Privacy Policy
Introduction
LawCoach AI (“we,” “us,” or “Company”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and related services (the “Service”).
LawCoach AI is incorporated in Delaware and operates from New York, United States. If you have questions, contact us at privacy@lawcoach.ai.
Information We Collect
2.1 Information You Provide
Account Information:
- Email address (required)
- Name (optional)
- Law school name (optional)
- Year of study (optional)
Study and Coaching Data:
- Practice session content (fact patterns, your answers, AI feedback)
- Coaching conversation history
- Weakness tracking data (subjects and topics where your accuracy is low)
- Session counts and scores
Payment Information:
Payment processing is handled by Stripe. We do not store your credit card number, CVV, or full card details. We store only your Stripe customer ID and subscription status. Stripe is PCI DSS Level 1 certified.
Communications:
Emails, support requests, and feedback you send us.
2.2 Information Collected Automatically
Device and Usage Data:
- IP address (anonymized for analytics)
- Browser type, device type, and operating system
- Pages visited, features accessed, session duration
- Referring URL
Cookies and Tracking Technologies:
- Essential cookies: Session tokens for authentication (Supabase), CSRF protection. Required for the Service to function.
- Analytics cookies: We use privacy-focused analytics to understand usage patterns. IP addresses are anonymized.
- Preference cookies: Your settings (dark mode, subject preferences).
We do not use third-party advertising cookies. We do not serve ads. See Section 11 for cookie controls.
2.3 Inferred Data
Weakness Profiling Data:
We derive weakness profiles from your practice session performance. This includes subjects where you score below your baseline, topics with recurring errors, and patterns in incorrect answers. This data is generated by our system, not directly provided by you, and is treated as sensitive academic data. See Section 5 for details.
Legal Basis for Processing (GDPR)
For users in the European Union, United Kingdom, and similar jurisdictions, we process personal data on the following lawful bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Contractual necessity |
| Delivering practice sessions and coaching | Contractual necessity |
| Processing payments | Contractual necessity |
| Weakness profiling for personalized questions | Legitimate interest (improving your learning outcomes) |
| Usage analytics and performance monitoring | Legitimate interest (Service improvement and security) |
| Breach notification and security | Legal obligation |
| Marketing and promotional emails | Consent (opt-in only) |
| AI model training with your data | Consent (opt-in only; off by default) |
For processing based on legitimate interest, we have conducted balancing tests and determined that our interests do not override your rights, given the educational nature of the Service, the sensitivity controls we apply, and your ability to object. Contact privacy@lawcoach.ai to request details of our legitimate interest assessments.
How We Use Your Information
Core Service Delivery:
- Create and maintain your account
- Generate practice questions and AI-powered coaching feedback
- Track your progress and identify weakness areas
- Deliver personalized study recommendations based on your performance
- Process payments and manage subscriptions
Service Improvement:
- Understand usage patterns and optimize performance
- Fix bugs and improve features
- Monitor security and detect abuse
Communications:
- Account and transactional notifications (password resets, billing, subscription updates)
- Security alerts and breach notifications
- Responses to support requests
- Marketing emails (only if you opt in; unsubscribe anytime)
Weakness Profiling and Automated Decision-Making
5.1 What We Do
LawCoach AI analyzes your practice answers to identify areas where you struggle and generates personalized question recommendations. Specifically:
- We analyze patterns in your incorrect responses
- We group weaknesses by subject area and topic
- We prioritize practice questions in your weak areas
- We adjust question difficulty based on your performance
5.2 Impact
This profiling determines which questions you see and which topics the Service prioritizes. It is designed to accelerate your learning. It does not determine enrollment, grading, bar admission, or any outcome outside this Service.
5.3 Your Rights
Under GDPR (Article 22): You have the right to not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. You may request human review of algorithmic recommendations by contacting privacy@lawcoach.ai.
Under CCPA: You can request the logic, significance, and consequences of this profiling.
Opting Out: You can disable automated recommendations by manually selecting study topics in your account settings. This does not affect your access to all available study materials.
5.4 Protections
Weakness profiling data is:
- Never shared with third parties (including your law school, unless you are on an institutional license and consent)
- Encrypted at rest and in transit
- Subject to the same access controls as all user data
- Deletable on request
AI Model Training
Default: Your data is NOT used for AI training.
We do not use your submitted answers, uploaded content, coaching conversations, or practice session data to train AI models unless you explicitly opt in.
Opt-in mechanism: A clearly labeled, unchecked toggle in your account settings under “Privacy Preferences.” Enabling it requires a confirmation step.
If you opt in:
- Only anonymized, de-identified data is used
- You may withdraw consent at any time via the same toggle
- Withdrawal applies prospectively; data already incorporated into models before withdrawal may remain, but no new data will be collected
- Consent is logged with timestamp for compliance
Data Sharing
We do not sell your personal information. We share data only with the following service providers, under Data Processing Agreements:
| Vendor | Service | Data Shared | Location | DPA |
|---|---|---|---|---|
| Supabase | Database hosting, authentication | Account data, study data, all user records | United States | Yes |
| Vercel AI Gateway / AI Providers | AI model API for grading and coaching | Practice answers, coaching queries (sent for processing, not retained for training) | United States | Yes |
| Stripe | Payment processing | Billing name, email, transaction metadata | United States | Yes |
| Vercel | Application hosting | Request logs, IP addresses (transient) | United States | Yes |
All processors are contractually required to protect your data and process it only per our instructions.
Business Transfers: If LawCoach AI undergoes a merger, acquisition, or asset sale, your data may be transferred. We will provide 30 days' notice before your data becomes subject to a different privacy policy.
Legal Compliance: We disclose data when required by law (subpoenas, court orders, government requests). We will notify you unless legally prohibited.
Aggregated Data: We may share aggregated, anonymized statistics that cannot identify you (e.g., “65% of users struggle most with Evidence”).
Cross-Border Data Transfers
LawCoach AI's infrastructure is hosted in the United States. If you are located in the EU, UK, or another jurisdiction with data transfer restrictions:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to the United States
- Our Data Processing Agreements with sub-processors include SCC provisions
- We have conducted Transfer Impact Assessments for US-based transfers
- Supplementary measures include encryption of data in transit and at rest, access controls, and contractual restrictions on sub-processor data use
You may request a copy of our SCCs or transfer documentation by contacting privacy@lawcoach.ai.
Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (email, profile) | Until you delete your account | Service delivery |
| Practice session data (answers, feedback) | 180 days after creation, then auto-deleted | Storage limitation |
| Coaching conversation history | 180 days from last session | Storage limitation |
| Weakness profiling data | Until you delete your account or request removal | Service delivery |
| Payment records | 7 years | Tax/legal compliance |
| Usage analytics | 13 months | Service improvement |
| Support tickets | 2 years after resolution | Dispute resolution |
| AI training opt-in data | 24 months from collection, then deleted | Model improvement |
Deletion Process: After retention periods expire, data is securely deleted. Upon account deletion, all associated data is permanently removed within 30 days, except records we are legally required to retain.
Data Export: You may export your practice history and feedback at any time through your account settings.
Data Minimization: We collect only what is necessary for the Service. We do not require phone numbers, precise geolocation, social media profiles, or non-essential demographic information.
Data Security
Technical Safeguards:
- All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Authentication handled by Supabase with industry-standard security
- Row Level Security (RLS) in the database ensures users can only query their own records. RLS does not prevent authorized LawCoach AI staff from accessing data for support or debugging; all staff access is logged.
- Automated monitoring for suspicious access patterns
Organizational Safeguards:
- Regular security reviews and penetration testing of our infrastructure
- Privacy-by-design principles in product development
- Vendor security reviews
Limitations: No security measure is completely foolproof. You are responsible for keeping your login credentials confidential.
Reporting Vulnerabilities: Report security concerns to security@lawcoach.ai. We will investigate within 48 hours.
Cookies and Tracking Technologies
Essential Cookies (always active):
- Supabase session tokens for authentication
- CSRF protection tokens
- User preference storage
Analytics Cookies (can be declined):
- Privacy-focused usage analytics with anonymized IP addresses
- Feature adoption and session duration tracking
We do not use:
- Third-party advertising cookies
- Cross-site tracking pixels
- Social media tracking widgets
Cookie Control:
- EU users: A cookie consent banner is displayed before non-essential cookies are set
- All users: You can decline analytics cookies via your browser settings
- We honor Do Not Track (DNT) browser signals for analytics cookies
Your Privacy Rights
12.1 All Users
Regardless of your location, you have the right to:
- Access: Request a copy of all data we hold about you
- Delete: Delete your account and all associated data
- Export: Download your practice history, feedback, and profile data
- Correct: Update your profile information at any time
- Opt Out: Opt out of non-essential communications and AI training
12.2 EU/EEA/UK Users (GDPR)
In addition to the above:
- Right to Restrict Processing (Article 18): Request that we limit processing while you dispute accuracy or lawfulness
- Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format (CSV/JSON)
- Right to Object (Article 21): Object to processing based on legitimate interests, including profiling
- Automated Decision-Making (Article 22): See Section 5 for your rights regarding weakness profiling
- Right to Lodge a Complaint: You may lodge a complaint with your national Data Protection Authority. DPA Directory
Timeline: We respond to GDPR requests within 30 days (extendable by 60 days for complex requests, with notice).
12.3 California Residents (CCPA/CPRA)
Right to Know (§ 1798.100): You can request what personal information we collect, the categories of sources, business purposes for collection, and categories of third parties with whom we share data.
Right to Delete (§ 1798.105): You can request deletion of your personal information, subject to legal exceptions.
Right to Correct (CPRA): You can request correction of inaccurate data.
Right to Opt Out of Sale/Sharing (§ 1798.120): We do not sell your personal information. We do not share your data for cross-context behavioral advertising.
Right to Limit Use of Sensitive Data (§ 1798.121): We only collect sensitive data with your explicit consent.
Non-Discrimination (§ 1798.125): We will not discriminate against you for exercising your rights.
Verification: To submit a request, email privacy@lawcoach.ai. We verify your identity by confirming your account email. We may request additional information if needed.
Timeline: We acknowledge requests within 10 business days and respond substantively within 45 calendar days (extendable by 45 days with notice).
12.4 Other US State Laws
We comply with privacy laws in Virginia, Colorado, Connecticut, and other states with consumer privacy legislation, applying the most protective standard.
12.5 How to Submit Requests
Email privacy@lawcoach.ai with:
- Subject line: “Data Rights Request”
- Your name and account email
- The specific right(s) you wish to exercise
We respond within 10 business days to confirm receipt and provide a timeline. No fee unless a request is manifestly unfounded or excessive.
FERPA Considerations
13.1 Direct-to-Consumer Use
LawCoach AI is primarily a direct-to-consumer service. If you subscribe individually (not through your law school), FERPA does not directly apply to our processing of your data. However, we implement FERPA-aligned practices:
- We do not share your academic performance data with your institution
- Your practice scores and weakness data are private to your account
- We implement encryption at rest and in transit
13.2 Institutional Licenses
If your law school provides access to LawCoach AI through an institutional license:
- We execute a FERPA-compliant Data Processing Agreement with the institution before any data sharing occurs
- The DPA specifies what data is shared, retention periods, security requirements, and your rights
- Your law school may receive aggregate class performance data (no individual identifiers) unless you consent otherwise
- Your coaching conversation transcripts are not shared with your institution without your explicit consent
- Contact privacy@lawcoach.ai to request a copy of your institution's DPA
Data Breach Notification
14.1 Our Response
If we discover unauthorized access, disclosure, or loss of personal data, we will:
- Investigate the breach immediately
- Determine the scope and categories of affected data
- Implement measures to contain and remediate the breach
- Notify affected users and regulators as required
14.2 Notification Timelines
EU/EEA Users (GDPR): We will notify the relevant Data Protection Authority without undue delay, and no later than 72 hours from discovery. We will notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
California Residents (CCPA): We will notify affected residents in the most expedient time possible and without unreasonable delay.
All Users: We will notify you by email and, if necessary, by prominent notice on our website.
Notice will include: Nature of the breach, categories of data affected, likely consequences, measures taken to address the breach, and contact information.
Confidential Materials Warning
DO NOT upload confidential, privileged, or attorney-client protected materials to the Service. This includes but is not limited to: client files from legal clinics, documents subject to attorney-client privilege, materials under protective orders, or any content you have a legal obligation to keep confidential.
By uploading any material, you represent that you have the right to share it and that sharing does not violate any law, contract, or professional responsibility obligation. Uploading privileged material to a third-party service may constitute waiver of privilege.
If you inadvertently upload confidential material, contact us immediately at privacy@lawcoach.ai. We will delete it as soon as practicable, typically within 24 hours.
Children's Privacy
The Service is intended for law students who are 18 years of age or older. We do not knowingly collect information from children under 18.
During account creation, users must confirm they are 18 or older. If we discover we have collected data from a user under 18 without appropriate consent, we will delete their data within 30 days and deactivate the account.
Third-Party Links
The Service may contain links to third-party websites and resources (case law databases, law review articles, study guides). We are not responsible for their content or privacy practices. Review their privacy policies before providing them your information.
Changes to This Policy
We may update this Privacy Policy periodically. Material changes (expanded data collection, new third-party sharing, changes to retention periods or your rights) will be communicated via email at least 30 days before taking effect. Non-material changes (clarifications, formatting) are effective upon posting.
If you disagree with material changes, you may delete your account before they take effect. Continued use after changes take effect constitutes acceptance.
Previous versions are available upon request from privacy@lawcoach.ai.
Governing Law
This Privacy Policy is governed by the laws of the State of New York, United States. For EU/EEA residents, GDPR and applicable national data protection laws supersede this policy to the extent of any conflict. You retain the right to lodge complaints with your local Data Protection Authority.
Contact
Privacy Questions & Data Requests: privacy@lawcoach.ai
Security Reports: security@lawcoach.ai
General Support: support@lawcoach.ai
Mail:
LawCoach AI
Attn: Privacy Team
New York, NY, United States
We aim to respond to all inquiries within 10 business days.
© 2026 LawCoach AI. All rights reserved.