Privacy Policy

Effective Date: February 1, 2026 · Last Updated: February 10, 2026

LegalPoint, Inc. (“LegalPoint,” “we,” “us,” or “our”) is committed to protecting the privacy of our users. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you access or use the LegalPoint platform, including our website, web application, and related services (collectively, the “Service”).

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.


1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Name, email address, password (hashed using Argon2id), firm name, bar number, and professional role when you create an account or complete onboarding.
  • Client and Case Data: Case details, client contact information, billing records, time entries, documents, communications, and other data you enter into the platform in the course of managing legal matters.
  • Billing Information: Payment method details processed through our third-party payment processors (Stripe and LawPay). We do not store full credit card numbers on our servers.
  • Communications: Messages, emails, and other content you send or receive through the platform, including emails synced from connected Gmail or Outlook accounts.
  • Support Requests: Information you provide when contacting our support team.

1.2 Information Collected Automatically

  • Usage Data: Pages viewed, features used, actions taken, session duration, and navigation patterns within the Service.
  • Device and Connection Information: IP address, browser type and version, operating system, device identifiers, and referring URLs.
  • Authentication Events: Login timestamps, IP addresses associated with login attempts (successful and failed), session tokens, and account lockout events for security monitoring.
  • Cookies and Similar Technologies: We use essential cookies to maintain your session (e.g., better-auth.session_token). We do not use third-party tracking cookies.

1.3 Information from Third-Party Services

  • OAuth Providers: If you sign in using Google or Microsoft, we receive your name, email address, and profile picture from those providers. We do not receive or store your Google or Microsoft password.
  • Connected Email Accounts: If you connect a Gmail or Outlook account for email integration, we access email metadata and content as authorized by your OAuth consent. Access tokens are encrypted using AES-256-GCM before storage.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, maintain, and improve the LegalPoint platform, including case management, billing, document management, and client communication features.
  • Authentication and Security: To verify your identity, maintain session integrity, enforce rate limiting, detect unauthorized access, and protect against brute-force attacks through account lockout mechanisms.
  • Notifications: To send transactional emails related to your account (password resets, security alerts, account lockout notifications) and platform activity (case updates, billing notifications, deadline reminders).
  • Audit Trail: To maintain comprehensive audit logs of all significant actions taken within the platform for E&O risk reduction, regulatory compliance, and dispute resolution.
  • Multi-Tenancy Enforcement: To ensure that data belonging to your organization is segregated from and inaccessible to users of other organizations.
  • Analytics and Improvement: To understand how the Service is used and to improve its functionality, performance, and reliability.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share your information in the following limited circumstances:

  • Within Your Organization: Data you enter into the platform may be visible to other authorized users in your organization based on their role and permissions (Partner, Associate, Paralegal).
  • Client Portal Users: Information you designate for client access (e.g., documents marked for “Client Review,” case status updates, invoices) is shared with authenticated client portal users linked to the relevant client record.
  • Insurance Carrier Portal: For insurance defense matters, case and billing information may be visible to authorized carrier portal users as configured by your organization.
  • Service Providers: We engage trusted third-party service providers to perform functions on our behalf, including:
    • Vercel (hosting and deployment)
    • Neon (PostgreSQL database hosting)
    • Cloudflare R2 (document storage)
    • Resend (transactional email delivery)
    • Stripe (subscription payment processing)
    • Inngest (background job processing)
    These providers are contractually obligated to use your information only as necessary to perform services for us and to maintain appropriate security measures.
  • Legal Obligations: We may disclose information when required by law, subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.

4. Data Security

We implement industry-standard administrative, technical, and physical safeguards to protect your information, including:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher, enforced via HSTS headers.
  • Encryption at Rest: Database storage is encrypted at rest. OAuth tokens for connected email accounts are encrypted using AES-256-GCM with application-level encryption keys.
  • Password Security: Passwords are hashed using Argon2id (memory-hard, GPU-resistant) and are never stored in plaintext. We enforce a minimum 12-character password requirement.
  • Access Controls: Role-based access control (RBAC) restricts access to data based on user roles. All database queries enforce organization-level data isolation (multi-tenancy).
  • Brute-Force Protection: IP-based rate limiting and per-account lockout after consecutive failed login attempts protect against unauthorized access.
  • Security Headers: Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers are enforced on all responses.
  • Audit Logging: All authentication events and data mutations are logged with timestamps, user identifiers, and IP addresses for SOC 2 compliance readiness.
  • Multi-Factor Authentication: TOTP-based two-factor authentication is available for all user accounts.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.


5. Data Retention

  • Account Data: We retain your account information for as long as your account is active or as needed to provide the Service. Upon account deletion, we will delete or anonymize your personal data within 90 days, subject to legal retention obligations.
  • Client and Case Data: Given the nature of legal practice management, case data and associated records are retained for the duration of your subscription plus any retention period required by applicable rules of professional conduct and record-keeping obligations.
  • Audit Logs: Authentication and activity logs are retained for a minimum of seven (7) years to support E&O insurance claims, regulatory audits, and compliance requirements.
  • Backup Data: Database backups are retained for up to 30 days and are automatically purged thereafter.

6. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data, subject to legal retention obligations and the rights of other parties whose data you have entered into the platform.
  • Data Portability: Request export of your data in a structured, commonly used, machine-readable format.
  • Opt-Out of Non-Essential Communications: You may opt out of marketing communications at any time. You cannot opt out of transactional and security-related communications.
  • Session Management: You can view and revoke active sessions from your account settings.

To exercise any of these rights, please contact us at privacy@legalpoint.io.


7. Attorney-Client Privilege and Confidentiality

LegalPoint acknowledges that the data stored on our platform may include information protected by attorney-client privilege, work product doctrine, or other applicable legal privileges. We do not access, review, or analyze the content of your legal files, case data, or client communications for any purpose other than providing the Service as directed by you.

Our employees and contractors are bound by confidentiality obligations. We will not disclose privileged information except as required by law or with your explicit consent.


8. Children's Privacy

The Service is not directed to individuals under the age of 18 and is intended for use by licensed attorneys, legal professionals, and authorized business personnel. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact us and we will take steps to delete such information.


9. International Data Transfers

LegalPoint is based in the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States.


10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination.

We do not sell or share personal information as defined under the CCPA/CPRA. To exercise your California privacy rights, please contact us at privacy@legalpoint.io.


11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page with a revised “Last Updated” date and, where appropriate, by sending an email notification to the address associated with your account.

Your continued use of the Service after any changes constitutes your acceptance of the revised Privacy Policy.


12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: