Privacy Policy
Orthodoxy, Inc. · Effective April 21, 2026
Orthodoxy, Inc. ("Orthodoxy", "we", "our", or "us") operates the Orthodoxy AI research governance platform at app.orthodoxyapp.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information in connection with the Service.
The Service is provided to law firms and legal departments (each, a "Firm") as customers. When we refer to "you" in this Policy, we mean the Firm and its authorized attorneys, paralegals, and other legal professionals ("Authorized Users") who access the Service.
This Privacy Policy is incorporated into and subject to our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.
1. Information We Collect
We collect information in the following categories in connection with your use of the Service:
1.1 Account and Registration Data. When a Firm creates an account or an Authorized User is invited, we collect the name, email address, firm name, subscription tier, and assigned platform role of each Authorized User. We use this information to authenticate users, route access correctly within the firm structure, and communicate about the Service.
1.2 Matter and Research Data. When Authorized Users create matters and Research Sessions, we receive and store legal questions, matter names and numbers, party names submitted for conflict checks, citations, quoted passages, attorney annotations, checklist attestations, and Compliance Certificates (collectively, "Matter Data"). Matter Data may include information subject to attorney-client privilege or work-product protection. We treat all Matter Data as confidential and do not review, analyze, or use it for any purpose other than providing the Service to your Firm, except as described in Section 3.3 (Analytics, with Firm consent) and Section 5 (AI Processing).
1.3 Usage and Platform Data. We automatically collect certain technical information when you use the Service, including IP addresses, browser and device type, pages visited, features used, session durations, error logs, and verification navigation click events (which legal research service was accessed and when). We use this data to operate, secure, and improve the Service.
1.4 Payment Data. Billing and payment information is collected and processed directly by our payment processor, Stripe, Inc. We do not receive or store full credit card numbers. We retain only subscription status, tier, and Stripe customer and subscription identifiers necessary to manage your account.
1.5 Communications. If you contact us for support or send us feedback, we collect the content of your communications and any information you voluntarily provide. We use this to respond to your inquiry and improve the Service.
2. How We Use Information
We use the information we collect for the following purposes:
- Service Delivery. To provision accounts, authenticate users, process Research Sessions, generate Compliance Certificates, and provide all other features of the Service.
- Billing and Account Management. To process payments, enforce subscription tiers, manage seat limits, send billing notices, and handle renewals and cancellations.
- Security and Integrity. To detect and prevent unauthorized access, fraud, abuse, and violations of our Terms of Service; to enforce rate limits; and to maintain the integrity of the audit trail.
- Communications. To send transactional notifications such as task assignments, sign-off notices, partner review results, and account alerts. We do not send marketing emails without your consent.
- Legal Compliance. To comply with applicable laws, respond to lawful requests from governmental authorities, and enforce our legal rights.
- Platform Improvement (Analytics — with Firm consent only). Where a Firm has enabled analytics consent in its firm settings, to analyze aggregated, de-identified patterns in citation corrections, AI Output accuracy, and attorney governance behavior, solely for the purpose of improving the Service. See Section 3.3 for details.
3. Analytics and Data Consent
3.1 Default Posture. By default, we do not collect, retain, or analyze individual matter-level research data for platform improvement purposes. Usage and platform data (Section 1.3) is used only for service operation and security.
3.2 Analytics Consent. Firm Administrators may enable an optional analytics consent toggle in the firm settings panel. When enabled, we may collect and retain additional structured data, including: the citation correction type when an attorney removes or corrects a citation; and session-level accuracy summaries (aggregate counts, not full citation text). This data is used solely to improve AI research governance models and is never shared with third parties in identifiable form.
3.3 Revocation. A Firm may revoke analytics consent at any time by disabling the toggle in firm settings. Revocation applies prospectively; data collected prior to revocation is retained in de-identified, aggregated form for up to two (2) years and then deleted.
4. AI Processing and Third-Party AI Providers
4.1 How Matter Data Flows to AI Providers. When an Authorized User initiates a Research Session or requests passage analysis, the Service transmits relevant portions of your legal research query and, where applicable, cited text to a third-party large language model provider (currently Anthropic, PBC) to generate AI Output. This transmission is necessary to provide the core functionality of the Service.
4.2 AI Provider Data Handling. Anthropic's API usage policies govern how Anthropic processes data transmitted to its API. As of the Effective Date, Anthropic does not use API inputs or outputs to train its models by default. We encourage you to review Anthropic's API data usage policy independently. Orthodoxy is not responsible for the data practices of Anthropic or any other AI provider.
4.3 Prompt Caching. For efficiency and cost reduction, we implement prompt caching on static, non-matter-specific portions of our AI prompts. Matter-specific content (your legal question and context) is not cached across Research Sessions.
4.4 Sensitive Information. We recommend that Authorized Users avoid submitting information that is not necessary for the legal research question at hand, particularly highly sensitive personal information about clients, witnesses, or third parties. The Service is designed for citation governance, not for processing sensitive personal data of third parties.
5. Subprocessors and Third-Party Services
We engage the following third-party service providers to operate the Service. Each subprocessor is bound by data protection obligations consistent with this Policy and applicable law.
| Subprocessor | Purpose | Data Processed |
|---|---|---|
| Anthropic, PBC | AI inference | Legal research queries; citation context |
| Supabase, Inc. | Database; authentication | All Customer Data; account credentials |
| Stripe, Inc. | Payment processing | Billing information; subscription status |
| Vercel, Inc. | Cloud infrastructure; CDN | All Service traffic; application logs |
| Resend, Inc. | Transactional email | Name; email address; notification content |
| Upstash, Inc. | Rate limiting cache | User ID; request timestamps (no content) |
We will provide notice of material changes to our subprocessor list as described in our Terms of Service. An up-to-date list is available upon request at support@orthodoxyapp.com.
6. Disclosure of Information
We do not sell, rent, or trade personal information. We may disclose information in the following limited circumstances:
6.1 Subprocessors. As described in Section 5, to the extent necessary for subprocessors to deliver services on our behalf.
6.2 Legal Requirements. If required by law, subpoena, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Orthodoxy, our customers, or the public. Where legally permissible, we will provide the Firm with prior notice of any such disclosure involving its data.
6.3 Business Transfers. In connection with a merger, acquisition, reorganization, or sale of assets, in which case we will notify affected Firms before their data is transferred or becomes subject to a different privacy policy, and we will require any successor to honor the commitments made in this Policy.
6.4 With Firm Consent. For any purpose with the Firm's prior written consent.
7. Data Security
7.1 Technical Measures. We implement industry-standard security controls, including: (a) AES-256 encryption of data at rest via Supabase's database encryption; (b) TLS 1.2 or higher for all data in transit; (c) row-level security policies enforcing firm-scoped data isolation at the database level; (d) role-based access controls within the platform; (e) cryptographic hash verification for Compliance Certificates (SHA-256); and (f) sliding-window rate limiting on all AI and export endpoints.
7.2 Access Controls. Access to Customer Data by Orthodoxy personnel is limited to personnel who need it to provide the Service or respond to support requests. We do not access matter-specific data without Firm authorization, except as required by applicable law.
7.3 Breach Notification. In the event of a confirmed security breach involving Customer Data, we will notify the Firm Administrator without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the breach, to the extent we can identify which Firms are affected. We will provide information about the nature of the breach and the steps we are taking to address it.
7.4 No Absolute Security. No security measure is perfect. We cannot guarantee that unauthorized parties will never be able to defeat our security controls. The Firm is responsible for maintaining the security of its account credentials and for promptly notifying us of any suspected unauthorized access.
8. Data Retention
| Category | Retention Period |
|---|---|
| Account and registration data | Duration of Subscription Term + 90 days post-termination |
| Matter and research data (Customer Data) | Duration of Subscription Term + 90-day export window, then deleted or anonymized |
| Compliance Certificates and sign-off records | Duration of Subscription Term + 90 days; Firm may export before deletion |
| Audit logs (billing, member changes, session events) | 7 years from event date (legal professional record-keeping standard) |
| Analytics data (if consent enabled) | 2 years from collection date (de-identified aggregate only) |
| Usage and platform logs | 90 days (rolling), then deleted |
We may retain information for longer periods if required by applicable law or if necessary for the establishment, exercise, or defense of legal claims.
9. Attorney-Client Privilege and Work Product
9.1 Confidential Treatment. We recognize that Matter Data may be protected by attorney-client privilege, the work-product doctrine, or other legal protections. We treat all Matter Data as confidential and have implemented technical and contractual controls designed to support the confidentiality of that data.
9.2 Firm's Responsibility. The Firm is solely responsible for determining whether its use of the Service is consistent with its privilege and confidentiality obligations to its clients under applicable rules of professional conduct, including any obligations relating to disclosure of client information to third-party service providers. Orthodoxy does not represent that use of the Service preserves privilege or satisfies any particular ethical obligation.
9.3 No Waiver Representation. Orthodoxy makes no representation regarding whether transmitting Matter Data to the Service or to third-party AI providers constitutes a waiver of any privilege or protection. The Firm should consult independent counsel regarding these questions.
10. Your Privacy Rights
10.1 General Rights. Subject to applicable law, Authorized Users may request: (a) access to personal information we hold about them; (b) correction of inaccurate personal information; (c) deletion of personal information (subject to our retention obligations and legitimate interests); and (d) a copy of their personal information in a portable format. To exercise these rights, contact us at support@orthodoxyapp.com. We will respond within the timeframe required by applicable law.
10.2 California Residents (CCPA / CPRA). California residents have the right to: (a) know the categories and specific pieces of personal information collected about them; (b) request deletion of personal information, subject to certain exceptions; (c) correct inaccurate personal information; (d) opt out of the sale or sharing of personal information (we do not sell or share personal information as defined under the CCPA); and (e) non-discrimination for exercising their privacy rights. To submit a verifiable consumer request, contact us at the address above. We will verify your identity before responding. You may designate an authorized agent to submit requests on your behalf.
10.3 EEA and UK Residents (GDPR / UK GDPR). If you are located in the European Economic Area or United Kingdom, you have rights under the GDPR or UK GDPR, including the right to access, rectify, erase, restrict processing of, and port your personal data, and to object to processing based on our legitimate interests. Our legal bases for processing are: performance of a contract (service delivery and billing); legitimate interests (security, fraud prevention, platform improvement); compliance with legal obligations; and consent (analytics). You may also lodge a complaint with your local data protection authority. Orthodoxy's processing of personal data for EEA or UK users involves international transfers to the United States; we rely on Standard Contractual Clauses or equivalent transfer mechanisms where required.
10.4 Note on Firm-Controlled Data. Where personal information is processed by Orthodoxy at the direction of the Firm (i.e., Customer Data submitted by Authorized Users), the Firm acts as the data controller and Orthodoxy acts as a data processor. Requests from individual Authorized Users regarding such data should be directed to the Firm in the first instance; we will cooperate with the Firm in responding to verifiable requests.
11. Cookies and Tracking Technologies
11.1 Authentication Cookies. The Service uses session cookies set by our authentication provider (Supabase) to maintain your logged-in state. These cookies are strictly necessary for the Service to function and cannot be disabled without preventing access to the Service.
11.2 No Third-Party Tracking. We do not use third-party advertising cookies, cross-site tracking cookies, or behavioral advertising technologies on the Service. We do not participate in any ad networks or data brokers.
11.3 Browser Controls. You may configure your browser to reject or delete cookies, but doing so will likely prevent you from logging into or using the Service.
12. Children's Privacy
The Service is intended solely for use by legal professionals who are at least 18 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it promptly.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes to how we collect, use, or share personal information, we will provide at least thirty (30) days' prior notice by email to the Firm Administrator or by a prominent notice in the Service, and we will update the Effective Date at the top of this Policy. Your continued use of the Service after the effective date of any update constitutes acceptance of the revised Policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Orthodoxy, Inc.
Privacy Inquiries
support@orthodoxyapp.com
We will respond to all verifiable privacy requests within thirty (30) days, or within any shorter period required by applicable law.