Privacy Policy

Last updated: April 28, 2026

Who we are

CitationShield ("we", "us") is a legal-tech software company operating citationshield.com. You can reach us at privacy@citationshield.com.

What we collect

• Account information: name, work email, firm name, role, billing contact.
• Onboarding answers: firm size, practice area, brief volume, AI usage, concerns. Used to tailor the dashboard and product onboarding.
• Uploaded briefs: processed in-memory for verification. Source documents are deleted by default within minutes of the run completing. Customers may opt into report retention; in that case only the structured verdict report (not the source brief) is retained, encrypted at rest.
• Automatically collected: standard server logs (IP, user agent, page, timestamp), and aggregate analytics (sessions, pages, referrers).
• Cookies: session, CSRF, and a single banner-consent cookie. With your consent, we set additional cookies for product analytics.

What we do not do

• We do not train AI models on customer briefs or report data.
• We do not sell or share customer data with third parties for marketing.
• We do not access individual customer briefs except as required to deliver the verification you requested or with your written authorization for support.

Where data is processed and stored

CitationShield processes data in U.S. cloud regions (currently AWS us-east-1 with us-west-2 failover). Enterprise customers may request data residency in a specific U.S. region or an on-premises deployment.

Subprocessors

We use a small number of subprocessors to operate the service: cloud hosting (AWS), email (Loops), payments (Stripe), and the OpenAI API for the citation-extraction fallback. Each is bound by data-protection terms. The current subprocessor list is available on request to privacy@citationshield.com.

Your rights

You can request a copy of your data, ask us to delete it, or opt out of marketing email any time. Email privacy@citationshield.com. We respond within 30 days. Residents of California (CCPA), the EU/UK (GDPR), and other privacy jurisdictions have additional rights including non-discrimination for exercising them.

Security

Encryption in transit (TLS 1.2+) and at rest (AES-256). Role-based access controls. Annual third-party penetration testing. SOC 2 Type 2 audit in progress; documentation available under NDA on request.

Children

CitationShield is a B2B product not directed to children.

Changes

We may update this policy. Material changes will be communicated by email to account owners 30 days before they take effect.