Privacy Policy
Last Updated: November 30, 2025
Effective Date: November 30, 2025
Privacy at a Glance
- Zero Training Data: Your documents are NEVER used to train AI models
- Data Isolation: Your data is isolated and encrypted at rest (AES-256)
- Secure Infrastructure: Hosted on enterprise-grade cloud infrastructure
- Your Control: Export or delete your data anytime
1. Scope and Application
This Privacy Policy describes how Picard.Law (“we,” “us,” or “our”) collects, uses, stores, and protects your personal information when you use our AI-powered legal document analysis platform (the “Service”).
This policy applies to all users of our web application, API services, and any related services we provide. By using our services, you agree to the collection and use of information in accordance with this policy.
Legal Basis for Processing (GDPR): We process your data based on:
- Contract Performance: To provide the services you've subscribed to
- Legitimate Interests: To improve our services and prevent fraud
- Consent: For marketing communications (opt-in only)
- Legal Obligation: To comply with applicable laws
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
| Data Type | Purpose | Retention |
|---|---|---|
| Full name | Account identification, personalization | Until account deletion |
| Email address | Authentication, communications | Until account deletion |
| Company/Organization name | Workspace organization | Until account deletion |
| Password (hashed with bcrypt) | Authentication | Until account deletion |
2.2 Document Data
When you upload documents to our platform, we process and store:
- Document Content: The full text content of uploaded documents for AI analysis
- Document Metadata: File names, file types (PDF, DOCX, etc.), upload timestamps
- Extracted Entities: Parties, dates, clauses, and other structured information extracted by AI
- Knowledge Graph Data: Relationships and connections between entities stored in Neo4j
- Vector Embeddings: Mathematical representations of text for semantic search (768-3072 dimensions)
- Processing Status: Document processing state and any error logs
2.3 Usage Information
We automatically collect usage data to improve our service:
- Session Data: Session IDs, login timestamps, session duration
- Device Information: Browser type/version, operating system, device type, viewport dimensions
- IP Address: For security monitoring and approximate geolocation
- Pages Visited: Navigation patterns within the application
- Feature Usage: Which features you use and how often
- AI Queries: Questions asked to the AI assistant (stored for quality improvement)
- Search Queries: Search terms used within the platform
2.4 Payment Information
For subscription and credit purchases:
- Transaction Records: Plan type, billing period, transaction IDs, amounts paid
- Payment Provider IDs: Stripe/PayPal customer IDs for recurring billing
- Billing History: Invoice records and payment status
Note: We do NOT store credit card numbers, CVV codes, or full bank account details. All sensitive payment information is handled directly by our PCI-compliant payment processors (Stripe, PayPal).
2.5 Activity Logs
For security and audit purposes, we maintain detailed activity logs:
- Document uploads and deletions
- AI query submissions
- Authentication events (login, logout, failed attempts)
- Subscription changes
- Administrative actions
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Service Delivery | Documents, account info, queries | Contract |
| AI Document Analysis | Document content, metadata | Contract |
| Billing & Subscriptions | Payment info, usage data | Contract |
| Service Communications | Email, name | Legitimate Interest |
| Security & Fraud Prevention | IP, device info, activity logs | Legitimate Interest |
| Service Improvement | Aggregated usage analytics | Legitimate Interest |
| Legal Compliance | All data as required | Legal Obligation |
4. AI Processing and Large Language Models
Your documents are NEVER used to train AI models. All AI inference is performed in real-time for your queries only. No document content is retained by AI providers after processing.
4.1 AI Models We Use
Our service utilizes multiple AI models for different tasks, all accessed via secure API connections through OpenRouter and dedicated cloud infrastructure:
| Model | Use Case | Provider |
|---|---|---|
| Kimi K2 | Primary document analysis and Q&A | Moonshot AI via OpenRouter |
| Llama 3.2 (3B) | Citation validation, entity extraction | Meta via OpenRouter |
| Llama 3.3 (70B) | Complex document extraction | Meta via Together AI |
| Llama 3.1 (8B) | Spam detection, validation | Meta via OpenRouter |
| Qwen 2.5 (7B) | Specialized classification tasks | Alibaba via OpenRouter |
| Gemini 2.5 Flash | Agent-based tasks, embeddings | Google via OpenRouter |
4.2 AI Data Processing Guarantees
- No Training: Document content sent to AI models is processed for inference only and is NOT used to train or fine-tune any models
- Encrypted Transit: All data sent to AI providers is encrypted using TLS 1.3
- Secure Cloud Infrastructure: We use Ollama-based cloud servers and OpenRouter's enterprise API for 100% secure and accurate LLM inferencing
- No Persistent Storage: AI providers do not retain your document content after processing completes
- Enterprise DPAs: We maintain Data Processing Agreements with all AI service providers ensuring GDPR compliance
4.3 How AI Processes Your Documents
When you upload a document or ask a question:
- Document text is extracted and chunked into smaller segments
- Chunks are converted to vector embeddings for semantic search
- Entities (parties, dates, clauses) are extracted and stored in a knowledge graph
- When you query, relevant chunks are retrieved and sent to the LLM
- The LLM generates a response with citations to source documents
- The response is validated for accuracy before being shown to you
5. Data Security
5.1 Technical Security Measures
- Encryption at Rest: All data encrypted using AES-256
- Encryption in Transit: TLS 1.3 for all network communications
- Database Security: PostgreSQL with Row Level Security (RLS) policies
- Access Control: Role-based access control (RBAC) with organization isolation
- Authentication: Secure token-based authentication via Supabase Auth
- API Security: Rate limiting, CORS protection, Helmet.js security headers
5.2 Infrastructure Security
- Cloud Hosting: Supabase (PostgreSQL), Azure Container Apps, AWS S3
- Knowledge Graph: Neo4j AuraDB with encrypted connections
- File Storage: AWS S3 with private ACLs and encrypted buckets
- CDN: Netlify with HTTPS enforcement
- Background Processing: Azure Container Apps with Celery workers
- Message Queue: Redis with TLS encryption
5.3 Organizational Security
- Regular security audits and vulnerability assessments
- Employee access limited on a need-to-know basis
- Incident response procedures in place
- Security logging and monitoring via structured logging (Pino)
6. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account Data | Until account deletion + 30 days | Hard delete with cascade |
| Documents | Per subscription plan or until deleted | S3 deletion + database cleanup |
| Knowledge Graph Data | Until document deletion | Neo4j node/relationship deletion |
| Activity Logs | 365 days (configurable) | Soft delete, then purge |
| Usage Analytics | Aggregated: 2 years | Anonymization after retention |
| Payment Records | 7 years (legal requirement) | Archived, then deleted |
You may request immediate deletion of your data at any time by contacting us at privacy@picard.law. We will process deletion requests within 30 days as required by GDPR.
9. Your Rights (GDPR/CCPA/LGPD)
Depending on your location, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of your personal data | Email privacy@picard.law |
| Rectification | Correct inaccurate or incomplete data | Account settings or email us |
| Erasure | Request deletion of your data | Email privacy@picard.law |
| Portability | Export data in machine-readable format | Dashboard export or email us |
| Restriction | Limit how we process your data | Email privacy@picard.law |
| Objection | Object to certain processing | Email privacy@picard.law |
| Withdraw Consent | Revoke previously given consent | Account settings or email us |
Response Time: We will respond to all requests within 30 days. Complex requests may require an additional 60 days, in which case we will notify you.
CCPA Notice (California Residents): You have the right to know what personal information we collect, request deletion, and opt-out of the “sale” of personal information. We do not sell your personal information.
10. International Data Transfers
Your data may be transferred to and processed in countries outside your residence, including:
- United States: Cloud infrastructure (AWS, Supabase)
- European Union: Some processing services
- Various: AI model providers may process in multiple regions
We ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with all third-party processors
- Adequacy decisions where applicable
- Encryption of all data in transit and at rest
11. Children's Privacy
Our service is intended for business and professional use and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children under 18.
If you believe we have inadvertently collected information from a child under 18, please contact us immediately at privacy@picard.law, and we will take steps to delete such information.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
We will notify you of changes by:
- Posting the updated policy on this page with a new “Last Updated” date
- Sending an email notification for material changes
- Displaying a prominent notice in the application
Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
Privacy Inquiries: privacy@picard.law
General Support: support@picard.law
Data Protection Officer: dpo@picard.law
Website: https://picard.law
Supervisory Authority: If you are in the EU and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
14. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, use, etc.)
- Data Controller: Picard.Law, which determines the purposes and means of processing
- Data Processor: Third parties that process data on our behalf
- Service: The Picard.Law AI-powered legal document analysis platform
- LLM: Large Language Model - AI systems used for natural language processing
- Knowledge Graph: A database structure that stores relationships between entities
- Vector Embeddings: Mathematical representations of text used for semantic search
© 2025 Picard.Law. All rights reserved.
This Privacy Policy was last reviewed and updated on November 30, 2025.