Last Updated: May 4, 2026
Effective Date: May 4, 2026
CounselorAI LLC (“CounselorAI,” “we,” “us,” or “our”) provides software-as-a-service tools that help personal injury law firms generate demand letters, predict case settlement values, and manage negotiation workflows (the “Service”). This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices and rights you have.
If you have questions about this Privacy Policy, contact us at [email protected].
1. Who This Policy Applies To
This Privacy Policy applies to:
- Law firm customers (“Customers”) who subscribe to and use the Service
- Authorized users at those firms (attorneys, paralegals, intake staff, administrators) (“Users”)
- End clients of law firms whose personal and medical information is uploaded to the Service by their attorneys (“Claimants”)
- Visitors to our website at counselorai.io
This Privacy Policy does NOT cover the privacy practices of any third-party service that integrates with the Service (e.g., Google Drive, customer relationship management software). Those services are governed by their own privacy policies.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: name, email address, firm name, role, password (stored as a hash, never plaintext)
- Billing information: we invoice on a business-to-business basis and do not process payment cards. Invoices include firm name, billing contact, billing address, and amounts due.
- Communications: emails, support tickets, feedback you send to us
2.2 Information About Claimants (Uploaded by Law Firm Users)
When attorneys and their staff use the Service to prepare demand letters, they upload information about their clients (Claimants). This may include:
- Personal identifiers: name, address, phone number, date of birth (Social Security Numbers may incidentally appear in source documents such as medical records or claims paperwork; we do not require or solicit SSNs as standalone fields)
- Health and medical information: medical bills, treatment records, diagnoses, ICD-10 codes, CPT procedure codes, MRI/X-ray reports, surgical records, prescription records, treatment timelines
- Insurance information: policy numbers, coverage limits, claim numbers
- Financial information: lost wages, employment records, tax returns
- Case-related documents: police reports, accident photos, witness statements, correspondence with insurance adjusters
- Demographic information: age, occupation, employment history
This information is provided to us by the law firm acting on behalf of its client. We do not receive this information directly from Claimants. The law firm is the data controller for this information; CounselorAI acts as a data processor (and, where applicable, as a HIPAA business associate or subcontractor).
2.3 Information from Google Drive Integration
The Service offers an optional Google Drive integration that uses folder sharing, not OAuth scope delegation:
- A Customer creates or designates a Google Drive folder for a case and shares it with our intake account ([email protected]) using Google’s standard folder-sharing functionality
- Our backend, using its own credentials, reads files from folders that have been shared with us
- The Customer’s authentication into the Service uses only basic sign-in scopes (openid, email, profile) — we do not request Google Drive OAuth scopes from the Customer’s account
- We read file content and folder metadata for files in the shared folder (and its subfolders); we do not access any other content in the Customer’s Drive
- Customers may revoke our access at any time by removing the share permission in their Drive
Additional details about our handling of Google-sourced data are set out in our Google API Services Disclosure.
2.4 Information from CRM Integrations
If a Customer connects a CRM (e.g., Litify, Filevine, MyCase, Smart Advocate, Clio) via our public API, we receive case data, document files, and case notes pushed to us by the Customer’s CRM under the Customer’s authorization.
2.5 Information Generated by the Service
- AI-generated content: predictions, demand letter drafts, negotiation analyses, and other outputs generated by our use of large language models on Customer data
- Usage data: log of actions taken in the Service (audit logs, API request logs, login history)
- Internal cost tracking: per-case computational costs
2.6 Information We Collect Automatically
- Log data: IP address, browser type, device type, pages visited, timestamps, error reports
- Cookies and similar technologies: session cookies for authentication only
We do not use third-party advertising cookies, cross-site tracking, third-party web analytics tools (such as Google Analytics or Mixpanel), or behavioral profiling.
3. How We Use Information
3.1 To Provide the Service
- Generate demand letters, predictions, and negotiation outputs for the Customer’s cases
- Read documents from Customer-designated Google Drive folders and import them into the Customer’s case files
- Run optical character recognition (OCR), narrative extraction, ICD-10 validation, citation validation, and other automated analyses on uploaded documents
- Maintain user accounts and authenticate users
- Issue and track invoices
3.2 To Improve and Maintain the Service
- Monitor system health, performance, and security
- Diagnose and fix bugs (using AWS-native logging covered by our AWS Business Associate Agreement; we do not transmit application errors or stack traces to any third-party error tracking service)
- Develop new features
We do not use Customer data — including Claimant personal or health information, and including any data obtained from Google APIs — to develop, improve, or train any artificial intelligence or machine learning model, including any generalized, foundation, multi-tenant, or non-personalized model.
3.3 To Communicate with You
- Send transactional emails (account, billing, password reset, integration alerts)
- Respond to support requests
- Notify you of material changes to the Service or this policy
3.4 To Comply with Law and Protect Rights
- Comply with legal obligations and respond to lawful requests from authorities
- Enforce our Terms of Service
- Protect against fraud, abuse, and unauthorized access
- Protect the rights, property, or safety of CounselorAI, our Customers, or others
3.5 Aggregated and De-Identified Data
We may aggregate and de-identify Customer data to produce statistics, benchmarks, and product improvements. De-identified data does not identify any individual or law firm and is not subject to this Privacy Policy.
Data obtained from Google APIs (“Google Workspace Data”) is excluded from this aggregation and de-identification right. We do not aggregate, de-identify, analyze for product improvement, or otherwise repurpose Google Workspace Data; our use is limited to providing the user-facing features the Customer has requested.
4. Legal Basis for Processing
We process information based on:
- Contract: providing the Service the Customer has subscribed to
- Legitimate interests: maintaining security, preventing fraud, customer support
- Consent: where required (e.g., authorizing the Google Drive integration via folder sharing)
- Legal obligation: complying with applicable laws
5. How We Share Information
We share information only as described below. We do not sell personal information.
5.1 With Service Providers (Sub-Processors)
We use the following third parties to operate the Service. Each processes information only on our instructions and under contractual data protection obligations. A current list is also published at counselorai.io/subprocessors.
| Sub-Processor | Purpose | Data Categories | Location | HIPAA BAA |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting, encrypted document and database storage, AI model access via AWS Bedrock | All Customer Data, including PHI and Google Workspace Data | United States | Yes |
| Anthropic, PBC (via AWS Bedrock) | Large language model inference (Claude) — only for the specific user-facing AI output requested | Specific Customer Data content as needed for the requested output, including PHI | United States | Yes (where applicable) |
| Google LLC (Google Workspace) | Hosting of the intake account that receives Customer-shared Drive folders | PHI within shared Drive folders | United States | Yes |
| Sendinblue SAS (Brevo) | Transactional email delivery (account, billing, notifications) | Recipient name, email, message content. No PHI, case content, or Google Workspace Data. | European Union | N/A — no PHI transmitted |
Each sub-processor is contractually prohibited from using Customer Data — including any Google Workspace Data — to develop, improve, or train any artificial intelligence or machine learning model.
We update this list when sub-processors change. For Customers with an executed Business Associate Agreement, we provide advance notice of new sub-processors that will process PHI.
5.2 With Other Users in the Customer’s Firm
Information uploaded to a Customer’s account is accessible to authorized Users within that Customer’s firm based on roles and permissions configured by the firm’s administrator. We do not share information across Customers.
5.3 For Legal Reasons
We may disclose information if we believe in good faith that disclosure is required to:
- Comply with applicable law, court order, subpoena, or other legal process
- Cooperate with law enforcement or government agencies
- Protect the rights, property, or safety of CounselorAI, our Customers, or others
- Investigate suspected violations of our Terms of Service
We will notify the affected Customer of such disclosures unless prohibited by law.
5.4 Business Transfers
If CounselorAI is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality obligations and continuing application of this Privacy Policy.
5.5 With Your Consent
We may share information for purposes not listed above with your consent.
6. Health Information and HIPAA
The Service is designed to be used by law firms processing personal injury cases, which routinely involve protected health information (“PHI”) as defined under the Health Insurance Portability and Accountability Act (“HIPAA”).
- We enter into a Business Associate Agreement (“BAA”) with Customer law firms that are HIPAA-covered entities or business associates. Customers may request a BAA at [email protected].
- We treat all uploaded medical and health information with the technical, administrative, and physical safeguards required of a HIPAA business associate, including:
  - Encryption at rest (AES-256 within AWS-managed storage)
  - Encryption in transit (TLS 1.2 or higher)
  - Per-firm tenant isolation
  - Role-based access controls within Customer accounts
  - Multi-factor authentication for administrative access
  - Audit logging of access to sensitive operations
  - Documented written information security program
- PHI may be transmitted to Anthropic via AWS Bedrock only as necessary to generate the user-facing AI output requested by the Customer (for example, a demand letter draft for a specific case). Anthropic is contractually prohibited from using this data to train or improve its foundation models, and we have executed a Business Associate Agreement with Anthropic. We do not represent that PHI is anonymized prior to LLM processing; the architecture transmits identifiable case content as required to perform the Customer-requested task, within the protections of the AWS and Anthropic BAAs.
- We do not use, disclose, or sell PHI for any purpose other than providing the Service and as permitted under the executed BAA with the Customer.
6.1 Human Access to PHI
Our personnel do not access Customer PHI except in the following limited circumstances:
- With the Customer’s specific, voluntary consent (for example, when diagnosing a support request)
- As necessary for security purposes (for example, investigating suspected abuse or a security incident)
- As required by law or to comply with valid legal process
- Where data has been aggregated and anonymized so that it cannot reasonably be used to identify any individual, firm, or end-client (and excluding Google Workspace Data, which is not aggregated or de-identified)
All such access is logged, restricted to authorized personnel under written confidentiality and security obligations, and subject to internal audit.
7. Data Storage and Security
7.1 Where We Store Data
All Service data — including all PHI, case content, and Google Workspace Data — is stored on infrastructure located in the United States, within AWS US regions. The only Customer-related data processed outside the United States is the limited transactional email metadata processed by Brevo in the European Union as described in Section 5.1.
7.2 How We Protect Data
In addition to the safeguards listed in Section 6, we implement:
- Encryption of data at rest (AES-256) and in transit (TLS 1.2+)
- Hardware-key or authenticator-app multi-factor authentication for administrative access
- Tenant isolation: data from one Customer is logically separated from other Customers
- Audit logging via AWS CloudTrail with KMS-encrypted log storage and log-file integrity validation
- Application-level audit logging of access to PHI
- Sub-processor contracts requiring equivalent protections
- Regular review of access permissions
- Breach response procedures consistent with HIPAA and applicable state law
No system is perfectly secure. If we discover a security incident affecting Customer data, we will notify affected Customers consistent with applicable law and the executed Business Associate Agreement.
7.3 Data Retention
- Active accounts: we retain Customer data for as long as the account is active
- Cancelled accounts: we delete or anonymize Customer Data (other than Google Workspace Data) within 30 to 90 days of account termination, except where retention is required by law or for tax, audit, or fraud-prevention purposes
- Google Workspace Data: deleted or anonymized within 30 days of termination, except for data we are required by law to retain or that resides in routine, time-bounded backup or audit-log systems
- Deleted documents and cases: deleted within 30 days of deletion request
- Backups: encrypted backups are retained for up to 90 days, after which deleted data is purged from backups
- Audit logs: retained for up to 7 years for security and compliance purposes
8. Your Rights and Choices
8.1 Customer (Law Firm) Rights
Customers can at any time:
- Access: view all data in their account through the Service interface
- Export: download copies of case data, documents, and generated letters
- Correct: modify data through the Service interface
- Delete: delete cases, documents, and other data through the Service interface, or request full account deletion at [email protected]. Deletion is completed within 30 days.
- Disconnect Drive integration: revoke our access by removing the share permission from any folder previously shared with [email protected], at any time, via Google Drive
- Request a Business Associate Agreement for HIPAA compliance
8.2 Claimant Rights
Because Claimants do not have direct accounts with us — their information is uploaded by their law firm — Claimants who wish to exercise rights regarding their information should contact the law firm representing them. The law firm controls Claimant data and is responsible for honoring data subject requests.
If a Claimant contacts us directly, we will refer the request to the appropriate law firm.
8.3 California Consumer Privacy Act (CCPA / CPRA) Rights
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Access and request a copy of your personal information
- Request deletion of your personal information
- Correct inaccurate personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Opt out of sharing personal information for cross-context behavioral advertising (we do not engage in this)
- Limit the use and disclosure of sensitive personal information
- Non-discrimination for exercising these rights
To exercise these rights, contact [email protected]. We may need to verify your identity before processing your request.
We do NOT sell personal information. We do NOT use personal information for cross-context behavioral advertising.
9. Children’s Privacy
The Service is not directed to children under 18, and we do not knowingly collect personal information directly from children. Information about minor Claimants may be uploaded by law firms in the course of representing minor clients in personal injury matters; we treat such information with the same protections described in this policy.
10. Cookies and Tracking
We use only essential cookies necessary for authentication and session management. We do not use:
- Third-party advertising cookies
- Cross-site tracking
- Third-party web analytics tools (Google Analytics, Mixpanel, etc.)
- Behavioral profiling
- Pixels or trackers from advertising networks
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last Updated” date at the top
- Notify Customers via email or in-product notification
- For material changes affecting how we handle Customer data, give Customers reasonable advance notice before the changes take effect
- For material changes affecting how we handle Google Workspace Data, prompt Customers to re-consent before the change applies to their data
Continued use of the Service after the effective date of an updated policy constitutes acceptance of the updated policy.
12. Contact Us
For questions, requests, complaints, or to exercise privacy rights:
CounselorAI LLC
- Privacy: [email protected]
- Legal: [email protected]
- Security: [email protected]
- Mail: 100 Spectrum Center Dr #900, Irvine, CA 92618
13. Specific Notice for Google API Users
CounselorAI’s use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We do not request Google Drive OAuth scopes from end users. The Drive integration uses Google’s standard folder-sharing functionality: the Customer shares a folder with our intake account, and our backend reads from that shared folder using its own credentials.
- We use Google Workspace Data only to provide the document import and case-processing features the Customer has requested.
- We do not use Google Workspace Data for advertising purposes.
- We do not sell Google Workspace Data.
- We do not transfer Google Workspace Data to third parties except (a) to the sub-processors listed in Section 5.1 as necessary to provide the Service, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets where the recipient is bound by equivalent obligations.
- We do not use Google Workspace Data to develop, improve, or train any artificial intelligence or machine learning model, including any generalized, foundation, multi-tenant, or non-personalized model.
- We do not allow our personnel to read Google Workspace Data unless: (a) we have explicit Customer consent for specific files, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and de-identified for internal operations (Google Workspace Data is excluded from this aggregation right).
- We retain Google Workspace Data only as long as necessary to provide the Service. Customers may revoke our access at any time by removing the share permission from the relevant Google Drive folder.
For complete details, see our Google API Services Disclosure.
