Privacy Policy

Vitreon Legal (“we”, “our”, or “us”) operates the AI-powered legal research platform at vitreon.app. This Privacy Policy explains what personal data we collect, why we collect it, how long we keep it, and the rights you have over your information under the General Data Protection Regulation (GDPR) and other applicable privacy laws.

By using the Service you agree to the practices described in this policy. If you do not agree, please discontinue use of the Service.

1.Who We Are

Vitreon Legal is an AI-powered legal research platform that helps legal professionals find answers grounded in primary legal sources. We are the data controller for the personal data processed through our Service.

2.Data We Collect

Account information

When you create an account, we collect your email address, display name, and a cryptographically hashed version of your password. If you sign in with Google, we receive your email, name, and profile picture URL from Google. We never store your password in plain text.

Legal research queries and answers

When you submit a question, we store your query text and the AI-generated answer (including cited sources) in your conversation history. This enables multi-turn conversations and lets you review past research.

Session and security data

We record your IP address and browser user-agent string when you log in or create a session. This data is used exclusively for security purposes — detecting unauthorised access, preventing brute-force attacks, and investigating incidents.

Payment information

Payments are processed entirely by Stripe. We do not store credit card numbers, CVVs, or full card details on our servers. We only retain your Stripe customer ID and subscription status for billing management.

Documents you upload

Documents you upload for analysis are processed and indexed on our servers. Document content is stored only for the purpose of providing the research service and is subject to the retention periods described below.

3.Why We Collect Your Data

We process your personal data for the following purposes:

• Provide the Service: deliver accurate, source-grounded legal research answers and maintain your conversation history.
• Improve answer quality: analyse aggregate usage patterns to improve retrieval accuracy and answer relevance.
• Security and abuse prevention: detect unauthorised access, enforce rate limits, and investigate security incidents.
• Billing: manage subscriptions, process payments through Stripe, and enforce usage limits.
• Legal compliance: meet our obligations under GDPR and other applicable data protection laws.

Lawful basis for processing

Under GDPR Article 6, we rely on the following legal bases for processing your personal data:

• Service delivery (queries, answers, conversation history): contractual necessity — Article 6(1)(b).
• Billing and subscription management: contractual necessity — Article 6(1)(b).
• Security and abuse prevention (rate limiting, brute-force protection, audit logs): legitimate interests — Article 6(1)(f).
• Legal compliance (tax records, regulatory obligations): legal obligation — Article 6(1)(c).

4.Data Retention

We retain your data only as long as necessary for the purposes described above. Specific retention periods:

Automated cleanup processes run hourly to enforce these retention periods. When you delete your account, all associated data (conversations, sessions, documents) is permanently removed.

5.Your Rights Under GDPR

Under the General Data Protection Regulation (Articles 15-22), you have the following rights regarding your personal data:

• Right to access (Article 15): Request a copy of all personal data we hold about you. You can also export your data directly from the platform.
• Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data.
• Right to erasure (Article 17): Request deletion of your account and all associated data. We will remove all your personal data unless we have a legal obligation to retain it.
• Right to data portability (Article 20): Receive your data in a structured, machine-readable JSON format. Use the data export feature in your account settings or contact us.
• Right to object (Article 21): Object to processing of your personal data based on legitimate interests.
• Right to restrict processing (Article 18): Request that we limit how we process your data in certain circumstances.
• Right to withdraw consent (Article 7): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

How to exercise your rights

To exercise any of these rights, email [email protected] with the subject line “Data Subject Request”. We will respond within 30 days as required by GDPR. For data export, you can also use the self-service export endpoint available in your authenticated account.

6.Data Security

We implement appropriate technical and organisational measures to protect your data:

• Encryption in transit: all connections are encrypted using TLS 1.2 or higher.
• Password security: passwords are hashed using bcrypt with automatic salting — we never store plain-text passwords.
• Session security: authentication uses HttpOnly, SameSite cookies that cannot be accessed by JavaScript or sent in cross-site requests.
• CSRF protection: state-mutating requests require a custom header, blocking cross-site request forgery.
• Rate limiting: brute-force protection on authentication endpoints (IP-based throttling).
• Access control: audit logs and user data are restricted by user ID — one user cannot access another's data.

If you discover a security vulnerability, please disclose it responsibly to [email protected].

7.Third-Party Services

We share data with the following third-party services, each for a specific and limited purpose:

Anthropic (via Google Cloud Vertex AI)

Your legal research queries and relevant document excerpts are sent to the Anthropic Claude API (accessed through Google Cloud Vertex AI) to generate answers. Anthropic's enterprise API does not use customer inputs to train foundation models. See Anthropic's Privacy Policy.

Stripe

Payment processing is handled by Stripe. We share your email and subscription details with Stripe to manage billing. Stripe is PCI DSS Level 1 certified. See Stripe's Privacy Policy.

Google (OAuth)

If you choose to sign in with Google, we receive your email, name, and profile picture from Google's OAuth service. We do not access any other Google account data. See Google's Privacy Policy.

8.Cookies

Vitreon Legal uses a single session cookie (vitreon_session) to maintain your authenticated session. This cookie is:

• HttpOnly: cannot be read by JavaScript, protecting against XSS attacks.
• SameSite=Lax: not sent on cross-site requests, preventing CSRF.
• Secure: transmitted only over HTTPS in production.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not use browser localStorage to store sensitive data.

9.International Data Transfers

When your queries are processed by Anthropic via Google Cloud Vertex AI, your data may be transferred to servers outside your country of residence. These transfers are protected by appropriate safeguards including Google Cloud's data processing terms and Anthropic's enterprise data handling agreements.

10.Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11.Contact Us

For questions, complaints, or data subject requests related to this Privacy Policy, please contact:

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For users in the Czech Republic, the supervisory authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů — ÚOOÚ) at uoou.cz.