Privacy controls and data handling

Privacy design principles

Teams evaluating legal workflow automation privacy controls need implementation details, not policy slogans. The principles below map directly to product behavior: what is collected, how it is processed, who can access it, and how quickly it can be removed.

Data lifecycle in legal operations workflows

Regulatory references

Privacy workflows are designed with common legal obligations in mind. For regulatory context, see GDPR guidance and California CCPA information.

Related pages: Security and Compliance.

Privacy operations checklist

• Capture explicit consent before AI processing or lawyer handoff.
• Expose retention settings at vault level and respect immediate delete requests.
• Record deletion events with purge verification for compliance traceability.
• Review disclosures against actual data flows before publishing policy changes.

Privacy risk scenarios to monitor

• Disclosure language promises retention or deletion behavior that is not enforced by runtime policy.
• Access permissions remain broader than required after guest-to-user upgrades or workflow role changes.
• Escalation packets include unnecessary personal data fields beyond review and legal decision scope.
• Policy updates are published without validating downstream queues, storage jobs, and audit events.

Disclosure review checklist

• Confirm product behavior and policy language still match after workflow or retention updates.
• Verify consent text versions are reflected in all relevant user-action screens.
• Check that deletion and retention language reflects current background purge behavior.
• Document owner and review date for each major disclosure section.

Policy-to-product alignment checks

Privacy pages become unreliable when policy language and runtime behavior drift apart. After any workflow update, confirm that consent prompts, retention controls, and deletion behavior still match public disclosures. Treat mismatches as release blockers, not documentation cleanup tasks.

Teams should also verify that internal training material and support responses match public privacy language. Misalignment between external policy text and internal instructions is a common source of operational privacy drift.

Reviewing these scenarios monthly helps teams catch privacy drift early, especially when product workflows evolve quickly. Tie each observed issue to a named owner and remediation timeline so privacy posture improves as part of normal release operations.

LegalDoc.app Privacy Policy

Effective date: 2026-02-24 · Last updated: 2026-05-11

This Privacy Policy explains how LegalDoc.app ("we", "us") collects, uses, shares, and safeguards information when you use our legal workflow automation services. Capitalized terms not defined here have the meaning given in our terms of service.

Information we collect

• Account information: name, work email, organization, role, and authentication identifiers used to create and manage your account.
• Contract content: documents, clauses, prompts, and metadata you upload, generate, or process through drafting, review, vault, and assistant workflows.
• Usage data: feature interactions, request and response logs, error and performance telemetry used to operate and improve the service.
• Payment data: billing contact details and subscription records. Card data is collected and stored by our payment processor; we do not retain full card numbers.
• Cookies and analytics: session cookies, preference cookies, and aggregated analytics signals used to keep you signed in and measure product usage.

How we use your information

• Service provision: deliver drafting, review, vault, and assistant features you request.
• Security: detect, investigate, and prevent abuse, fraud, and unauthorized access.
• Billing: process subscriptions, invoices, refunds, and tax records.
• Communications: send transactional notices, product updates, and support responses.
• Legal compliance: meet recordkeeping, tax, and other obligations and respond to lawful requests.

Legal bases for processing (GDPR)

• Contract necessity: processing required to provide the service you signed up for.
• Legitimate interests: securing the platform, preventing abuse, and improving features, balanced against your rights.
• Consent: for optional processing such as certain analytics or marketing communications, where consent applies.
• Legal obligation: retaining records required by tax, accounting, or other applicable law.

How we share information

• Sub-processors: we use vendors in the following categories to operate the service — cloud hosting and storage, payment processing, transactional email delivery, customer support tooling, and product analytics. We require contractual safeguards with each category.
• Legal disclosures: we may disclose information when required by law, valid legal process, or to protect rights, safety, and the integrity of the service.
• Business transfers: in the event of a merger, acquisition, financing, or asset sale, information may be transferred subject to this policy.

Data retention

We retain personal data only as long as needed to provide the service, comply with legal obligations, or resolve disputes. You can adjust workspace and document retention settings in product. See the document retention workflow for in-product retention controls and our approach to deletion verification.

Your rights

Subject to applicable law (including the EU GDPR, UK GDPR, and CCPA), you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate or incomplete personal data.
• Request deletion of your personal data, subject to legal exceptions.
• Receive a portable copy of personal data you provided to us.
• Object to or restrict certain processing.
• Withdraw consent for processing that relies on your consent.

How to exercise your rights

Send your request to privacy@legaldoc.app. We aim to acknowledge receipt promptly and substantively respond within 30 days. We may need to verify your identity before fulfilling certain requests.

International transfers

Where personal data is transferred internationally, we rely on recognized safeguards such as the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or other equivalent transfer mechanisms permitted by applicable law.

Children

The service is intended for business use and is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us so we can take appropriate action.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated through the service, by email to your account contact, or by updating the effective date above. Continued use of the service after the effective date constitutes acceptance of the updated policy where permitted by law.

Contact

Questions or requests: privacy@legaldoc.app

Mailing address: [Address — update before publishing]

Privacy FAQ

This page explains platform controls and should be combined with your own counsel guidance for policy decisions.

Teams should revisit this framework whenever retention policy, AI processing scope, or external handoff behavior changes so privacy controls remain synchronized with actual workflow implementation.

Include data subject request handling in privacy operations reviews, including ownership, response timelines, and evidence retention for completed requests. This strengthens day-to-day privacy readiness and reduces reactive policy work during high-pressure periods.

Documenting response outcomes also improves repeatability for future privacy request handling.

Repeatable workflows are critical for demonstrating privacy control reliability during internal and external reviews.