This policy describes what personal information legaltoplain.com ("we," "us") collects, how we use it, and your rights. The Service is operated by [LEGAL ENTITY NAME].
What we collect
- Documents you upload: stored temporarily in private storage to be processed by our AI pipeline.
- Account information: your email address (always required for delivery), and if you create an account, a Supabase-managed user record with that email and (if you sign in via Google) the basic profile fields Google returns.
- Payment information: handled entirely by Stripe; we never see your credit card number. Stripe gives us back a customer ID, payment intent ID, and amount.
- Usage information: the result page you opened, the PDF you downloaded, the date and IP address — logged in our compliance audit table for one year.
- Behavioral analytics: page views, file uploads, payment events. Sent to PostHog for product analytics. Honors Global Privacy Control (GPC) — if your browser sends GPC, we don't load analytics for you.
How we use it
- Process the document and produce your summary.
- Deliver the result via email and the result link.
- Charge you for the Service and process refunds.
- Audit access to your data (compliance and security).
- Detect and prevent fraud, abuse, and rate-limit violations.
- Improve the Service in aggregate (test new prompt versions against curated, anonymized eval documents — never your actual documents).
We do not sell your personal information. We do not use your documents to train AI models. The AI processor (Anthropic) does not retain your document content beyond the API call and does not train on input data per Anthropic's policy.
Data retention
- Uploaded documents: deleted from storage 24 hours after delivery, by default. You may opt to save a document by clicking "Save this for next time" on the result page, in which case it remains accessible to your account until you delete it.
- Result pages and PDFs: accessible via your unique link for 30 days, then expire.
- Account data: kept while your account is active. Deleted within 30 days of account deletion request, except where retention is required by law or to defend legal claims.
- Refund records: retained for 7 years (legal hold for tax / chargeback / dispute purposes).
- Compliance audit logs (
access_log): retained for 1 year.
Your rights
Depending on where you live, you have rights including:
- Access: request a copy of the personal information we have about you. Available self-serve at /account → "Export my data."
- Deletion: request that we delete your account and associated data. Self-serve at /account → "Delete my account."
- Correction: ask us to correct inaccurate information.
- Opt-out of marketing: unsubscribe via the link in any marketing email or toggle the marketing preference at /account/email-prefs.
- Universal opt-out signal: we honor Global Privacy Control. If your browser sends a GPC signal, we automatically opt you out of analytics non-essentials.
State-specific rights (United States)
| State | Notable rights |
|---|---|
| California (CCPA/CPRA) | Right to know, delete, correct, opt-out of "sale" or "sharing" (we do neither). Do Not Sell My Personal Information link in the footer is required even for non-sellers. |
| Colorado (CPA), Connecticut (CTDPA), Virginia (CDPA), Utah (UCPA) | Substantially similar rights to CCPA: access, deletion, correction, portability, universal opt-out. |
| Texas (DPSA) | Effective 2024. Similar rights. Universal opt-out honored as of January 2025. |
To exercise any of these rights, use the self-serve buttons at /account, or email us at the privacy contact below if you can't access your account.
European Union / United Kingdom (GDPR / UK-GDPR)
You have the right to access, rectification, erasure, restriction of processing, data portability, and objection to processing under GDPR / UK-GDPR. Same self-serve mechanisms apply. The legal basis for our processing is (a) contract performance for paid users and (b) legitimate interest for security and fraud prevention.
If you believe we are not handling your data correctly, you have the right to file a complaint with your national supervisory authority.
Canada (PIPEDA / Quebec Law 25)
You have the right of access and correction. Quebec residents additionally have the right to data portability and detailed information about automated decision-making.
Sub-processors
We use the following third-party services to operate the Service. Each is bound by its own privacy and security commitments. The full, maintained list is at /legal/sub-processors. Material changes to this list (new vendors with access to your data) are announced 30 days in advance.
- Anthropic (USA) — AI model that processes your document text and produces summaries.
- Supabase (USA / various) — database, authentication, file storage.
- Vercel (USA) — application hosting.
- Stripe (USA / Ireland for EU) — payment processing.
- Resend (USA) — transactional email delivery.
- Sentry (USA) — error monitoring.
- PostHog (USA / EU available) — product analytics.
- Cloudflare (USA / global) — DNS, bot protection (Turnstile).
- Upstash (USA) — rate limiting.
- BetterStack (USA) — uptime monitoring + log aggregation.
Cookies
- Essential (always on): session cookie for authentication, payment session cookie during checkout. These are required for the Service to function.
- Analytics (opt-in via cookie banner): PostHog product analytics. Disabled by default if your browser sends a GPC signal.
Children
The Service is not directed at children under 13 (or under 16 in jurisdictions where that's the applicable age of digital consent). We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.
Security
We use industry-standard security: HTTPS everywhere, encrypted-at-rest storage, scoped service-role keys, rate limiting, kill-switches, and audit logging. Despite our best efforts, no system is 100% secure; if you become aware of a security issue, please report it to security@legaltoplain.com.
Changes to this policy
We may update this policy. The "Last updated" date reflects the most recent change. Material changes will be communicated by email.
Contact
- Privacy questions: privacy@legaltoplain.com
- Data subject requests (DSAR): self-serve at /account, or email privacy@legaltoplain.com
- DMCA: /legal/dmca
[LEGAL ENTITY NAME], [PHYSICAL MAILING ADDRESS]