Privacy Policy
Effective Date: April 27, 2026
QuillanAI Inc. d/b/a Zuben — A Delaware Corporation
This Privacy Policy describes how QuillanAI Inc. d/b/a Zuben (“Zuben,” “we,” “our,” or “us”) collects, uses, discloses, retains, and protects personal information when you visit our website, create an account, or use the Platform. It also describes your rights under applicable privacy laws and how to exercise them. This Privacy Policy applies to all individuals who interact with Zuben, including Subscribers, Authorized Users, website visitors, and prospective customers. It does not apply to information processed by Subscribers through the Platform on behalf of their clients — Subscribers are the controllers of that data, and their own privacy policies govern their clients' information.
Article I — Information We Collect
1.1 Account Information
When you create an account or subscribe to the Platform, we collect information necessary to establish and manage your subscription, including your name, email address, business name, job title, billing address, and payment information. If you are an Authorized User added by a Subscriber, we collect the information the Subscriber provides to us about you (typically your name and email address).
1.2 Subscriber Data
When Subscribers and Authorized Users use the Platform, they provide Subscriber Inputs (prompts, queries, documents, and context) and the Platform generates Outputs (work products, analyses, and memoranda). As described in our Terms of Service, Subscriber Data is processed solely to deliver the Platform services and is never used to train our AI models. Subscriber Data may contain personal information about the Subscriber's clients or other third parties — Zuben processes this information at the direction and on behalf of the Subscriber, who is the controller of that data.
1.3 Usage Data
We automatically collect information about how you interact with the Platform, including: feature utilization data, session timestamps and duration, work product types generated, error logs, browser type and version, operating system, IP address, device identifiers, and referring URLs. This data is collected in aggregate, de-identified form that cannot be used to reconstruct Subscriber Data or identify any individual's Subscriber Inputs or Outputs.
1.4 Communications
When you contact us for support, provide feedback, or otherwise communicate with us, we collect the content of those communications along with your name and contact information.
1.5 Cookies and Tracking Technologies
Our website and Platform use cookies and similar technologies to maintain session state, authenticate users, remember preferences, and collect analytics data. We use:
- Strictly Necessary Cookies — required for the Platform to function (authentication, security, session management). These cannot be disabled.
- Analytics Cookies — help us understand how the Platform is used so we can improve it. We use analytics providers with IP anonymization enabled.
- Preference Cookies — remember your settings and preferences across sessions.
We do not use advertising cookies or tracking pixels. We do not sell personal information. We do not engage in cross-context behavioral advertising.
Article II — How We Use Your Information
2.1 Service Delivery
We use your information to provide, maintain, and improve the Platform, including to process Subscriber Inputs and generate Outputs, manage your account, process payments, provide customer support, and communicate with you about your subscription.
2.2 Platform Improvement
We use aggregate, de-identified usage data (not Subscriber Data, Subscriber Inputs, or Outputs) to monitor Platform performance, identify and fix errors, analyze usage patterns, and improve the Platform's features and functionality.
2.3 Security and Fraud Prevention
We use your information to detect, prevent, and respond to security incidents, fraud, abuse, and violations of our Terms of Service and Acceptable Use Policy.
2.4 Legal Compliance
We use your information as necessary to comply with applicable laws, regulations, legal processes, and governmental requests.
2.5 Communications
We use your contact information to send transactional communications (account confirmations, billing notices, security alerts, service updates) and, with your consent where required, promotional communications about new features or services. You may opt out of promotional communications at any time.
2.6 No Training on Subscriber Data
We do not use Subscriber Data, including Subscriber Inputs and Outputs, to train, fine-tune, retrain, improve, or otherwise develop any machine learning model, artificial intelligence system, algorithm, or derivative technology. This prohibition is absolute. It is set forth in our Terms of Service and restated here for clarity.
Article III — How We Share Your Information
3.1 Service Providers (Subprocessors)
We share personal information with third-party service providers who perform services on our behalf, including cloud infrastructure providers, payment processors, analytics providers, and customer support tools. Each service provider is bound by written agreements imposing data protection obligations no less protective than those in this Privacy Policy.
3.2 Legal Requirements
We may disclose personal information if required by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, the safety of any person, or to detect and prevent fraud or security issues. Where legally permitted, we will provide you with advance notice of such disclosure.
3.3 Business Transfers
In connection with a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred to the acquiring entity. We will provide notice before your personal information becomes subject to a different privacy policy.
3.4 With Your Consent
We may share your information for any purpose disclosed to you at the time of collection with your consent.
3.5 No Sale of Personal Information
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding twelve (12) months.
Article IV — Data Retention
4.1 Subscriber Data
Subscriber Data (including Subscriber Inputs and Outputs) is retained in encrypted form during the active session and for the Retention Period specified in the applicable Terms of Service or Order Form (default: 30 days) following each session, solely to enable retrieval and download of Outputs. Upon expiration of the Retention Period, Subscriber Data is automatically and irreversibly purged from all active systems. Subscribers may trigger immediate deletion at any time through the Platform's data management interface.
Upon expiration or termination of a subscription, Subscriber Data is available for export for thirty (30) days and thereafter deleted within thirty (30) days, except to the extent retention is required by applicable law.
4.2 Account Information
We retain account information for as long as your account is active and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements. After account closure, we retain only the minimum information necessary for these purposes and delete the remainder.
4.3 Usage Data
Aggregate, de-identified usage data is retained for up to twenty-four (24) months for analytics and Platform improvement purposes. This data cannot be used to identify any individual or reconstruct any Subscriber Data.
Article V — Your Privacy Rights
5.1 Rights Under Applicable State Privacy Laws
Depending on your state of residence, you may have some or all of the following rights with respect to your personal information:
- Right to Know / Access. You have the right to know what personal information we collect, use, disclose, and retain about you, and to request a copy of that information in a portable format.
- Right to Delete. You have the right to request that we delete your personal information, subject to certain legal exceptions.
- Right to Correct. You have the right to request that we correct inaccurate personal information.
- Right to Opt Out of Sale/Sharing. You have the right to opt out of the sale of your personal information and the sharing of your personal information for cross-context behavioral advertising. We do not engage in either activity.
- Right to Opt Out of Targeted Advertising. You have the right to opt out of processing of your personal information for purposes of targeted advertising. We do not use personal information for targeted advertising.
- Right to Opt Out of Profiling. You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in such profiling.
- Right to Data Portability. You have the right to obtain your personal information in a portable, readily usable format.
- Right to Non-Discrimination. We will not discriminate against you for exercising your privacy rights. We will not deny services, charge different prices, or provide a different quality of service because you exercised a privacy right.
- Right to Appeal. If we deny your privacy rights request, you have the right to appeal that decision. See Section 5.4 below.
5.2 How to Exercise Your Rights
You may submit a privacy rights request by:
- Emailing us at privacy@zuben.ai;
- Using the privacy request form on our website; or
- Writing to us at our physical address.
We will verify your identity before processing your request. For access and deletion requests, we will verify your identity using at least two data points matching the information we maintain about you. If we cannot verify your identity, we will notify you and explain what additional information is needed.
5.3 Response Timelines
We will acknowledge your request within ten (10) business days and provide a substantive response within forty-five (45) calendar days of receipt. If we require additional time (up to an additional forty-five (45) days), we will notify you of the extension and the reason.
5.4 Appeal Process
If we deny your privacy rights request in whole or in part, we will provide a written explanation of the basis for the denial and instructions for submitting an appeal. You may appeal by emailing privacy@zuben.ai with the subject line "Privacy Rights Appeal." We will respond to your appeal within sixty (60) days. If we deny your appeal, we will provide you with information on how to contact your state's attorney general or other relevant regulatory authority.
5.5 Authorized Agents
You may designate an authorized agent to submit privacy rights requests on your behalf. Authorized agents must provide written proof of authorization (such as a power of attorney or a signed authorization form) and we may verify your identity directly before processing the request.
5.6 Universal Opt-Out Mechanisms
We honor Global Privacy Control (GPC) signals and other universal opt-out mechanisms recognized under applicable law. When we detect a GPC signal, we treat it as a valid opt-out request for the sale and sharing of personal information associated with that browser or device.
Article VI — Sensitive Data
6.1 Sensitive Personal Information
We do not intentionally collect sensitive personal information (as defined by applicable state privacy laws) directly from users as part of the account creation or subscription process. However, Subscriber Data uploaded to the Platform may contain sensitive personal information about the Subscriber's clients or other third parties. Zuben processes this information at the direction and on behalf of the Subscriber, who is responsible for obtaining any required consent for the processing of sensitive data.
6.2 Children's Information
The Platform is designed for use by licensed attorneys, law students, and legal professionals. It is not directed to individuals under the age of sixteen (16), and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will promptly delete it.
Article VII — Security
7.1 Security Safeguards
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, alteration, disclosure, and destruction. These safeguards are described in our Terms of Service and include encryption in transit and at rest, access controls, regular security assessments, incident detection and response procedures, and employee security training. Zuben is pursuing SOC 2 Type II certification. While we implement commercially reasonable security measures, no system is completely secure, and we cannot guarantee the absolute security of your information.
Article VIII — Automated Decision-Making Technology
8.1 How the Platform Uses Automated Processing
The Platform uses artificial intelligence and automated processing to generate Outputs (legal research, analysis, and work products) based on Subscriber Inputs. This processing is performed at the direction and under the supervision of the Subscriber and its Authorized Users, who are licensed attorneys responsible for independently reviewing, verifying, and approving all Outputs before use.
8.2 No Automated Decisions with Legal or Similarly Significant Effects
Zuben does not use automated decision-making technology to make decisions that produce legal or similarly significant effects on consumers without human involvement. All Outputs are advisory in nature and require human review and approval before use. The Platform does not make hiring decisions, credit decisions, insurance decisions, or other consequential determinations about individuals.
8.3 California ADMT Disclosure
To the extent the California Privacy Protection Agency's regulations on Automated Decision-Making Technology (ADMT) apply to the Platform, this Section 8 constitutes the required disclosure. Subscribers and Authorized Users have the right to opt out of ADMT and to request information about how the Platform's automated processing functions. Because all Platform Outputs require human review and approval by a licensed attorney before use, the Platform operates as a decision-support tool under attorney supervision, not as an autonomous decision-making system.
Article IX — State-Specific Disclosures
9.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the rights described in Article V, including the right to know, delete, correct, and opt out. The categories of personal information we collect, the purposes for which we use them, and the categories of third parties with whom we share them are described in Articles I, II, and III. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We retain personal information for the periods described in Article IV. You may contact us at privacy@zuben.ai to exercise your rights.
9.2 Texas Residents (TDPSA)
If you are a Texas resident, you have the right to access, correct, delete, and obtain a portable copy of your personal information, and to opt out of the processing of personal information for targeted advertising, the sale of personal data, or profiling. We do not sell personal data. We do not process personal data for targeted advertising. To exercise your rights, contact us at privacy@zuben.ai.
9.3 Maryland Residents (MODPA)
If you are a Maryland resident, we collect only the personal information that is reasonably necessary for the purposes disclosed in this Privacy Policy. We do not sell sensitive personal information. You have the rights described in Article V. To exercise your rights, contact us at privacy@zuben.ai.
9.4 Colorado, Connecticut, Virginia, Oregon, and Other State Residents
If you reside in a state with a comprehensive consumer privacy law (including Colorado, Connecticut, Virginia, Oregon, Montana, Delaware, New Hampshire, New Jersey, Indiana, Kentucky, Rhode Island, Iowa, Tennessee, Nebraska, Minnesota, Florida, and Utah), you have the rights described in Article V to the extent provided by your state's law. To exercise your rights, contact us at privacy@zuben.ai. If we deny your request, you may appeal in accordance with Section 5.4.
Article X — International Users
10.1 Cross-Border Data Transfers
The Platform is operated from the United States and is designed for use by attorneys licensed in the United States. If you access the Platform from outside the United States, your information may be transferred to, stored in, and processed in the United States, where privacy laws may differ from those in your jurisdiction. By using the Platform, you consent to such transfer, storage, and processing.
Article XI — Changes to This Privacy Policy
11.1 Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform functionality. We will provide notice of material changes by posting the revised policy on our website with an updated "Last Updated" date and, for material changes, by sending email notice to the address associated with your account at least thirty (30) days before the changes take effect. Your continued use of the Platform after the effective date of the revised policy constitutes acceptance. If you do not agree to the changes, you may terminate your subscription in accordance with the Terms of Service.
Article XII — Contact Us
12.1 Privacy Inquiries
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:
QuillanAI Inc. d/b/a Zuben
Email: privacy@zuben.ai