Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account Information: Email address, name, organization name, role, phone number
• Documents: Documents you upload, including their content and metadata
• Chat Conversations: Questions you ask and conversations with our AI assistant
• Matter Information: Case details, client references, matter numbers, and related organizational data
• Payment Information: Billing details processed securely through Stripe (we do not store your full card number)

1.2 Information We Collect Automatically

• Usage Data: Pages visited, features used, search queries, time spent on platform
• Device Information: IP address, browser type, operating system, device identifiers
• Cookies: Session cookies, preference cookies, and analytics cookies (see our Cookie Policy)
• Log Data: Access times, error logs, performance metrics

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process and store your documents securely
• Generate AI-powered responses to your questions about your documents
• Provide semantic and keyword search across your documents
• Send service-related communications (password resets, system notifications, trial reminders)
• Process billing and payments through Stripe
• Analyze usage patterns to improve our platform
• Detect and prevent fraud, abuse, or security incidents
• Comply with legal obligations

We do NOT use your information to serve advertisements, build advertising profiles, or sell your data to third parties.

3. AI Processing and Third-Party Services

3.1 How AI Features Process Your Data

Our AI features use third-party model providers to deliver document search and conversational AI capabilities. Understanding how your data flows through these systems is important, particularly if your documents contain solicitor-client privileged information.

• Embedding generation: When you upload documents, we generate vector embeddings (mathematical representations of your document content) to enable semantic search. This processing is performed using Voyage AI models (voyage-law-2), which are specifically trained for legal text. The embeddings are stored in your isolated database tenant and are not shared with other customers.
• AI chat responses: When you ask questions through the AI assistant, your question and relevant excerpts from your documents are sent to Anthropic's Claude model (accessed through AWS Bedrock) to generate a response. The model provider processes this data in real-time and does not retain your inputs or outputs after the response is generated.
• Tenant isolation: All AI processing occurs within the context of your organization's isolated tenant. Your documents are never combined with those of other customers during any stage of AI processing, including embedding generation, search retrieval, or response generation.

3.2 AI Training Commitment

We do NOT use your data to train AI models.

We have contractual agreements with our AI providers that prohibit the use of your data for model training, fine-tuning, or improvement. Specifically:

• AWS Bedrock does not use customer inputs or outputs to train or improve its foundation models.
• Your documents, questions, and AI responses are not retained by model providers beyond the time needed to generate a response.
• We do not provide your data to any third party for the purpose of training, benchmarking, or evaluating AI models.

3.3 Privileged Information and AI Processing

We recognize that documents uploaded to the Service may contain information protected by solicitor-client privilege. Our AI processing architecture is designed with this in mind:

• Document content transmitted to AI model providers for processing is encrypted in transit using TLS 1.2 or higher.
• AI model providers are contractually prohibited from logging, storing, or accessing your document content beyond real-time processing.
• We do not review the content of your AI conversations except when investigating a security incident or when you explicitly request technical support.

However, we cannot provide legal advice on whether using AI tools with privileged documents affects the privilege itself. We recommend that you consult the Law Society of British Columbia's guidance on using technology in legal practice and seek independent legal advice if you have concerns about privilege implications.

3.4 AI Input Restrictions

While the AI features are designed to process the documents you upload to the Service, you agree not to use the AI features to:

• Process documents or content you do not have the legal right to use or that were obtained unlawfully
• Attempt to manipulate, exploit, or circumvent the AI system's safety controls or content policies
• Systematically extract AI outputs for the purpose of training competing AI systems or models
• Submit content unrelated to the documents stored in your account for purposes unrelated to the Service

3.5 Other Third-Party Services

In addition to AI providers, the Service relies on the following third-party services:

• Amazon Web Services (AWS): Cloud infrastructure, document storage (S3), database hosting, and AI model access (Bedrock) in the ca-central-1 (Montreal) region
• Stripe: Payment processing (see Stripe's Privacy Policy)
• Sentry: Error tracking and monitoring (configured to minimize personal data collection; does not capture document content)
• Microsoft Clarity: Analytics and session recording (anonymized; does not capture document content or AI conversations)

Each third-party provider processes data under a data processing agreement with Vector Doc. A current list of sub-processors is available upon request by contacting privacy@bclegaltech.ca. We will provide at least 30 days notice before adding new sub-processors that would process your document content or personal information in a materially different way.

4. Data Sharing and Disclosure

We do NOT sell your personal information or documents to third parties.

We may share your information with:

• Your Organization: Other authorized users within your organization (based on access controls you configure)
• Service Providers: AWS, AI providers, Stripe, and other providers listed in Section 3.5 (under strict data processing agreements)
• Legal Requirements: If required by law, court order, or government request. Where permitted by law, we will notify you before disclosing your information in response to a legal request.
• Business Transfers: In connection with a merger, acquisition, or sale of assets. We will provide at least 30 days notice and your data will remain subject to the protections in this policy until a successor policy is adopted.
• With Your Consent: Any other sharing requires your explicit permission

5. Data Security

We implement the following security measures to protect your data:

• Encryption in Transit: All data is encrypted using TLS 1.2 or higher during transmission, including data sent to AI model providers
• Encryption at Rest: Documents and database data are encrypted using AES-256
• Database-Level Isolation: PostgreSQL Row-Level Security (RLS) ensures complete data separation between organizations. Each organization's data is logically isolated at the database level.
• Access Controls: Role-based access control within your organization, secure password requirements, and support for multi-factor authentication
• Secure Infrastructure: Hosted on AWS with infrastructure-level security, including network isolation, security groups, and automated patching
• Regular Backups: Automated encrypted backups for disaster recovery, stored in the same AWS region as your primary data

No system is 100% secure. While we take extensive precautions, we cannot guarantee absolute security of your data.

5A. Security Incident Notification

In the event that we become aware of a security breach or unauthorized access that affects your personal information or document content (a "Security Incident"), we will:

• Notify you promptly: We will notify affected customers without unreasonable delay and in any event within 72 hours of confirming a Security Incident, unless a law enforcement authority requests a delay. Notification will be sent to the email address associated with your account.
• Provide meaningful detail: Our notification will include, to the extent known: a description of the nature of the incident, the categories and approximate volume of data affected, the measures we have taken or plan to take to contain and remediate the incident, and a point of contact for further information.
• Take remedial action: We will take all reasonable steps to contain the Security Incident, prevent recurrence, and mitigate any harm to affected customers.
• Notify regulators: Where required by applicable Canadian federal or provincial privacy legislation (including PIPEDA and the British Columbia Personal Information Protection Act), we will notify the relevant privacy commissioner or regulatory authority.

You agree to notify us promptly at security@bclegaltech.ca if you become aware of any unauthorized access to your account, any suspected compromise of your credentials, or any other security concern related to the Service.

6. Data Retention

We retain your information according to the following schedule:

• Active Account: Data is retained while your account is active
• Account Cancellation: Upon cancellation, your documents are retained for 30 days to allow for data export, then permanently deleted
• Billing Records: Retained for 7 years as required for tax and accounting purposes
• Security Logs: Retained for 90 days for security and troubleshooting purposes
• Anonymized Usage Statistics: Retained indefinitely in aggregate form (platform interaction patterns only, not document content)

You may request immediate deletion of your documents at any time while your account is active. Upon receiving such a request, we will delete the specified documents from primary systems within 5 business days. Copies may persist in encrypted backups for up to 30 additional days before being purged.

We do not retain aggregated or anonymized versions of your document content after account termination.

6A. Beta Services and Data

From time to time, we may offer features designated as "beta," "preview," or "early access." When you use Beta Services:

• Your data is subject to the same privacy protections, security measures, and data isolation described in this policy. We do not apply a lower standard of data protection to Beta Services.
• We may collect additional usage telemetry (e.g., feature interaction patterns, error rates, performance metrics) to evaluate and improve Beta features. This telemetry does not include the content of your documents or AI conversations.
• If a Beta Service is discontinued, any data created exclusively through that feature will be exportable for at least 30 days before deletion, unless it is also accessible through generally available features.
• We will clearly label Beta Services within the platform so you can make informed decisions about whether to use them for sensitive work.

7. Your Rights

You have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal information and documents (subject to legal retention requirements and the retention schedule in Section 6)
• Export: Download your documents and data in standard formats at any time while your account is active, and for 30 days following cancellation
• Opt-Out: Opt out of marketing communications at any time
• Withdraw Consent: Where processing is based on consent, you may withdraw it at any time
• Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Information and Privacy Commissioner for British Columbia

To exercise these rights, contact us at privacy@bclegaltech.ca. We will acknowledge your request within 5 business days and respond substantively within 30 days. If we need additional time, we will notify you of the reason and the expected timeline.

8. Document Ownership and Confidentiality

You own your documents. We act solely as a data processor on your behalf.

• You retain all ownership rights to documents you upload
• We will not access your documents except as necessary to provide the Service or as required by law
• We will not share your documents with other customers or third parties
• We will not use your documents to train AI models
• Upon termination, you may export all your documents before deletion

We understand that uploaded documents may contain confidential, privileged, or sensitive information. We maintain strict access controls and do not review document contents except for technical support purposes when explicitly requested by you, or when investigating a confirmed or suspected Security Incident.

9. Children's Privacy

Our Service is designed for business use and is not intended for individuals under 18. We do not knowingly collect information from children. If we learn we have collected information from a child under 18, we will delete it promptly.

10. Geographic Availability and Data Transfers

Data Hosting: Your documents and database are hosted in AWS's ca-central-1 region (Montreal, Canada). Encrypted backups are stored in the same region.

Cross-Border Processing: Some data processing may occur in the United States, specifically AI model inference through AWS Bedrock and payment processing through Stripe. We ensure appropriate safeguards are in place through data processing agreements with these providers.

By using the Service, you consent to the transfer of your information as described in this policy. If you are located in a Canadian province with specific data residency requirements, please contact us to discuss your needs.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice in the Service at least 30 days before changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

We will maintain an archive of previous versions of this policy, which you may request by contacting privacy@bclegaltech.ca.

12. Cookie Policy

We use the following categories of cookies:

• Essential Cookies: Required for the Service to function (e.g., authentication, session management). These cannot be disabled.
• Preference Cookies: Remember your settings and preferences (e.g., language, display options).
• Analytics Cookies: Help us understand how you use the Service (currently Microsoft Clarity). These collect anonymized interaction data and do not capture document content or AI conversations.

You may manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect core Service functionality.

We do not use advertising cookies, tracking pixels for third-party advertising, or cross-site tracking technologies. We do not build advertising profiles from your usage data. For more detail, see our full Cookie Policy.

13. Contact Us

If you have questions about this Privacy Policy or how we handle your data: