Privacy Policy

Account information: When you create an account, we collect your email address and the password you create. If you join an organization, we also store your organizational affiliation and role.

Research data: We collect the legal research queries you submit, the jurisdiction selections you make, and the AI-generated research results produced in response to your queries. This includes citation verification outcomes, agent confidence scores, consensus analysis, and any legal memoranda generated at your request.

Matter and organizational data: If you create client matters or join an organization, we store matter names, client identifiers, practice areas, jurisdictions, and the associations between research results and matters.

Usage data: We automatically collect information about how you interact with the Service, including pages visited, features used, research session duration, and general usage patterns. This data is collected in aggregate and is used to improve the Service.

Technical data: We collect your IP address, browser type and version, operating system, and device information when you access the Service. This information is used for security purposes and to ensure the Service functions properly.

Information we do not collect: We do not collect payment information during the preview period. We do not access, read, or store the contents of your email inbox. We do not collect biometric data, location data (beyond IP-based geolocation), or data from social media profiles.

We use the information we collect for the following purposes:

• Service delivery: To process your research queries, generate research results, verify citations, and produce legal memoranda.
• Account management: To authenticate your identity, manage your account settings, and process organizational memberships.
• Service improvement: To analyze usage patterns (in aggregate) and improve the accuracy, performance, and reliability of the Service. We may use anonymized and aggregated research data to evaluate and refine our AI models and verification processes.
• Security: To detect and prevent unauthorized access, fraud, abuse, and other security threats.
• Communications: To send you transactional emails (e.g., research completion notifications, password reset requests) and, with your consent, product updates. You may opt out of non-transactional communications at any time.
• Legal compliance: To comply with applicable laws, regulations, and legal processes.

We do not use your research queries or results to train third-party AI models. We do not sell your personal data to advertisers or data brokers.

Your research queries are transmitted to the following third-party LLM providers for processing as part of our multi-agent research pipeline:

Each provider processes your query data according to their own privacy policies and data handling agreements. We select providers that offer enterprise-grade data handling and do not use customer data for model training. However, you should review each provider's privacy policy for complete details.

We do not share your personal information, research queries, or results with any parties other than the service providers necessary to operate the platform, unless required by law or with your explicit consent.

In addition to LLM providers, the Service uses the following third-party services:

• Supabase (database and authentication): Stores your account data, research results, and organizational data. Hosted on Amazon Web Services (AWS), us-east-1 region. Supabase provides Row Level Security (RLS) to ensure data isolation between users.
• Vercel (hosting and deployment): Hosts the Service's web application. Vercel processes HTTP request data including IP addresses and browser information.
• Resend / Amazon SES (transactional email): Used to send account-related emails such as research completion notifications and password reset links. Your email address is shared with this service for delivery purposes.
• CourtListener / Free Law Project (legal data): Provides the legal case database used for citation verification. Research queries may be transmitted to CourtListener's API for case lookup. CourtListener is a 501(c)(3) nonprofit; their data is largely public domain.

We retain your data as follows:

• Account data: Retained for as long as your account is active. Upon account deletion, your account data is permanently removed within 30 days.
• Research queries and results: Retained for as long as your account is active or until you delete individual research sessions. Research data associated with a deleted account is permanently removed within 30 days.
• Matter data: Retained for as long as the associated organization or user account is active.
• Usage and technical data: Retained in aggregate form for up to 24 months for analytics purposes. Individual-level technical data is retained for up to 90 days.
• Backup data: Database backups containing your data may persist for up to 30 days after deletion from the live system.

We implement the following security measures to protect your data:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• Encryption at rest: Data stored in our Supabase database is encrypted at rest using AES-256 encryption provided by AWS.
• Row Level Security: Supabase RLS policies ensure that each user can only access their own data. Organizational data is accessible only to members of the respective organization.
• Authentication: User passwords are hashed using bcrypt. We support secure session management via httpOnly cookies.
• Access controls: Access to production systems and databases is restricted to authorized personnel only, with audit logging enabled.

While we take commercially reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

Regardless of your location, you have the following rights regarding your personal data:

• Access: You can access your account data and research history through the Service at any time.
• Correction: You can update your account information through your account settings.
• Deletion: You can delete individual research sessions through the Service interface. You can request complete account deletion by contacting support@crebral.com.
• Export: You can request a machine-readable export of your data by contacting support@crebral.com.
• Opt-out: You can opt out of non-essential communications through your account settings.
• Restriction: You can request that we restrict processing of your data under certain circumstances.

To exercise any of these rights, contact us at support@crebral.com. We will respond to your request within 30 days.

The Service uses a minimal set of cookies necessary for operation:

• Authentication cookies: Supabase authentication session cookies are used to maintain your login state. These are httpOnly, secure, and SameSite cookies essential for the Service to function.
• Preference cookies: We may store minimal user preferences (e.g., notification settings) in secure cookies or server-side user metadata.

We do not use third-party advertising cookies, social media tracking pixels, or cross-site tracking technologies. We do not participate in ad networks or share cookie data with advertising platforms.

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will promptly delete that information. If you believe a child under 18 has provided us with personal information, please contact us at support@crebral.com.

The Service is hosted in the United States, and your data is processed and stored on servers located in the US (AWS us-east-1 region). If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and other lawful transfer mechanisms to ensure adequate protection of your personal data when it is transferred outside the EEA.

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

• Right to know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to opt out of sale: We do not sell your personal information. There is no need to opt out because no sale occurs.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
• Right to correct: You have the right to request correction of inaccurate personal information.
• Right to limit use of sensitive information: We only use sensitive personal information (if any) for purposes permitted under the CCPA.

To exercise your California privacy rights, contact us at support@crebral.com. We will verify your identity before processing your request.

If you are located in the European Economic Area, United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional rights:

• Legal basis for processing: We process your personal data based on (a) your consent (account creation), (b) performance of a contract (providing the Service), (c) legitimate interests (improving the Service, ensuring security), and (d) legal compliance.
• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can request correction of inaccurate or incomplete data.
• Right to erasure: You can request deletion of your personal data ("right to be forgotten").
• Right to data portability: You can request a machine-readable copy of your data for transfer to another service.
• Right to object: You can object to processing based on legitimate interests.
• Right to restrict processing: You can request restriction of processing under certain circumstances.
• Right to withdraw consent: Where processing is based on consent, you can withdraw consent at any time.

Data Protection Officer: For GDPR-related inquiries, contact our Data Protection Officer at dpo@crebral.com.

Supervisory authority: You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by email at the address associated with your account and by posting a prominent notice on the Service at least thirty (30) days before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

If you have questions about this Privacy Policy or our data practices, please contact us: