Data Retention & Deletion Policy
This policy describes how long LegalsOne retains different categories of data, how data is deleted, and how customers can manage their data lifecycle.
Effective Date: February 23, 2026
1. Overview
LegalsOne retains data only for as long as necessary to deliver the subscribed services and meet applicable legal obligations. As the data controller for their firm's content, law firm customers bear primary responsibility for defining and implementing appropriate retention schedules for client matter data, consistent with applicable ethics rules, court orders, and statutory requirements. LegalsOne provides the infrastructure and tools to support those decisions.
2. Customer Data (Active Subscriptions)
Customer Content — including case files, documents, client records, HR records, and all other data entered into the platform — is retained for the duration of the active subscription. During the subscription, customers have full ability to access, modify, export, or delete their own data within the platform.
Customers are encouraged to implement their own retention policies within the platform — for example, archiving or deleting closed matters after a specified period — in accordance with applicable bar association records retention requirements.
3. Logs & Activity Records
| Log Type | Retention Period | Accessible To |
|---|---|---|
| Login & authentication events | 12 months (24 months on Enterprise) | Firm administrators |
| Document access logs | 12 months (24 months on Enterprise) | Firm administrators |
| Permission change logs | 12 months (24 months on Enterprise) | Firm administrators |
| Infrastructure & system logs | 90 days | LegalsOne operations (not customer-facing) |
| Security incident records | 3 years | LegalsOne security team (provided to customers on request) |
4. Backups
Automated nightly backups are retained for the following durations by tier:
- Starter: 30 days
- Professional: 60 days
- Enterprise: 90 days
Backup retention periods begin on the date the backup is created. Backups cycle out automatically as new backups are added. Point-in-time restore capability (within the backup window) is available on Professional and Enterprise tiers.
5. Website & Prospect Data
- Contact form submissions: Retained for the duration of the sales relationship and up to 3 years of inactivity, then deleted or anonymized.
- Website analytics: Aggregated data retained indefinitely; individual session data retained up to 26 months.
- Marketing communications: Contact data retained while the prospect relationship is active. Upon written request to opt out, removed from active marketing lists within 10 business days.
6. Data After Subscription Termination
When a subscription ends (by cancellation, non-payment, or LegalsOne's termination), the following applies:
- Days 1–30 (Export Window): Customer Content remains accessible for export via standard platform tools. The firm administrator will receive export instructions by email.
- Days 31–90 (Deletion Window): LegalsOne begins the secure deletion process for all Customer Content from primary storage and active systems. This process is completed within 90 days of the export window closing.
- Backup Purge: Encrypted backups are cycled through the standard rotation and fully purged within the backup retention window applicable to the customer's tier (up to 90 days after the last backup containing customer data).
- Deletion Confirmation: Upon customer request, LegalsOne will provide written confirmation that deletion is complete.
Customers who do not export their data before the export window closes may lose access permanently. LegalsOne does not offer post-window recovery except in cases of LegalsOne-caused error.
7. Deletion Process
LegalsOne uses AWS-native deletion mechanisms for primary data, which include secure overwrite and key destruction for KMS-encrypted data. For encrypted S3 objects, deletion of the encryption key renders the data cryptographically unrecoverable. Database records are deleted through standard database operations followed by vacuum processing. Physical media is handled according to AWS's data center security standards, which include decommissioning procedures meeting NIST 800-88 guidance.
8. Legal Holds
If LegalsOne receives a valid legal order requiring retention of specific data beyond its normal retention schedule, LegalsOne will comply and will notify the affected customer to the extent permitted by law. Legal holds are identified and tracked by LegalsOne's legal team. Data subject to a legal hold is not subject to routine deletion until the hold is released.
9. Contact
Questions about data retention or to request deletion assistance: privacy@legalsone.com