Privacy Policy

Version 3.0 | Effective Date: February 1, 2025

1. Introduction

VUGA Enterprises LLC d/b/a LegalPrizm ("LegalPrizm," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including our website, mobile applications, and related services (collectively, the "Service").

By using LegalPrizm, you consent to the data practices described in this Privacy Policy.

For users in the European Economic Area, United Kingdom, or Switzerland ("EU Users"), additional provisions apply as detailed in Section 10.

2. Information We Collect

2.1 Information You Provide

Account Information

  • Name, email address, phone number
  • Bar number and jurisdiction (for attorneys)
  • Firm name and address
  • Billing information (processed securely by Stripe)
  • Password (stored as encrypted hash using bcrypt with 10+ rounds)

Service Data

  • Documents you upload (encrypted at rest)
  • Case information and client data (field-level encryption for PII)
  • Notes, annotations, and tags
  • Calendar events and deadlines
  • Communications within the Service

Sensitive Personal Information (Encrypted)

The following fields are encrypted using AES-256-CBC with per-firm encryption keys:

  • Social Security Numbers (SSN)
  • Passport numbers
  • Driver's license numbers
  • Date of birth
  • Alien registration numbers
  • Financial account numbers

2.2 Information Collected Automatically

Usage Data

  • Features used and actions taken
  • Search queries
  • Page views and clicks
  • Time spent on pages
  • Error logs and performance data

Device Information

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Mobile network information
  • Session identifiers

Cookies and Tracking

  • Session cookies (essential)
  • Authentication tokens
  • Preference settings
  • Analytics cookies (with consent)

For details, see our Cookie Policy.

2.3 Information from Third Parties

  • Payment processors: Transaction data from Stripe
  • Legal databases: Public case information
  • Identity verification: Bar admission verification
  • Single Sign-On: Profile data from SSO providers

3. How We Use Your Information

3.1 Provide and Maintain the Service

  • Create and manage your account
  • Process transactions and billing
  • Provide customer support
  • Send service notifications
  • Enable collaboration features

3.2 Improve the Service

  • Analyze usage patterns to enhance user experience
  • Develop new features and functionalities
  • Fix bugs and resolve technical issues
  • Optimize performance and scalability
  • Train and improve AI models for document classification (with anonymization)

3.3 Legal and Security

  • Comply with legal obligations
  • Enforce our Terms of Service
  • Detect and prevent fraud, abuse, or security threats
  • Protect rights, property, and safety
  • Respond to lawful requests from authorities

3.4 Marketing (with consent)

  • Send promotional emails about LegalPrizm services
  • Announce new features or updates
  • Share legal industry insights and trends
  • Provide educational content

You can opt out of marketing communications at any time via email footer links or account settings.

4. Legal Basis for Processing (GDPR)

For EU Users, we process personal data based on the following legal grounds:

  • Contract (Article 6(1)(b)): To provide and maintain the Service as agreed in our Terms of Service
  • Legitimate Interest (Article 6(1)(f)): To improve the Service, ensure security, prevent fraud, and conduct business operations
  • Consent (Article 6(1)(a)): For marketing communications, non-essential cookies, and optional features
  • Legal Obligation (Article 6(1)(c)): To comply with applicable laws, regulations, and legal processes

5. How We Share Your Information

5.1 We DO NOT Sell Your Personal Information

We never sell, rent, or trade your personal information to third parties for monetary consideration.

5.2 Service Providers and Sub-Processors

We share limited information with trusted service providers to operate the Service. All providers are bound by data protection agreements compliant with GDPR, CCPA, and other applicable laws.

A complete list of sub-processors is available on our Sub-Processors page.

5.3 Legal Requirements

We may disclose information if required by court order, subpoena, government or regulatory investigation, law enforcement request, or legal proceedings.

For EU Users: We will notify you of such disclosures unless prohibited by law.

5.4 Business Transfers

If LegalPrizm is acquired, merged, or undergoes a restructuring, your information may be transferred. We will notify you at least 30 days before the transfer and ensure the acquirer maintains equivalent data protection standards.

5.5 Aggregated and Anonymized Data

We may share aggregated or anonymized data that cannot identify you for research or marketing purposes.

6. Data Residency and International Transfers

6.1 Data Classification by Jurisdiction

EU Data (GDPR-regulated): Data subjects located in the EEA, UK, or Switzerland

US Data: Data subjects located in the United States

6.2 Data Storage Locations

For EU Users:

  • Primary Data Centers: Frankfurt (Germany)
  • Backup Storage: Within EU/EEA regions only
  • Database Hosting: MongoDB Atlas EU regions (Frankfurt)

EU data is NEVER transferred to the United States or other non-EEA jurisdictions without appropriate safeguards.

For US Users:

  • Primary Data Centers: New York
  • Backup Storage: New York (backup)
  • Database Hosting: MongoDB Atlas US regions

6.3 Cross-Border Data Transfers (EU Users)

When EU personal data must be transferred outside the EEA, we use European Commission-approved Standard Contractual Clauses (SCCs) and conduct Transfer Impact Assessments (TIAs).

7. Data Retention

Data Type Retention Period Legal Basis
Account data Duration of account + 7 years Tax compliance
Documents As directed by you or until account deletion + 90 days User control
Payment records 7 years Tax and accounting obligations
Audit logs 7 years Security compliance
Session data 90 days Security monitoring
Marketing data Until opt-out + 90 days Marketing preferences
Support tickets 3 years Quality assurance

After retention periods, data is securely deleted or irreversibly anonymized using NIST SP 800-88 standards.

8. Data Security

We implement comprehensive security measures aligned with GDPR Article 32, DORA, NIS2 Directive, and SOC 2 requirements:

8.1 Technical Safeguards

  • Encryption: AES-256-GCM for data at rest, TLS 1.3 for data in transit, field-level encryption for sensitive PII
  • Access Controls: Multi-factor authentication, role-based access control, session management
  • Network Security: Network segmentation, WAF, DDoS protection, IDS/IPS, 24/7 SOC monitoring
  • Application Security: Secure SDLC, vulnerability scanning, annual penetration testing

8.2 Organizational Safeguards

  • Background checks for all employees with data access
  • Annual security awareness training
  • Confidentiality and non-disclosure agreements
  • 24/7 incident response team

8.3 Compliance

  • Data Protection Officer (DPO) appointed
  • SOC 2 Type II audits (target: Q4 2025)
  • ISO 27001:2022 certification (target: Q2 2026)
  • ISO 27701:2019 privacy certification (target: Q2 2026)

9. Your Rights and Choices

9.1 Access and Portability

  • Access your personal information via account settings
  • Download your data in machine-readable formats (CSV, JSON, PDF)
  • Request a detailed report of data we process
  • Receive data portability exports within 30 days

9.2 Correction and Deletion

  • Update incorrect or incomplete information in your account
  • Delete your account and associated data (90-day grace period)
  • Request erasure of personal data ("Right to be Forgotten")

9.3 Objection and Restriction

  • Object to processing based on legitimate interests
  • Restrict certain uses of your data
  • Withdraw consent for optional processing
  • Object to automated decision-making

9.4 Exercising Your Rights

To exercise any privacy right:

  1. Email [email protected] or [email protected] (for EU Users)
  2. Provide verification information
  3. Specify the right you wish to exercise
  4. We will respond within 30 days

10. California Privacy Rights (CCPA/CPRA)

California residents have additional rights:

  • Know: What personal information is collected, used, disclosed, or sold
  • Access: Request a copy of personal information (up to 12 months)
  • Delete: Request deletion of personal information
  • Correct: Request correction of inaccurate personal information
  • Opt-Out: Opt out of sale or sharing (we do not sell or share)
  • Non-Discrimination: Exercise rights without discrimination

To exercise rights: Email [email protected] or call 786-967-6544

11. European Privacy Rights (GDPR)

For residents of the EEA, UK, and Switzerland:

  • Access (Article 15): Obtain confirmation of processing and copy of personal data
  • Rectification (Article 16): Correct inaccurate or incomplete data
  • Erasure (Article 17): Request deletion
  • Restriction (Article 18): Limit processing
  • Data Portability (Article 20): Receive data in machine-readable format
  • Objection (Article 21): Object to processing based on legitimate interests
  • Automated Decision-Making (Article 22): Not be subject to solely automated decisions

Data Protection Officer

Contact: [email protected]

Supervisory Authority

You may lodge complaints with your local data protection authority:

  • Ireland: Data Protection Commission (DPC) - dataprotection.ie
  • UK: Information Commissioner's Office (ICO) - ico.org.uk
  • Germany: BfDI - bfdi.bund.de
  • France: CNIL - cnil.fr

12. Children's Privacy

LegalPrizm is not intended for children under 18. We do not knowingly collect information from children. If we discover such data, we will delete it immediately.

If you are a parent or guardian and believe we have collected data from a child, contact us at [email protected].

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements.

We will notify you of material changes via:

  • Email to your registered address (at least 30 days before effective date)
  • In-Service announcement
  • Website banner

For EU Users, material changes require explicit consent.

14. Contact Us

Data Protection Inquiries

Privacy Team
Email: [email protected]
Phone: +1-786-967-6544

Data Protection Officer (EU Users)
Email: [email protected]

Security Incidents
Email: [email protected]
24/7 Hotline: +1-786-967-6544 (option 9)

General Contact

VUGA Enterprises LLC d/b/a LegalPrizm
18117 Biscayne Blvd Unit 1039
Aventura, FL 33160
United States

Effective Date: February 1, 2025
Version: 3.0

Copyright © 2025 VUGA Enterprises LLC. All rights reserved.