Privacy Policy

Effective date: April 19, 2026

Last updated: May 15, 2026

This Privacy Policy and our Terms of Service are provided in plain language for clarity. They are legally binding documents. If you do not agree, please do not use LawEngine.

A plain-English note before the legal part

Here is the short version of this policy:

• We collect what we need to run the Service. Your email and name so you can sign in, your IP address in hashed form so we can detect abuse, and the queries, citations, answers, and receipts you send us or receive from us — because that is the Service.
• We track public acquisition pages differently from legal-input product routes. Marketing and attribution tools may run on landing/proof pages. Search, Verify, Verify Brief, auth, and legal/system routes use first-party product/audit logging and should not load ad-tech or CRM tracking scripts.
• Do not submit sensitive material unless you are authorized to share it. Public/demo pages are not a private client workspace. Do not submit confidential client facts, privileged material, trade secrets, health information, or client-identifying information unless you are authorized to share it with LawEngine.
• We do not sell your submitted legal work. We do use analytics and marketing vendors on acquisition surfaces. We do not intentionally send raw submitted legal text, uploaded files, extracted text, search query strings, Search Answer answers, citations, quote receipts, statuses, or full verification/search responses to marketing analytics vendors.
• We use a defined set of vendors: Clerk for sign-in, Supabase for the account database, Vercel for hosting and web analytics, Plausible for product analytics, CookieYes for consent management, Google Tag Manager and Google Analytics for attribution/funnel analytics, LinkedIn Insight Tag for marketing attribution and retargeting, RB2B for B2B visitor identification, and HubSpot for contact management and marketing follow-up.
• If you want your data out, or want to know what we have, email stephen@lawengine.ai. A human reads it.

If you want the full version, keep reading.

1. Who we are

This Privacy Policy explains how I'm No Lawyer LLC, an Illinois limited liability company ("Company," "we," "us," or "our"), collects, uses, shares, and protects information in connection with LawEngine (the "Service"), accessible at lawengine.ai.

Questions about this policy or your data can be directed to stephen@lawengine.ai.

2. What we collect

2.1 Information you provide

When you create an account through our authentication provider, Clerk, we collect:

• Email address
• First name
• Last name

If you contact us by email, we collect whatever you choose to include in your message.

2.2 Information we collect automatically

When you use the Service, we collect technical information, including:

• IP address, stored in hashed form, used for rate-limiting and abuse detection.
• User agent (browser and device information).
• Referer URL (the page that sent you to us, when your browser sends it).
• Landing-page, campaign, and attribution information, including UTM parameters and similar referral metadata when your browser sends it.
• Timestamps of requests to the Service.
• Session and authentication tokens issued by Clerk for the duration of your session.
• Analytics and marketing identifiers set or read by our analytics, attribution, retargeting, and B2B visitor-identification vendors on public/demo surfaces.

2.3 Information about your use of the Service

Because LawEngine is a research tool, the core of what we collect is what you ask the Service to do. That includes:

• Verification queries — the citations, quotes, or text you submit for verification.
• Verification results — what the Service returned in response.
• Search Answer questions and responses — raw submitted research questions, any confirmed interpreted question, public answer text, citations, quote receipts, answer statuses, result counts, warning counts, and related error/status payloads.
• Uploaded verification documents — if you use a document-upload verifier such as Verify Brief, we may retain the original uploaded file, extracted text, cryptographic hashes of the file and outputs, extraction metadata, verifier outputs, and related request metadata.
• Usage metadata — the timing, frequency, and pattern of your queries.
• Public/demo analytics events — page views, route changes, CTA clicks, navigation clicks, sample/example clicks, verifier submissions, verifier success/error/limit states, upload attempts, search usage, sign-in/sign-out attempts, and request-access form events. These events may include metadata such as route, referrer, campaign source, file type, file size, text length, word count, status, and success/failure flags.

We treat query content as sensitive. See Section 4 for how we use it and Section 6 for how long we keep it.

2.4 Information we do not intentionally send to marketing analytics vendors

• We do not intentionally send raw submitted legal text to Google Analytics, LinkedIn, RB2B, Plausible, or similar marketing analytics vendors.
• We do not intentionally send uploaded files, extracted document text, Search Answer answer markdown, citations, quote receipts, or full verifier/search response content to marketing analytics vendors.
• We do not intentionally send raw search query strings to marketing analytics vendors.
• We do not collect precise geolocation.
• We do not collect payment-card data directly; if we add paid plans in the future, payments will run through a PCI-compliant processor (likely Stripe), and our policy will be updated to describe it.

3. Cookies and similar technologies

We use cookies, pixels, scripts, local/session identifiers, and similar technologies to run the Service and measure acquisition behavior. Specifically:

• Authentication session cookies set by Clerk, used to keep you signed in.
• Strictly necessary hosting and security technologies used by our infrastructure providers.
• Usage measurement through Vercel Web Analytics and Plausible.
• Consent management through CookieYes.
• Analytics and marketing attribution through Google Tag Manager and Google Analytics.
• Marketing attribution and retargeting through the LinkedIn Insight Tag.
• B2B visitor identification through RB2B on public/demo surfaces.
• Contact-management and marketing-follow-up tooling through HubSpot.

These tools help us understand how people reach LawEngine, which public/proof pages they use, where the funnel breaks, and which campaigns or referrals lead to signups, access requests, or deeper product use. Legal-input product routes use first-party product/audit logging for service-integrity, support, abuse investigation, and product-improvement purposes instead of ad-tech or CRM scripts. Future paid or private workspaces may use a different tracking policy.

4. Why we collect it

We use the information described above to:

• Provide the Service. We need your account information to authenticate you and your query content to return a verification result.
• Prevent and investigate abuse. Hashed IP addresses, timestamps, and usage metadata help us detect scraping, bulk-extraction attempts, and other misuse.
• Audit and verify disputes. For Search Answer, Verify, and document-upload verification, retained questions, files, extracted text, hashes, outputs, citations/receipts, statuses, errors, and metadata help us confirm what was submitted, what was checked, and what response LawEngine returned.
• Debug and improve the Service. Query patterns, uploaded-document artifacts, verifier outputs, and related metadata help us find gaps in corpora, fix verification bugs, evaluate accuracy, and build new features.
• Measure acquisition and conversion. Analytics and attribution events help us understand public traffic sources, campaign performance, sample usage, verifier/search engagement, signup or sign-in attempts, request-access submissions, and conversion paths.
• Market LawEngine. Marketing pixels and B2B visitor-identification tools help us measure and improve outreach, retarget public/demo visitors, and understand which companies or professional audiences may be interested in LawEngine.
• Communicate with you. We may send transactional emails about your account, notices of material changes to these policies, and — if you opt in — product updates.
• Meet legal obligations. Where the law requires us to retain or disclose information, we do so.

5. Who we share with

We do not sell your submitted legal content. We share information in the limited circumstances below, including with analytics and marketing vendors on public/demo surfaces.

5.1 Infrastructure providers

We rely on a small set of vendors to run the Service. They process information on our behalf, under their own privacy terms:

• Clerk — authentication and account management. Clerk Privacy Policy
• Supabase — product database hosting. Supabase Privacy Policy
• Vercel — application hosting and web analytics. Vercel Privacy Policy
• Plausible — product analytics. Plausible Data Policy
• CookieYes — cookie consent and consent-mode management. CookieYes Privacy Policy
• Google Tag Manager and Google Analytics — tag management, attribution, and funnel analytics. Google Privacy Policy
• LinkedIn Insight Tag — marketing attribution, retargeting, and campaign measurement. LinkedIn Privacy Policy
• RB2B — B2B visitor identification on public/demo surfaces. RB2B Privacy Policy
• HubSpot — CRM, contact management, website activity associated with contacts where available, and marketing follow-up. HubSpot Privacy Policy

Where providers process personal information on our behalf, they do so under their own terms and privacy commitments.

Each provider is bound by its own agreement with us and by its public privacy commitments. Data processed by them is hosted in the United States or handled through U.S.-based service operations.

5.2 Legal process

We may disclose information if we are required to by law, subpoena, court order, or other valid legal process — or where disclosure is necessary to protect our rights, our users, or the public. Where we are legally permitted to do so, we will tell you about legal demands that affect your account.

5.3 Corporate transactions

If I'm No Lawyer LLC is acquired, merged, reorganized, or sells substantially all of its assets, information may be transferred to the successor entity. We will give you notice and an opportunity to object or delete your account where the law requires it.

5.4 With your consent

We may share information in ways not listed here with your specific, informed consent.

6. How long we keep it

• Account data (email, name, authentication state) — kept as long as your account is active. When you delete your account, we delete account data within thirty (30) days, except where we are required to retain it by law or for the establishment, exercise, or defense of legal claims.
• Verification queries and results — retained indefinitely in aggregated and de-identified form for product improvement, accuracy evaluation, and corpus-coverage analysis. Identifiable query-to-user links are deleted along with your account unless we need to retain them for legal, audit, abuse-investigation, or service-integrity reasons.
• Search Answer questions and public responses — raw submitted research questions, confirmed interpreted questions, public answer/error payloads, citations, quote receipts, statuses, result counts, request timestamps, and related request metadata may be retained indefinitely for audit, abuse investigation, support, service integrity, and product improvement unless a later retention policy changes this.
• Verify Brief uploads and audit artifacts — retained indefinitely unless manually deleted by us or deleted in response to a verified deletion request where the law permits. This may include original uploaded files, extracted text, hashes, verifier responses, extraction metadata, tier-limit context, and request metadata.
• Security and abuse logs (hashed IPs, timestamps, user agents) — retained for up to twenty-four (24) months, then deleted or aggregated.
• Support emails — kept for our records; deleted on request where the law permits.

Public demo users should not enter or upload sensitive personal information, patient health information, privileged material, trade secrets, client-identifying information, or highly confidential material unless they are authorized to share it with LawEngine for the retention and tracking purposes described here.

7. Your rights

You have rights over the information we hold about you. Depending on where you live, those rights may include:

• Access. Ask us for a copy of the information we have about you.
• Correction. Ask us to fix information that is inaccurate.
• Deletion. Ask us to delete your account and associated personal data.
• Portability. Ask us for your data in a machine-readable format.
• Objection or restriction. Ask us to stop or limit certain processing.

To exercise any of these rights, email stephen@lawengine.ai with the account email address you want to act on. We will respond within thirty (30) days, or sooner if the law requires.

If we cannot fulfill a request — for example, if we must retain information for legal reasons — we will explain why.

8. Security

We use commercially standard measures to protect your information, including TLS encryption in transit, restricted database access, hashed IP storage, and vendor security commitments from Clerk, Supabase, and Vercel.

No system is impervious. If we become aware of a security incident that affects your personal information, we will notify you consistent with applicable law.

9. Children

LawEngine is not directed at children under 18 and is not intended for use by minors. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a minor, email stephen@lawengine.ai and we will delete it.

10. International users

The Service is operated from the United States, and our infrastructure vendors host data in the United States. If you use the Service from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States.

Privacy laws in the United States may differ from those in your home country. By using the Service, you consent to the transfer and processing described above. We are actively monitoring GDPR, UK GDPR, and U.S. state privacy law (including CCPA/CPRA) as the Service grows, and we will expand this policy with jurisdiction-specific provisions when and where they are required.

11. California privacy notice

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) may give you additional rights, including the right to know what personal information we collect, the right to delete it, and the right to opt out of sale or sharing. We do not sell submitted legal content for money. On public/demo surfaces, we may use or share identifiers and event data with analytics, attribution, retargeting, and B2B visitor-identification vendors. To exercise any CCPA/CPRA right, including an opt-out request, email stephen@lawengine.ai.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will provide at least thirty (30) days' advance notice by email to the address associated with your account and, where practical, through the Service itself.

Your continued use of the Service after the effective date of an update means you accept the updated policy. If you do not agree to an update, stop using the Service before the effective date.

13. Contact

Questions about this policy, data requests, or anything privacy-related:

I'm No Lawyer LLC Attn: LawEngine Privacy Chicago, Illinois stephen@lawengine.ai

We read what you send us.

Also see Terms of Service.