Privacy Policy
We do not train AI models on your data. Your conversations and uploaded documents are never used to train or fine-tune our models or anyone else's.
1. Information We Collect
Information you provide:
- Account email address
- U.S. state (for state-specific legal information)
- Conversations with the AI assistant
- Documents you upload for analysis
- Billing information (handled by Stripe; we do not store card numbers)
Information we collect automatically:
- Usage analytics (pages viewed, features used, errors encountered)
- Device type and browser (for responsive design and bug triage)
- Approximate geographic region (from your IP, for state-specific content)
2. How We Use Your Information
- Deliver AI-powered legal information relevant to your state
- Match you with licensed attorneys in your area when you request it
- Operate, secure, and improve the service (bug fixes, rate limiting, abuse prevention)
- Process payments and manage subscriptions
- Send transactional and, if you opt in, marketing emails
We do not: sell your personal information, share it with data brokers, or use it to train AI models.
3. Vault Encryption
Your Vault (uploaded documents and saved case files) is encrypted at rest using AES-256-GCM with HKDF-derived per-user keys. Decryption keys are bound to your authenticated session. We cannot decrypt your Vault without your active session. This means we cannot recover Vault contents if you lose access to your account.
4. Marketing Consent
Marketing emails are opt-in only. We record the timestamp of your consent and the page from which you opted in. Every marketing email includes a working unsubscribe link, and we honor unsubscribes within 10 business days as required by the U.S. CAN-SPAM Act. Transactional email (receipts, security alerts, account notices) is sent regardless of marketing status because it is required to operate the service.
5. Your Rights — United States
Depending on where you live, you may have the following rights:
- California (CCPA/CPRA): right to know what we collect, right to delete, right to correct, right to opt out of "sharing" for cross-context behavioral advertising (we do not share for that purpose), and the right not to be discriminated against for exercising your rights.
- Other U.S. states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Utah, Texas): similar access, deletion, correction, and opt-out rights.
6. Your Rights — European Economic Area / United Kingdom
If you are in the EEA or the UK, you have the rights granted by GDPR Articles 15–22, including:
- Article 15 — access to your personal data
- Article 16 — rectification of inaccurate data
- Article 17 — erasure ("right to be forgotten")
- Article 18 — restriction of processing
- Article 20 — data portability (export in a machine-readable format)
- Article 21 — objection to processing, including direct marketing
- Article 22 — the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects; you may request human review of any such decision
You also have the right to lodge a complaint with your local supervisory authority.
7. How to Exercise Your Rights
Use the in-app chat or your account settings to make access, deletion, correction, portability, or objection requests. We will verify your identity using your authenticated session before acting on a request. We respond within the timeframe required by applicable law (generally 30–45 days).
8. Data Retention
- Conversations: retained for 180 days unless you explicitly save them to your Vault, after which they persist until you delete them.
- Vault files: retained indefinitely until you delete them or close your account.
- Usage analytics: retained for 24 months in aggregated or pseudonymized form.
- Account records: retained for the life of the account plus up to 7 years for tax, billing, and legal-hold purposes.
- Backups: may contain copies for up to 90 additional days before they age out.
9. Subprocessors
We use the following subprocessors to deliver the service. Each has been evaluated for security and privacy practices and is bound by a written data-processing agreement where required by law:
- Cloudflare, Inc. — hosting, edge compute, database, object storage, DDoS protection, and DNS.
- Stripe, Inc. — payment processing and subscription management.
- WorkOS, Inc. — authentication (AuthKit) and identity provider connections.
- Resend (Resend Inc.) — transactional and marketing email delivery.
We will update this list as subprocessors change. Material changes will be reflected by an updated effective date.
10. International Transfers
Our service is operated from the United States. If you access myLegal from outside the United States, your data will be transferred to and processed in the U.S. and other countries where our subprocessors operate. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.
11. Cookies
See our Cookie Policy for details on the cookies we use and how to control them.
12. Security
We use HTTPS for all data in transit, enterprise DDoS protection, encrypted storage at rest, and AES-256-GCM Vault encryption with per-user keys. No system is perfectly secure; we will notify affected users of a confirmed breach in accordance with applicable law.
13. Children's Privacy
myLegal is not intended for users under 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us through the in-app chat and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal obligations. Material changes will be reflected by an updated effective date at the top of this page and, where appropriate, by in-product notice.
15. Contact
Privacy questions or data requests: reach us through the in-app chat. Controller of record: Magic Life LLC (Delaware), operating as Aura Media Studios.
Legal information, not legal advice. myLegal provides general legal information and does not practice law. Using myLegal does not create an attorney-client relationship.
For complex or high-stakes matters, consult a licensed attorney in your jurisdiction.