CHRONOLAW PRIVACY POLICY

Effective Date: December 5, 2025

Last Updated: December 5, 2025

How we collect, use, disclose, and safeguard your information

1. INTRODUCTION

ChronoLaw LLC ("ChronoLaw," "we," "us," or "our") operates the ChronoLaw platform (the "Platform"), an artificial intelligence-powered litigation management and document analysis service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform.

Company Information:

  • Legal Entity: ChronoLaw LLC
  • Address: 358 E 250 N, Vineyard, UT 84059
  • Email: legal@chrono-law.com
  • Jurisdiction: Utah, United States

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Platform.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

Account Information:

  • Name and email address
  • Professional credentials (law firm, bar number, practice area)
  • Billing and payment information
  • Organization details (for Team and Enterprise tiers)

Content You Upload:

  • Legal documents (PDFs, DOCX, XLSX, CSV, TXT, EML, MSG, MBOX files)
  • Case information and metadata
  • Notes, annotations, and comments
  • Queries and conversations with the AI assistant
  • Search history and saved searches

Communications:

  • Support tickets and correspondence
  • Feedback and survey responses
  • Email communications with our team

2.2 Information Collected Automatically

Usage Data:

  • Log files (IP address, browser type, operating system)
  • Device information (device type, unique device identifiers)
  • Pages visited and features used
  • Time, frequency, and duration of activities
  • Clicks, scrolls, and navigation patterns
  • Error logs and performance data

Cookies and Similar Technologies:

  • Authentication cookies (essential)
  • Session management cookies (essential)
  • Analytics cookies (with consent)
  • Preference cookies (with consent)

2.3 Information from Third-Party Services

When you connect third-party integrations, we may receive:

Cloud Storage Services (Google Drive, Dropbox, OneDrive):

  • File names, sizes, and metadata
  • Folder structure and organization
  • Access timestamps
  • OAuth tokens (encrypted and stored securely)

Legal Practice Management (Clio, RelativityOne):

  • Matter information and case metadata
  • Document metadata and access logs
  • User permissions and roles

Legal Research Services (Westlaw, LexisNexis):

  • Citation verification data
  • Legal authority information
  • Research history (anonymized)

AI Service Providers (Anthropic Claude, OpenAI, Google Gemini):

  • API request logs (no content stored by providers per our agreements)
  • Usage metrics and token counts
  • Error and performance data

Development and Monitoring Tools (LangSmith):

  • Application performance metrics
  • Error tracking and debugging data
  • Feature usage analytics

3. HOW WE USE YOUR INFORMATION

We use your information for the following purposes:

3.1 Service Delivery

  • Provide, maintain, and improve the Platform
  • Process and analyze legal documents using AI
  • Generate chronologies, summaries, and insights
  • Enable document search and citation tracking
  • Facilitate cloud storage integrations
  • Provide customer support and respond to inquiries

3.2 Account Management

  • Create and manage user accounts
  • Authenticate users and maintain security
  • Process subscription payments and billing
  • Enforce usage limits based on subscription tier
  • Manage team and enterprise account features

3.3 Platform Improvement

  • Analyze usage patterns and trends
  • Improve AI model performance and accuracy
  • Develop new features and capabilities
  • Identify and fix technical issues
  • Conduct research and development

3.4 Communications

  • Send service-related notifications
  • Provide technical support
  • Send security alerts and important updates
  • Respond to user inquiries
  • Send marketing communications (with consent, opt-out available)

3.5 Legal and Security

  • Comply with legal obligations
  • Enforce our Terms of Use and EULA
  • Detect and prevent fraud, abuse, and security incidents
  • Protect the rights, property, and safety of ChronoLaw, users, and others
  • Respond to legal requests and prevent harm

4. LEGAL BASIS FOR PROCESSING (GDPR)

For users in jurisdictions with data protection laws (including GDPR), our legal bases for processing include:

  • Contract Performance: Processing necessary to provide the Platform services
  • Legitimate Interests: Improving our services, security, fraud prevention
  • Legal Obligation: Compliance with laws and regulations
  • Consent: Marketing communications and optional features (withdrawable)

5. DATA SHARING AND DISCLOSURE

We do not sell your personal information. We share information only as described below:

5.1 Third-Party Service Providers

We share data with service providers who perform services on our behalf:

Infrastructure and Hosting:

  • Render: Backend hosting and computing (US-only data centers)
  • Vercel: Frontend hosting and CDN (US-only data centers)

Database and Storage:

  • PostgreSQL (hosted on Render): Structured data storage
  • Pinecone: Vector database for semantic search (data encrypted at rest and in transit)

AI Processing:

  • Anthropic (Claude API): Natural language processing and generation
  • OpenAI (GPT models): Document analysis and summarization
  • Google (Gemini API): Additional AI capabilities

Authentication and Authorization:

  • Google OAuth: User authentication services

Cloud Storage Integrations (when you connect them):

  • Google Drive, Dropbox, OneDrive: Document import functionality
  • We only access files you explicitly select for import

Legal Platform Integrations (when you connect them):

  • Clio, RelativityOne: Legal practice management integration
  • We only access matters and documents you explicitly select

Legal Research Services (when you use them):

  • Westlaw, LexisNexis: Citation verification and legal research
  • Queries may be sent to these services for validation

Development and Monitoring:

  • LangSmith: Application performance monitoring and debugging
  • Only metadata and anonymized logs are shared

Payment Processing:

  • Payment processors for subscription billing (we do not store credit card data directly)

All third-party service providers are bound by confidentiality obligations and process data only as directed by ChronoLaw.

5.2 Legal Requirements

We may disclose information when required by law or in response to:

  • Court orders, subpoenas, or other legal processes
  • Requests from law enforcement or government agencies
  • Protection of our legal rights or property
  • Prevention of fraud, security threats, or illegal activity
  • Protection of the safety of our users or the public

5.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will notify you via email and/or prominent notice on the Platform before any such transfer.

5.4 Aggregate and De-identified Data

We may share aggregate, de-identified, or anonymized data that cannot reasonably be used to identify you for research, analytics, marketing, and other purposes.

6. DATA SECURITY

We implement comprehensive security measures to protect your information:

6.1 Technical Safeguards

Encryption:

  • TLS/SSL encryption for all data in transit
  • AES-256 encryption for data at rest
  • End-to-end encryption for sensitive OAuth tokens
  • Field-level encryption for payment information

Access Controls:

  • Multi-factor authentication support (passkeys, biometric authentication)
  • Role-based access control (RBAC) for team and enterprise accounts
  • Least-privilege principle for system access
  • Regular access reviews and audits

Infrastructure Security:

  • Isolated production and development environments
  • Automated security patching and updates
  • DDoS protection and rate limiting
  • Web application firewall (WAF)
  • Intrusion detection and prevention systems

Application Security:

  • Input validation and sanitization
  • OWASP Top 10 vulnerability prevention
  • Regular security code reviews
  • Dependency vulnerability scanning
  • Secure coding practices and training

Monitoring and Logging:

  • Comprehensive audit logging of data access
  • Real-time security monitoring and alerting
  • Automated anomaly detection
  • Regular security log reviews
  • Incident response procedures

6.2 Organizational Safeguards

  • Employee background checks and security training
  • Confidentiality agreements with all staff and contractors
  • Documented security policies and procedures
  • Regular security awareness training
  • Incident response plan and team

6.3 SOC 2 Compliance Roadmap

ChronoLaw is actively pursuing SOC 2 Type II certification, expected within 24 months. Our compliance program includes:

  • Risk assessment and management
  • Security policy development and enforcement
  • Vendor security reviews
  • Regular penetration testing
  • Business continuity and disaster recovery planning
  • Annual third-party audits

6.4 Limitations

While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information. Users are responsible for maintaining the confidentiality of their account credentials.

7. DATA RETENTION

7.1 Active Account Data

We retain your information for as long as your account remains active or as needed to provide services.

7.2 Deleted Account Data

When you delete your account:

  • Immediate deletion: Account credentials and access are terminated immediately
  • 30-day retention: Your data is retained for 30 days to allow for account recovery
  • After 30 days: All personal data and uploaded documents are permanently deleted from production systems
  • Backup retention: Data in backup systems is deleted within 90 days following our backup rotation schedule

7.3 Legal and Compliance Retention

We may retain certain information for longer periods when:

  • Required by law or regulation
  • Necessary for litigation, investigations, or audits
  • Needed to enforce our agreements or protect our legal rights
  • Required for tax, accounting, or business records

7.4 Anonymized Data

We may retain anonymized, de-identified data indefinitely for research, analytics, and service improvement.

8. YOUR RIGHTS AND CHOICES

8.1 Access and Portability

You have the right to:

  • Access your personal information
  • Request a copy of your data in a structured, machine-readable format
  • Export your documents and case data from the Platform

Contact us at legal@chrono-law.com to exercise these rights.

8.2 Correction and Deletion

You can:

  • Update your account information through the Platform settings
  • Request correction of inaccurate data
  • Delete your account and data (subject to 30-day retention period)

8.3 Consent Withdrawal

For processing based on consent:

  • Opt out of marketing emails via unsubscribe links
  • Disable analytics cookies through Platform settings
  • Disconnect third-party integrations at any time
  • Withdraw consent for non-essential data processing

8.4 Additional Rights (GDPR/CCPA)

If you are located in the EU, EEA, UK, California, or other jurisdictions with enhanced privacy rights, you may have additional rights:

GDPR Rights:

  • Right to restriction of processing
  • Right to object to processing
  • Right to lodge a complaint with a supervisory authority
  • Right to withdraw consent without affecting prior lawful processing

CCPA Rights (California Residents):

  • Right to know categories and specific pieces of personal information collected
  • Right to know categories of sources from which information was collected
  • Right to know business or commercial purpose for collecting information
  • Right to know categories of third parties with whom information is shared
  • Right to non-discrimination for exercising CCPA rights

How to Exercise Your Rights:

  • Email: legal@chrono-law.com
  • Mail: ChronoLaw LLC, 358 E 250 N, Vineyard, UT 84059
  • Response time: Within 30 days (45 days for complex requests)
  • Verification: We may require verification of your identity before processing requests

8.5 Do Not Track

Our Platform does not currently respond to "Do Not Track" signals from browsers due to lack of industry consensus on implementation standards.

9. ATTORNEY-CLIENT PRIVILEGE

9.1 No Legal Advice

ChronoLaw provides technology tools for legal professionals. We do not provide legal advice, and use of the Platform does not create an attorney-client relationship between you and ChronoLaw.

9.2 Preservation of Privilege

We understand the critical importance of attorney-client privilege. Our security measures and confidentiality practices are designed to help you maintain privilege over your confidential legal documents and communications.

However, you are responsible for:

  • Determining whether using the Platform is appropriate for privileged communications
  • Obtaining necessary client consent for cloud-based storage and processing
  • Maintaining appropriate security practices (strong passwords, account security)
  • Complying with applicable rules of professional conduct

9.3 Waiver Considerations

While we maintain strict confidentiality, consider whether:

  • Using third-party AI services could constitute waiver of privilege in your jurisdiction
  • Your clients need to consent to cloud-based processing
  • Your ethics rules permit use of AI tools for legal work
  • Additional safeguards are needed for highly sensitive matters

Consult your bar association's ethics guidance regarding technology use.

10. INTERNATIONAL DATA TRANSFERS

10.1 US-Based Service

ChronoLaw operates from the United States, and all data is stored and processed on US-based servers (Render and Vercel US data centers only).

10.2 International Users

If you access the Platform from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Platform, you consent to this transfer.

10.3 GDPR Considerations

For EU/EEA users, this transfer is based on:

  • Your explicit consent
  • Necessity for contract performance
  • Standard contractual clauses (when applicable)

The United States may not provide the same level of data protection as your home jurisdiction. We implement appropriate safeguards as described in this Privacy Policy.

11. CHILDREN'S PRIVACY

The Platform is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately at legal@chrono-law.com, and we will delete such information promptly.

12. THIRD-PARTY LINKS

The Platform may contain links to third-party websites, services, or resources not operated by ChronoLaw. This Privacy Policy does not apply to third-party sites. We are not responsible for the privacy practices or content of third parties. We encourage you to review the privacy policies of any third-party services you access.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make changes:

  • We will update the "Last Updated" date at the top of this policy
  • For material changes, we will provide prominent notice via email or Platform notification
  • Continued use of the Platform after changes constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically.

Previous versions: Available upon request at legal@chrono-law.com

14. CALIFORNIA-SPECIFIC DISCLOSURES

14.1 California Consumer Privacy Act (CCPA)

This section applies to California residents.

Categories of Personal Information Collected (last 12 months):

  • Identifiers (name, email, IP address)
  • Commercial information (subscription details, usage data)
  • Internet activity (browsing, search history, interactions)
  • Professional information (law firm, practice area)
  • Geolocation data (approximate location from IP)

Categories of Sources:

  • Directly from you (account creation, uploads)
  • Automatically (usage data, logs)
  • Third-party integrations (with your authorization)

Business Purposes for Collection:

  • Service delivery and improvement
  • Security and fraud prevention
  • Legal compliance
  • Communications

Categories of Third Parties We Share With:

  • Service providers (hosting, AI processing, analytics)
  • Cloud storage and legal platforms (when you connect them)
  • Legal authorities (when required)

Sale of Personal Information:

  • We do NOT sell personal information
  • We do NOT share personal information for cross-context behavioral advertising

14.2 California Shine the Light Law

California residents may request information about disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

15. NEVADA PRIVACY RIGHTS

Nevada residents have the right to opt out of the sale of certain covered information. We do not sell covered information as defined by Nevada law. If you are a Nevada resident and have questions, contact legal@chrono-law.com.

16. DATA BREACH NOTIFICATION

In the event of a data breach that compromises the security of your personal information:

Our Response:

  • Immediate investigation and containment
  • Assessment of scope and impact
  • Notification to affected users within 72 hours (or as required by law)
  • Notification to relevant authorities as required
  • Implementation of remedial measures
  • Post-incident review and security improvements

Notification Will Include:

  • Nature of the breach
  • Types of information involved
  • Steps taken to mitigate harm
  • Contact information for questions
  • Recommended actions for affected users

17. CONTACT INFORMATION

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices:

  • Email: legal@chrono-law.com
  • Mail:
    ChronoLaw LLC
    Privacy Officer
    358 E 250 N
    Vineyard, UT 84059
    United States
  • Response Time: We aim to respond to all privacy inquiries within 10 business days (30 days for formal data subject requests).

18. DISPUTE RESOLUTION

For privacy-related disputes:

Informal Resolution:

Contact us first at legal@chrono-law.com. We will work in good faith to resolve concerns.

Formal Dispute Resolution:

See our Terms of Use for binding arbitration provisions.

Regulatory Complaints:

You may file complaints with:

  • Utah Division of Consumer Protection
  • Federal Trade Commission (FTC)
  • Your state attorney general
  • EU/EEA residents: Your local data protection authority

Document Version: 1.0

Governing Law: Utah law (see Terms of Use)

© 2025 ChronoLaw LLC. All rights reserved.