1. Introduction
Certavi (“Company,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Certavi citation verification platform (the “Service”).
By using the Service, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
Information you provide directly
- Account information: Full name, email address. Optionally: bar number, bar state, and firm name.
- Uploaded documents: Legal briefs and filings (PDF and DOCX) that you upload for citation verification.
- Certification data: Your typed signature (full name), bar information, and scope-limitation acknowledgment when generating a verification certificate.
- Free-tier lookups: The citation text you submit and the email address you provide for rate-limiting purposes.
Information collected automatically
- Session data: User-agent string (browser and device type) and session timestamps. We store a hash of your session token, not the token itself.
- Usage data: Verification run metadata (document name, citation counts, verification statuses, timestamps). We do not store the full text of your uploaded documents beyond what is needed for the verification pipeline.
- IP address: Collected for rate-limiting on the free tier and for security purposes. Not used for location tracking or profiling.
Information we do NOT collect
- We do not collect passwords (the Service uses passwordless email authentication)
- We do not collect payment card numbers directly (payments are processed by Stripe)
- We do not use cookies for advertising or cross-site tracking
- We do not collect biometric data
3. How We Use Your Information
- To provide and maintain the Service, including citation extraction, verification, and certificate generation
- To authenticate your identity via email-based sign-in
- To communicate with you about your account, including sign-in links and (if you opt in) verification-complete notifications
- To enforce rate limits and prevent abuse
- To maintain an append-only audit log of verification results for legal-evidence integrity
- To improve the Service (aggregated, anonymized usage analytics only)
We never use your uploaded documents for model training. This restriction is enforced at the infrastructure level through S3 bucket policies that prevent any training pipeline from accessing the documents bucket. This is not a promise we can silently change — it is an architectural constraint.
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share information only in the following circumstances:
- Service providers: We use AWS for infrastructure (compute, storage, database), Cloudflare for bot protection (Turnstile), and Stripe for payment processing. These providers process data on our behalf under contractual obligations to protect your information.
- Legal databases: When verifying citations, we send parsed citation components (volume, reporter, page number) to CourtListener. We do not send your name, email, document text, or any personally identifiable information to legal databases.
- AI extraction (limited): For citation extraction from complex documents, brief text excerpts may be processed by Amazon Bedrock (Llama 3.1). These excerpts are processed in real time and are not retained by the model provider for training.
- Legal compliance: We may disclose information if required by law, subpoena, court order, or governmental authority.
5. Data Security
We implement industry-standard security measures to protect your data:
- All data is encrypted in transit (TLS) and at rest (AES-256 via AWS KMS)
- Documents are stored in private S3 buckets with public access blocked and cross-account access denied
- Database connections are encrypted and restricted to a private VPC
- Authentication uses HttpOnly, Secure, SameSite=Strict cookies — session tokens are never exposed to client-side JavaScript
- Verification certificates are digitally signed (RSA-2048 + SHA-256) with signing keys stored in AWS Secrets Manager
- All API inputs are validated at the boundary using strict schema validation
No system is perfectly secure. If you become aware of a security vulnerability, please report it to legal@certavi.com.
6. Data Retention
- Account data: Retained for as long as your account is active. When you delete your account, personal information (email, name, firm name, bar information) is anonymized immediately. The user record is retained in anonymized form because verification run records reference it.
- Verification runs and citation results: Retained indefinitely as part of the append-only audit log. These records are never modified or deleted because they serve as legal evidence of the verification that was performed.
- Uploaded documents: Retained in encrypted storage for your verification history, subject to a 90-day automatic lifecycle policy on the document storage bucket.
- Free-tier lookup audit: Citation text, email, and IP address are retained as part of the audit log for rate-limiting and abuse prevention.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Update inaccurate personal information through your Settings page
- Deletion: Delete your account and anonymize your personal information through your Settings page
- Data portability: Request your verification history in a machine-readable format
- Opt-out: Manage notification preferences through your Settings page
To exercise any of these rights, contact us at legal@certavi.com. We will respond within 30 days.
8. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will delete it.
9. International Data Transfers
The Service is hosted in the United States (AWS us-east-1). If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact
Questions or concerns about this Privacy Policy should be directed to: legal@certavi.com
Placeholders to update before launch: The governing jurisdiction in the Terms of Service, the formal legal entity name, and the contact email address (legal@certavi.com) should be finalized before the Service is made publicly available.