Lawgical Privacy Policy

1. Roles and scope

1.1 When we act as a Controller

We act as a data controller (or equivalent under applicable law) when we decide how and why to process Personal Data, for example when we:

• Operate our public website and marketing pages,
• Manage our own business contacts, prospective customers, and firm decision-makers,
• Run our social media accounts and advertising campaigns, and
• Administer billing, support requests, and product analytics for Lawgical accounts.

This Privacy Policy applies directly to that processing.

1.2 When we act as a Processor for law firms

When a law firm uses Lawgical, the firm is typically the Controller and we are the Processor for:

• Lead intake and qualification (web forms, SMS, WhatsApp, social DMs, etc.),
• AI voice assistants and receptionists (phone calls, recorded audio, transcripts),
• Case and matter information, notes, and uploaded documents,
• Automated follow-up, reactivation campaigns, and social posting on the firm's behalf.

In those situations, we process Personal Data solely on the law firm's instructions, as described in the applicable service agreement and our DPA. If you have questions about how your data is handled in connection with a specific law firm, you should contact that firm directly.

2. Personal Data we collect

2.1 Data you provide to us directly

Account and firm information (law firm users). When a law firm or its staff create an account or sign a contract with us, we collect information such as:

• Firm name, address, and contact details,
• User names, job titles, email addresses, and phone numbers,
• Login identifiers and authentication preferences (for example, email for magic-link sign-in),
• Billing contacts, tax details, and payment-related metadata (handled by our payment processor).

Lead, client, and contact information (processed for law firms). Through the Product we may process, on behalf of a law firm:

• Contact details (name, phone, email, social media handle),
• Intake responses and questionnaires,
• Case details and background information,
• Uploaded documents and files (for example, IDs, forms, evidence),
• Notes entered by law firm staff relating to your matter or inquiry.

AI voice assistants and telephony. When you call a phone number or speak with an AI assistant powered by Lawgical for a participating firm, we may process:

• Caller phone number and call metadata (time, duration, routing),
• Audio recordings of the call, subject to local law and firm instructions,
• Transcripts of the conversation,
• AI-generated summaries, follow-up notes, and lead-qualification scores.

Web, SMS, and messaging intake. When you engage with a law firm's intake flows via:

• Web forms or landing pages powered by Lawgical,
• SMS, WhatsApp, or similar messaging channels,
• Social media direct messages (for example through ManyChat-powered flows),

we collect the content you send (messages, answers to questions, attachments) and any contact information you choose to share.

Social media engagement and content tools. When law firms use Lawgical to:

• Schedule and publish content on social platforms,
• Respond to comments or direct messages,
• Generate scripts or captions using AI,

we may process the content they provide and certain identifiers or metadata made available by the relevant social platform's APIs.

Communications with us. If you contact us by email, support ticket, or social media, we collect the contents of your message, your contact details, and any other information you choose to provide.

Other information you provide. We may collect other data you intentionally submit, such as responses to surveys, event registrations, or product feedback.

2.2 Data we collect automatically

When you use our websites or Product, we automatically collect certain information, including:

• Log and usage data: IP address, browser type, device settings, language preferences, pages you visit, features you use, timestamps, referring/exit pages, and crash or performance data.
• Device information: Device type, operating system, unique identifiers, and approximate screen size or device model.
• Approximate location: We may infer a general location (for example city or region) from your IP address to help with security, fraud detection, and localization. We do not use precise GPS location unless you explicitly permit it through your device.
• Cookies and similar technologies: We use cookies and similar tracking technologies to remember your settings, keep you logged in, analyze how our Services are used, and improve performance.

2.3 Data from third parties and integrations

Depending on how a law firm configures Lawgical, we may receive data from third-party services such as:

• Telephony and messaging providers (for example Twilio),
• Social media and messaging tools (for example Instagram, Facebook, ManyChat),
• Email delivery and marketing platforms,
• CRM or case-management systems connected via API or integrations.

The data we receive from these providers is limited to what is needed to deliver the relevant feature (for example, message content and metadata for intake flows or campaign reporting).

We may also receive contact or firm information from referral partners, events, or publicly available sources (for example, your law firm's website) to help us identify and contact potential customers, in line with applicable laws.

3. How we use Personal Data

3.1 To provide and operate the Product

We use Personal Data to:

• Register and authenticate users,
• Deliver intake, lead-qualification, and follow-up services on behalf of law firms,
• Power AI voice assistants that answer calls, ask intake questions, and route inquiries,
• Manage multi-channel communications (phone, SMS, messaging, email, and social media),
• Generate summaries, scripts, suggested responses, and other AI-assisted outputs,
• Store and retrieve documents, call recordings, transcripts, and case-related information,
• Operate dashboards, analytics, and reporting features for our customers.

Where we act as a Processor, we perform these activities strictly under the law firm's documented instructions.

3.2 To maintain security and prevent misuse

We process data to:

• Detect and prevent fraud, abuse, and unauthorized access,
• Secure accounts and infrastructure (for example anomaly detection, rate limiting, and audit logging),
• Investigate incidents and enforce our terms of service.

3.3 To improve and develop our Services

We use usage data, diagnostics, and de-identified or aggregated information to:

• Understand how the Services are used and prioritize improvements,
• Develop new features (for example better call flows or reporting views),
• Benchmark and improve accuracy and performance of AI-powered features.

For data we process on behalf of law firms, we do not use identifiable Client content to train general-purpose external machine-learning models. Any use of Client data for model improvement is:

• scoped and isolated to that Client's own environment,
• performed only on de-identified or aggregated data that cannot reasonably be linked back to an individual, or
• used only in ways that are expressly permitted under our contract or service agreement with the Client.

We do not sell Personal Data.

3.4 To communicate with you

We may use contact details to:

• Send onboarding information, product updates, and security notices,
• Respond to support requests and technical questions,
• Provide training materials and best practice content,
• Send transactional communications (for example billing notices, login emails, or changes to our terms).

If you opt in, we may send marketing or promotional emails about new features, events, or content. You can opt out of marketing at any time by contacting us.

3.5 To comply with legal obligations

We may process Personal Data as needed to:

• Comply with applicable laws and regulations,
• Respond to lawful requests from public authorities,
• Establish, exercise, or defend legal claims.

4. How we share Personal Data

We share Personal Data only as reasonably necessary for the purposes described above:

4.1 Subprocessors and service providers

We engage carefully selected third-party providers to support our infrastructure, communications, storage, AI features, and internal operations. These subprocessors are bound by written agreements that require them to:

• Use Personal Data only to provide contracted services,
• Maintain appropriate security controls,
• Comply with applicable data-protection requirements.

A detailed and current list of our core subprocessors is maintained in the Lawgical Subprocessors List.

4.2 Law firms and organizational administrators

If you interact with Lawgical in the context of a specific law firm (for example you call a number, complete an intake questionnaire, or respond to a message), your information and related AI outputs will be shared with that firm and its authorized users.

If you use an account associated with an organization, your firm's administrators may access data related to your use of the Product.

4.3 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, Personal Data may be transferred as part of that transaction, subject to appropriate confidentiality protections and continued safeguards consistent with this Policy.

4.4 Legal and safety reasons

We may disclose Personal Data to third parties if we believe in good faith that such disclosure is reasonably necessary to:

• Comply with a legal obligation, law, regulation, or valid legal process,
• Protect the rights, property, or safety of Lawgical, our users, or the public,
• Detect, investigate, and help prevent fraud or security issues.

4.5 Aggregated or de-identified information

We may share aggregated or de-identified information that cannot reasonably be used to identify an individual, for example to publish usage trends or benchmark performance. We will not re-identify such data without a lawful basis.

We do not sell Personal Data.

5. Data retention

We retain Personal Data for as long as reasonably necessary to fulfill the purposes described in this Policy and our DPA, including:

• Providing the Product and related services to law firms,
• Maintaining business and financial records,
• Meeting legal, regulatory, tax, or accounting requirements,
• Resolving disputes and enforcing agreements.

Our detailed Data Retention & Deletion Policy describes typical retention windows for specific categories (such as call recordings, transcripts, system logs, and billing records). In general:

• Law firms control when to archive or delete many categories of data within the Product,
• Deleted data is removed from active systems and then expires from encrypted backups on a rolling basis managed by our cloud providers,
• We may retain limited records (for example invoices and basic account history) for a longer period when required by law.

6. International data transfers

We are based in the United States and our core systems are hosted there. If you access our Services from outside the U.S., your information may be transferred to and processed in the U.S. and other countries that may have different data-protection laws than your home jurisdiction.

Where required, we use appropriate safeguards for international transfers, such as standard contractual clauses or equivalent mechanisms, and we contractually require our subprocessors to do the same.

7. Security

We use technical, administrative, and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. These measures include, among other things:

• TLS 1.3 for data in transit,
• AES-256 encryption for data at rest,
• Full-disk and column-level encryption at the infrastructure and database levels,
• Multi-tenant isolation enforced via application logic and Row-Level Security (RLS),
• Role-based access controls and least-privilege principles,
• Daily automated backups and disaster-recovery procedures,
• Logging, monitoring, and anomaly detection.

More detail is available in our Lawgical Data Security documentation.

No security system is perfectly secure. We cannot guarantee absolute security of information transmitted or stored using our Services. However, we are committed to maintaining robust safeguards and improving them over time.

8. Your rights and choices

Depending on your location and applicable law, you may have some or all of the following rights regarding your Personal Data:

• Access: Request confirmation that we process your Personal Data and obtain a copy.
• Correction: Request that we correct or update inaccurate or incomplete data.
• Deletion: Request deletion of your Personal Data, subject to certain legal or contractual limitations.
• Restriction: Request that we limit processing in certain circumstances.
• Portability: Request a machine-readable copy of certain data you provided.
• Objection: Object to processing based on legitimate interests, including direct marketing.
• Withdraw consent: Where processing is based on consent, withdraw that consent at any time.

If we process your information on behalf of a law firm, we may need to refer your request to that firm, which is responsible for handling it under applicable law.

You can exercise your rights by contacting us at support@lawgical.app. We may need to verify your identity before fulfilling your request, and we may not be able to comply with requests that conflict with legal obligations or overriding legitimate interests. If we decline a request, we will explain why, subject to any legal restrictions.

You may also have the right to lodge a complaint with your local data-protection authority.

9. Children

Our Services are designed for law firms and their adult staff and clients. We do not knowingly offer accounts directly to children or intentionally collect Personal Data from children under 13 (or a higher age threshold where required by local law) outside of a law firm context.

Law firms may, in some cases, provide information about minors (for example, dependents in a case matter). In those situations, the law firm is responsible for obtaining any necessary consents and ensuring that its use of Lawgical complies with applicable laws.

If you believe we have collected Personal Data directly from a child without appropriate consent, please contact us at support@lawgical.app so we can investigate and take appropriate action.

10. Additional U.S. state disclosures

Certain U.S. state privacy laws (for example, in California, Colorado, Virginia, and others) may grant residents specific rights and require specific disclosures.

In general:

• We collect the categories of Personal Data described in Section 2,
• We use and disclose Personal Data for the purposes described in Sections 3 and 4,
• We do not sell Personal Data or share it for cross-context behavioral advertising in the sense defined by many of these laws,
• We may engage in B2B marketing and analytics using contact information of firm personnel, subject to your rights to opt out.

If you are a resident of a jurisdiction with specific statutory privacy rights, you can exercise them by contacting support@lawgical.app and indicating your state of residence and the right you wish to exercise. We will not discriminate against you for exercising any privacy rights.

11. Cookies and tracking technologies

We use cookies and similar technologies to:

• Keep you logged into secure areas of the Product,
• Remember your preferences and settings,
• Analyze traffic and usage to improve performance,
• Support limited, privacy-respecting marketing and attribution.

Where required by law, we will request your consent before setting certain cookies (for example analytics or advertising cookies) and will honor your preferences. You can manage cookie settings through your browser or device, though disabling certain cookies may impact functionality.

12. AI-specific disclosures

Our Product includes AI-powered functionality, including but not limited to:

• AI voice assistants and receptionists that answer calls and ask intake questions,
• AI-generated summaries, scripts, and suggested responses for law firm staff,
• Automated or semi-automated social media posts, captions, and follow-ups,
• Lead-scoring or likelihood-to-convert estimates.

Key points about these features:

• AI outputs are generated using models that rely on patterns in data. They may be imperfect and should be reviewed by qualified humans, especially where legal rights are at stake.
• We design these tools for business and operational support, not to replace licensed legal advice. Law firms remain responsible for reviewing outputs and advising their clients.
• When AI interacts directly with individuals (for example via phone or messaging), we make reasonable efforts, together with our customers, to ensure clear disclosure that the caller or chatter is an AI assistant.
• We do not use identifiable Client content from one law firm to build or fine-tune a general-purpose model that benefits unrelated third parties.

If you have questions about a specific AI-enabled interaction, you can contact the relevant law firm or reach us at support@lawgical.app.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or business practices. When we make material changes, we will:

• Update the "Last updated" date at the bottom of this page, and
• Provide additional notice where required (for example by email to account holders or in-product notifications).

Your continued use of our Services after a revised Privacy Policy becomes effective indicates that you have read and understood the updated version.

14. How to contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact us at:

Lawgical Security & Privacy Team

support@lawgical.app

We will do our best to respond promptly and address your concerns in a transparent and respectful manner.