Legal
Privacy Policy
Effective date: April 25, 2026
This Privacy Policy describes how Lawless AI LLC (“Lawless,” “we,” “us”) collects and uses personal information from visitors to trylawless.com, account holders (attorneys, firm admins, and firm staff), and users of our free Hallucination Shield citation verifier.
Important scope note. Documents, matter files, client communications, and other content uploaded into a firm’s vault (“Customer Data”) are not governed by this Privacy Policy. Customer Data is governed by the Terms of Service and any executed Data Processing Addendum between Lawless and the customer firm. The customer firm is the controller of that data; Lawless is the processor.
1. Information We Collect
We collect three categories of personal information:
Information you give us. Name, firm name, work email, phone number, bar number and admission jurisdiction, profile photo, billing address, and tax identifiers. Payment card details are submitted directly to our PCI-compliant payment processor; we never see or store full card numbers.
Information collected automatically. IP address, device and browser identifiers, operating system, referring URL, pages viewed, session duration, feature usage events, and error logs. We use first-party cookies for authentication and session continuity, and a privacy-respecting analytics service for aggregate traffic measurement. We do not use advertising cookies and do not participate in cross-context behavioral advertising.
Information from third parties. Subscription and payment status from our payment processor, email deliverability signals from our transactional email provider, and identity claims from any single sign-on provider you elect to use.
Hallucination Shield (free tier). Citation strings you submit for verification, an anti-abuse challenge token, your IP address (used only for abuse rate-limiting), and, where you provide it, an email address for results delivery.
2. How We Use Information
We use personal information to:
- Provision and operate the Services, including creating each firm’s isolated `vault_firm_{id}` database schema.
- Authenticate users and enforce role-based access controls.
- Process subscription billing and meet our tax-reporting obligations.
- Send transactional messages (account verification, invites, password resets, billing receipts, security alerts, and product notifications you have opted into).
- Detect and prevent fraud, abuse, and security incidents, and enforce our Terms.
- Improve the product through aggregated and de-identified usage analytics.
- Comply with legal obligations, respond to lawful requests, and exercise or defend legal claims.
3. AI Processing and the No-Training Commitment
Lawless uses artificial intelligence to power research, drafting, and verification features. AI requests are routed to two enterprise AI providers:
- Anthropic, PBC — Claude Sonnet, Claude Opus, and Claude Haiku, used for research synthesis, document drafting, query expansion, and summarization, all via Anthropic’s commercial API.
- OpenAI, L.P. — the `text-embedding-3-small` model, used to generate vector embeddings that power semantic search.
All AI processing occurs on infrastructure located in the United States. Embeddings and AI-generated outputs are stored in the customer’s isolated database schema, never pooled across tenants. AI outputs are advisory only and require review by a licensed attorney before any reliance — see Section 6 of our Terms of Service.
Automated decision-making notice. AI features do not produce legal effects without human review by the licensed attorney using the Service. Where required by applicable law (including the California Consumer Privacy Act’s automated decision-making technology rules), you may request human review of, and an explanation for, any AI output produced about you.
4. Sub-Processors
We engage the following categories of sub-processors to deliver the Services. Each is contractually required to maintain confidentiality and security obligations consistent with this Policy.
| Category | Purpose | Region |
|---|---|---|
| Anthropic, PBC | AI inference (Claude) | United States |
| OpenAI, L.P. | Vector embeddings | United States |
| Cloud infrastructure providers | Application hosting, database, file storage, authentication, edge security | United States |
| Payment processor | Subscription billing and payment card processing | United States |
A complete, named list of sub-processors is available to customers under non-disclosure agreement on request to privacy@trylawless.com. We will provide notice of material changes at least 30 days before a new sub-processor begins handling Customer Data, where required by your agreement with us.
5. When We Disclose Information
We disclose personal information only in these circumstances:
- To the sub-processors identified above, under written contracts that limit their use to providing services to us.
- To affiliates and to a successor entity in connection with a merger, acquisition, financing, or sale of assets — subject to confidentiality terms at least as protective as this Policy.
- To comply with applicable law, valid legal process (subpoena, warrant, court order), or to protect the rights, safety, or property of Lawless, our users, or the public. Where legally permitted, we will give the affected firm prompt notice so it can seek a protective order or otherwise respond.
- With your direction or consent.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.
6. Data Retention and the Right to Deletion
- Account data: for the duration of your subscription plus 90 days after termination, then purged.
- Customer Data (vault contents): per your firm’s subscription agreement. After termination, your firm has 30 days to export, after which we delete the data and the firm’s isolated schema.
- Billing and tax records: seven years, as required by applicable tax law.
- Support tickets: two years after closure.
- Hallucination Shield logs: 30 days, then anonymized for aggregate analytics.
- Backups: rolling 30-day window; deleted records age out of backups within that window.
Per our architecture, vectors and metadata tied to a specific `client_id` can be purged on request when a client relationship ends.
7. Security
We protect personal information using:
- Schema-level multi-tenant isolation. Every firm receives its own dedicated PostgreSQL schema. Cross-tenant queries are mathematically impossible at the database layer — not merely filtered at the application layer.
- Row-level security within each firm separates lawyer-private documents from firm-wide content.
- Encryption at rest (AWS KMS-backed AES-256) and in transit (TLS 1.2+). Share-link passwords are protected with AES-256-GCM.
- Access controls, including multi-factor authentication, role-based permissions, audit logging, and least-privilege staff access.
- Operational practices, including rate limiting, input validation, output sanitization, and continuous security review.
No system is perfectly secure. In the event of a confirmed personal-data breach, we will notify affected firms without undue delay and in accordance with applicable law, and within 72 hours where required.
8. Your Privacy Rights
Depending on where you reside, you may have rights to access, correct, delete, or port your personal information; to opt out of the sale or sharing of personal information (we do not sell or share for advertising); to limit the use of sensitive personal information; to withdraw consent; and to request human review of automated decision-making. We respond to verified requests within 45 days, with one 45-day extension where reasonably necessary, and we do not discriminate against users who exercise their rights.
To exercise a right, email privacy@trylawless.com. If your personal information is held within a firm’s vault, we will forward your request to that firm, which is the controller of that data.
Authorized agents may submit requests on your behalf with written authorization. Appeals: if we deny your request, you may appeal to privacy@trylawless.com with the subject line “Privacy Appeal.”
9. Children
The Services are intended exclusively for licensed attorneys and authorized firm staff aged 18 or older. We do not knowingly collect personal information from anyone under 18, and the Services are not directed to children.
10. International Users
Lawless is operated from, and hosts data in, the United States. If you access the Services from outside the United States, you consent to the transfer of your information to the United States. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses and the data-processing terms of our sub-processors.
12. Changes to this Policy
We will post any changes to this Policy on this page and update the effective date above. For material changes that adversely affect your rights, we will give notice by email or in-app banner at least 30 days before the change takes effect.
13. Contact
Lawless AI LLC
privacy@trylawless.com
For all other inquiries: info@trylawless.com