Privacy Policy

Your privacy is our foundation

At RedactLaw, we built our entire platform around a simple principle: your documents are yours, and we have no right to keep them. This Privacy Policy explains exactly what data we collect, how we use it, and what we never do with it.

Effective Date: February 2026

1. Information We Collect

1.1 Account Information

When you create an account with RedactLaw, we collect:

  • Email address
  • Password (stored as a hashed value via Supabase)
  • Name and organization name (if provided during sign-up)
  • OAuth provider data (if you sign up via a third-party provider) — includes profile name, email, and profile picture URL

1.2 Subscription and Payment Information

For paid subscriptions, we collect:

  • Subscription tier, billing cycle, and renewal date
  • Payment information is processed through Razorpay (we do not store credit card numbers or payment details directly)
  • Transaction IDs and payment status

1.3 Usage Data

We track the following usage metrics:

  • Number of pages redacted per month (for billing)
  • Redaction template configurations you create
  • Session activity logs (login times, file upload events, download events)
  • Error logs and diagnostic data (to improve service quality)

1.4 Technical Data

We automatically collect certain technical information:

  • IP address (used for security, fraud prevention, and geolocation)
  • Browser type and version
  • Device type (desktop, mobile, tablet)
  • Referring URL and page navigation paths
  • Cookies and session identifiers (see Section 8)

2. How We Use Your Information

We use the information we collect to:

  • Provide and operate the RedactLaw service — authenticate your account, process documents, and deliver redacted outputs
  • Manage subscriptions and billing — calculate usage, enforce plan limits, process payments, and send invoices
  • Improve product quality and reliability — analyze error logs, identify performance bottlenecks, and debug technical issues
  • Communicate with you — send transactional emails (password resets, billing notifications), service updates, and optional product announcements (you can opt out)
  • Ensure security and prevent fraud — detect unauthorized access, monitor for abuse, and enforce our Terms of Service
  • Comply with the law — respond to subpoenas, court orders, and regulatory obligations (we will notify you unless prohibited by law)

3. Document Processing & Privacy

Critical Commitment: We Never Store Your Document Content

Your uploaded documents are processed entirely in-memory. Once the redaction process completes and you download your file, the original and redacted versions are immediately purged from our systems. We do not retain any document content — ever.

How Document Processing Works

  1. Upload: Your PDF is uploaded via an encrypted HTTPS connection (TLS 1.2+) to an ephemeral processing container.
  2. In-Memory Processing: The document is converted to images, analyzed by our proprietary AI model for sensitive information detection, and redacted — all in volatile memory (RAM), never written to disk.
  3. Download: The redacted PDF is generated and delivered to your browser.
  4. Immediate Deletion: The processing container is destroyed, and all temporary files (original and redacted) are purged within seconds.

What We Do Store

  • Page count only: We record the number of pages processed for billing and usage tracking.
  • Redaction template configurations: Your saved redaction rules (e.g., "redact SSNs and dates of birth") — but never the actual document text.
  • Activity metadata: Timestamps for when you uploaded and downloaded files.

What We Never Do

  • Store the content of your documents on our servers or in backups
  • Use your documents to train, fine-tune, or improve any AI models
  • Share your documents with third parties
  • Allow employees to access or view your documents (our architecture makes this technically impossible)

4. Third-Party Services

RedactLaw uses the following third-party services. Each provider has its own privacy policies governing how they handle data.

4.1 AI Document Analysis

What we use: Document images are analyzed by our proprietary AI model to detect sensitive information (e.g., SSNs, PHI, PII).

Our AI processing infrastructure: Our proprietary AI model processes data ephemerally and does not use your documents to train or improve our models. Document content is never retained after processing.

Why we use it: Our custom redaction AI provides state-of-the-art document understanding necessary for accurate redaction detection.

4.2 Supabase (Authentication & Database)

What we store: User account credentials, session tokens, subscription data, and usage records. Document content is never sent to Supabase.

Data security: Supabase uses SOC 2-certified infrastructure with encryption at rest and in transit.

Learn more at Supabase Privacy Policy.

4.3 Razorpay (Payment Processing)

What we share: Your email, subscription tier, and billing amount are sent to Razorpay to process payments.

Payment data handling: Razorpay is PCI DSS Level 1 certified. RedactLaw does not store credit card numbers, CVVs, or other sensitive payment information.

Review Razorpay's Privacy Policy.

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All connections use TLS 1.2 or higher (HTTPS).
  • Encryption at rest: User data (account info, templates, usage logs) is encrypted using AES-256.
  • Access controls and authentication: Multi-factor authentication (MFA) is available and recommended for all users.
  • Infrastructure security: All services run on SOC 2-certified cloud infrastructure (AWS, Supabase) with continuous monitoring.
  • Regular security audits: We conduct annual penetration tests and vulnerability scans.

No security system is perfect. In the event of a data breach, we will notify affected users within 72 hours and comply with applicable data breach notification laws.

6. Data Retention

What We Retain

  • Account data: Stored for as long as your account is active, plus 90 days after account deletion (for billing and legal compliance).
  • Subscription and payment records: Retained for 7 years to comply with tax and financial regulations.
  • Usage logs: Kept for 12 months for service improvement and debugging.
  • Security and audit logs: Retained for 24 months for fraud prevention and compliance.

What We Never Retain

  • Uploaded document content: Deleted immediately after processing (as described in Section 3).
  • Redacted document content: Not stored after you download the file.

7. Your Rights

You have the following rights regarding your data:

  • Access: Request a copy of all personal data we have stored about you.
  • Correction: Update or correct inaccurate account information at any time via your account settings.
  • Deletion: Request deletion of your account and all associated data (subject to legal retention obligations for payment records).
  • Data portability: Receive your data in a machine-readable format (JSON or CSV).
  • Opt-out: Unsubscribe from marketing emails at any time (you cannot opt out of transactional emails such as password resets).

To exercise any of these rights, email us at contact@redactlaw.com. We will respond within 30 days.

8. Cookies and Tracking Technologies

RedactLaw uses cookies to manage authentication sessions and improve user experience.

Types of Cookies We Use

  • Essential cookies (required): Authentication session tokens to keep you logged in. These cannot be disabled without breaking the service.
  • Functional cookies (optional): Preferences like theme selection, language, and UI customizations.
  • Analytics cookies (optional): We do not use third-party analytics services. All usage tracking is first-party and privacy-focused.

Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies will prevent you from logging in.

9. Children's Privacy

RedactLaw is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

If we discover that a child under 18 has created an account, we will delete it immediately. If you believe a child has provided us with personal information, contact us at contact@redactlaw.com.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

Notice of changes: If we make material changes, we will notify you via email (to the address on file) at least 30 days before the changes take effect. For non-material changes (typo fixes, clarifications), we will update the "Effective Date" at the top of this page.

Your continued use: By continuing to use RedactLaw after changes take effect, you accept the updated Privacy Policy.

11. Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us at:

RedactLaw

Email: contact@redactlaw.com

We will respond to privacy inquiries within 30 days. For security-related concerns, please include "SECURITY" in your subject line for priority handling.
