Privacy & Data Protection
Privacy Policy
Last updated: March 2026
JuristVault is committed to protecting the confidentiality of your legal documents and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform.
Documents are never shared with third parties.
Powered by Google Cloud & Anthropic infrastructure.
1. Data We Collect
We collect the following categories of data: (a) Account information — your name, email address, organization name, and billing details provided during registration; (b) Uploaded documents — legal documents, contracts, and due diligence materials you upload for analysis; (c) Analysis data — AI-generated reports, risk assessments, and structured outputs derived from your documents; (d) Usage data — log files, session metadata, feature interactions, and platform activity used to improve service quality.
2. How Your Data Is Used
Your data is used exclusively to provide the JuristVault service. Uploaded documents are processed solely to generate your requested legal analysis. We do not use your documents to train AI models, share them with third parties, or use them for any commercial purpose beyond delivering your analysis. Account information is used for authentication, billing, and support communications.
3. Data Storage & Infrastructure
All documents and analysis data are stored on Supabase (PostgreSQL database and object storage), hosted on Google Cloud Platform infrastructure. Google Cloud is SOC 2 Type II certified and maintains ISO 27001 accreditation. Documents are encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are managed through Google Cloud KMS with hardware security module (HSM) backing.
4. AI Processing
Document analysis is powered by Google Gemini 2.5 Flash via the Google AI API. Your documents are transmitted to Google's API under enterprise data processing terms that prohibit Google from using your data to train its models. No document content is stored by Google beyond the duration of a single API call. JuristVault does not use Anthropic or any other AI provider for document processing.
5. Data Retention
Documents and analysis results are retained for as long as your account remains active. If you delete a document or deal, it is permanently removed from our storage within 30 days. If you close your account, all associated data is deleted within 90 days unless longer retention is required by applicable law. Billing records are retained for 7 years as required by financial regulations.
6. GDPR Compliance
JuristVault complies with the General Data Protection Regulation (GDPR), UK GDPR, and CCPA. The legal bases for processing your data are: (a) Contract performance — to deliver the analysis service you subscribed to; (b) Legitimate interest — to improve platform security and detect abuse; (c) Legal obligation — to maintain billing records. Data Processing Agreements (DPAs) are available for enterprise clients upon request.
7. Your Rights
Under GDPR and applicable law, you have the right to: (a) Access — request a copy of all personal data we hold about you; (b) Rectification — correct inaccurate personal data; (c) Erasure — request deletion of your personal data (right to be forgotten); (d) Portability — receive your data in a structured, machine-readable format; (e) Restriction — limit how we process your data in certain circumstances; (f) Objection — object to processing based on legitimate interest. To exercise any of these rights, contact us at contact@juristvault.com.
8. Third-Party Sub-Processors
JuristVault does not sell, rent, or share your documents or personal data with any third party for commercial purposes. The following sub-processors are engaged solely to deliver the JuristVault service: Google Gemini (AI document analysis), Anthropic Claude (AI assistance), Clerk (user authentication and identity management), Dodo Payments (subscription billing and payment processing), Resend (transactional email delivery), Supabase (database and file storage), Vercel (application hosting and edge delivery). All sub-processors operate under data processing agreements with strict confidentiality obligations and are prohibited from using your data for any purpose other than delivering the requested service.
9. Security Measures
We implement the following security controls: AES-256 encryption at rest and TLS 1.3 in transit; multi-factor authentication for all user accounts; role-based access control within organizations; automated intrusion detection and anomaly monitoring; regular security audits and penetration testing; a 72-hour breach notification policy in compliance with GDPR Article 33.
10. Contact
For privacy-related inquiries, data access requests, or to exercise your rights under GDPR, contact our Privacy team at: contact@juristvault.com. We will respond to all requests within 30 days as required by applicable law.