Search Results: When LISA performs real-time web searches on your behalf, search results from third-party search engines are processed to provide you with current legal information. We do not store these search results beyond the active session.

1.4 Information We Do NOT Collect

• Social Security numbers or government-issued identification numbers
• Financial account numbers, credit card numbers, or banking information
• Health or medical information (unless voluntarily provided in chat)
• Biometric data
• Information from children under 13 years of age

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: To operate the platform, process your legal questions, generate documents, and deliver search results.
• Account Management: To create and manage your account, authenticate your identity, and maintain session security.
• Service Improvement: To analyze usage patterns, diagnose technical issues, and improve the accuracy and functionality of the Service.
• AI Model Improvement: Anonymized and aggregated data may be used to improve the quality of AI responses. Individual conversations are not used to train third-party AI models.
• Security: To detect, prevent, and address fraud, abuse, and security threats.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.
• Communications: To send you essential service-related notifications (e.g., security alerts, account updates). We do not send marketing emails.

3. How We Share Your Information

We do not sell your personal information. We do not share your personal information with third parties for their direct marketing purposes.

We may share your information in the following limited circumstances:

• AI Processing: Your chat messages and document inputs are sent to AI language model providers (via secure API calls) for processing. These providers process data according to their own data processing agreements and do not retain your data for training purposes.
• Service Providers: We may share information with trusted service providers who assist us in operating the Service (e.g., hosting providers, database services), subject to confidentiality obligations.
• Legal Requirements: We may disclose information if required by law, subpoena, court order, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction, subject to the same privacy protections.
• With Your Consent: We may share information for any other purpose with your explicit consent.

4. Data Retention

• Account Data: Retained for as long as your account is active. You may request deletion at any time (see Section 6).
• Chat Conversations: Stored in your account for your reference. You may delete individual conversations at any time through the Service interface.
• Generated Documents: Stored in your account until you delete them or your account is closed.
• Usage & Log Data: Retained for up to 12 months for security and analytics purposes, then automatically deleted or anonymized.
• Web Search Data: Not retained beyond the active session. Search queries and results are processed in real-time and not permanently stored.

5. Data Security

We implement industry-standard technical and organizational measures to protect your personal information, including:

• Encryption of data in transit (TLS/HTTPS) and at rest;
• Secure password hashing (bcrypt) — we never store plain-text passwords;
• Access controls and authentication requirements;
• Regular security assessments and monitoring;
• Secure, isolated database infrastructure.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

6. Your Privacy Rights

6.1 All Users

Regardless of your location, you have the right to:

• Access the personal information we hold about you;
• Correct inaccurate or incomplete information;
• Delete your account and associated data;
• Delete individual conversations and documents through the Service;
• Export your data in a portable format.

6.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share information.
• Right to Delete: You may request that we delete your personal information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
• Right to Limit Use of Sensitive Personal Information: If we collect sensitive personal information, you may direct us to limit its use to what is necessary for the Service.

To exercise these rights, contact us through the LISA platform or via the contact information in Section 13. We will respond to verifiable consumer requests within 45 days.

6.3 Virginia Residents (VCDPA)

Virginia residents have the right to access, correct, delete, and obtain a copy of personal data, as well as the right to opt out of targeted advertising, sale of personal data, and profiling. We do not engage in targeted advertising, sale of personal data, or profiling as defined by the VCDPA.

6.4 Colorado Residents (CPA)

Colorado residents have rights similar to Virginia residents under the Colorado Privacy Act, including the right to access, correct, delete, and opt out of targeted advertising and sale of personal data.

6.5 Connecticut Residents (CTDPA)

Connecticut residents have rights under the Connecticut Data Privacy Act, including the right to access, correct, delete, and obtain a copy of personal data, and the right to opt out of targeted advertising, sale of personal data, and profiling.

6.6 Utah Residents (UCPA)

Utah residents have the right to access and delete personal data, as well as the right to opt out of targeted advertising and sale of personal data under the Utah Consumer Privacy Act.

6.7 Other State Privacy Laws

We are committed to complying with all applicable state privacy laws, including but not limited to those enacted in Oregon, Texas, Montana, Iowa, Indiana, Tennessee, Florida, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Kentucky, and Rhode Island. If your state provides specific privacy rights, you may exercise them by contacting us as described in Section 13.

7. Cookies & Tracking Technologies

7.1 Essential Cookies

We use strictly necessary cookies to:

• Authenticate your identity and maintain your session;
• Remember your security preferences;
• Ensure the proper functioning of the Service.

These cookies are essential for the Service to operate and cannot be disabled.

7.2 Analytics

We may use privacy-respecting analytics to understand how the Service is used. We do not use third-party advertising trackers or cookies for cross-site tracking.

7.3 Do Not Track

We honor Do Not Track (DNT) browser signals. When we detect a DNT signal, we do not engage in any non-essential tracking.

8. Children's Privacy

The Service is not directed to individuals under 13 years of age (or under 16 in jurisdictions where applicable). We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete such information promptly. If you believe we have collected information from a child under 13, please contact us immediately.

9. International Users

The Service is primarily designed for users in the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your country. By using the Service, you consent to the transfer of your information to the United States.

10. Third-Party Services

The Service may contain links to third-party websites or integrate with third-party services (e.g., search engines, AI providers). This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access through the Service.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new “Last Updated” date. For significant changes, we may provide additional notice (e.g., a banner on the Service). Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.

12. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and applicable regulatory authorities in accordance with the data breach notification laws of your state. All 50 U.S. states have data breach notification laws, and we comply with each applicable statute, including notification timelines and requirements.

13. Contact Information

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint regarding our data practices, please contact us:

LISA Legal AI
Legal Information Support Assistant
Phone: 800-934-4939
Email: Available through the platform
Privacy Requests: Use the “Contact” feature in the LISA platform

For California residents: You may also submit CCPA/CPRA requests through the platform. We will respond to verifiable consumer requests within 45 days, as required by law.