Skip to main content

Privacy Policy

Effective Date: June 3, 2026

This Privacy Policy explains how Attorney Toolkit ("we", "us", or "our") collects, uses, discloses, and safeguards your information when you use our website, web application, browser extension, and related services (collectively, the "Service"). It also explains the choices and rights you have regarding your personal information. By using the Service, you agree to the practices described here. If you do not agree, do not use the Service.

This Policy should be read together with our Terms of Service and our Cookie Policy.

1. Who we are

Attorney Toolkit is an AI-powered legal research tool built for attorneys who rely on professional discussion groups, listservs, and archived knowledge sources — particularly California workers' compensation and consumer attorneys using the CAAA, CAALA, and similar listservs. The Service helps you search, filter, and synthesize information that already exists in those archives.

Our Service is offered for professional use. When you submit search queries, retrieve listserv messages, generate AI outputs, or otherwise interact with the Service, we may process that content and related metadata to provide, maintain, secure, enforce, analyze, support, defend, and improve the Service, and for other purposes described in this Policy or permitted by law.

When this Policy talks about "personal information," we mean information that identifies, relates to, or could reasonably be linked to a particular individual or household. When we talk about "the Service," we mean our website at the published domain, the web application (dashboard, search, results, account pages), our optional browser extension used to capture listserv session cookies, and the public APIs that power them.

2. Information we collect

2.1 Information you provide directly

  • Account information: your full name, email address, password authentication data (designed to be stored as a salted hash rather than plaintext), firm/organization name (optional), and any other profile fields you choose to provide.
  • Membership verification details: information you provide so we can verify your membership in an eligible association (e.g., CAAA, CAALA), such as your member ID, the association you belong to, and any verification screenshots or confirmations you upload.
  • Payment information: when you subscribe, billing details are generally submitted directly to our payment processor, Stripe. We may receive and retain Stripe customer IDs, plan information, subscription status, transaction records, and limited billing metadata such as card brand, last digits, and expiration month/year.
  • Search queries and inputs: the names, keywords, dates, listserv selections, and natural-language questions you submit when running searches.
  • Feedback and support content: messages you send through our contact form, support emails, the in-app feedback buttons (thumbs up/down on results), bug reports, and other communications you initiate with us.

2.2 Information collected automatically

  • Device and browser data: browser type and version, operating system, screen size, language, timezone, and other standard headers your browser sends with each request.
  • Network information: IP address, approximate geolocation derived from IP, and basic routing data.
  • Usage data: pages visited, features used, search counts, click events on results, time stamps, referrers, and similar product analytics needed to operate and improve the Service.
  • Cookies and similar technologies: small text files and browser-storage entries used to keep you signed in, remember preferences, and (in the case of the optional browser extension) capture listserv session cookies you authorize us to use. See our Cookie Policy for the full list.
  • Logs: server logs that include request paths, response codes, timing information, error stack traces, and similar diagnostic data, used for debugging and abuse prevention.

2.3 Information we receive from third parties

  • Listserv archives: when you run a search, we fetch messages from the listserv archive you are authorized to access (via the session cookies you supplied through the browser extension). The fetched content — including posters' names, message subjects, message bodies, dates, and any attachments listed in the archive — is processed to produce your results.
  • Stripe: subscription status, customer ID, payment events, and billing portal events delivered via webhook.
  • Email-deliverability and verification providers: bounce/spam-flag data, and email verification confirmations.
  • Your firm or organization: if your account is provided, paid for, or administered by a firm or organization, we may receive your name, email address, role, account status, and related administrative information from that organization.

2.4 Sensitive and restricted information

  • You should avoid submitting sensitive personal categories, client-confidential information, attorney-client privileged information, work product, sealed material, protected health information, or other restricted information into free-form search, prompt, support, or feedback fields unless you have determined that doing so is lawful and appropriate.
  • Information of this kind may appear incidentally in listserv archives or other sources you ask us to search. If it does, we may process it as necessary to provide, secure, troubleshoot, enforce, improve, or defend the Service, subject to applicable law.
  • We do not knowingly collect information from anyone under 18.

3. How we use your information

We use the information described above to:

  • Provide, maintain, and operate the Service — including authenticating you, running searches you initiate, returning results, generating AI synthesis, and storing your search history.
  • Verify your eligibility for an association's archive (e.g., that you are a current CAAA or CAALA member).
  • Process payments, manage subscriptions, and apply promo codes through Stripe.
  • Enforce subscription limits (e.g., monthly search counts per tier) and prevent abuse.
  • Communicate with you about your account, billing, the Service, and important changes — including transactional emails like password resets, payment receipts, and security notifications.
  • Respond to your support requests, feedback, and reports.
  • Analyze, evaluate, develop, and improve the Service, including search quality, AI prompts, relevance scoring, safety systems, abuse detection, billing operations, support workflows, and product functionality. This may include reviewing search inputs, outputs, retrieved message content, feedback, logs, and aggregated or de-identified usage patterns, subject to applicable law and our agreements with service providers.
  • Detect, prevent, and investigate fraud, security incidents, abuse, and violations of our Terms.
  • Comply with applicable law, legal process, and lawful requests from authorities.

If you are in a jurisdiction that requires a legal basis for processing personal data (e.g., the EEA, UK, or Switzerland), we rely on the following bases:

  • Performance of a contract: to deliver the Service you signed up for (running searches, returning results, providing your account).
  • Legitimate interests: to keep the Service secure and operational, prevent abuse, improve product quality, and communicate with you about your account.
  • Consent: where required, for example before installing the browser extension that captures listserv session cookies.
  • Legal obligation: to comply with laws, court orders, and regulatory requirements that apply to us.

5. Listserv session cookies (browser extension)

To search a listserv on your behalf, our optional browser extension captures the session cookies your browser holds after you log in to the listserv directly (e.g., to CAAA or CAALA). These cookies are how the listserv knows it is you and authorizes access to the archive. Because access cannot exist without them, they are the most sensitive piece of data we handle.

How we handle listserv cookies:

  • We use technical safeguards designed to protect listserv cookies, including encryption in transit and encryption at rest for stored session data.
  • We may use stored session data to authenticate searches, retrieve source material, troubleshoot requests, maintain the Service, investigate abuse, enforce our Terms, comply with law, and protect our rights and users.
  • We may disclose session-related data to service providers, advisors, authorities, or transaction counterparties where described in this Policy, required by law, or reasonably necessary to operate, secure, defend, or transfer the Service.
  • You may revoke listserv access by signing out of the listserv to invalidate the session or by deleting stored cookies in your account settings, subject to any backup, logging, legal, security, or recordkeeping retention described in this Policy.
  • Session data may be refreshed when a listserv issues new cookies during a session and may be retained or discarded according to operational, security, legal, and backup needs.

If you have reason to believe your listserv credentials have been misused, contact us at support@attorneytoolkit.com immediately so we can rotate or delete the stored session.

6. AI processing & what we send to language models

The Service uses large language models (LLMs) to score message relevance and synthesize results into readable summaries. To produce a result for you, we may send the following to the model provider:

  • The search query you submitted (the name, keywords, or natural-language question).
  • The text of the listserv messages we fetched on your behalf for that search.
  • Minimal context about the search task (e.g., "evaluate this doctor from a plaintiff's-attorney perspective").

We generally do not need to send the following to language model providers to produce ordinary search results:

  • Your password (we don't have it in plaintext anyway).
  • Your billing details (those live with Stripe).
  • Your stored listserv session cookies.
  • Information from other users.

AI providers' data-handling practices are governed by their applicable commercial terms and our agreements with them. We may use AI providers and other technical vendors to process inputs, retrieved messages, outputs, and related metadata to provide, monitor, evaluate, secure, troubleshoot, and improve the Service. We may change model providers, model configurations, and processing workflows over time.

7. How we share information

We may disclose information as described below, as disclosed to you elsewhere, with your consent, or as otherwise permitted by law.

  • Service providers (subprocessors): with vendors who help us run the Service (hosting, payment processing, email delivery, AI inference, monitoring). They are contractually bound to use your information only to provide services to us. See section 8.
  • Your firm or account administrator: if your account is part of an organization account, we may share account status, subscription status, usage counts, and administrative information with the person or organization responsible for managing that account.
  • Legal and safety: with law enforcement, regulators, or other parties when we believe in good faith that disclosure is necessary to (i) comply with applicable law or legal process; (ii) protect the rights, property, or safety of Attorney Toolkit, our users, or the public; or (iii) detect and prevent fraud or abuse.
  • Corporate transactions: in connection with a merger, acquisition, financing, reorganization, or sale of all or part of our assets, with continued protection of your information.
  • With your consent or at your direction: for any other purpose disclosed to you at the time we collect the information.
  • Aggregated or de-identified information: information that has been aggregated or de-identified so it is not reasonably linked to you, which we may use or disclose for analytics, product development, security, benchmarking, business, or other lawful purposes.

8. Subprocessors and third-party services

We may share limited personal information with trusted third-party service providers who help us operate, secure, and improve Attorney Toolkit. These providers may only use the information as needed to provide services to us and are subject to contractual confidentiality and data protection obligations.

Service CategoryPurposeData Involved
Cloud hosting and infrastructure providersHost our backend systems, databases, and application servicesAccount information, searches, search results, encrypted listserv cookies, server logs, and related usage data
Frontend hosting and edge service providersDeliver the website, route requests, and improve site performancePage requests, IP address, device/browser information, and request metadata
Payment processorsProcess payments, manage subscriptions, and provide billing portalsBilling details, subscription status, payment identifiers, and customer account information
AI and search technology providersHelp process search queries, summarize or analyze results, and provide AI-assisted featuresSearch queries, fetched listserv messages or excerpts relevant to the search, and related prompt/output data
Email and communication providersSend transactional emails and service-related noticesEmail address, account identifiers, and message content, such as password reset or account notification emails
Security, logging, and error-monitoring providersProtect the service, detect abuse, troubleshoot errors, and maintain reliabilityIP address, device/browser information, error logs, usage events, and technical metadata

We do not sell personal information, and we do not authorize these providers to use personal information for their own independent marketing purposes.

9. Data retention

We retain personal information for as long as we determine is reasonably necessary for the purposes described in this Policy, including but not limited to operate the Service, maintain records, resolve disputes, enforce agreements, comply with law, protect rights, and support business operations.

10. Data security

We use industry-standard administrative, technical, and physical safeguards designed to protect your information, including:

  • TLS 1.2+ for all data in transit.
  • AES-256 encryption for sensitive data at rest (notably listserv session cookies).
  • Password authentication data designed to avoid storing plaintext passwords.
  • Principle of least privilege for staff and infrastructure access, audited periodically.
  • Network firewalls, intrusion-detection rules, and rate-limiting on authentication endpoints.
  • Regular dependency scanning and security patching.

No system can be guaranteed completely secure. You play an important role too: use a strong, unique password, enable any account-protection options we offer, and notify us immediately at support@attorneytoolkit.com if you suspect your account has been compromised.

11. Your rights and choices

Subject to applicable law, you may have the following rights with respect to your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Correction: ask us to correct information that is inaccurate or incomplete.
  • Deletion: ask us to delete your account and associated personal information, subject to legal retention requirements.
  • Portability: request a machine-readable copy of information you provided to us.
  • Restriction or objection: ask us to restrict or stop certain processing, including processing based on legitimate interests.
  • Withdraw consent: withdraw consent for processing that depends on consent (e.g., uninstall the browser extension).
  • Marketing opt-out: opt out of marketing emails using the unsubscribe link in any such email. Transactional emails (e.g., security alerts) cannot be opted out of while your account is active.

To exercise any of these rights, email us at support@attorneytoolkit.com. We may need to verify your identity before acting on certain requests.

12. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), provides you with specific rights regarding your personal information. In the past 12 months, we have collected the categories of personal information described in section 2 (identifiers, customer-account information, commercial information, internet activity, geolocation derived from IP, and inferences drawn from any of the above).

You have the right to:

  • Know what personal information we collect, use, disclose, and (if applicable) sell or share.
  • Request deletion of your personal information, subject to certain exceptions.
  • Request correction of inaccurate personal information.
  • Limit the use and disclosure of sensitive personal information.
  • Opt out of the "sale" or "sharing" of personal information. Based on our current practices, we do not believe we sell or share personal information as those terms are defined under the CCPA/CPRA; if our practices change, we will update this Policy or provide any legally required notices and choices.
  • Be free from retaliation for exercising your rights.

To submit a CCPA/CPRA request, email support@attorneytoolkit.com with the subject line "California Privacy Request." You may use an authorized agent to submit a request on your behalf, in which case we will need written proof of the authorization.

13. Users in the EEA, UK, and Switzerland (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation ("GDPR") or its national equivalents give you certain rights, including those listed in section 11. The data controller for your personal information is Attorney Toolkit. You may lodge a complaint with your local supervisory authority if you believe we have not complied with applicable data-protection law, although we encourage you to contact us first so we can try to resolve the issue.

14. Children's privacy

The Service is intended exclusively for licensed attorneys and is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will delete it as quickly as practicable. If you believe a minor has provided us personal information, please contact support@attorneytoolkit.com.

15. International data transfers

Our servers are located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States. By using the Service, you consent to such transfer, storage, and processing. Where required by law, we use appropriate safeguards (such as Standard Contractual Clauses) to legitimize cross-border transfers.

16. Do Not Track

Some browsers transmit a "Do Not Track" (DNT) signal to websites. There is no industry consensus on how to interpret DNT signals, so we do not currently respond to them. We do, however, limit our use of cookies and trackers as described in our Cookie Policy.

17. Security incident notification

In the unlikely event of a security incident affecting your personal information, we will notify you and applicable regulators without undue delay, consistent with applicable law. Notifications will describe (as appropriate) the nature of the incident, the categories of information affected, the steps we have taken, and steps you can take to protect yourself.

18. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Effective Date" at the top of this page. If the changes are material, we will provide additional notice — for example, by emailing you or displaying a notice in the application before the changes take effect. Your continued use of the Service after changes become effective constitutes your acceptance of the updated Policy.

19. How to contact us

If you have questions, requests, or complaints about this Policy or our privacy practices, contact us:

Attorney Toolkit

Email: support@attorneytoolkit.com

Or reach us through our contact form.