Privacy Policy
Last Updated: November 2025
VaultPoint Consulting LLC ("VaultPoint," "we," "us," or "our") is committed to protecting the privacy of law firms and legal organizations ("Clients," "you," or "your") that use our AI-powered legal drafting platform (the "Service").
This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use the Service.
1. Information We Collect
1.1 Information You Provide
Account Information: Firm name, primary contact name, email address, phone number, billing address
User Information: Names and email addresses of attorneys, paralegals, and staff granted access to your account
Client Documents: Legal briefs, memos, templates, case files, and other documents you upload to the Service
Prompts and Queries: Text you submit to the AI for drafting, research, or summarization
Payment Information: Credit card or ACH details (processed by Stripe; we do not store full payment credentials)
1.2 Information Automatically Collected
Usage Data: Number of queries, document upload timestamps, token usage, feature interactions
Audit Logs: User ID, query timestamp, retrieved documents, AI output length (stored for compliance and privilege protection)
Device and Browser Data: IP address, browser type, operating system, device identifiers (collected via standard web server logs)
1.3 Information We Do NOT Collect
Client-Specific Data from AI Outputs: We do not read, analyze, or store the substance of your AI Outputs
Client Matter Information: We do not collect client names, case numbers, or privileged communications unless you choose to upload them
2. How We Use Your Information
We use collected information to:
Provide the Service: Process your queries, generate AI outputs, and maintain your isolated environment
Billing and Payment: Calculate usage, generate invoices, process payments
Security and Compliance: Monitor for unauthorized access, generate audit trails, respond to data breaches
Support: Troubleshoot technical issues, respond to your inquiries
Service Improvement: Analyze aggregated, anonymized usage patterns (e.g., "average queries per firm") to optimize infrastructure
We do NOT use your data to:
Train AI models or improve VaultPoint's algorithms
Market to your clients or opposing parties
Share with third parties for their marketing purposes
3. How We Share Your Information
3.1 Service Providers (Sub-Processors)
We share data with trusted third-party service providers who assist in operating the Service under strict contractual obligations:
Cloud Infrastructure Providers: Host your data in isolated, encrypted environments (SOC 2 Type II, ISO 27001, FedRAMP certified)
AI Model Providers: Process queries with zero-data-retention guarantees (contractually prohibited from training on your data)
Vector Database Providers: Store document embeddings for retrieval (SOC 2 Type II certified, encrypted at rest)
Payment Processors: Handle billing and subscription management (PCI DSS Level 1 certified)
Email Services: Transactional email delivery for account notifications and support communications
All service providers:
Sign Data Processing Agreements (DPAs) meeting GDPR Article 28 requirements
Maintain security certifications equivalent to or exceeding industry standards
Are contractually obligated to notify VaultPoint of any data breaches within 24 hours
Sub-Processor List: A current list of sub-processors is available upon written request to hello@vaultpoint.io. We will notify you 30 days before adding new sub-processors that handle Client Documents.
3.2 Legal Obligations
We may disclose your information if required by law, court order, subpoena, or government investigation. In such cases, we will:
Notify you promptly (unless prohibited by law)
Disclose only the minimum information legally required
Challenge overbroad or inappropriate requests where feasible
3.3 Business Transfers
If VaultPoint is acquired, merges with another entity, or sells substantially all its assets, your information may be transferred to the successor entity. You will be notified via email 30 days before the transfer, and the new entity will be bound by this Privacy Policy.
3.4 With Your Consent
We may share your information with third parties if you explicitly authorize us to do so (e.g., granting access to a litigation support vendor).
We do NOT sell, rent, or trade your information to third parties for marketing purposes.
4. Data Security
We implement industry-standard security measures to protect your information:
4.1 Infrastructure Security
Hosting on SOC 2 Type II and ISO 27001-certified U.S. cloud providers
Isolated environments (each firm's data segregated in a private Virtual Private Cloud)
End-to-end encryption (TLS 1.3 in transit, AES-256 at rest)
Zero-data-retention policies (AI models do not store or train on your data)
We will notify affected clients within 24 hours of discovering a breach.
4.2 Access Controls
Multi-factor authentication (MFA) required for all user accounts
Role-based access controls (Admin, Attorney, Paralegal, Read-Only)
AWS Identity and Access Management (IAM) with least-privilege permissions
4.3 Monitoring and Logging
Immutable audit logs (all queries and outputs logged with timestamps and user IDs)
Real-time intrusion detection and automated threat response
Quarterly security audits and penetration testing
4.4 Data Retention
Client Documents: Retained until you delete them or terminate your subscription
AI Outputs: Retained until you delete them or for 30 days after termination (whichever is earlier)
Audit Logs: Retained for 7 years (or as required by applicable bar rules)
Payment Data: Retained by Stripe per PCI DSS requirements (we do not store full card numbers)
4.5 Automated Backups
Daily automated backups with 7-day retention
Point-in-time recovery available for data loss incidents
Backups stored in encrypted, geographically separate locations
5. Your Data Rights
5.1 Access and Portability
Request a copy of all data we hold about your firm
Export Client Documents, AI Outputs, and audit logs at any time via your admin portal
Receive data in machine-readable formats (CSV, JSON, PDF)
5.2 Correction and Deletion
Correct inaccurate account information via your admin portal
Delete Client Documents and AI Outputs at any time
Request full account deletion (we will delete all data within 30 days)
5.3 Objection and Restriction
Object to processing of your data for specific purposes
Request temporary restriction of processing during disputes
5.4 Effect of Termination
Upon termination:
Your access to the Service ceases immediately
You may export all Client Documents and audit logs within 30 days via your admin portal
After 30 days, VaultPoint will delete all Client Documents and AI Outputs from your isolated instance (irreversible)
5.5 Withdrawal of Consent
You may withdraw consent for optional data uses at any time:
Marketing communications: Opt out of product update emails and feature announcements by clicking "Unsubscribe" in any email or contacting hello@vaultpoint.io
Aggregated analytics: Request exclusion from anonymized usage statistics (e.g., "average queries per firm") by contacting hello@vaultpoint.io
Beta features: Opt out of early-access programs that may involve additional data collection
Note: Core service functions (document storage, query processing, audit logging) cannot be opted out of, as they are necessary to provide the Service. VaultPoint operates with zero-data-retention (ZDR) for AI processing—your queries and documents are not stored or trained on, regardless of consent settings.
To exercise withdrawal rights, contact hello@vaultpoint.io with subject line "Consent Withdrawal - [Your Firm Name]." We will process your request within 10 business days.
6. Data Location and Transfers
6.1 United States Operations
VaultPoint operates exclusively within the United States. All Client data is stored and processed in AWS data centers located in the United States (US-East or US-West regions).
6.2 International Clients (If Applicable)
If you are located outside the United States and choose to use the Service:
Your data will be transferred to and processed in the United States
You acknowledge that U.S. privacy laws may differ from those in your jurisdiction
VaultPoint provides the same security protections (SOC 2, encryption, zero-data-retention) regardless of your location
VaultPoint does not currently offer non-U.S. data residency options. If your organization requires data to remain within a specific country (e.g., EU data residency), contact hello@vaultpoint.io to discuss custom arrangements.
7. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, contact hello@vaultpoint.io and we will delete it promptly.
8. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted at vaultpoint.io/privacy with an updated "Last Updated" date.
For material changes (e.g., new data uses, changes to sharing practices), we will notify you via email at least 30 days before the changes take effect. Continued use of the Service after changes constitutes acceptance.
9. Contact Information
For privacy-related questions or to exercise your data rights, contact:
VaultPoint Data Protection
Email: hello@vaultpoint.io
Subject line: "Privacy Request - [Your Firm Name]"
For security incidents or data breaches:
Email: hello@vaultpoint.io
Subject line: "[SECURITY INCIDENT] - [Your Firm Name]"
We will respond within 48 hours for security incidents and within 7 days for general privacy inquiries.
We will respond within 72 hours for security incidents and within 30 days for general privacy inquiries.