Privacy Policy
Last updated: April 12, 2026
- What we collect: Your name, email, and the documents you upload. We also track basic usage stats (how many analyses, etc.).
- What we don't do: We never sell your data, never train AI on your documents, and never share your files with anyone except the AI providers that analyze them.
- Document security: Everything is encrypted. Uploaded files auto-delete after 30 days. Pasted text is never saved to disk. You can delete your documents immediately after receiving your analysis.
- Payments: Handled entirely by Polar.sh (via Stripe). We never see your credit card number.
- Your rights: You can access, export, correct, or delete your data anytime from your dashboard or by emailing us.
- Cookies: Only essential ones for login sessions. No tracking, no ads.
- Analytics: Privacy-friendly, anonymized. No individual user tracking.
1. Introduction
LegalSimpler ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service at legalsimpler.com.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Authentication method (email/password or Google OAuth)
- Account preferences (theme, notification settings)
If you sign in via Google OAuth, we receive your name and email from Google. We do not access your Google contacts, calendar, or other data.
2.2 Documents and Analysis Data
- Uploaded files (PDF, DOCX, TXT): Stored encrypted on our servers. Automatically deleted after 30 days unless you configure a different retention period.
- Pasted text: Processed in memory by our AI pipeline. Not written to persistent storage.
- Analysis results: Stored in our database and linked to your account. Retained while your account is active.
2.3 Usage Data
We collect anonymized usage data including:
- Number of analyses performed
- Feature usage patterns
- Performance metrics (analysis time, error rates)
- Browser type and operating system (anonymized)
We do not collect IP addresses for analytics purposes. We may log IP addresses temporarily for rate limiting and abuse prevention.
2.4 Payment Information
Payment processing is handled entirely by Polar.sh (via Stripe), our Merchant of Record. We do not receive, process, or store credit card numbers, bank account details, or other payment credentials. We receive only transaction confirmations and subscription status from Polar.sh (via Stripe).
2.5 Support Communications
If you contact us via email or the support widget, we collect your email address, message content, and any attachments. These are used solely to resolve your inquiry.
3. How We Use Your Information
- To provide, maintain, and improve the Service
- To process your document analyses using our AI pipeline
- To manage your account, subscriptions, and billing
- To send transactional emails (verification, password reset, billing receipts)
- To send product updates and feature announcements (opt-in only)
- To improve the Service based on anonymized, aggregated usage patterns
- To detect, prevent, and respond to abuse, fraud, or security incidents
- To comply with legal obligations
4. What We Do NOT Do
- We do not sell, rent, or trade your personal data to third parties
- We do not use your documents to train, fine-tune, or improve AI models
- We do not share document content with third parties except for AI processing via OpenRouter
- We do not store documents longer than 30 days without your explicit consent
- We do not use advertising cookies or tracking pixels
- We do not build marketing profiles from your usage data
5. AI Processing Disclosure
When you submit a document for analysis, the text content is sent to third-party AI model providers through OpenRouter (our AI gateway). These providers may include DeepSeek, Google (Gemini), and Meta (Llama). Key points:
- Only the document text is sent — not your name, email, or account information
- We select providers that contractually commit to not using customer data for training
- AI providers process your data according to their own privacy policies
- Results are returned to our servers, stored in your account, and the provider does not retain your data
6. Data Retention
- Uploaded documents: Auto-deleted after 30 days (configurable in settings). Can be manually deleted immediately after analysis — you don't need to wait.
- Analysis results: Retained while your account is active. Deleted when you delete your account.
- Account data: Retained until you request deletion
- Payment records: Retained for 7 years as required for tax compliance
- Usage logs: Retained for 12 months, then permanently deleted
- Support conversations: Retained for 24 months
- Session data: Expires after 30 days of inactivity
7. Data Security
We implement industry-standard security measures including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Per-user document-level access controls
- Password hashing with Argon2 (via Appwrite)
- Rate limiting and brute-force protection
- Regular security audits and dependency updates
- Infrastructure hosted on Hetzner VPS (EU/Germany) with Appwrite
8. Third-Party Services
- Appwrite (self-hosted): Authentication, database, file storage
- OpenRouter: AI model inference gateway
- Polar.sh (via Stripe): Payment processing (Merchant of Record)
- Brevo: Transactional email delivery (SMTP)
- Upstash Redis: Rate limiting and caching (no document data)
- Sentry: Error tracking and monitoring (no document content)
- Vercel: Frontend hosting and CDN
9. Your Rights
Regardless of your location, we provide the following rights to all users:
- Access: Request a copy of all personal data we hold about you
- Correction: Update inaccurate or incomplete data
- Deletion: Request deletion of your account and all associated data
- Export: Download your analysis data in a portable format
- Opt-out: Unsubscribe from marketing emails at any time
- Restriction: Request that we limit how we process your data
To exercise these rights, use your dashboard settings or contact us at support@legalsimpler.com. We will respond within 30 days.
10. GDPR Compliance
For users in the European Economic Area (EEA), we process your data under the following legal bases:
- Contract: Processing necessary to provide the Service you signed up for
- Consent: Marketing communications (opt-in only)
- Legitimate interest: Service improvement, security, fraud prevention
- Legal obligation: Tax records, legal compliance
You may file a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.
11. International Data Transfers
Our infrastructure is hosted in Germany (Hetzner). AI processing may involve transfers to providers in other jurisdictions. We ensure appropriate safeguards are in place, including standard contractual clauses where applicable.
12. Cookies and Tracking
We use only essential cookies required for:
- Authentication and session management
- Theme preferences (light/dark mode)
We do not use advertising cookies, tracking pixels, or fingerprinting. If we implement analytics, we will use privacy-friendly, cookieless solutions that do not track individual users.
13. Children's Privacy
The Service is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
14. Data Breach Notification
In the event of a data breach that affects your personal data, we will notify affected users via email within 72 hours of becoming aware of the breach. We will also notify relevant data protection authorities as required by law.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
16. Contact
For privacy-related questions, data requests, or concerns:
- Email: support@legalsimpler.com
- Subject line: "Privacy Request" for data access/deletion requests