Updated

Privacy and Data Use Policy

Effective November 16, 2025

This policy explains how we collect, use, store and protect data when you use Conseloria.

1. Controller and scope

The controller is the owner of Conseloria identified in the billing information.
This Policy applies to lawyers, law firms and authorized staff who use Conseloria.
By using the Service you accept the data processing described here and in applicable laws.

Account data: full name, professional email, hashed password, billing data and plan preferences.
Uploaded content: documents, case files, notes and messages that may include third-party data.
Usage metadata: activity logs, IP, device type, processed volume, queries and technical logs.
Payment information: handled by certified providers; we do not store full card details.

Provide, maintain and improve the Service (contract performance).
Manage onboarding, billing, payments and legal obligations (contract and legal compliance).
Monitor usage, prevent fraud and security incidents (legitimate interest).
Offer support and communicate relevant changes (contract and legitimate interest).
Where required we will request your consent for specific processing activities.

To generate answers we send the relevant fragments of your documents to AI model providers: OpenAI (embeddings and chat models) and Anthropic (Claude models), under their respective Data Processing Agreements (DPA) in enterprise API mode, which prohibit the use of that content for training.
For OCR on scanned PDFs we use OpenAI Vision API under the same DPA.
For data hosting, file storage and authentication we use Supabase (PostgreSQL database, Auth and Storage).
For application hosting and edge network we use Vercel.
For document queue processing, rate limiting and caching we use Upstash (Redis and QStash).
For transactional emails we use Resend.
For payments and subscription management we use Stripe.
For error monitoring we use Sentry.
For aggregated web analytics we use Google Analytics 4 (anonymized data).
We list all our subprocessors in this section and update the list when changes occur. We will notify material changes with reasonable advance notice.
We do not reuse your identifiable documents to train public or proprietary models.
We may use aggregated and anonymized data to evaluate platform performance.

We retain account data while the subscription remains active and for a reasonable period afterward for legal obligations (typically up to 6 years for accounting records).
When you delete a document from the application, it is immediately removed from our primary database and Supabase-managed storage.
Automatic backups from our infrastructure provider (Supabase) rotate according to their policy: the last 7 days on Free plans, up to 30 days on paid plans. During that window, deleted data may persist in encrypted backups until rotation.
After account cancellation, we will delete documents and case files within a maximum of 30 days, including backup rotation.
We may retain minimal records (billing logs, audit trails) to address claims or legal requirements.

Only the subprocessors listed in section 4 access the data necessary to operate the Service, under protection agreements including confidentiality and security clauses.
We may share information with professional advisors (accountants, legal counsel) when strictly necessary.
We will disclose information if compelled by a competent authority through a valid legal request.
We do not sell databases or share your documents for third-party marketing purposes.

Communications: TLS 1.3 in transit (HSTS with preload) between the browser and our infrastructure.
Storage: AES-256 at-rest encryption managed by Supabase (database) and its Storage buckets.
Per-account isolation: we apply Row Level Security (RLS) policies at the database level so each user only accesses their own documents, chats and case files.
Internal access: authorized personnel with multi-factor authentication and least-privilege principle.
Monitoring: errors and anomalous activity are reported to Sentry. Logs do not include document contents.
Incidents: we maintain response and notification procedures aligned with applicable regulations. Report vulnerabilities to security@conseloria.com.
We do not (yet) hold formal certifications such as SOC 2 or ISO 27001; we will publicly communicate if we begin a certification process.

We use essential cookies for authentication and session management.
We may use analytics cookies to improve the experience, mainly on aggregated data.
You can configure your browser to reject cookies, although some features might be affected.
Where required we will seek consent before enabling non-essential cookies.

We may host data in data centers located in different countries with adequate safeguards.
When required we will implement valid transfer mechanisms such as Standard Contractual Clauses.
We contractually require our providers to offer protection levels equivalent to the origin jurisdiction.

The Service is intended solely for professional legal organizations and not for minors.
We do not knowingly collect data from minors; if we detect it, we will delete it.

We may update this Policy to reflect changes in the Service, providers or regulations.
We will notify active customers about relevant updates.
Continued use after the effective date constitutes acceptance.
For privacy inquiries contact hola@conseloria.com.

Assistant outputs may contain errors, be incomplete or lack context.
We are not responsible for decisions made solely on automated outputs.
Review and validate generated texts before sharing them with clients or authorities.