Privacy

Purpose
The purpose of this privacy statement is to define "Personal Information" and explain how TrueLaw handles such information. "Personal Information" includes any data that relates to an individual who may be identified from that data alone or in combination with other information held by TrueLaw, including any electronic Protected Health Information (ePHI) subject to the HIPAA Privacy Rule.

‍Scope
‍This privacy notice applies to data collected from business customers and third-party service providers in connection with the use of our AI Studio Platform and other services provided by TrueLaw.

Policy
‍
What Personal Information We May Collect
‍We may collect Personal Information provided by our business customers when using our AI Studio Platform, including but not limited to customer names, business contact information, and any data uploaded by our customers to the platform for processing by our services.
‍
‍Why We Collect, Use and Store the Personal Information
‍We collect Personal Information necessary to provide customers with access and support their intended use of our AI Studio Platform. Customers may upload data required for their operational needs, which may include Personal Information. Additionally, we collect contact details, such as email addresses and user profile information, to facilitate onboarding and the management of customer accounts. TrueLaw uses this information solely to deliver our services effectively.
‍
‍Where We store the Personal Information
Personal Information is mainly stored within Google Cloud Platform (GCP) operating out of ISO 27001 compliant data centers. If we transfer or store Personal Information outside this primary location, we take steps to ensure continued protection of privacy rights, as outlined in this privacy policy and in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), HIPAA Privacy Rule, and other applicable local privacy regulations.
‍‍
‍Processing Purposes
For customers using our services, data processing for GDPR compliance is governed by our Data Processing Agreement (DPA), which includes provisions addressing CCPA data handling requirements. When TrueLaw engages third-party subprocessors that may access Personal Information, these subprocessors are required to adhere to the terms of our DPA to protect data privacy and security in line with GDPR and CCPA requirements.

For HIPAA-covered data, TrueLaw has Business Associate Agreements (BAAs) in place with any third parties, including subprocessors, who may handle or access Protected Health Information (PHI) to ensure compliance with HIPAA requirements. TrueLaw adheres to the minimum necessary standard when handling HIPAA-covered data to protect privacy.

‍Disclosure to Third Parties
To the extent permitted by law and to fulfill the purpose, we may share Personal Information with our expressly authorized staff. The staff is restricted from using this information in any way other than for the purpose for which it is collected. We may, for example, provide your Personal Information to our corporate services department, our security department, and/or contractors and our internal or external auditors. We reserve the right to share Personal Information to respond to duly authorized information requests of governmental authorities or where required by law. In exceptionally rare circumstances where national, state, or company security is at issue, we reserve the right to share our entire database of visitors with appropriate governmental authorities. We may also be required to disclose your Personal Information in the event of a legal investigation or any such other process where we are required to do so by applicable law or where we have to establish our legal rights, or where disclosure is required to prevent or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person. We will process, disclose, or share your Personal Information only if required to do so by law or in good faith belief that such action is necessary to comply with our contractual obligations, legal requirements, or legal process served on us. Unless restricted by applicable law, we will notify you about such government access requests to take all the requisite measures.

Third-Party Data Subprocessors
TrueLaw maintains a list of third-party data subprocessors that may process Personal Information on behalf of our customers. Each subprocessor is reviewed for compliance based on the type of Personal Information they may process or have access to. This list is available upon request.

‍Third-Party Data Collection
TrueLaw confirms that any third parties from whom we collect Personal Information (that is, sources other than the individual) are reliable sources that adhere to fair and lawful data collection practices. We conduct due diligence to ensure that these third parties comply with applicable data protection laws and standards. This includes reviewing their data privacy policies and practices to ensure that all information provided is collected and processed fairly, lawfully, and in accordance with TrueLaw’s privacy commitments.

‍Your Choices and Rights
As a data processor, TrueLaw manages Personal Information on behalf of our customers, who are typically the data controllers for the data they upload to our platform. If you are a user of one of our customer’s services, your rights regarding your Personal Information—including the rights to access, correct, delete, or restrict processing—are generally managed by the data controller (our customer). We advise you to contact the data controller directly with any requests concerning your Personal Information.

TrueLaw will work with data controllers to support the fulfillment of these requests, as required by GDPR, CCPA, HIPAA Privacy Rule, and other applicable regulations. If TrueLaw receives a request directly, we will notify the appropriate data controller and assist in facilitating a response in compliance with our contractual obligations and applicable laws.

In cases where TrueLaw is the data controller (such as for business contact information used to facilitate your account), you may ask us for a copy of your Personal Information, to correct or delete it, or to restrict processing. In certain circumstances, you can also object to the processing of Personal Information where it is not necessary for contractual or legal requirements. Please note that these rights may be limited, for example, if fulfilling your request would reveal Personal Information of another person, or if you request deletion of information that we are required to retain by law or have compelling legitimate interests to keep.If you have unresolved concerns, you have the right to complain to the relevant data protection authority.

‍How Long We Retain Your Personal Information
Personal Information that may be uploaded by customers to AI Studio, including HIPAA-covered Personal Information, may be retained for the duration of the contract or service period, or as required by HIPAA, GDPR, and applicable laws. After this period, data may be securely deleted or de-identified unless otherwise agreed with the customer.
‍
‍Compliance with Browser Signals (CPRA)
‍True Law does not track any Personal Information or activity on its website. We do not sell, share, or otherwise track user activity for marketing or any other purposes. As such, we do not respond to Do Not Track (DNT) or Global Privacy Control (GPC) signals.

‍Security
‍We take the protection of your data and privacy with utmost seriousness. For a comprehensive overview of our security measures, please visit truelaw.ai/security.

‍Updates to this Privacy Notice
‍This privacy notice will be updated periodically. We will update the date at the top of this privacy notice accordingly and encourage you to follow our privacy policy on truelaw.ai/privacy detailed view of how we handle Personal Information from our customers.

‍Contact Us
‍If there is a question about this privacy notice or wish to contact us for any reason in relation to the processing of Personal Information, please contact privacy@truelaw.ai.