Privacy Policy // Data Core

Effective Date: January 2026
System Status: PRIVACY-FIRST ACTIVE

PRIME DIRECTIVE: We are privacy-first. There is no default training on your uploads. Encryption is active in transit and at rest. You retain full control.

SoundLegal, Inc. ("SoundLegal," "we," "us") provides AI-enabled contract analysis and contract generation services (the "Service"). By accessing the Service, you agree to this Privacy Protocol.

1. Data Ingestion (What We Collect)

  • Account & Identity: Name, email, organization, role, billing metadata.
  • Content (Input): Documents you upload and the Outputs generated by the Service.
  • Usage & Telemetry: IP address, device/browser type, timestamps, diagnostics, crash logs.
  • Financial: Processed by Stripe; we retain transaction metadata only (no full card numbers).
  • Cookies: Functional cookies for session management; limited analytics (e.g., Google Analytics). IPs may be anonymized where supported.

>> NOTE: We do not knowingly collect data from children under 13 (or 16 in EEA/UK).

2. Processing Protocols (How We Use Data)

  • Service Operation: Processing uploads to generate Outputs, history, search, and collaboration.
  • Security Defense: Monitoring to prevent fraud, abuse, or security incidents.
  • System Optimization: Aggregated/de-identified telemetry to improve reliability and UX.
  • Legal Compliance: As required by applicable law or court orders.

// AI TRAINING (OPT-IN ONLY)

We will never train on your uploads unless you explicitly enable Training Consent. You can revoke this permission at any time; revocation is prospective.

3. Lawful Bases (GDPR / UK GDPR)

  • Contract: To deliver the Service (Core function).
  • Legitimate Interests: Security, troubleshooting, service analytics.
  • Consent: AI training (Opt-in), specific marketing/cookies.
  • Legal Obligation: Compliance with law or lawful requests.

4. External Connections (Sharing)

We do not sell personal data. We share data only with authorized nodes:

  • Subprocessors: Google Cloud (Hosting/Storage), Google Vertex AI (Inference), Stripe (Billing).
    >> VIEW FULL SUBPROCESSOR LEDGER
  • Affiliates: Only as necessary and subject to equivalent protections.
  • Legal Authorities: To comply with law, enforce Terms, or protect rights/safety.

5. Retention & Deletion Cycles

  • Uploads/Outputs: Retained for your use; you can delete anytime.
  • Operational Caching: Typically <24h; security telemetry up to 7 days.
  • Backups: Rotating encrypted backups; deleted by rotation schedule.
  • Deletion Requests: Processed within 72 hours, subject to legal holds.

6. Security Architecture

  • Encryption: TLS 1.3 in transit; AES-256 at rest.
  • Access Control: Role-based, least privilege, MFA for admin access.
  • Validation: Centralized logging, vulnerability scans, annual third-party testing.

7. International Transfers

We are U.S.-based. For EU/UK data, we rely on SCCs (Module 2) and the UK IDTA (or Addendum) and implement supplementary safeguards (e.g., encryption).

8. User Rights & Controls

General Rights: Access, Portability, Correction, Deletion, Restriction, Objection.
CCPA/CPRA (California): Right to know/delete/correct; no sale or sharing of personal info.

Execute Rights Request: info@soundlegal.ai
Identity verification required before fulfillment.

9. Protocol Updates

Material changes will be announced in-product or by email ≥15 days before effectiveness, barring security urgency.