SoundLegal, Inc. ("SoundLegal," "we," "us") provides AI-enabled contract analysis and contract generation services (the "Service"). We are privacy-first: no default training on your uploads, encryption in transit and at rest, and clear user controls.

By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

What We Collect

• Account & Identity: Name, email, organization, role, billing metadata.

• Content: Documents you upload and the Outputs generated by the Service.

• Usage & Device: IP address, device/browser type, pages/actions, timestamps, diagnostics, crash logs.

• Payments: Processed by Stripe; we retain transaction metadata (not full card numbers).

• Cookies/Analytics: Functional cookies; limited analytics (e.g., Google Analytics). IPs may be anonymized where supported.

We do not target or knowingly collect data from children under 13 (or under 16 in the EEA/UK).

How We Use Data

• Operate the Service: Process uploads to generate Outputs, provide history, search, collaboration, and support.

• Security: Monitor, prevent, and investigate fraud, abuse, or security incidents.

• Product Improvement: Aggregate/ de-identify telemetry to improve reliability and UX.

• AI Training (Opt-In Only): We will never train on your uploads unless you explicitly enable Training Consent. You can revoke at any time; revocation is prospective.

• Communications: Service notices, security alerts, support responses, optional product updates.

• Legal Compliance: As required by applicable law, court orders, or to protect rights/safety.

We do not sell personal data.

Lawful Bases (GDPR/UK GDPR, where applicable)

• Contract: To deliver the Service.

• Legitimate Interests: Security, troubleshooting, service analytics (balanced and privacy-protective).

• Consent: AI training (opt-in), certain cookies/marketing.

• Legal Obligation: To comply with law or lawful requests.

Sharing

• Subprocessors (Processors):

  • Google Cloud Platform (GCP): hosting, storage, backups, logging.

  • Google Vertex AI / Gemini: model inference.

  • Stripe: billing & payments.

  See current list at https://soundlegal.ai/subprocessors.

• Affiliates/Corporate Transactions: Only as necessary and subject to equivalent protections.

• Legal: To comply with law, enforce Terms, or protect rights/safety.

• At Your Direction: Integrations you connect.

Retention & Deletion

• Uploads/Outputs: Retained for your use and controls; you can delete anytime.

• Operational caching: Typically <24h; security/abuse telemetry up to 7 days.

• Backups: Rotating encrypted backups; deleted by rotation schedule.

• Verified deletion requests: Processed within 72 hours, subject to legal holds.

International Transfers

We are U.S.-based. For EU/UK data, we rely on SCCs (Module 2) and the UK IDTA (or Addendum) and implement supplementary safeguards (e.g., encryption).

Your Rights

• Access / Portability / Correction / Deletion.

• Restriction / Objection (where applicable).

• Withdraw Consent (e.g., training, marketing).

• CCPA/CPRA (California): Right to know/delete/correct; no sale or sharing of personal info.

Request at info@soundlegal.ai. We will verify your identity before fulfilling.

Security

• Encryption: TLS 1.3 in transit; AES-256 at rest.

• Access Controls: Role-based, least privilege, MFA for admin access.

• Monitoring & Testing: Centralized logging, vulnerability scans, annual third-party testing.

• Vendor Management: Contractual DPAs; security due diligence; subprocessor list public.

Cookies & Analytics

We use essential cookies for login/session and limited analytics to improve UX. You may control cookies in your browser; some features may not work without them.

Changes

We may update this Policy. Material changes will be announced in-product or by email ≥15 days before effectiveness (unless security/legal urgency requires sooner).