Ars Lex Associate — Privacy Policy
Version: 2026-06-01. This page is the canonical published copy of the Privacy Policy for Ars Lex Associate.
Introduction
This Privacy Policy describes how ARSLEX LC ("Ars Lex," "we," "us," "our"), a Wyoming limited liability company, collects, uses, retains, and protects personal data and other information in connection with Ars Lex Associate (the "Service"). This Privacy Policy supplements, and should be read together with, our Terms of Service (the "Terms"), available at arslex.ai/terms. Capitalized terms not defined here have the meanings given in the Terms.
Geographic scope. The Service is offered to customers whose verified billing address is in the United States, and is intended for use from within the United States. We do not market the Service to, and we make no representations regarding compliance with the laws of, the European Union, European Economic Area, United Kingdom, Switzerland, or any other jurisdiction outside the United States. Use of the Service from outside the United States is at the user's sole risk.
1. What is Ars Lex Associate
Ars Lex Associate is a Microsoft Word add-in providing AI-assisted litigation support for legal professionals and legal trainees, including document upload and search, citation extraction and formatting, deposition digestion, complaint analysis, and brief drafting. The add-in runs within Microsoft Word and communicates with our backend (operated on Amazon Web Services) to process documents and generate AI-derived outputs.
The Service is not a lawyer, does not provide legal advice, and does not form an attorney-client relationship with anyone. See the Terms, Sections 7 and 16, for the full responsibility and disclaimer framing.
2. Categories of data we collect
2.1 Account data
When you create an account or are invited to a Customer account, we collect: your name; email address; organization name; role within the organization; preference flags (display settings, citation format defaults); and the timestamp and provenance of your acceptance of the Terms (IP address, user agent, version of the Terms accepted, and your responses to the acceptance attestations).
If you enable multi-factor authentication ("MFA"), we store an encrypted TOTP secret. Passwords are stored only as bcrypt hashes — we never store plaintext passwords.
2.2 Documents and Customer Content
When you upload documents through the add-in (PDFs, depositions, complaints, etc.), we extract text from each document, generate vector embeddings ("chunks") for search and retrieval, and store both the structured records (filename, document type, project association, page count, etc.) and the chunked text in our backend. Original PDF files are retained for the duration of your subscription (subject to the retention policies described in Section 5) to support features such as document viewing and re-indexing.
"Customer Content" as used here means the same as in the Terms: anything you upload, paste, generate, store, or transmit through the Service.
2.3 Project and matter structure
We store the client, matter, project, outline, allegation-response, and statement-of-facts records you create within the Service, along with metadata indicating when each record was created or modified and by whom.
2.4 Generated work product
We store the AI-derived outputs you generate within the Service — completed brief sections, deposition digests, complaint parses, search results, citation lists, statements of fact, and so forth — together with the inputs (chunks of Customer Content) that the Service used to produce them. We retain this record so that you can re-open prior work and so that we can comply with the Terms' integrity and audit obligations.
2.5 Billing data
If you have a paid subscription, our payment processor (Stripe) collects and stores cardholder data directly within Stripe's PCI-DSS Level 1 environment. We receive only a Stripe customer ID, a subscription ID, the last four digits of the card on file, and invoice records — we do not see or store raw card numbers, CVCs, or full billing addresses.
2.6 Operational telemetry
We collect basic operational logs from API requests (request path, response code, timestamp, request size, error events) for the purposes of debugging, security monitoring, and abuse prevention. We do not log the body of requests that contain Customer Content in production. We do not track browsing behavior, keystrokes within Word, or the content of your Word documents beyond what you explicitly upload or generate through the Service.
2.7 Local storage on your device
The add-in uses your browser's sessionStorage and in-memory state to cache authentication tokens, user preferences, and UI state. This data remains on your device and is not transmitted to our servers except as needed to authenticate API requests. We do not store long-lived tokens in browser localStorage (per the Office add-in iframe-based session architecture).
3. How we use your data
We use your data solely to operate and improve the Service for you and other Customers:
- Process documents you upload for text extraction, citation extraction, deposition digestion, and AI-assisted drafting
- Generate vector embeddings to support search across your documents
- Authenticate your identity and enforce access controls (including project and tenant-level scoping)
- Send transactional emails (account verification, password reset, MFA codes, invitations, billing receipts, security notices)
- Monitor service health, debug errors, and detect abuse
- Bill subscriptions and reconcile payments through Stripe
- Maintain records required for compliance with the Terms, including the acceptance attestations and any retention or deletion audit trail
We do not use Customer Content to train AI models. We do not use Customer Content for any purpose other than to deliver the Service to you and to fulfill the obligations described in this Privacy Policy and the Terms. We do not sell, rent, or share your data with third parties for their own commercial purposes.
4. Third-party subprocessors
The Service is delivered using a small number of third-party providers ("Subprocessors") that process Customer Content or personal data on our behalf. The current list — including the role, data categories, and processing region for each — is maintained at arslex.ai/subprocessors and is also available on written request to legal@arslex.ai.
Summary as of this Privacy Policy's effective date:
- Amazon Web Services, Inc. — Backend hosting, managed database, storage, operational logging
- OpenAI, L.L.C. — Large-language-model inference and embeddings
- Resend, Inc. — Transactional email delivery
- Stripe, Inc. — Payment processing and subscription billing
- Microsoft Corporation — Inbound and outbound email for our legal@, admin@, and similar role aliases
Where commercially available under the applicable provider plan, we configure each Subprocessor to use available training-opt-out, enterprise-tier, modified-abuse-monitoring, or zero-retention settings. OpenAI's API does not use API submissions for model training, and we have configured our OpenAI integration accordingly.
Material additions or substitutions of Subprocessors will be communicated under Section 14 of the Terms. The Subprocessor list at arslex.ai/subprocessors is the authoritative current version.
5. Retention and deletion
We retain Customer Content and personal data only as long as needed to provide the Service to you and to satisfy the audit and compliance obligations described in this section and in the Terms.
5.1 Per-document-type retention windows
Each Customer's tenant can configure separate retention windows for different categories of content (uploaded documents, depositions, brief outlines, generation history, citation usage). By default, depositions — which contain unredacted witness testimony often subject to court protective orders — are configured with a shorter retention window than public-record content (filed cases, published opinions, filed pleadings). Generation outputs that consumed deposition material inherit the deposition retention window so that derivative content does not outlive its source.
An automated purge job runs daily, deletes content whose retention window has expired, and writes an audit row for each deletion. Deletions are propagated across the relational database, the vector index, and underlying file storage.
5.2 Customer-initiated deletion
You may delete a project, a document, or your entire account at any time. Deletion is a hard delete: the record is removed from the relational database and the corresponding chunks are removed from the vector index. File storage is purged on the next sweep. Database backups created before the deletion will continue to contain the data until those backups expire under their own retention schedule (currently up to seven days for automated managed-database snapshots).
The Service does not maintain a long-term archive of deleted Customer Content. Our retention model is built around the processing window — when retention expires, work product evaporates and we expect Customers to refer back to their own document management system, shared drive, or local copies as the long-term record.
5.3 Audit log retention
The audit log of deletion events and other security-relevant actions is retained for as long as needed to support the Service's integrity obligations and is itself subject to a tenant-configurable retention window.
5.4 Database backups
Automated database backups are retained for up to seven days. Backups are encrypted at rest using AWS-managed encryption keys.
5.5 Subscription-cancellation behavior
If a Customer cancels its subscription, account data and Customer Content remain accessible for the remainder of the paid period and then enter the retention windows described above. Customers seeking immediate export of their data on cancellation should contact legal@arslex.ai per Section 8.
6. Confidentiality of deposition content in logs
Our production backend logs do not include deposition transcript text, deposition filenames, witness names, or AI-derived excerpts of deposition content. Deposition operations are logged by internal UUID only. This is enforced at the logger / formatter level and tested in our continuous-integration pipeline.
7. Tenant isolation
All Customer Content and account data is isolated per tenant. Users in one Customer's tenant cannot access, search, or view data belonging to another tenant. Within a tenant, data is further scoped by project — documents uploaded to one project are not visible from another project unless the user has been explicitly added to that project. Tenant isolation is enforced at the database, file-storage, and vector-index level and is exercised by automated tests on every deployment.
8. Your rights
You may:
- Access your account data and request a copy of the personal data we hold about you
- Correct inaccuracies in your account data
- Delete your account and all associated Customer Content (self-service via the add-in settings panel; tenant-wide deletion is available through the tenant-admin panel or by contacting legal@arslex.ai)
- Object to specific processing of your data, by contacting legal@arslex.ai
For rights other than self-service deletion, please contact legal@arslex.ai. We will respond to verifiable requests within a reasonable time and in any event no later than thirty (30) days from receipt.
Structured data export ("portability") is on our roadmap. In the interim, we will fulfill verifiable export requests by hand on contact.
9. Security
We protect Customer Content and personal data using industry-standard administrative, technical, and physical safeguards, including:
- Encryption in transit — all communication with the Service is over TLS (HTTPS)
- Encryption at rest — application storage, the managed PostgreSQL database, and all snapshots and backups are encrypted using AWS-managed encryption keys (AES-256)
- Password storage — bcrypt hashes only, never plaintext
- MFA secret encryption — TOTP secrets are encrypted at rest using a key derived from our application secret
- Session authentication — short-lived signed bearer tokens with refresh-token rotation; long-lived tokens are not stored in browser localStorage for our Office add-in surface
- Role-based access control — tenant-admin and member roles, enforced at the API layer
- Rate limiting — API endpoints subject to per-user and per-tenant rate limits to deter abuse and brute-force attacks
- Production monitoring — independent health checks via AWS CloudWatch and Route 53 alarming to a verified SES delivery channel, with mobile push notifications on alert events
No system is perfectly secure. If a security incident affects your personal data, we will notify you in accordance with applicable law, as described in Section 13 of the Terms.
10. AI-specific considerations
Because the Service uses third-party large-language-model providers (currently OpenAI) to produce AI-derived outputs, please be aware of the following:
- Transit of Customer Content to providers. Portions of every document you upload may be transmitted, in chunks, to our LLM provider's API at the time you query, search, or generate content using the Service. This is the standard pattern for retrieval-augmented generation.
- No training on Customer Content. Our LLM provider does not use API submissions to train its models, and we do not opt in to any setting that would enable such training. See Section 4 of this Privacy Policy and Section 5 of the Terms.
- Provider-side retention windows. Our LLM provider retains API inputs and outputs for up to thirty (30) days for abuse-monitoring purposes, after which they are deleted from the provider's systems. We will update this section if we obtain stricter (Zero-Data-Retention) commitments from our provider.
- AI-output fallibility. AI outputs may be incomplete, inaccurate, outdated, or fabricated. You are responsible for independently reviewing and verifying every AI-derived output before relying on it. See Section 7 of the Terms.
11. Children's privacy
The Service is intended for use by legal professionals and legal trainees and is not directed to children under thirteen (13). The Service may not be used by anyone under the age of eighteen (18) unless expressly authorized by Ars Lex in connection with an approved educational or organizational account. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it promptly.
12. ABA Model Rules alignment
The Service is architected with the American Bar Association's Model Rules of Professional Conduct in mind, particularly:
- Rule 1.1 (Competence) and Comment 8 (technology competence) — we provide accurate documentation, recoverable processing pipelines, and visibility into how the Service uses Customer Content
- Rule 1.6 (Confidentiality) — tenant isolation, encryption, retention windows, and an absence of model training are intended to support attorneys' confidentiality obligations
- Rule 5.3 (Responsibilities regarding nonlawyer assistance) — we operate as a software vendor, do not exercise professional judgment, and rely on you to supervise the Service's outputs the same way you would supervise nonlawyer staff
Use of the Service does not, by itself, satisfy any specific ethics obligation. You remain responsible for confirming that your use of the Service complies with the ethics rules and practice-of-law restrictions of your jurisdiction.
13. Compliance posture
- SOC 2 Type I — planned. We are tracking controls aligned to the AICPA Trust Services Criteria as we prepare for an external audit. We will update this Privacy Policy when audit reports become available.
- SOC 2 Type II — planned, following Type I.
- HIPAA — not applicable. The Service is not designed, marketed, or warranted for protected health information ("PHI") under HIPAA. PHI must not be uploaded to the Service.
- GDPR / UK GDPR / Swiss FADP — the Service is not directed to data subjects in the EEA, UK, or Switzerland; please see the "Geographic scope" statement at the top of this Privacy Policy. We will nevertheless honor verifiable data-subject access and deletion requests by hand on contact to legal@arslex.ai.
14. Cookies and similar technologies
The Service uses only cookies and similar technologies strictly necessary to deliver the Service: session authentication, MFA state, CSRF protection, and similar mechanics. We do not use third-party analytics, advertising, or social-media tracking cookies on the add-in surface. The marketing site at arslex.ai may use basic, first-party server log statistics; it does not use cross-site advertising trackers.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address on file for your account, or via a notice within the Service, at least the notice period required by Section 25 of the Terms (Changes to These Terms) before the change takes effect. The "Version" date at the top of this document is the authoritative version reference. Continued use of the Service after a material change takes effect constitutes acceptance of the updated Privacy Policy.
16. Contact
Questions, requests under Section 8, or other matters related to this Privacy Policy:
Email: legal@arslex.ai
Mailing address:
ARSLEX LC
30 N Gould St Ste R
Sheridan, WY 82801
United States
We are a small organization. We will respond to verifiable requests within a reasonable time and in any event no later than thirty (30) days from receipt.