May 25, 2018

This document describes how Legal Robot, Inc. (“Legal Robot”) collects and uses data about you.

We are serious about your privacy

Many companies say this as a marketing line, but we offer a bounty program - similar to our security bug bounty program - that pays people when they find issues with our algorithms or work with us to substantially improve privacy for our users.

We already use end-to-end encryption for your most sensitive data like legal documents, we were the first company to make a public commitment to algorithmic transparency, and we offer advanced security features like 2-factor authentication with either Google Authenticator or Universal Second Factor (U2F). However, there is always room to improve and we know that with your help we can do even better.

If you find issues with our algorithms (bias, lack of transparency, adversarial misclassifications, etc) or our privacy practices (over-collection, missing/bundled/un-informed consent, data misuse, etc), please let us know here on our HackerOne bug bounty page. Using our bug bounty program on HackerOne lets us work together to understand and correct the issue and compensate you for your effort.

As a researcher, if there are any tools or information we can provide to help you investigate our algorithms or privacy practices, please reach out to us by emailing [email protected]

Legal Robot collects data about you:

  • when you visit our websites or use our App
  • when you create or update your account and profile information
  • when you purchase a Legal Robot service
  • when you verify your profile information in Legal Robot
  • when you authorize a partner integration, like file storage
  • when you send support, privacy, legal, and other requests to our team
  • when you send an email to [email protected]

When you visit www.legalrobot.com, app.legalrobot.com, or use the Legal Robot App, we use client-side JavaScript, server logs, and other methods to collect data about what pages you visit, and when. We also collect technical information about the software and computer you use, like:

  • your IP address
  • your preferred language
  • the web browser software you use
  • the kind of computer or device you use
  • the website that referred you

We use data about how you use the website to:

  • optimize the website, so that it is quick and easy to use
  • diagnose and debug technical errors
  • defend the website from abuse and technical attacks
  • compile statistics on public document popularity
  • compile statistics on the kinds of software and computers visitors use
  • compile statistics on visitor searches and needs, to guide development of new website pages and functionality
  • decide who to contact about product announcements, service changes, and new features

We only retain website log entries with identifiable information for visitors that already have Legal Robot accounts.

We may preserve log entries for all kinds of visitors longer, as needed in specific cases, like investigation of specific incidents. We store aggregate statistics indefinitely, but those statistics don’t include data identifiable to you personally.

Almost all features of Legal Robot services require an account. For example, you must have an account to purchase a service from us, message other users, or analyze documents.

To create an account, we need a working email address. We use this data to provide you access to features and identify you across our services.

By default, Legal Robot does not publish account data. However, you may choose to make your profile public in order to connect and collaborate with others.

Legal Robot uses your email to:

  • reset your password and help keep your account secure
  • contact you in special circumstances related to your account or packages
  • contact you about support requests
  • contact you about legal requests, like DMCA takedown requests and privacy complaints
  • announce new Legal Robot product offerings, service changes, and features

Legal Robot stores account data as long as the account stays open, or as long as there is a legal hold.

To sign up for paid services, we require your billing data. We do not collect or store enough information to charge your card itself. Rather, Stripe collects that data on Legal Robot’s behalf, and gives Legal Robot security tokens that allow us to create charges and subscriptions.

We use your payment card data only to charge for Legal Robot services.

We instruct Stripe to store your payment card data only as long as you use paid Legal Robot services.

Legal Robot collects data about you when you call us, send us support requests, legal complaints, privacy inquiries, and business inquiries. Those data usually include your name and email address or phone number, and may include your company or other affiliation.

Legal Robot uses contact data to:

  • respond to you
  • compile aggregate statistics about correspondence
  • train support staff and other Legal Robot personnel
  • review the performance of Legal Robot personnel who respond
  • defend Legal Robot from legal claims

Legal Robot stores correspondence as long as it may be useful for these purposes.

How can I make choices about data collection?

Pseudonym

You do not have to give your legal name to create a Legal Robot account. You can use a pseudonym instead. You can also open more than one account. However, if you want to publish documents, we require a real name as well as profile verification; see the publishing section for details.

Disposable or Privacy-respecting Email

Legal Robot may be used with a disposable email account (like Mailinator.com) or a privacy-respecting email account (like ProtonMail.com).

Disposable Payment Card

Feel free to use a disposable payment card service (like Privacy.com) or a prepaid MasterCard or Visa card to pay for Legal Robot services. Sometimes our payment processor (Stripe) will assign a higher risk score to these payment cards that could result in a declined transaction when paired with other risk factors. Learn more about Stripe’s risk evaluation.

Legal Robot no longer accepts Bitcoin because Stripe stopped accepting Bitcoin.

User Profile

User profile data is always private by default, but you may choose to make it public (or change it back to private) from your account profile page at app.legalrobot.com/settings/profile in order to connect and collaborate with others. Beware that once data is public, 3rd parties like search engines and web archivers may index or copy the data.

Integrations

If you authorize a partner file storage service like Box, DocumentCloud, Dropbox, Microsoft OneDrive, or Google Drive, you may disconnect the service from your Legal Robot account to remove the account data we received from the partner.

Do Not Track

Legal Robot does not respond to the Do Not Track HTTP header.

Legal Robot stores account data, data about website use, and documents on servers in the United States of America.

Legal Robot stores documents for Enterprise accounts that Legal Robot hosts, plus metadata about them, in AWS zones of customers’ choosing.

We respect privacy rights under Regulation (EU) 2016/679, the European Union’s General Data Protection Regulation (GDPR). Information that GDPR requires Legal Robot to give can be found throughout these privacy questions and answers. So can information about specific rights, like access, rectification, erasure, data portability, and objection to automated decision-making.

GDPR does not apply to everyone worldwide. However, our policy is to do our best to offer all users the same privacy information, control, and protections, whether GDPR applies to them or not.

How can I access data about me?

You can access your account data at any time by visiting your account settings page on app.legalrobot.com. From your account settings page, you can also download all of your data in standard JSON format.

How can I change or erase data about me?

You can change your personal account data and payment card data at any time by visiting your billing settings page at app.legalrobot.com/settings/billing.

You can close your Legal Robot account by visiting your account settings page at app.legalrobot.com/settings/account. Closing your account starts a reversible 30 day process of erasing Legal Robot’s records of your account data. Closing your account does not automatically erase documents published under your account.

If you have questions or problems using the website or App to change or delete data about you, email [email protected]. If another user improperly publishes personal data about you, in a document or otherwise, email [email protected].

Please note that while Legal Robot publishes notices about published data that’s been erased, Legal Robot can’t make everyone who has downloaded published documents erase that data on your behalf.

Does the right to be forgotten cover unpublishing documents?

We don’t believe either the letter or the spirit of the right to be forgotten requires changes to our policy on document removal or our Terms of Service.

GDPR gives users the right to erase some data collected about them by others. GDPR also defines “personal data” broadly enough to cover information about document publishers as well as individuals mentioned in documents. But GDPR requires a balance between privacy rights, other rights, and the public interest. The law itself makes a start, limiting the right to be forgotten to specific situations that don’t apply to most published documents, and making exceptions that do.

If you accidentally publish a document that threatens your privacy, or discover someone else has published a document that does, email [email protected] immediately. Legal Robot can and will take down documents in specific, exceptional situations to protect you, especially if others violate your privacy. Using Legal Robot to violate others’ privacy is against the Terms of Service.

However, beware that public documents, even if removed from public view on Legal Robot’s website, may be accessible in the cached versions held by search engines and web archivers.

Legal Robot takes a couple of steps to notify others who may be copying data from the Legal Robot public website that published data has been erased:

  • Legal Robot publishes new placeholder versions of erased documents, with a notice that mentions the document has been erased, and why.

  • Legal Robot’s API provides update messages about documents that have been erased.

Account Verification

In order to access some of Legal Robot’s more sensitive capabilities, we require account verification through a 3rd party. During the verification process, you will be asked to provide identifying information, which is sent to the verification service. The verification service then returns Knowledge Based Authentication (KBA) questions that only you should be able to answer. Legal Robot does not store the questions or your answers, but sends them back to the 3rd party verification service for scoring.

Payments

We use a risk scoring and fraud reduction service called Radar, which is provided by our payment processor, Stripe. More information about their risk scoring process may be found in their online documentation.

Publishing Moderation

Making a document public on the Legal Robot website requires some care because legal documents so often contain sensitive information. Legal Robot is not intended as an anonymous publishing service. In order to deter “Doxing”, we require account verification before publishing and document owners must be associated with an organization or publication.

When you request to publish a document, you are initially sharing the document with an algorithmic review process before it becomes public. Legal Robot uses data extracted from the document along with information about how you use the service to make a decision about releasing the document and whether it contains spam, promotes a scam, abuses others, or otherwise violates the Terms of Service. When the algorithm flags that a document is likely in violation, Legal Robot temporarily blocks publishing of the document and notifies you of the block.

If you think your document has been wrongly blocked, email [email protected] to reach a Legal Robot team member who can review the decision.

Legal Robot may share account data (only for those accounts with a public profile) with other Legal Robot users as mentioned in the section about account data in order to enable collaboration.

Even without a public profile, a user that already knows your email address may invite you to their team or invite you to review or collaborate on a document. Legal Robot does not disclose to the requestor whether the email address is associated with an existing account.

Emergencies and Abuse

We may also share data in an emergency, for safety purposes, and in situations involving abuse of our Code of Conduct. This includes protecting the safety of our employees and agents, our customers, or any person.

Lawful Requests

We may share data to comply with laws and to respond to lawful requests or legal processes (see our Transparency Report for details). If we receive a subpoena or similar demand for user data, we will promptly notify the user of the request unless we are legally prohibited from doing so. If we are legally required to provide the requested data, we will provide it no sooner than 30 days after notifying the user, unless we are legally required to provide it sooner.

3rd Parties

Legal Robot does not sell information about you to others. However, Legal Robot uses services provided by other companies to provide Legal Robot services. Some of those 3rd party services may collect data about you independently, for their own purposes. All of the companies are based in the United States.

Some of these 3rd party services may collect information about your online activities across different websites.

Service Providers

Amazon Web Services

Legal Robot uses Amazon Web Services servers and services, in service regions across the United States, to power Legal Robot’s website and other services. You can read the privacy policy for AWS online.

Blockscore

Legal Robot uses Blockscore to verify customer profile data when you request verification. You can read the privacy policy for Blockscore online.

Google Analytics

Legal Robot’s website uses Google Analytics to collect and analyze data about visitors to its websites. You can read the privacy policy for Google Analytics online. You can opt out of Google Analytics by installing a free browser extension.

Gravatar

Legal Robot uses Gravatar, a free service from Automattic for hosting user avatar pictures. When you sign in to your account, Legal Robot sends a request to Gravatar to retrieve your latest avatar picture. You can read the privacy policy for Gravatar online.

Mailgun

Legal Robot uses Mailgun to send account update and transactional emails as well as feature and update emails. You can read the privacy policy for Mailgun online.

Meteor Galaxy

Legal Robot uses the Meteor Galaxy application service to manage some of our AWS application deployments. You can read the privacy policy for Meteor online.

MongoDB

Legal Robot uses MongoDB as a database hosting provider to store data generated through use of Legal Robot. You can read the privacy policy for MongoDB online.

Stripe

Legal Robot uses Stripe to collect and use payment card payment data. You can read the privacy policy for Stripe online.

Twilio

Legal Robot uses Twilio to power phone and SMS applications. You can read the privacy policy for Twilio online.

Optional Integrations

Box

At your request, Legal Robot can authenticate with your Box account to access documents stored on their servers. You can read the privacy policy for Box online.

Dropbox

At your request, Legal Robot can authenticate with your Dropbox account to access documents stored on their servers. You can read the privacy policy for Dropbox online.

Google Drive

At your request, Legal Robot can authenticate with your Google account to access documents stored in your Google Drive. You can read the privacy policy for Google online.

Microsoft Office 365

At your request, Legal Robot can authenticate with your Microsoft Office 365 account to connect to various Microsoft services like OneDrive, where documents may be stored. You can read the privacy statement for Microsoft online.

Salesforce.com

At your request, Legal Robot can authenticate with your Salesforce.com account to access documents stored on their servers. You can read the privacy policy for Salesforce.com online.

The Legal Robot service and any content that our users upload or make public is intended for adults. We do not knowingly collect personal information from children under 13 years old. If you are a parent or legal guardian of a child under age 13 who you believe has submitted personal information to Legal Robot, please email us at [email protected] immediately. If we discover that we have the personal information of a child under 13, we will delete such information from our systems.

We welcome your comments or questions about this privacy policy. You may email [email protected], or our address is below:

Legal Robot, Inc.
548 Market Street #28970
San Francisco, California 94104

For complaints under GDPR more generally, European Union users may submit complaints to their local data protection supervisory authorities.

How can I find out about changes?

We will likely change this privacy policy over time. When we make changes, we will change the date on this page. We will also maintain a history of the changes to this policy, at the bottom of this page.

History

  The text of this page is released into the Public Domain under the Creative Commons Zero license.