Privacy Policy
Last updated: February 12, 2026
1. Introduction
Recess Legal, Inc. (“recess.legal,” “we,” “us,” or “our”) operates the recess.legal platform, an AI-powered legal assistant service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services (collectively, the “Service”).
We take your privacy and the confidentiality of attorney-client privileged information extremely seriously. Our platform is designed from the ground up with security and data isolation as core architectural principles.
2. Information We Collect
2.1 Account Information
When you register, we collect:
- Name and email address
- Firm name and practice area
- Password (stored as a bcrypt hash — we never store plaintext passwords)
2.2 Case Data
When you use the Service, you may upload documents including medical records, legal filings, correspondence, and other case materials. This data is:
- Stored in your dedicated, isolated environment
- Encrypted at rest using AES-256 (Fernet) encryption
- Never shared with other users or organizations
- Never used to train our AI models or any third-party models
2.3 Usage Data
We automatically collect:
- Service usage metrics (features used, API calls made)
- LLM token usage for billing purposes
- Error logs (which never contain case data or response bodies from external providers)
2.4 Third-Party Integrations
If you connect external services (Google Calendar, Microsoft 365, Zoom, Filevine), we store OAuth tokens encrypted at rest. These tokens are:
- Fernet-encrypted in our database
- Never logged, cached in Redis, or included in API responses
- Used only to perform actions you explicitly authorize
- Revocable at any time from your Settings page
3. How We Use Your Information
We use collected information to:
- Provide and maintain the Service
- Process your documents and generate AI-assisted work product
- Bill for usage and manage your subscription
- Provide customer support
- Improve the Service (using aggregated, anonymized metrics only — never your case data)
We do NOT use your data to train AI models. Your documents, case information, and interactions are never used as training data for any language model, including our own or any third-party model.
4. Data Isolation & Security
4.1 Per-User Isolation
Every user receives a dedicated AI agent running in an isolated Docker container with its own workspace. Your data is architecturally separated from every other user at the infrastructure level — not just the application level.
4.2 Encryption
- All data encrypted at rest (AES-256 via Fernet)
- All data encrypted in transit (TLS 1.2+)
- OAuth tokens and API credentials use additional Fernet encryption
- Audit log fields containing PHI use HMAC hashing
4.3 Access Controls
- JWT authentication with httpOnly cookies (no localStorage exposure)
- Token revocation via Redis JTI blocklist
- Rate limiting on authentication endpoints
- Role-based access control
4.4 Audit Trail
All significant actions are logged in an append-only audit trail enforced by database triggers. Audit records cannot be modified or deleted, even by administrators.
4.5 Network Isolation
Our infrastructure uses split networks. Frontend services cannot directly access databases or internal services. All data access goes through authenticated API endpoints.
5. Third-Party Services
We use the following third-party services:
- Moonshot AI (Kimi K2.5): LLM inference provider. Your prompts are processed but not stored or used for training per our data processing agreement.
- Hetzner: Infrastructure hosting (EU/German provider).
We minimize third-party data sharing. All external API calls are proxied through our servers — your AI agent never calls external services directly.
6. OAuth Scope Transparency
When you connect external services, we request only the minimum permissions needed:
- Google Calendar: Read and create events (sensitive scope, not restricted)
- Email: Read-only access via IMAP (not Gmail API restricted scopes)
- Zoom: Read-only access to recordings and transcripts
- Filevine: Read and sync access only
Your AI agent operates under a strict action whitelist: it can read emails but never send them, create calendar events but never add attendees, and access recordings but never delete them.
7. Data Retention & Deletion
You may delete your account and all associated data at any time. Upon deletion:
- Your AI agent container is destroyed
- Your workspace files are permanently deleted
- Your case data is removed from our databases
- Encrypted backups are purged within 30 days
- Audit log entries are retained for compliance (hashed, not containing raw data)
8. Your Rights
You have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and data
- Export your data in standard formats
- Revoke third-party integrations at any time
- Object to processing (though this may limit Service functionality)
9. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Service. Your continued use of the Service after changes constitutes acceptance.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Email: privacy@recess.legal