Privacy Policy

1. Information We Collect

We collect several types of information in connection with your use of the Service:

1.1 Account and Registration Information

When you create an account, we collect:

• Name
• Email address
• Phone number
• Law firm or organization name
• Bar number and jurisdiction
• Job title and role
• Billing and payment information (processed through third-party payment processors)

1.2 User Content and Matter Data

You, your firm, and any AI agents acting on your behalf upload, generate, or submit documents and information to the Service, including but not limited to:

• Case complaints, pleadings, and other legal filings
• Discovery requests, responses, and related materials
• Client documents and evidence
• Attorney work product
• Notes, annotations, comments, and agent-generated outputs
• Queries, prompts, and instructions issued to the Service (including those issued by AI agents on your behalf)
• Any other documents or information you choose to upload

We treat all User Content as highly confidential and subject to attorney-client privilege. We do not access, review, or use User Content except as necessary to provide the Service to you or as required by law.

1.3 Usage and Technical Information

We automatically collect certain technical information when you use the Service:

• IP address and device identifiers
• Browser type and version
• Operating system
• Access times and dates
• Pages viewed and features used
• Search queries and prompts entered into the Service
• Error logs and diagnostic information
• Cookies and similar tracking technologies (see Section 9)

1.4 Communications

We collect information when you communicate with us, including:

• Support requests and correspondence
• Feedback and survey responses
• Messages sent through the Service

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 To Provide and Operate the Service

• Creating and managing your account
• Processing your User Content through AI models, agents, and tools to support ingestion, search, analysis, and drafting workflows you or your agents initiate
• Exposing tools, data, and resources through the MCP server and API so that AI agents you authorize can act on your behalf
• Storing and organizing your documents, matters, and collections
• Providing search, analysis, and document management functionality
• Authenticating users and enforcing account security

2.2 To Improve and Develop the Service

• Analyzing usage patterns to improve Service functionality
• Identifying and fixing technical issues
• Developing new features and capabilities
• Conducting research and development on AI-assisted legal technology

IMPORTANT: We do not use your User Content (case documents, client information, or attorney work product) to train or improve AI models. Your confidential case materials remain confidential and are used solely to provide services to you.

2.3 To Communicate with You

• Sending service announcements and updates
• Responding to your support requests
• Providing security alerts and notifications
• Notifying you of changes to our Terms of Service or Privacy Policy
• Sending billing statements and payment confirmations

2.4 To Ensure Security and Compliance

• Detecting and preventing fraud, abuse, or unauthorized access
• Enforcing our Terms of Service
• Complying with legal obligations and court orders
• Protecting our rights, property, and safety

3. How We Share Your Information

We implement strict limitations on information sharing to protect attorney-client privilege and maintain confidentiality.

3.1 Third-Party Service Providers

We share information with third-party service providers who perform services on our behalf:

AI Services Operated by Inquisita. To deliver core platform features, Inquisita uses third-party cloud and AI infrastructure providers under our own enterprise agreements. These services support functions such as document extraction, embedding generation, and automated pipeline analysis. Under our agreements with these providers, your User Content is not used to train their foundation models, is processed solely to generate outputs for your benefit, and is subject to enterprise-grade encryption and access controls. Our specific provider relationships may change over time; we will update this Privacy Policy to reflect material changes.

Agent-Operated AI Services. Inquisita is a Model Context Protocol (MCP) server. Reasoning, drafting, and analytical work performed via the Service is typically executed by the AI agent platform you authorize — for example, Claude Desktop, ChatGPT, Microsoft Copilot, Google Gemini, or a custom agent operated by you or your firm. When you connect such an agent, that agent retrieves User Content from Inquisita's MCP server and may transmit it to the underlying model provider operated by your agent platform. Inquisita has no contractual relationship with the model provider behind your chosen agent and does not control how that provider stores, retains, logs, or otherwise processes the data the agent sends to it. Your use of an agent platform is governed by your separate agreement with that platform. We strongly recommend that, before connecting an agent to the Service for use with confidential client information, you review the data-handling, retention, and training policies of both your agent platform and the underlying model it uses.

Cloud Infrastructure Providers: We use AWS cloud hosting services to store and process data. These providers are bound by confidentiality obligations and security standards.

Payment Processors: We use Stripe to handle billing and payment information. We do not store full credit card numbers on our systems.

3.2 Law Firm Administrators

If you are part of a law firm account, the firm administrator may access information about your account usage, including activity logs and billing information.

3.3 Cross-Firm Data Isolation

We maintain strict tenant isolation. We will never share your User Content with other law firms, including firms adverse to you in litigation. Our technical architecture prevents any cross-firm data access.

3.4 Legal Requirements

We may disclose information if required by law, including:

• In response to valid subpoenas, court orders, or other legal process
• To comply with regulatory requirements
• To protect our rights, property, or safety, or the rights, property, or safety of others
• In connection with the investigation of fraud, security breaches, or illegal activity

We will notify you of legal demands for your information unless prohibited by law or court order, and we will provide you an opportunity to challenge such demands where legally permissible.

3.5 Business Transfers

If Inquisita is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

3.6 With Your Consent

We may share information with third parties when you explicitly consent to such sharing.

3.7 We Do Not Share, Sell, or Rent Information

We never sell, rent, or share your information for marketing purposes or with data brokers. We do not allow third parties to use your User Content for their own purposes.

4. Data Retention

4.1 User Content

We retain your User Content for as long as your account remains active. Closing or archiving a matter within the Service does not automatically delete the associated User Content; firm administrators may delete specific matters or documents at any time through the Service interface. Upon termination of your account:

• Inquisita will provide written notice of account termination not less than thirty (30) days in advance of the effective termination date (except in cases of material breach, in which case termination may be immediate).
• You have thirty (30) days following the effective termination date to download your User Content.
• After thirty (30) days, we delete User Content from our production systems.
• We may retain copies in encrypted backup systems for up to ninety (90) days for disaster recovery purposes, after which all copies are permanently deleted.

4.2 Account Information

We retain account registration information for the duration of your active account plus three (3) years following account termination, for business record-keeping, legal compliance, and dispute resolution purposes.

4.3 Usage and Technical Information

We retain usage logs and technical information for up to two (2) years for security monitoring, debugging, and Service improvement purposes. These logs do not contain the substance of uploaded documents.

4.4 Billing Records

We retain billing records, payment confirmations, and transaction histories for seven (7) years from the date of the transaction, in compliance with applicable financial recordkeeping requirements.

4.5 Legal Holds

If we receive a litigation hold notice or preservation demand, we will preserve relevant information as required by law, even if it would otherwise be deleted under our normal retention schedule. Firm administrators may also designate specific matters or User Content as subject to an internal litigation hold through the Service interface; such content will be preserved until the hold is released by the firm administrator.

5. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information:

5.1 Encryption

• Data in transit is encrypted using TLS 1.2 or higher
• Data at rest is encrypted using AES-256 encryption or equivalent
• Database encryption using AWS KMS with tenant isolation via IAM ABAC

5.2 Access Controls

• Attribute-Based Access Control (ABAC) for tenant isolation
• Role-based access controls for internal personnel
• Principle of least privilege for all system access

5.3 Network Security

• Firewall protection and intrusion detection systems
• Regular security audits and penetration testing
• Automated vulnerability scanning
• Network segmentation and isolation

5.4 Personnel Security

• Background checks for employees with access to systems
• Confidentiality agreements for all personnel
• Security awareness training
• Immediate revocation of access upon employee termination

5.5 Compliance Framework

We are designing our security architecture with HIPAA and SOC 2 compliance standards in mind, though we do not yet certify compliance with these frameworks. We continuously assess our security posture against industry best practices.

5.6 Limitations

No method of transmission over the Internet or electronic storage is 100% secure. While we use commercially reasonable efforts to protect your information, we cannot guarantee absolute security. You acknowledge this inherent risk when using the Service.

5.7 Attorney Professional Responsibility Disclosure

Inquisita's user base consists primarily of licensed attorneys subject to professional responsibility rules governing client confidentiality. We have prepared the following summary to assist attorneys in satisfying the due diligence requirements of ABA Formal Opinion 512 (July 2024) and applicable state bar ethics guidance before submitting client information to the Service.

• Use of Client Data for Training: Inquisita does not use User Content held by us — including case documents, client information, attorney work product, or AI prompts — to train AI models. The third-party providers Inquisita uses to operate the platform (see Section 3.1) are bound by their own enterprise terms, under which your User Content is not used to train their foundation models. Inquisita does not control the model provider used by the AI agent platform you connect to the Service via MCP. Before transmitting client information through any MCP client, you should review your agent platform's training, retention, and confidentiality policies.
• Data Security Summary: We encrypt all User Content in transit (TLS 1.2 or higher) and at rest (AES-256). We use AWS KMS with Attribute-Based Access Control (ABAC) for tenant isolation, ensuring no two law firms' data is co-mingled or accessible cross-firm. We conduct regular security audits, penetration testing, and vulnerability scanning.
• Confidentiality Obligations: We and all third-party service providers are contractually bound by confidentiality obligations prohibiting use of User Content for any purpose other than providing the Service to you.
• Breach Notification: In the event of a confirmed security breach affecting User Content, we will notify you within the timeframes required by applicable law. See Terms of Service, Section 7.
• Legal Process Response: If we receive a subpoena, court order, or other legal demand for your User Content, we will notify you before complying unless prohibited by law or court order, and we will provide you an opportunity to seek a protective order.
• Attorney-Client Privilege: See Terms of Service, Section 14 (Attorney-Client Privilege Protection) for a full description of our agency relationship and privilege-preservation framework.

An attorney's decision to use the Service should be made in consultation with applicable state bar ethics opinions and the attorney's own professional judgment regarding the requirements of their specific jurisdiction.

6. International Data Transfers and GDPR

Our Service is operated in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. U.S. data protection laws may differ from those in your jurisdiction.

6.1 European Economic Area — GDPR Notice

Inquisita's Service is designed for use by U.S. attorneys and law firms. If you use the Service to process personal data of individuals located in the European Economic Area ("EEA"), the following provisions apply:

• Data Controller / Processor: For any EEA personal data you upload to the Service, you (the law firm) act as the data controller, and Inquisita acts as the data processor on your behalf, processing such data only as instructed by you in connection with providing the Service.
• Lawful Basis: Inquisita processes EEA personal data on the basis of the legitimate interests of the data controller (you) in connection with active legal proceedings or legal advice, or on the basis of your instructions as data controller.
• Data Subject Rights: EEA individuals whose personal data you upload to the Service may have rights under GDPR, including the right to access, rectification, erasure, restriction of processing, and data portability. We will assist you in responding to verified data subject requests within the timeframes required by GDPR.
• International Transfers: User Content is stored and processed in the United States. Inquisita relies on Standard Contractual Clauses or other appropriate safeguards under Chapter V of the GDPR to legitimize transfers of EEA personal data to the U.S., where applicable.

6.2 Data Processing Agreements

Enterprise customers and law firms that require a Data Processing Agreement ("DPA") — whether to satisfy GDPR Article 28, CCPA/CPRA service provider agreement requirements, Colorado Privacy Act processor obligations, or their own internal governance requirements — may request our standard DPA by contacting privacy@inquisita.ai. Our standard DPA addresses the nature and purpose of processing, data security obligations, subprocessor management, audit rights, and breach notification procedures. The DPA covers Personal Data while it is processed by Inquisita; it does not cover data transmitted by an AI agent you authorize to that agent's own model provider, which is governed by your separate agreement with your agent platform. For customers subject to HIPAA, we offer a Business Associate Agreement ("BAA") upon request, subject to our assessment of whether the Service involves protected health information as defined by HIPAA.

7. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information:

7.1 Access and Correction

You may access and update your account information at any time through your account settings. You may also contact us to request access to other personal information we hold about you.

7.2 Data Portability

You may download your User Content at any time through the Service interface. We will provide your data in a commonly used, machine-readable format.

7.3 Deletion

You may delete your account at any time, which will trigger our data deletion procedures described in Section 4. You may also request deletion of specific information by contacting us at privacy@inquisita.ai.

7.4 Opt-Out of Communications

You may opt out of promotional communications by following the unsubscribe instructions in those messages. You cannot opt out of transactional or service-related communications (account notifications, security alerts, etc.).

7.5 Cookie Management

You can manage cookie preferences through your browser settings (see Section 9).

7.6 State-Specific Rights

For California Residents — CCPA/CPRA Rights:

California residents have the following rights regarding their personal information:

• Right to Know: You have the right to know what categories of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request deletion of personal information we have collected about you, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Data Portability: You have the right to receive a copy of your personal information in a portable, machine-readable format.
• Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. You may submit a "Do Not Sell or Share My Personal Information" request, though we have no such activity to opt you out of.
• Right to Limit Use of Sensitive Personal Information: We collect certain sensitive personal information as defined by CPRA, including professional license numbers (bar number) and payment account information. You have the right to limit our use of such information to uses reasonably necessary to provide the Service.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your California rights, submit a verifiable consumer request to privacy@inquisita.ai. We will respond within forty-five (45) days of receipt, extendable by an additional forty-five (45) days where reasonably necessary.

For Colorado Residents — Colorado Privacy Act (CPA) Rights:

Colorado residents have the following rights under the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.):

• Right to Access: You have the right to confirm whether we process your personal data and to access that data.
• Right to Correct: You have the right to correct inaccurate personal data we hold about you.
• Right to Delete: You have the right to request deletion of personal data provided by or obtained about you.
• Right to Data Portability: You have the right to obtain a copy of your personal data in a portable, readily usable format.
• Right to Opt Out of Profiling: You have the right to opt out of the processing of personal data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in such profiling.
• Right to Opt Out of Targeted Advertising: We do not use personal data for targeted advertising as defined by the CPA.
• Right to Appeal: If we decline to act on a request to exercise your rights, you may appeal our decision by submitting an appeal request to privacy@inquisita.ai within thirty (30) days of receiving our decision. We will respond within forty-five (45) days. If we uphold the denial on appeal, we will provide you with a method to contact the Colorado Attorney General to submit a complaint.

To exercise your CPA rights, submit a request to privacy@inquisita.ai. We will respond within forty-five (45) days, extendable by an additional forty-five (45) days where reasonably necessary.

For Virginia, Connecticut, and Other Applicable States: You may have similar rights to access, correct, delete, and obtain copies of your personal information, as well as rights to opt out of certain processing activities. Contact us at privacy@inquisita.ai to exercise any applicable rights.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have collected information from a minor, contact us immediately at privacy@inquisita.ai, and we will delete such information.

9. Cookies and Tracking Technologies

9.1 What We Use

We use cookies, web beacons, and similar technologies to:

• Authenticate your login session
• Remember your preferences and settings
• Analyze Service usage and performance
• Detect and prevent fraud

9.2 Types of Cookies

Essential Cookies: Required for the Service to function (authentication, security, load balancing). These cannot be disabled.

Analytics Cookies: Help us understand how users interact with the Service. We use these to improve functionality and user experience.

9.3 Your Choices

You can configure your browser to refuse all cookies or indicate when a cookie is being sent. However, if you disable essential cookies, you may not be able to use the Service.

9.4 Do Not Track

Some browsers transmit "Do Not Track" signals. We do not currently respond to Do Not Track signals because there is no industry standard for how to interpret them.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated Privacy Policy on this page with a new "Last Updated" date
• Sending you an email notification to the address associated with your account
• Displaying a prominent notice within the Service

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Service and terminate your account.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us:

For data subject requests (access, deletion, correction) or to request a Data Processing Agreement or Business Associate Agreement, please use privacy@inquisita.ai and include:

• Your full name
• Email address associated with your account
• Law firm name
• Specific nature of your request
• Any information that will help us verify your identity

We will respond to verified requests within the timeframes required by applicable law.