Privacy Policy | LawLedgers

1. Introduction

LawLedgers Inc. ("LawLedgers," "we," "us," or "our") is committed to protecting the privacy of our users and the confidentiality of client trust accounting data. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data.

This policy applies to all users of the LawLedgers platform, including law firm administrators, attorneys, and staff members. Given the sensitive nature of legal trust accounting data, we hold ourselves to the highest standards of data protection.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

Name and email address
Organization name
Password (stored as a BCrypt hash; we never store plaintext passwords)
Role within your organization (Admin, Attorney, Staff)
Timezone preference

2.2 Trust Accounting Data

In the course of using the Service, you may enter or upload:

Trust account details (account names, bank information)
Client matter names and personal ledger records
Transaction records (deposits, checks, ACH transfers, wire transfers)
Payee and vendor information
PDF documents (checks, closing statements, payment instructions)
Reconciliation data

This data belongs to you. We process it solely to provide the Service and do not use it for any other purpose.

2.3 Bank Data (via Plaid)

If you connect a bank account through Plaid, we receive:

Account balances (current and available)
Transaction history (posted and pending transactions)
Account identifiers (masked account numbers)

We store Plaid access tokens in encrypted form. We do not store your bank login credentials. Plaid's handling of your data is governed by Plaid's End User Privacy Policy.

2.4 Accounting Data (via QuickBooks Online)

If you connect QuickBooks Online, we access:

Chart of accounts (to map trust accounts)
Journal entries (to sync trust transactions)
Company information (name, realm ID)

QBO OAuth tokens are stored encrypted. We sync data only when you initiate a sync or as configured in your settings.

2.5 Documents Processed by AI

When you upload documents for intelligent extraction, the following occurs:

AWS Textract: Document images are sent to AWS Textract for OCR (optical character recognition). Processing occurs in your configured AWS region.
OpenAI: Extracted text is sent to OpenAI's API for structured data extraction (identifying amounts, dates, payees, etc.). OpenAI's API data usage policy states that API inputs are not used to train their models.

We do not retain document content on third-party servers beyond the time needed for processing.

2.6 Usage and Analytics Data

We automatically collect:

IP addresses (for security and audit logging)
Login timestamps and session duration
Feature usage patterns (which pages and features you use)
Browser type and device information
Referral source and UTM parameters (for marketing attribution)

2.7 Payment Information

Subscription payments are processed by Stripe. We do not store credit card numbers or bank account details for payments. Stripe collects and processes payment information under Stripe's Privacy Policy. We receive only a Stripe customer ID and subscription status.

3. How We Use Your Information

We use your information to:

Provide the Service: Manage trust accounts, process transactions, generate reports, and run reconciliations
Maintain security: Authenticate users, prevent fraud, and maintain audit trails
Process payments: Bill your subscription and manage your account
Communicate with you: Send transactional emails (password resets, billing notices, system alerts)
Improve the Service: Analyze usage patterns to fix bugs and improve features
Comply with law: Respond to legal processes, enforce our Terms, and protect rights

We do not:

Sell your data to third parties
Use your trust accounting data for advertising
Share your data with other LawLedgers customers
Use your documents to train AI models
Mine your data for insights unrelated to providing the Service

4. Data Sharing and Subprocessors

We share your data only with the following categories of recipients, and only as necessary to provide the Service:

Subprocessor	Purpose	Data Shared
Amazon Web Services (AWS)	Infrastructure hosting, OCR (Textract), file storage (S3)	All platform data (encrypted at rest)
Plaid Inc.	Bank account connection and transaction feeds	Bank credentials (via Plaid Link), account/transaction data
Intuit (QuickBooks Online)	Accounting sync	Trust account transactions, chart of accounts
OpenAI	Document extraction (checks, closing statements)	Document text content (not used for model training)
Stripe	Subscription billing	Email, organization name, payment method (handled by Stripe)
SendGrid / Amazon SES	Transactional email delivery	Email address, email content
Datadog	Application monitoring and error tracking	System logs (PII redacted), performance metrics

We may also share information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of LawLedgers, our users, or the public.

5. Data Security

We implement multiple layers of security to protect your data:

Encryption in transit: All data transmitted between your browser and our servers uses TLS encryption
Encryption at rest: Database and file storage are encrypted at rest
Token encryption: Third-party API tokens (Plaid, QuickBooks) are encrypted before storage using application-level encryption
Password security: Passwords are hashed using BCrypt with salting
Access controls: Organization-level data isolation ensures no cross-tenant data access; role-based permissions restrict actions within organizations
Audit logging: All data modifications are logged with user, timestamp, IP address, and before/after snapshots
PII redaction: System logs automatically redact sensitive data patterns (SSNs, credit card numbers, API keys)
Immutable records: Cleared trust accounting transactions cannot be edited or deleted, preserving the audit trail

6. Data Retention

Trust accounting records are subject to professional responsibility rules that typically require retention for 5 or more years after the end of representation. Our retention practices reflect this:

Active accounts: All data is retained for the duration of your subscription
Canceled accounts: Your Data is available for export for 90 days after cancellation. After 90 days, data may be deleted unless retention is required by law
Audit logs: Retained for the life of the account and not subject to deletion
System logs: Retained for 90 days for operational purposes (PII redacted)
Payment records: Retained as required by tax and financial regulations

We do not automatically purge trust accounting records. If you need records deleted, contact us and we will work with you to balance your request against applicable retention obligations.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate personal data
Deletion: Request deletion of your personal data, subject to legal retention requirements
Portability: Request your data in a structured, machine-readable format
Restriction: Request that we limit processing of your data in certain circumstances
Objection: Object to processing of your data for specific purposes

To exercise any of these rights, contact us at privacy@lawledgers.com. We will respond within 30 days.

Note: Certain trust accounting data may not be deletable if retention is required by professional responsibility rules or applicable law. We will explain any such limitations in our response to your request.

8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

The right to know what personal information we collect, use, and disclose
The right to request deletion of your personal information
The right to opt out of the sale of personal information — we do not sell personal information
The right to non-discrimination for exercising your privacy rights

9. Children's Privacy

The Service is intended for use by legal professionals and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a minor, please contact us immediately.

10. Cookies and Tracking

We use the following cookies and similar technologies:

Authentication cookie (lawledgers_token): HttpOnly session cookie for maintaining your login session. Essential for the Service to function.
UTM parameters: We capture marketing attribution data (utm_source, utm_medium, etc.) from URLs at signup. This data is stored in your account record, not in cookies.

We do not use third-party advertising cookies or cross-site tracking pixels.

11. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

For users in the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms where required by GDPR.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before the changes take effect. The "Effective Date" at the top of this page indicates when the policy was last revised.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

LawLedgers Inc.
Privacy inquiries: privacy@lawledgers.com
General support: support@lawledgers.com