Privacy Policy
Last updated: March 21, 2026. This policy describes how Ars Lex Associate ("the Service"), a Microsoft Word add-in operated by arslex, lc, collects, uses, and protects your information.
What is Ars Lex Associate?
Ars Lex Associate is a Microsoft Word add-in that provides AI-assisted litigation support, including document search, citation formatting, deposition digestion, complaint analysis, and brief drafting. The add-in runs within Microsoft Word and communicates with our backend servers to process documents and generate results.
Deployment options
Cloud (arslex.ai)
We host the service on Amazon Web Services (AWS) infrastructure in the United States. Your data is processed on our servers and stored in our database and vector search engine.
On-Premises
You host the service entirely on your own infrastructure. Your data never leaves your network. We have no access to your data, documents, or usage information.
Data we collect (Cloud deployment)
Account information
When you create an account, we collect your name, email address, and organization name. If you enable two-factor authentication (MFA), we store an encrypted TOTP secret. Passwords are stored as bcrypt hashes and are never stored in plaintext.
Documents you upload
When you upload PDF documents through the add-in, we process them to extract text, generate search embeddings (numerical vector representations), and store the results for search and citation purposes. The original PDF files are stored temporarily during processing and may be retained for the duration of your subscription to support features like document viewing.
Project and organizational data
We store the client, matter, and project structure you create within the Service, as well as outlines, allegation responses, and statement of facts content you generate.
Usage data
We collect basic usage logs (API requests, timestamps, error events) for debugging and service reliability. We do not track browsing behavior, keystrokes, or the content of your Word documents beyond what you explicitly upload or generate through the add-in.
Local storage
The add-in uses your browser's localStorage to cache authentication tokens, user preferences (citation format, display settings), and UI state. This data remains on your device and is not transmitted to our servers except as needed to authenticate API requests.
How we use your data
We use your data solely to provide and operate the Service:
- Process uploaded documents for search, citation extraction, and AI-assisted drafting
- Generate embeddings (vector representations) for semantic search
- Authenticate your identity and enforce access controls
- Send transactional emails (account verification, password reset, invitations)
- Monitor service health and diagnose errors
We do not use your data to train AI models. We do not sell, rent, or share your data with third parties for their own purposes.
Third-party services
The cloud Service uses the following third-party providers to operate:
- OpenAI API — We send document excerpts (not full documents) to OpenAI's API for text embedding and AI-assisted text generation. OpenAI's API terms prohibit use of business data for model training. We use only the enterprise API, not consumer ChatGPT.
- Amazon Web Services (AWS) — Hosts our backend servers, database (RDS PostgreSQL), and infrastructure. Data is encrypted in transit and at rest.
- Resend — Sends transactional emails (verification, password reset). Only receives email addresses, not document content.
- Vercel — Hosts the static frontend for the add-in (word.arslex.ai). No user data is stored on Vercel.
Data isolation
All data is isolated per tenant (organization). Users in one organization cannot access, search, or view data belonging to another organization. Within an organization, data is further scoped by project — documents uploaded to one project are not visible in other projects. This isolation is enforced at the database and search engine level and has been verified through automated testing.
Data storage & security
- Data is encrypted in transit (TLS/HTTPS) and at rest (AWS encryption)
- Passwords are hashed using bcrypt
- MFA secrets are encrypted using a key derived from the application secret
- Authentication uses signed JSON Web Tokens (JWT) with configurable expiration
- Database backups are automated and retained for 7 days
- The Service enforces role-based access control (admin and member roles per organization)
Retention & deletion
Account data is retained for the duration of your subscription. You may request deletion of your account and all associated data at any time by contacting admin@arslex.ai. Upon account deletion, we will remove your personal information, documents, and project data from our systems within 30 days. Automated database backups containing your data will expire within 7 days of deletion.
Your rights
You have the right to:
- Access your personal data and request a copy
- Correct inaccurate personal data
- Request deletion of your account and data
- Object to processing of your data
- Export your data in a portable format
To exercise any of these rights, contact admin@arslex.ai.
Children's privacy
The Service is intended for use by legal professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.
Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or a notice within the Service. Continued use of the Service after changes constitutes acceptance of the updated policy.
Contact
Questions about this policy? Contact us at admin@arslex.ai.
arslex, lc
Email: admin@arslex.ai