CHRONOLAW PRIVACY POLICY

5.1 Third-Party Service Providers

We share data with service providers who perform services on our behalf. For a detailed list including data categories, locations, and data terms links, see our AI Sub-Processors page.

All third-party service providers are bound by confidentiality obligations and process data only as directed by ChronoLaw. When a BAA is in effect, subprocessors that may process PHI or ePHI are described in Section 6.4.

5.2 Legal Requirements

We may disclose information when required by law or in response to:

• Court orders, subpoenas, or other legal processes
• Requests from law enforcement or government agencies
• Protection of our legal rights or property
• Prevention of fraud, security threats, or illegal activity
• Protection of safety of our users or the public

5.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will notify you via email and/or prominent notice on the Platform before any such transfer.

5.4 Aggregate and De-identified Data

We may share aggregate, de-identified, or anonymized data that cannot reasonably be used to identify you for research, analytics, marketing, and other purposes.

6.1 Definitions

• BAA: A written Business Associate Agreement executed between you (or your organization) and ChronoLaw that incorporates or references the HIPAA Rules and governs our handling of PHI and ePHI on your behalf.
• Covered Entity: Has the meaning set forth in 45 C.F.R. § 160.103.
• PHI: Protected Health Information as defined in 45 C.F.R. § 160.103.
• ePHI: PHI that is maintained in or transmitted by electronic media, as described in 45 C.F.R. § 160.103 and the HIPAA Security Rule at 45 C.F.R. Part 164, Subpart C.
• HIPAA Rules: The Privacy Rule, Security Rule, and Breach Notification Rule at 45 C.F.R. Parts 160 and 164, Subparts A, C, D, and E, as amended from time to time.

6.2 When ChronoLaw Acts as a Business Associate

ChronoLaw is not a Covered Entity. ChronoLaw acts as your business associate under the HIPAA Rules only when you are a Covered Entity or a business associate of a Covered Entity, you submit PHI or ePHI to the Platform in a manner that makes ChronoLaw your business associate under 45 C.F.R. § 160.103, and a BAA between you and ChronoLaw is fully executed and in effect for your account.

Without a BAA in effect, you must not submit PHI or ePHI to the Platform. If a BAA is in effect, its terms control over this section to the extent of any conflict regarding PHI or ePHI. You may request a BAA at legal@chrono-law.com.

6.3 PHI and ePHI We May Process

When a BAA is in effect, PHI and ePHI you submit may include:

• Uploaded documents and extracted text
• Matter metadata, notes, and annotations
• Queries, prompts, and AI-generated outputs
• Access, authentication, and audit records relating to PHI or ePHI
• Support communications that contain PHI or ePHI

We use PHI and ePHI only to provide the Platform services described in this Privacy Policy and in the BAA. We do not use PHI or ePHI for model training, marketing, or product improvement except as expressly permitted in the BAA or required by law.

6.4 HIPAA Subprocessors

When a BAA is in effect, we may disclose PHI or ePHI to subprocessors that perform services on our behalf. We require written agreements with subprocessors that contain the restrictions and conditions required by 45 C.F.R. § 164.314(a) before the subprocessors create, receive, maintain, or transmit PHI or ePHI on our behalf.

A current list of subprocessors that may process PHI or ePHI is published on our AI Sub-Processors page. We will notify account holders of material changes to that list as described in our Terms of Use and EULA.

6.5 Your Responsibilities

You are responsible for executing a BAA before submitting PHI or ePHI, determining whether content contains PHI or ePHI, obtaining required authorizations, applying the minimum necessary standard, and managing account access and integrations. See Terms of Use §11.E for the allocation of responsibilities between you and ChronoLaw.

7.1 Technical Safeguards

7.2 Organizational Safeguards

• Employee background checks and security training
• Confidentiality agreements with all staff and contractors
• Documented security policies and procedures
• Regular security awareness training
• Incident response plan and team

7.3 SOC 2 Compliance Roadmap

ChronoLaw is actively pursuing SOC 2 Type II certification, expected within 24 months. Our compliance program includes:

• Risk assessment and management
• Security policy development and enforcement
• Vendor security reviews
• Regular penetration testing
• Business continuity and disaster recovery planning
• Annual third-party audits

7.4 Limitations

While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information. Users are responsible for maintaining the confidentiality of their account credentials.

8.1 Active Account Data

We retain your information for as long as your account remains active or as needed to provide services.

8.2 Deleted Account Data

When you delete your account:

• Immediate deletion: Account credentials and access are terminated immediately
• 30-day retention: Your data is retained for 30 days to allow for account recovery
• After 30 days: Personal data and uploaded documents are permanently deleted from production systems, except as described in Section 8.3
• Backup retention: Data in backup systems is deleted within 90 days following our backup rotation schedule, except as described in Section 8.3
• HIPAA and security compliance records: Notwithstanding the foregoing, we may retain limited records that do not remain available for ordinary Platform use, including access and authentication events, security and audit logs, BAA-related correspondence, subprocessors change notices, and deletion confirmations, when required to document access to PHI or ePHI, security monitoring, incident response, or compliance with the HIPAA Rules. Such records are restricted to compliance and security purposes and are not used for product development or marketing. They are retained for up to six (6) years from the date of creation or the date the record was last in effect, whichever is later, as described in Section 8.3.

8.3 Legal and Compliance Retention

We may retain certain information for longer periods when:

• Required by law or regulation
• Necessary for litigation, investigations, or audits
• Needed to enforce our agreements or protect our legal rights
• Required for tax, accounting, or business records
• Required to satisfy HIPAA Security Rule audit controls at 45 C.F.R. § 164.312(b) or documentation requirements at 45 C.F.R. § 164.316, including retention of audit and security records for up to six (6) years from the date of creation or the date the record was last in effect, whichever is later
• Required to demonstrate performance under a BAA, subprocessors compliance, or incident response obligations relating to PHI or ePHI

If a deletion request or the timelines in Section 8.2 conflict with a BAA, legal hold, or HIPAA retention obligations, the BAA and this Section 8.3 control for the minimum records necessary to meet those obligations.

8.4 Anonymized Data

We may retain anonymized, de-identified data indefinitely for research, analytics, and service improvement.

8.5 Legal Professional Accounts — Privileged Case Data

For subscribers who are licensed attorneys or who have designated a licensed Supervising Attorney on their account, a separate and more restrictive data handling regime applies to case-related data ("Privileged Case Data"). Privileged Case Data means all matter data, uploaded documents, queries, AI-generated outputs, and associated metadata processed in connection with a designated legal matter. ChronoLaw does not use Privileged Case Data for AI model training, human review, or product improvement. Privileged Case Data is retained only for the duration of the active subscription and up to 90 days following termination, and is subject to immediate deletion upon written request, subject to the retention exceptions in Sections 8.2 and 8.3 and any BAA in effect. PHI or ePHI within Privileged Case Data is also subject to Section 6. Full terms governing Privileged Case Data are set out in Terms of Use §§10.A through 10.E, which are incorporated into this Privacy Policy by reference for legal professional accounts.

9.1 Access and Portability

You have the right to:

• Access your personal information
• Request a copy of your data in a structured, machine-readable format
• Export your documents and case data from the Platform

Contact us at legal@chrono-law.com to exercise these rights.

9.2 Correction and Deletion

You can:

• Update your account information through the Platform settings
• Request correction of inaccurate data
• Delete your account and data (subject to 30-day retention period)

9.3 Consent Withdrawal

For processing based on consent:

• Opt out of marketing emails via unsubscribe links
• Disable analytics cookies through Platform settings
• Disconnect third-party integrations at any time
• Withdraw consent for non-essential data processing

9.4 Additional Rights (GDPR/CCPA)

If you are located in the EU, EEA, UK, California, or other jurisdictions with enhanced privacy rights, you may have additional rights:

9.5 Do Not Track

Our Platform does not currently respond to "Do Not Track" signals from browsers due to lack of industry consensus on implementation standards.

10.1 No Legal Advice

ChronoLaw provides technology tools for legal professionals. We do not provide legal advice, and use of the Platform does not create an attorney-client relationship between you and ChronoLaw.

10.2 Preservation of Privilege

We understand the critical importance of attorney-client privilege. Our security measures and confidentiality practices are designed to help you maintain privilege over your confidential legal documents and communications.

However, you are responsible for:

• Determining whether using the Platform is appropriate for privileged communications
• Obtaining necessary client consent for cloud-based storage and processing
• Maintaining appropriate security practices (strong passwords, account security)
• Complying with applicable rules of professional conduct

10.3 Waiver Considerations

While we maintain strict confidentiality, consider whether:

• Using third-party AI services could constitute waiver of privilege in your jurisdiction
• Your clients need to consent to cloud-based processing
• Your ethics rules permit use of AI tools for legal work
• Additional safeguards are needed for highly sensitive matters

Consult your bar association's ethics guidance regarding technology use.

11.1 US-Based Service

ChronoLaw operates from the United States, and all data is stored and processed on US-based servers (AWS and Vercel US data centers only).

11.2 International Users

If you access the Platform from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Platform, you consent to this transfer.

11.3 GDPR Considerations

For EU/EEA users, this transfer is based on:

• Your explicit consent
• Necessity for contract performance
• Standard contractual clauses (when applicable)

The United States may not provide the same level of data protection as your home jurisdiction. We implement appropriate safeguards as described in this Privacy Policy.

15.1 California Consumer Privacy Act (CCPA)

This section applies to California residents.

15.2 California Shine the Light Law

California residents may request information about disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

Our Response:

• Immediate investigation and containment
• Assessment of scope and impact
• Notification to affected users within 72 hours (or as required by law)
• Notification to relevant authorities as required
• Implementation of remedial measures
• Post-incident review and security improvements