Privacy Policy
Last updated: February 24, 2026
Note for law firm administrators: This Privacy Policy covers how KrisLegal processes personal data as a platform operator. Your firm's clients' personal data is processed on your behalf under our Data Processing Addendum. Your firm is the data controller for your clients' data; KrisLegal acts as your processor.
1. About This Policy
KrisLegal ("we," "our," or "us") operates a white-label legal document automation and AI assistant platform for law firms. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you access krislegal.com or use the KrisLegal platform (collectively, the "Services").
This policy applies to:
- Law firm administrators, attorneys, and staff who use the platform ("Users")
- Law firm clients who access the client portal ("Clients")
- Visitors to krislegal.com
2. Information We Collect
2.1 Account and User Information
When a law firm subscribes to KrisLegal, we collect:
- Names and email addresses of firm administrators, attorneys, and staff
- Professional information (title, bar number)
- Role within the firm
- Login and session activity
2.2 Matter and Case Data
Law firms create, upload, and generate case-related information through the platform. This may include case names, docket numbers, court information, names and contact details of parties and counsel, legal documents (complaints, notices, agreements, summons, releases, and others), case notes, and attorney work product.
2.3 Client Portal Data
Through the client portal, we collect on your behalf:
- Client names, email addresses, phone numbers, and mailing addresses
- Client portal communications
- Consent records and acknowledgment timestamps
2.4 AI Interaction Data
When you use AI features, we process:
- The text of your queries and instructions to the AI assistant
- Case context you provide (case names, party information, case numbers)
- Full text of documents you upload for AI-assisted field extraction or analysis
- Audio recordings submitted via the dictation feature
- Clio matter, contact, and document data pulled into AI context when you invoke Clio-related tools through the assistant (when the Clio integration is enabled)
- Search queries submitted to CourtListener for case law research, which may include case names, party names, or citation strings
2.5 Technical and Usage Data
We automatically collect IP addresses (retained 90 days for security purposes), browser and device information, platform usage activity, and session timestamps.
2.6 Payment and Billing Data
Billing is handled by Stripe, our payment processor. We store only a Stripe customer ID and subscription status. We do not store payment card numbers, bank account information, or full billing addresses. Stripe holds those directly under its PCI-DSS compliance program.
3. How We Use Information
We use the information we collect to:
- Provide and maintain the KrisLegal platform and its features
- Process document generation requests and AI assistant interactions
- Authenticate users and maintain account security
- Send transactional communications (login links, team invitations, billing receipts)
- Detect and prevent fraud, abuse, and security incidents
- Generate aggregated, de-identified analytics to improve our services
- Comply with applicable law and respond to lawful requests
We do not sell your personal information. We do not use attorney-client matter data to advertise to you or your clients.
4. AI Services
4.1 Anthropic Claude
Anthropic's Claude powers all AI features: the AI assistant, document generation, and document field extraction (auto-populating form fields from an uploaded PDF). KrisLegal uses the Anthropic commercial API exclusively.
AI assistant (bring your own key, BYOK): Your firm configures its own Anthropic commercial API key (via console.anthropic.com) in platform Settings. The AI assistant transmits your queries and case context to Anthropic using your firm's own API credentials. Your firm has a direct contractual relationship with Anthropic; that data flow is governed by your firm's Anthropic commercial API agreement.
Document field extraction (platform key): When you upload a document to a document generator for AI-assisted field extraction, KrisLegal's own Anthropic commercial API account processes the OCR-extracted text. In this flow, KrisLegal is the Anthropic contracting party.
Under Anthropic's commercial API terms, Anthropic does not use data submitted via its API to train AI models. KrisLegal stores your firm's Anthropic API key encrypted at rest (AES-256-GCM) and transmits it only to Anthropic's API endpoint.
4.2 OpenAI Whisper (Dictation Only)
OpenAI is used for one purpose only: dictation transcription via the Whisper API. When you record a dictation, the audio file is transmitted to OpenAI for transcription and then deleted. OpenAI does not use API data to train its models. OpenAI is not involved in document generation, document extraction, or the AI assistant.
Attorneys should consider whether applicable professional responsibility rules require client disclosure before using the dictation feature for specific client matters.
4.3 No Training on Customer Data
KrisLegal does not use your data or your clients' data to train any AI models. Under their respective commercial API terms, neither Anthropic nor OpenAI uses API-submitted data for model training.
5. Third-Party Service Providers
We share data with the following service providers ("subprocessors") solely to deliver the Services. Each is bound by data protection agreements consistent with this policy.
| Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic, Inc. | AI assistant (via firm's own API key); document field extraction (via KrisLegal platform key). All uses are under Anthropic's commercial API. Anthropic does not use API data to train models. | Query text, case context, document text |
| OpenAI, LLC | Dictation transcription (Whisper API) only. Not used for document generation or the AI assistant. | Audio recordings (deleted after transcription) |
| Stripe, Inc. | Payment processing | Billing contact; subscription data |
| DigitalOcean, LLC | Cloud hosting and file storage | All platform data (encrypted at rest) |
| Resend, Inc. | Transactional email delivery | Recipient email; authentication links |
| Clio (Themis Solutions Inc.) | Practice management integration (optional, when enabled by firm). KrisLegal accesses firm's own Clio account via OAuth; data may also be written back to Clio at user direction. | Matter, contact, and attorney data synced from Clio and stored locally; notes, tasks, and time entries written back at user direction |
| Free Law Project (CourtListener) | Public case law and federal court docket research. Built into the platform; receives search queries only. No client data is sent to CourtListener. | Search queries (case names, citation strings, legal issue descriptions) |
6. Clio Integration
Clio is an optional practice management integration. When your firm enables it, KrisLegal connects to your firm's existing Clio account via OAuth and acts as an authorized application on your behalf. KrisLegal has no independent Clio account; all access is through your firm's credentials and subject to your firm's Clio subscription terms.
6.1 Data Accessed from Clio
Through the integration, the platform may access:
- Matters (cases): name, number, status, description, dates, practice area
- Contacts: name, email, phone, address, and their relationship to matters
- Attorneys and staff: name, email, title, bar number
- Matter documents: metadata and document content stored in Clio
- Communications, notes, and tasks associated with matters
- Time entries and billing reference data
- Calendar events associated with matters
6.2 Data Written Back to Clio
When authorized users direct the AI assistant to do so, the integration can also create data in your Clio account, including case notes, tasks, and time entries. KrisLegal will only write to your Clio account when an authorized user explicitly instructs the AI assistant to take that action.
6.3 Local Storage of Synced Data
To improve performance, matter, contact, and attorney data synced from Clio is stored in KrisLegal's database alongside your other platform data. This locally stored data is subject to all protections in this Privacy Policy and is deleted with your account upon termination. Clio OAuth tokens are stored encrypted at rest (AES-256-GCM). You may disconnect the integration and revoke KrisLegal's access at any time from your Settings page.
7. CourtListener Integration
The AI assistant has built-in access to CourtListener, operated by the Free Law Project, for public federal court opinions, dockets, and case law. The assistant can search for relevant case law, look up citations, and retrieve publicly available federal court filings on your behalf.
What we send: Search queries, which may include case names, party names, citation strings, or descriptions of legal issues. We do not send attorney-client privileged content to CourtListener.
What is returned: Publicly available court records, opinions, docket information, and citation data. No client PII is returned from or stored as a result of CourtListener queries.
8. Data Security
We implement the following to protect your information:
- All data transmitted over encrypted HTTPS/TLS connections
- Sensitive credentials (API keys, OAuth tokens) encrypted at rest using AES-256-GCM
- Session cookies are HttpOnly, Secure, and SameSite-protected
- Multi-tenant data isolation: each law firm's data is strictly separated
- Access to customer data restricted to employees who require it to provide the Services
- All employees with access to customer data are bound by confidentiality obligations
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Active subscription data (cases, documents, contacts) | Duration of subscription |
| AI conversation history (chat sessions and messages) | Duration of subscription |
| Account data after termination | 30 days following subscription end, then deleted |
| Security and audit logs | 90 days (automatically purged) |
| AI tool usage logs (token counts, tool call records) | 90 days |
| Audio recordings (dictation) | Deleted after transcription is delivered |
| Billing records | 7 years (accounting obligation) |
Upon termination, your data remains accessible for 30 days to allow export. We will permanently delete all customer data within 30 days after that export period, and provide written certification of deletion upon request.
10. Your Rights
You or your firm's users may have the right to:
- Access: request a copy of personal data we hold about you
- Correction: request correction of inaccurate personal information
- Deletion: request deletion of your personal data, subject to legal retention requirements
- Portability: export your account and case data in machine-readable format through your account settings
To exercise these rights, contact us at hello@krislegal.com. We will respond within 30 days. Law firm clients (those using the client portal) should direct data rights requests to their attorney or law firm, which controls their case-related data.
11. Data Breach Notification
In the event of a security breach affecting personal information, we will notify affected law firm customers consistent with applicable law, including the 45-day notification requirement under Tennessee law (T.C.A. § 47-18-2107). Where feasible, we will provide initial notice within 72 hours of becoming aware of a confirmed breach.
12. Cookies
The KrisLegal platform uses a single authentication session cookie (lp-session) to maintain your logged-in state. This cookie is required for platform functionality, does not track you across third-party websites, is HttpOnly (inaccessible to JavaScript), and expires after 7 days or 4 hours of inactivity.
We do not use advertising cookies, tracking pixels, or third-party analytics on the platform. This website (krislegal.com) does not currently use analytics cookies.
13. Children's Privacy
The KrisLegal platform is intended for use by legal professionals and is not directed to individuals under 18. We do not knowingly collect personal information from children.
14. International Users
KrisLegal is operated in the United States and is intended for US-based law firms. All data is stored and processed in the United States. Users outside the United States access the platform at their own discretion and subject to applicable local law.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify law firm administrators by email at least 30 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the revised policy.
16. Contact
For privacy questions, data rights requests, or to report a security concern:
KrisLegal
Email: hello@krislegal.com
Website: krislegal.com