Privacy Policy

This Privacy Policy explains how CounselCrest Technologies Inc. and its affiliates (collectively, "CounselCrest", "we", "us", or "our") collect, use, disclose, and protect information in connection with our AI-powered legal software-as-a-service platform and related websites, applications, APIs, and services (the "Services").

1. Who We Are

CounselCrest provides AI-enabled tools for legal research, document analysis, case management, and related legal technology workflows for law firms and legal professionals. Some services are provided by or in collaboration with our affiliates and service providers, including LawyerDesk Advocacy Pvt Ltd.

2. Scope

This Policy applies to information we process about users of the Services, including organization administrators, team members, end-users, and visitors of our websites. Where we act as a processor on behalf of our customers (the "Customer"), we process personal data pursuant to our agreement and our Data Processing Addendum ("DPA"). See our DPA and sub-processor list at Data Processing Addendum.

3. Information We Collect

• Account & Profile Data: name, email, phone, firm/organization, role, bar number, preferences, settings.
• Authentication Data: hashed passwords, multi-factor details, OAuth identifiers.
• Usage & Telemetry: feature usage, device info, IP address, browser/OS, session metadata, performance metrics, error logs.
• Content You Provide: case files, documents, notes, emails, chat prompts, annotations, extracted text, and uploads.
• AI Inputs/Outputs: prompts, intermediate chain-of-thought artifacts (not retained unless explicitly saved), model responses, and tool calls. We store full JSON responses for compatibility and auditability.
• Billing: subscription status, invoices, payment status via our payment processor; we do not store full card numbers.
• Support: support tickets, feedback, and communications.

Some legal matters may include sensitive data (e.g., health, financial, criminal). Customers are responsible for ensuring they have a lawful basis to process such data within our Services.

4. How We Use Information

• Provide, secure, and maintain the Services (account management, authentication, access control).
• Enable AI-powered features (legal research, document analysis, search, translation, summarization).
• Ensure reliability and quality (monitoring, debugging, error tracking, observability).
• Improve and develop our Services (research, features, UX) using aggregated, anonymized, or de-identified data where possible.
• Communicate with you (service updates, billing, security notices, support).
• Comply with legal obligations and enforce our agreements, including fraud prevention and abuse detection.

5. AI Processing and Model Use

• We orchestrate multiple AI providers and runtimes (e.g., Google Gemini/Vertex AI, OpenRouter, Ollama), depending on your configuration and task.
• Unless you opt-in or configure otherwise, we do not use your Customer Content to train third-party foundation models. Some providers may use transient data for safety or abuse prevention according to their policies.
• We maintain AI observability through Langfuse (self/managed) for quality, safety, and performance tracing.
• We use vector databases (e.g., Qdrant) to enable semantic search/embeddings. Content may be chunked, embedded, and indexed for retrieval.

6. Data Storage and Sub-processors

We use reputable infrastructure and service providers. Key categories include:

• Database & Auth: Supabase (database, auth, storage)
• Infrastructure & Hosting: Google Cloud Platform, Vercel, Cloudflare
• AI/ML: Google Vertex AI/Gemini, OpenRouter, Ollama; orchestration via LiteLLM/LangChain; memory via Mem0 (if enabled)
• Vector Search: Qdrant
• Storage: MinIO / Google Cloud Storage
• Observability: Langfuse (self/managed), Sentry
• Messaging: Twilio (SMS), SendGrid (email)
• Payments: Stripe

The current sub-processor list and purposes are maintained in our DPA at Data Processing Addendum.

7. Legal Bases (EEA/UK/India)

Where applicable, we rely on the following bases under GDPR/UK GDPR/DPDPA:

• Performance of a contract (to deliver the Services);
• Legitimate interests (to secure, improve, and provide our Services);
• Consent (where required, e.g., certain analytics/communications);
• Legal obligation (e.g., compliance, law enforcement requests).

8. Data Retention

We retain personal data for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Our platform includes an archival system with a default 7-year retention policy for certain records to support legal and compliance needs. Customers may configure retention or request deletion subject to legal holds and applicable law.

9. Data Sharing

• Service Providers/Sub-processors: We share information with vendors who process data on our behalf under contractual safeguards (SCCs, DPAs).
• Affiliates: We may share within our corporate group to provide and improve Services.
• Legal: We may disclose when required by law, regulation, legal process, or to protect rights, safety, or security.
• Business Transfers: In the event of a merger, acquisition, or sale, data may be transferred in accordance with this Policy.

10. International Transfers

We operate globally and may transfer, store, or process information in countries other than your own. Where required, we use appropriate safeguards, including Standard Contractual Clauses and data localization when feasible.

11. Security

We employ technical and organizational measures including encryption in transit and at rest, access controls (RBAC), MFA, network segmentation, intrusion detection, logging and audit trails, and regular security reviews. See Schedule 1 of our DPA for details on our security program.

12. Your Rights

Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing. You may also have rights under CCPA/CPRA (California), GDPR/UK GDPR (EEA/UK), LGPD (Brazil), and DPDPA (India). We will respond to verifiable requests within the timelines required by law.

13. Cookies and Similar Technologies

We use essential cookies to operate the Services and, where permitted, limited analytics to improve performance and reliability. You can control cookies through your browser settings. Disabling certain cookies may impact functionality.

14. Children's Privacy

Our Services are not directed to children under 16 (or as defined by local law). We do not knowingly collect personal data from children.

15. Customer Responsibilities

• Configure access controls and retention according to your obligations.
• Ensure a lawful basis for processing case-related personal data.
• Avoid uploading data that violates law or third-party rights.
• Implement appropriate internal policies for handling sensitive legal data.

16. Model Training and Data Use Clarifications

• We do not use Customer Content to train public, third-party foundation models.
• We may store full JSON responses from AI providers for compatibility, auditability, safety review, and to provide features you enable. These are retained per your settings and our retention policies.
• We may anonymize, de-identify, or aggregate data for improving our Services and safeguards.

17. Third-Party Links

Our Services may contain links to third-party sites or services. Their privacy practices are governed by their own policies.

18. Do Not Sell or Share (California)

We do not sell or share personal information as defined by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). We do not engage in cross-context behavioral advertising. If this changes, we will update this Policy and provide required opt-out mechanisms.

19. Data Subject Requests

To exercise your rights or submit a request (access, deletion, correction, portability, restriction, or objection), contact us at privacy@counselcrest.com. We will take reasonable steps to verify your identity before responding.

20. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated via the Services or email. The "Last Updated" date associated with this document reflects the latest version.

21. Contact Us

For questions, requests, or complaints, contact: privacy@counselcrest.com.
Address: CounselCrest Technologies Inc., Attn: Privacy, [Company Address]