This document describes how Legal Robot, Inc. (“Legal Robot”) collects and uses data about you.
Many companies say this as a marketing line, but we offer a bounty program - similar to our security bug bounty program - that pays people when they find issues with our algorithms or work with us to substantially improve privacy for our users.
We already use end-to-end encryption for your most sensitive data like legal documents, we were the first company to make a public commitment to algorithmic transparency, and we offer advanced security features like 2-factor authentication with either Google Authenticator or Universal Second Factor (U2F). However, there is always room to improve and we know that with your help we can do even better.
If you find issues with our algorithms (bias, lack of transparency, adversarial misclassifications, etc) or our privacy practices (over-collection, missing/bundled/un-informed consent, data misuse, etc), please let us know here on our HackerOne bug bounty page. Using our bug bounty program on HackerOne lets us work together to understand and correct the issue and compensate you for your effort.
As a researcher, if there are any tools or information we can provide to help you investigate our algorithms or privacy practices, please reach out to us by emailing [email protected]
Legal Robot collects data about you:
We use data about how you use the website to:
We only retain website log entries with identifiable information for visitors that already have Legal Robot accounts.
We may preserve log entries for all kinds of visitors longer, as needed in specific cases, like investigation of specific incidents. We store aggregate statistics indefinitely, but those statistics don’t include data identifiable to you personally.
Almost all features of Legal Robot services require an account. For example, you must have an account to purchase a service from us, message other users, or analyze documents.
To create an account, we need a working email address. We uses this data to provide you access to features and identify you across our services.
By default, Legal Robot does not publish account data, however you may choose to make your profile public in order to connect and collaborate with others.
Legal Robot uses your email to:
Legal Robot stores account data as long as the account stays open, or as long as there is a legal hold.
To sign up for paid services, we require your billing data. We do not collect or store enough information to charge your card itself. Rather, Stripe collects that data on Legal Robot’s behalf, and gives Legal Robot security tokens that allow us to create charges and subscriptions.
We use your payment card data only to charge for Legal Robot services.
We instruct Stripe to store your payment card data only as long as you use paid Legal Robot services.
Legal Robot collects data about you when you call us, send us support requests, legal complaints, privacy inquiries, and business inquiries. Those data usually include your name and email address or phone number, and may include your company or other affiliation.
Legal Robot uses contact data to:
Legal Robot stores correspondence as long as it may be useful for these purposes.
You do not have to give your legal name to create a Legal Robot account. You can use a pseudonym instead. You can also open more than one account. However, if you want to publish documents we require a real name as well as profile verification, see the publishing section for detail.
Feel free to use a disposable payment card service (like Privacy.com) or a prepaid MasterCard or Visa card to pay for Legal Robot services. Sometimes our payment processor (Stripe) will assign a higher risk score to these payment cards that could result in a declined transaction when paired with other risk factors. Learn more about Stripe’s risk evaluation.
Legal Robot no longer accepts Bitcoin because Stripe stopped accepting Bitcoin.
User profile data is always private by default, but you may choose to make it public (or change it back to private) from your account profile page at app.legalrobot.com/settings/profile in order to connect and collaborate with others. Beware that once data is public, 3rd parties like search engines and web archivers may index or copy the data.
If you authorize a partner file storage service like Box, DocumentCloud, Dropbox, Microsoft OneDrive, or Google Drive, you may disconnect the service from your Legal Robot account to remove the account data we received from the partner.
Legal Robot does not respond to the Do Not Track HTTP header.
Legal Robot stores account data, data about website use, and documents on servers in the United States of America.
Legal Robot stores documents for Enterprise accounts that Legal Robot hosts, plus metadata about them, in AWS zones of customers’ choosing.
We respect privacy rights under Regulation (EU) 2016/679, the European Union’s General Data Protection Regulation (GDPR). Information that GDPR requires Legal Robot to give can be found throughout these privacy questions and answers. So can information about specific rights, like access, rectification, erasure, data portability, and objection to automated decision-making.
GDPR does not apply to everyone worldwide. However, our policy is to do our best to offer all users the same privacy information, control, and protections, whether GDPR applies to them or not.
You can access your account data at any time by visiting your account settings page on app.legalrobot.com. From your account settings page, you can also download all of your data in standard JSON format.
You can change your personal account data and payment card data at any time by visiting your billing settings page at app.legalrobot.com/settings/billing.
You can close your Legal Robot account by visiting your account settings page at app.legalrobot.com/settings/account. Closing your account starts a reversible 30 day process of erasing Legal Robot’s records of your account data. Closing your account does not automatically erase documents published under your account.
If you have questions or problems using the website or App to change or delete data about you, email [email protected]. If another user improperly publishes personal data about you, in a document or otherwise, email [email protected].
Please note that while Legal Robot publishes notices about published data that’s been erased, Legal Robot can’t make everyone who has downloaded published documents erase that data on your behalf.
GDPR gives users the right to erase some data collected about them by others. GDPR also defines “personal data” broadly enough to cover information about document publishers as well as individuals mentioned in documents. But GDPR requires a balance between privacy rights, other rights, and the public interest. The law itself makes a start, limiting the right to be forgotten to specific situations that don’t apply to most published documents, and making exceptions that do.
If you accidentally publish a document that threatens your privacy, or discover someone else has published a document that does, email [email protected] immediately. Legal Robot can and will take down documents in specific, exceptional situations to protect you, especially if others violate your privacy. Using Legal Robot to violate others’ privacy is against the Terms of Service.
However, beware that public documents, even if removed from public view on Legal Robot’s website may be accessible in the cached versions held by search engines and web archivers.
Legal Robot takes a couple steps to notify others who may be copying data from the Legal Robot public website that published data has been erased:
Legal Robot publishes new placeholder versions of erased documents, with a notice that mentions the document has been erased, and why.
Legal Robot’s API provides update messages about documents that have been erased.
In order to access some of Legal Robot’s more sensitive capabilities, we require account verification through a 3rd party. During the verification process, you will be asked to provide identifying information, which is sent to the verification service. The verification service then returns Knowledge Based Authentication (KBA) questions that only you should be able to answer. Legal Robot does not store the questions or your answers, but sends them back to the 3rd party verification service for scoring.
We use a risk scoring and fraud reduction service called Radar, which is provided by our payment processor, Stripe. More information about their risk scoring process may be found in their online documentation.
Making a document public on the Legal Robot website requires some care because legal documents so often contain sensitive information. Legal Robot is not intended as an anonymous publishing service. In order to deter “Doxing”, we require account verification before publishing and document owners must be associated with an organization or publication.
When you request to publish a document, you are initially sharing the document with an algorithmic review process before it becomes public. Legal Robot uses data extracted from the document along with information about how you use the service to make a decision about releasing the document and whether it contains spam, promotes a scam, abuses others, or otherwise violates the Terms of Service. When the algorithm flags that a document is likely in violation, Legal Robot temporarily blocks publishing of the document and notifies you of the block.
If you think your document has been wrongly blocked, email [email protected] to reach a Legal Robot team member who can review the decision.
Legal Robot may share account data (only for those accounts with a public profile) with other Legal Robot users as mentioned in the section about account data in order to enable collaboration.
Even without a public profile, a user that already knows your email address may invite you their team or invite you to review or collaborate on a document. Legal Robot does not disclose to the requestor whether the email address is associated with an existing account.
We may also share data in an emergency, for safety purposes, and in situations involving abuse of our Code of Conduct. This includes protecting the safety of our employees and agents, our customers, or any person.
We may share data to comply with laws and to respond to lawful requests or legal processes (see our Transparency Report for details). If we receieve a subpoena or similar demand for user data, we will promptly notify the user of the request unless we are legally prohibited from doing so. If we are legally required to provide the requested data, we will provide it no sooner than 30 days after notifying the user, unless we are legally required to provide it sooner.
Legal Robot does not sell information about you to others. However, Legal Robot uses services provided by other companies to provide Legal Robot services. Some of those 3rd party services may collect data about you independently, for their own purposes. All of the companies are based in the United States.
Some of these 3rd party services may collect information about your online activities across different websites.
At your request, Legal Robot can authenticate with your Microsoft Office 365 account to connect to various Microsoft services like OneDrive, where documents may be stored. You can read the privacy statement for Microsoft online.
The Legal Robot service and any content that our users upload or make public is intended for adults. We do not knowingly collect personal information from children under 13 years old. If you are a parent or legal guardian of a child under age 13 who you believe has submitted personal information to Legal Robot, please email us at [email protected] immediately. If we discover that we have the personal information of a child under 13, we will delete such information from our systems.
Legal Robot, Inc.
548 Market Street #28970
San Francisco, California 94104
For complaints under GDPR more generally, European Union users may submit complaints to their local data protection supervisory authorities.