Privacy Policy

1. Who We Are

LegalsOne LLC ("LegalsOne," "we," "us," or "our") is a Nebraska limited liability company that provides a hosted legal operations platform for small to medium law firms. Our platform unifies CRM, case management, document management, HR, and related functions into a single secure environment hosted on dedicated AWS infrastructure per firm. Privacy questions may be directed to privacy@legalsone.com.

2. Scope of This Policy

This policy covers three categories of individuals:

• Website Visitors — anyone who accesses legalsone.com or related subdomains.
• Prospects — organizations and individuals who contact us, request demos, or engage with our sales team.
• Platform Users — employees, contractors, and staff of law firms that have subscribed to the LegalsOne platform.

When LegalsOne processes personal data on behalf of a subscribing law firm (e.g., the firm's client matter data or employee records stored inside the platform), LegalsOne acts as a data processor and the law firm is the data controller. Those processing activities are governed by our Data Processing Agreement, not this policy.

3. Information We Collect

3.1 Website Visitors

• IP address and approximate geographic location
• Browser type, operating system, and referrer URL
• Pages viewed, session duration, and click paths
• Cookie identifiers (see Section 6)

3.2 Prospects

• Name, title, firm name, email address, and phone number
• Firm size, practice areas, and stated workflow requirements
• Information you share during demo sessions or onboarding conversations
• Correspondence records and sales interaction notes

3.3 Platform Users (processed as a service on behalf of subscriber firms)

• Account credentials (username; passwords are hashed and never stored in plaintext)
• Profile information: name, role, department, and contact details
• Activity logs: login events, document access events, and permission changes
• Content created or uploaded within the platform (case files, documents, trust records, HR data)
• Communications transmitted through integrated services (Microsoft 365, Zoom)

3.4 Information We Do Not Collect

We do not intentionally collect sensitive personal data (health information, biometric identifiers, full financial account numbers, or government-issued ID numbers) through our website or sales process. Firms may store such data within their dedicated platform environments; that data is subject to the firm's own data controller obligations and our DPA.

4. How We Use Information

4.1 Website Visitors

• Operate, secure, and improve our website
• Understand aggregate traffic and navigation patterns
• Detect and prevent unauthorized access or abuse

4.2 Prospects

• Respond to inquiries and deliver requested demonstrations
• Prepare proposals and configure trial environments
• Send relevant product communications and newsletters (with your consent or where legitimate interest applies)
• Maintain CRM and sales pipeline records

4.3 Platform Users

• Deliver, support, and maintain the subscription service
• Authenticate access and enforce firm-configured role-based permissions
• Generate audit logs accessible to the subscribing firm's administrators
• Process subscription billing and account management
• Investigate security incidents and support tickets

We do not sell personal information to third parties. We do not use platform user data for our own advertising purposes.

5. Legal Basis for Processing (GDPR / UK GDPR)

Where applicable law requires a legal basis, we rely on:

• Contract performance — processing necessary to deliver the platform to subscribing firms and their users.
• Legitimate interests — website analytics, security monitoring, fraud prevention, and prospect communications (balanced against individual rights).
• Consent — marketing emails to prospects and non-essential cookies, where required.
• Legal obligation — compliance with applicable tax, financial, or law enforcement requirements.

6. Cookies & Tracking

Our public website uses cookies and similar tracking technologies for analytics and functionality. Please see our full Cookie Policy for details on cookie categories, purposes, and lifespans. You can adjust your preferences at any time via our Cookie Preferences page.

7. Sharing & Disclosure

We share personal information only as follows:

• Service Providers (Subprocessors): Vendors who assist in operating the platform under appropriate data processing agreements. See our Subprocessors List.
• The Subscribing Law Firm: Firm administrators have access to activity logs, user profiles, and content within their dedicated environment.
• Legal Requirements: We may disclose information when required by law, valid court order, or governmental authority, or to protect LegalsOne's legal rights and the safety of users.
• Business Transfers: In connection with a merger, acquisition, or asset sale, personal information may transfer as a business asset. We will provide notice as required by applicable law.

8. Subprocessors

LegalsOne uses a defined set of third-party service providers to deliver the platform, including AWS for cloud infrastructure and storage, NetBird for private network access, and certain operational tools. A current list is available at our Subprocessors page.

9. Data Retention

Personal data is retained only as long as necessary for the purposes described in this policy or as required by applicable law. Website analytics data is retained in aggregate form. Prospect data is retained while the prospect relationship is active and for a reasonable period thereafter (generally no more than three years of inactivity). Platform data is retained for the duration of the subscription and handled upon termination per our Data Retention & Deletion Policy.

10. Security

LegalsOne implements technical and organizational security measures appropriate to the sensitivity of the data processed. These include TLS 1.2+ encryption in transit, AES-256 encryption at rest via AWS SSE-KMS, role-based access controls, audit logging, nightly encrypted backups, and dedicated infrastructure per firm. Further detail is available in our Security Overview.

No security system is infallible. In the event of a confirmed personal data breach affecting your information, we will notify affected subscriber firms in accordance with our Incident Response & Breach Notification Policy.

11. Your Rights

11.1 U.S. Residents

Depending on your state of residence, you may have rights to access, correct, delete, or obtain a copy of personal information we hold, and to opt out of certain processing activities. California residents may have additional rights under the CCPA/CPRA. Submit requests to privacy@legalsone.com. We will respond within 45 days or as required by applicable law.

11.2 EEA, UK & Swiss Residents

If you are located in the EEA, UK, or Switzerland, you have rights under the GDPR or equivalent legislation to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request erasure (where no overriding legal basis applies)
• Restrict or object to processing
• Receive your data in a portable format
• Withdraw consent at any time (without affecting prior processing)
• Lodge a complaint with your local data protection supervisory authority

11.3 Note for Platform Users

If you are an end-user within a law firm's LegalsOne environment, the law firm is the data controller for your platform data. Please direct data rights requests to your firm's administrator. We will assist firms in fulfilling verified requests as required under our DPA.

11.4 Marketing Opt-Out

You may opt out of marketing emails at any time by clicking "unsubscribe" in any email from us or by contacting privacy@legalsone.com. Opt-out from marketing does not affect service communications related to your subscription.

12. Children's Privacy

Our website and platform are not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, contact us and we will delete it promptly.

13. International Data Transfers

LegalsOne is based in Nebraska, USA. Platform infrastructure is hosted on AWS in the United States. If you are located outside the United States, your personal information will be transferred to and processed in the U.S. For transfers originating from the EEA or UK, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable. Contact us for further information about transfer mechanisms.

14. Updates to This Policy

We may update this policy from time to time as our practices or applicable law changes. When we make material changes, we will update the "Last Updated" date above and, where appropriate, notify platform subscribers via email or in-platform notice. Continued use after a policy update constitutes acceptance of the revised terms.

15. Contact Us

For privacy questions, requests, or complaints:

• Email: privacy@legalsone.com
• Web: legalsone.com/contact

Note: This policy reflects LegalsOne's current practices and is provided in good faith. It does not constitute legal advice. Law firms and other organizations should consult qualified counsel to assess their own data privacy obligations.