Xenco Labs Inc. ("Xenco Labs," "we," "us," or "our") operates the LegalCraft platform at legalcraft.app (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website or use our Service.
LegalCraft processes legal documents that may contain sensitive, privileged, and confidential information. We take this responsibility seriously and have designed our architecture, policies, and procedures with the security of attorney-client privileged data as the primary constraint.
1. Information We Collect
1.1 Account Information
When you create an account or request a demo, we collect information you provide directly, including your name, email address, phone number, law firm name, job title, and billing information (processed by our third-party payment processor).
1.2 Client Data (Legal Documents)
When you use the Service, you upload or connect legal documents including PDFs, Word documents, emails (.eml and .msg files), images, and other case-related files. This Client Data may contain attorney-client privileged information, work product, personally identifiable information of third parties, protected health information, and other sensitive content. We process this data solely to provide the Service to you and do not use Client Data for any other purpose.
1.3 Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, search queries within the platform (for performance optimization only), browser type and version, device information, IP address, and timestamps of access.
1.4 Cookies and Similar Technologies
We use cookies and similar tracking technologies to operate and improve the Service. See our Cookie Policy section below for details on the types of cookies we use and your choices.
2. How We Use Your Information
2.1 Account and Usage Data
We use your account and usage data to:
- Provide, maintain, and improve the Service
- Process transactions and send related information (invoices, receipts)
- Send technical notices, updates, security alerts, and administrative messages
- Respond to your requests, comments, and questions
- Monitor and analyze usage trends to improve the Service
- Detect, investigate, and prevent fraudulent transactions and unauthorized access
2.2 Client Data
We process Client Data exclusively to provide the Service you have engaged us to deliver. This includes:
- Optical character recognition (OCR) of scanned documents
- Text extraction, parsing, and metadata indexing
- Vector embedding generation for semantic search functionality
- AI-powered analysis, chat responses, and report generation
We do not use Client Data to train machine learning models, improve our algorithms, develop new products, serve advertising, or for any purpose other than providing the Service to the specific firm that uploaded the data.
3. AI Processing and Zero-Data-Retention
LegalCraft uses third-party large language model (LLM) providers to power AI features including semantic search, case chat, memo generation, and report drafting. Our AI processing operates under the following principles:
- Zero-data-retention agreements: We maintain contractual agreements with our LLM providers ensuring that prompts, document content, and AI responses are processed ephemerally. Your data is not stored by the LLM provider and is not used for model training or improvement.
- Scoped context: AI queries are limited to the specific case and documents you have selected. Data from one case is never used to inform AI responses about another case, and data from one firm is never accessible to another firm.
- No persistent AI memory: The AI does not retain information between sessions. Each interaction is independent and draws only from the documents in the selected case scope.
4. Data Isolation and Security
LegalCraft's architecture is designed for tenant isolation. Each law firm operates in a logically separated environment:
- Separate databases: Each firm's data is stored in an isolated database instance, not in shared tables with row-level filtering.
- Isolated vector stores: Document embeddings for semantic search are stored in tenant-specific namespaces. One firm's search results never include another firm's documents.
- Per-tenant encryption keys: Each firm's data is encrypted with unique encryption keys, ensuring that even in a theoretical infrastructure compromise, data remains individually protected.
- Encryption standards: All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
5. Data Sharing and Disclosure
We do not sell, rent, or share your personal information or Client Data with third parties for their marketing purposes. We may share information only in the following circumstances:
- Service providers: We engage trusted third-party service providers to perform functions on our behalf (hosting, payment processing, AI processing). These providers are contractually bound to use data only as directed by us and to maintain appropriate security measures.
- Legal requirements: We may disclose information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that such action is necessary to comply with legal obligations, protect our rights, protect your safety or the safety of others, or investigate fraud.
- Business transfers: If Xenco Labs Inc. is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
We do not sell personal information as defined under the California Consumer Privacy Act (CCPA). We do not share personal information for cross-context behavioral advertising.
6. Data Retention
We retain different categories of data for different periods:
| Data Category | Retention Period |
|---|---|
| Account information | Duration of your account plus 30 days after deletion request, or as required by law |
| Client Data (uploaded documents) | Duration of your subscription. Raw files may be purged after processing at your election. All data deleted within 60 days of account termination. |
| Vector embeddings | Duration of your subscription. Deleted within 60 days of account termination or case deletion. |
| AI interaction logs | Not retained by the LLM provider. Platform-side audit logs retained per your firm's configured retention policy. |
| Usage analytics | 26 months, then aggregated or deleted |
| Billing records | As required by applicable tax and accounting laws (typically 7 years) |
Upon termination of your subscription, we provide a 30-day window to export your data. After this period, all Client Data, including documents, vector embeddings, extracted text, and associated metadata, is permanently deleted from all systems, including backups, within 60 days. We will provide written certification of deletion upon request.
7. Your Privacy Rights
7.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link.
- Right to limit use of sensitive personal information: To the extent we process sensitive personal information, you may request that we limit its use to that which is necessary to perform the Service.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, contact us at [email protected] or by mail at the address below. We will verify your identity before processing your request and respond within 45 days.
7.2 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
| Category | Examples | Business Purpose |
|---|---|---|
| Identifiers | Name, email, phone number, IP address | Account management, service delivery |
| Commercial information | Subscription plan, billing history | Payment processing, service provisioning |
| Internet/electronic activity | Pages visited, features used, search queries within the platform | Service improvement, security monitoring |
| Professional/employment information | Firm name, job title, bar number (if provided) | Account setup, service customization |
We disclose personal information to service providers (hosting, payment processing, analytics) for business purposes as described in Section 5. We do not sell personal information to third parties.
7.3 All Users
Regardless of your location, you may:
- Access and update your account information through your account settings
- Request a copy of your data
- Request deletion of your account and associated data
- Opt out of non-essential communications
8. Cookie Policy
8.1 What Are Cookies
Cookies are small text files stored on your device when you visit a website. They help the website remember information about your visit, which can make your next visit easier and the site more useful to you.
8.2 Cookies We Use
| Category | Purpose | Examples | Can You Opt Out? |
|---|---|---|---|
| Strictly Necessary | Essential for the Service to function. These cookies enable authentication, security features, and core platform functionality. | Session cookies, authentication tokens, CSRF protection | No — required for the Service to operate |
| Functional | Remember your preferences such as theme selection (light/dark mode), language, and display settings. | Theme preference, sidebar state, selected case context | Yes, but some features may not work correctly |
| Analytics | Help us understand how visitors interact with the Service so we can improve it. Data is aggregated and anonymized. | Google Analytics (if implemented), page view counts, feature usage | Yes |
We do not use advertising cookies, tracking pixels for remarketing, or any third-party cookies that track you across other websites for advertising purposes.
8.3 Managing Cookies
When you first visit our website, a cookie consent banner will allow you to accept or decline non-essential cookies. You can change your preferences at any time by clicking "Cookie Preferences" in the footer of any page. You can also control cookies through your browser settings, though disabling strictly necessary cookies may prevent the Service from functioning.
9. Children's Privacy
The Service is designed for legal professionals and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.
10. International Data Transfers
LegalCraft is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where our servers are located and our databases are operated. By using the Service, you consent to the transfer of your information to the United States.
11. Third-Party Services
The Service may contain links to third-party websites or integrate with third-party services (such as document management systems). This Privacy Policy does not apply to third-party services, and we encourage you to review their privacy policies before providing any information to them.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by posting the updated policy on this page with a new effective date. For significant changes, we will provide additional notice via email or an in-app notification. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your data is handled, please contact us:
Xenco Labs Inc.
Attn: Privacy
4000 Pimlico Dr #114-321
Pleasanton, CA 94588
Email: [email protected]
Phone: (408) 372-8884
For CCPA-specific requests, you may also submit a verifiable consumer request to [email protected] with the subject line "CCPA Request." We will respond within 45 days of receipt.