Privacy Policy

Last Updated: August 22, 2025

Introduction

Www.prose.law LLC (“we,” “us,” or “our”) operates a U.S.-based AI document-generation web platform (the “Platform”). We are committed to protecting your privacy.

This Privacy Policy explains how we collect, use, store, and share your personal information, and outlines your rights under applicable privacy laws. We comply with U.S. privacy laws (including California’s Consumer Privacy Rights Act (CPRA) and other state laws in Virginia, Colorado, Connecticut, and Utah) and, as we may serve individuals in the European Economic Area (“EEA”) and United Kingdom (“UK”), we also incorporate principles of the EU/UK General Data Protection Regulation (“GDPR”).

By using our Platform, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Platform. This Policy applies to our website and online services (no mobile apps) and not to any third-party websites or services that we do not control.

Note for Legal Professionals and Their Clients: If you use our Platform as an attorney or on behalf of another individual, you are responsible for ensuring you have the right to provide any personal information about others. In such cases, we treat that data as described in this Policy and in accordance with our agreements with you. When we process personal data on behalf of a business client (for example, a law firm), we act as a “service provider” or “processor” to that client, and that client is responsible for compliance with relevant privacy laws as the “data controller.”

Information We Collect

We collect personal information (“personal data”) that you provide to us directly and information that we collect automatically when you use the Platform. The types of information we may collect include:

  • Information You Provide Directly: When you create an account or use our services,
    you may provide personal details such as your name, email address, phone
    number, and account login credentials. You also input information into the
    Platform when generating documents (e.g., details about your legal case,
    names and contact information of parties involved, and other content you
    choose to provide). This may include sensitive personal information
    if you voluntarily include it (for example, health-related information,
    financial details, or other sensitive data relevant to a legal matter). We
    only collect such sensitive information if you choose to provide it, and
    we handle it with special care (see Data Security below).

  • Payment Information: If you make a purchase or subscription on our Platform,
    you may provide payment information. Payments are processed by our
    third-party payment processor; we do not store your full credit card
    numbers. We may retain basic transaction information (e.g., billing name,
    payment method, and amount) for record-keeping purposes.

  • Communications:
    If you contact us for support or feedback, we collect the information you
    provide in those communications (such as your contact details and the
    content of your messages). If you request assistance with a document, our
    support staff may temporarily access your document content with your
    permission to help resolve your issue.

  • Automatically Collected Data: When you use our website, we automatically collect
    certain information about your device and usage:

    • Usage and Device Information: We collect data such as your IP address,
      browser type, device type, operating system, referring URLs, pages
      viewed, and the dates/times of access. We also log your interactions with
      the Platform (e.g., features used, errors encountered) to help us understand
      usage patterns and improve performance.

    • Cookies and Tracking Technologies: We use cookies and similar technologies to remember your preferences, authenticate your login, and gather information about how you interact with our site. For example, we may use cookies to keep you logged in and analytics tools to collect information about user interactions (see Cookies and Tracking below for details and your choices).

Categories of Personal Information (CPRA): For California residents, the following categories of personal information have been collected from users in the past 12 months (as defined by California law):

  • Identifiers: e.g., name, email address, IP address.

  • Customer Records Information: Contact details and account credentials.

  • Protected Class Characteristics: (Only if you choose to provide this in your document content, such as health information or demographic details relevant to a case.)

  • Commercial Information: Transaction records (e.g., subscription purchases).

  • Internet or Network Activity: Browsing or usage data on our Platform.

  • Geolocation Data: Approximate location (e.g., derived from your IP address).

  • Professional or Employment Information: If you provide it (for example, your law
    firm name or job title).

  • Sensitive Personal Information: Account login credentials, and any sensitive
    data you choose to include in your documents (such as health or legal
    information).

We collect these categories of information directly from you and through automated means as you use the Platform.

How We Use Your Information

We use personal information for the following purposes:

  • To Provide and Improve Our Services: We process your information to
    operate the Platform’s core functionality. This includes generating
    documents based on the information you input, maintaining your account,
    and storing your documents for your convenience. We may analyze usage
    trends and feedback to improve our AI document-generation algorithms, add
    new features, and enhance the user experience.

  • To Communicate with You: We use contact information (like your email and
    phone number) to send service-related communications. These include
    confirmations of document generation, updates about changes to our
    Platform or policies, and responses to your inquiries or support requests.
    If you have opted in, we may also send newsletters or marketing
    communications about new features or services; you can unsubscribe from
    these at any time.

  • Customer Support: If you reach out for help, we will use the information you
    provide (and may access your document content) to assist you and resolve issues. Our staff's access to user content is limited and only granted for customer support or troubleshooting with your consent and under strict confidentiality.

  • Legal and Compliance: We may process and retain personal data to comply with
    applicable laws, regulations, and legal obligations. For example, we may
    use your information to fulfill tax and accounting requirements, to verify
    your identity where required by law, or to respond to lawful requests by
    public authorities (such as court orders or government inquiries).

  • Security and Fraud Prevention: We use information (such as device identifiers
    and usage patterns) to maintain the security of the Platform and detect
    and prevent fraud, unauthorized access, and abuse of our services. This
    includes using automated systems and manual review of activities that
    appear suspicious or may violate our Terms of Service.

  • Analytics and Product Development: We analyze how users interact with our
    Platform (e.g., which features are used most or where users encounter
    errors) to understand performance and improve our offerings. This may
    involve creating aggregated, de-identified statistics that do not identify
    any individual. We do not use any personal information you provide
    in your documents to profile you for marketing; any analysis of document
    content to improve our AI is done in a manner that does not identify
    specific individuals.

  • Advertising and Marketing (with Consent/Opt-Out): We may use cookies and
    third-party tools to help deliver relevant advertisements about our
    services on our site or elsewhere, and to measure the effectiveness of our
    marketing campaigns. For example, we might use an advertising network that
    uses cookies to track that you visited our site, so we can later show you
    an ad for our Platform on other websites. These activities may be
    considered targeted advertising. We will only engage in such advertising
    practices in compliance with applicable laws – for instance, by obtaining
    opt-in consent where required or providing you the opportunity to opt out
    (see Cookies and Tracking for how to control advertising cookies). We may also transfer or sell your personal information as indicated below.

We will not use personal information for purposes incompatible with those listed above without your consent. If we need to process your information for a new purpose, we will notify you or seek your permission as required.

How We Share Your Information

We do not sell your personal information to third parties, and we do not share your personal information with third parties for their own marketing purposes without your explicit consent. We only disclose your information in the following circumstances:

  • Service Providers and Contractors: We share personal information with trusted
    third-party companies and individuals who perform services on our behalf
    and under our instructions (these are our “service providers”
    under laws like CPRA, or “processors” under GDPR). For example,
    this includes cloud hosting providers (to store data and run our
    Platform), IT support and security service providers, email and
    communication tools, payment processors, and AI technology partners that
    assist in document generation. These parties are contractually obligated
    to protect your information, to use it only for the services we specify,
    and to comply with applicable privacy requirements (for instance, they
    must not use your data for their own purposes and must meet the standards
    of laws like CPRA and GDPR).

  • Business Transfers: If we are involved in a corporate transaction such as a
    merger, acquisition, investment financing, reorganization, bankruptcy, or
    sale of company assets, your information may be disclosed to the parties
    involved (e.g., to lawyers, auditors, potential buyers) as part of that
    process. We will ensure that any party receiving your personal data as
    part of such a transaction is bound to keep it confidential and use it
    only for the purposes of evaluating or completing the transaction (or as
    otherwise legally required).

  • Legal Obligations and Protection of Rights: We may disclose personal
    information when required by law or when we believe in good faith that
    such disclosure is necessary to: (i) comply with a legal obligation,
    investigation, or lawful request (for example, a subpoena, court order, or
    government demand); (ii) protect and defend our rights, property, or
    safety, or that of our users or others; (iii) enforce our Terms of Service
    or other agreements; or (iv) detect, prevent, or address fraud, security,
    or technical issues.

  • With Your Consent or At Your Direction: We will share your personal
    information with third parties if you specifically request or consent to
    us doing so. For example, if you choose to integrate our Platform with
    another service, or ask us to convey or transfer information to, or collaborate with, another professional (such as an attorney or colleague) on your behalf, we will share data as needed and may obtain a payment for doing so. We may also publish user testimonials or case studies that include personal information only with your consent.

  • Advertising and Analytics Partners: As part of our use of cookies and tracking
    tools, we may allow certain third-party analytics and advertising partners
    to collect identifiers and internet/activity information about users
    through our site for the purposes of analytics and targeted advertising
    (see Cookies and Tracking below). For instance, we use analytics
    providers like Google Analytics to understand website traffic, and we
    might work with advertising networks to show our ads on other sites to
    people who have visited our Platform. These third parties may use cookies
    or similar technologies to collect data about your interactions over time
    and across different websites. Where required by law, we will obtain your
    consent for this kind of data sharing. In all cases, you can opt out of or
    limit such data collection and sharing as described in the Cookies and
    Tracking and Your Rights and Choices sections of this Policy.

No Sale of Personal Data: In the last 12 months, we have not sold any personal data, and we do not share personal data for cross-context behavioral advertising without your consent. If this ever changes, we will update this Policy and provide the required notices and opt-out mechanisms so you can exercise your rights.

Cookies and Tracking Technologies

Our Platform uses cookies, pixels, and similar tracking technologies to provide functionality, analyze usage, and support marketing efforts. A cookie is a small text file that a website stores on your device which allows the site to recognize your device and remember information (like user preferences or login status). Pixels (also known as web beacons) are tiny images or code snippets that can track actions such as opening an email or visiting a webpage. We use these technologies in the following ways:

  • Necessary Cookies: These cookies are essential for the operation of our website
    and services. They enable core functionality such as user authentication,
    security (e.g., keeping your session secure), and network management. For
    example, when you log in, we set a cookie to maintain your session. You
    cannot opt out of these required cookies, as our service cannot function
    properly without them.

  • Functional & Preference Cookies: These cookies remember your preferences and
    settings to enhance your experience. For instance, they might recall your
    preferred language or other customizations so you don’t have to set them
    every time. While you can disable these cookies via your browser settings,
    doing so may make some features of the Platform less efficient or
    unavailable.

  • Analytics Cookies: We use analytics tools (like Google Analytics) that set
    cookies to collect information about how users navigate and use the
    Platform. This data (such as which pages are visited, how long users stay,
    and any errors encountered) helps us improve the content and performance
    of our services. The information collected via analytics cookies is
    aggregated and does not directly identify you. If you prefer not to be
    included in Google Analytics measurements, you can install the Google Analytics Opt-out Browser Add-on, or use the cookie preference tools described below.

  • Advertising Cookies: With your consent, we and certain third parties may use
    cookies and similar trackers to collect information about your browsing
    activities on our site and other sites, in order to provide you with
    targeted advertisements for our services. For example, if you visit our
    Platform, a cookie may remember that you showed interest, and then enable
    us to display our ads to you on other websites. These cookies also help us
    measure the effectiveness of our ad campaigns. We will not set advertising
    cookies or trackers unless you have had an opportunity to opt out or
    (where required by law) you have opted in.

Your Choices for Cookies: When you first visit our site, you will see a cookie notice or banner that allows you to accept or adjust your cookie settings. You can change your preferences at any time by using our cookie management tool (if available) or by adjusting your browser settings. Most web browsers provide options to refuse new cookies, delete existing cookies, or notify you when a cookie is being set. Please note that blocking or deleting certain cookies (especially the necessary ones) may affect the functionality of our Platform.

If you wish to opt out of targeted advertising cookies specifically, you can also use industry-provided opt-out tools. For example, you can visit the Network Advertising Initiative’s opt-out page or the Digital Advertising Alliance’s Consumer Choice page to opt out of many advertising networks’ cookies. Additionally, if you enable a browser signal such as the Global Privacy Control (GPC), which is a mechanism that communicates your desire to opt out of the sale or sharing of personal information, our site will honor it as an opt-out request for cookies that involve sharing your data for targeted advertising.

Do Not Track: “Do Not Track” (DNT) is a setting in some web browsers that signals a preference to disable tracking across sites. Currently, our Platform does not respond to DNT signals specifically. However, as noted above, we do respond to the Global Privacy Control for California residents as a valid opt-out of cookie-based data sharing. We continue to monitor developments around DNT and may update our practices if an industry standard emerges.

Data Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. In general, unless contradicted by our terms of service at prose.law/terms, the following applies:

  • Account Information and User Content: We keep your account information and any
    documents or data you have stored on the Platform for as long as your
    account is active. You have the ability to delete specific documents or
    information at any time through your account settings. If you delete information
    or close your account, we will remove or anonymize your personal data
    within a reasonable time, except as noted below.

  • Transaction Records: If you have made payments or engaged in transactions through the Platform, we may retain certain records (like invoices, payment
    history, and related communications) as needed for legitimate business
    purposes and as required by law. For example, for tax and accounting
    reasons we might keep billing records for a number of years as mandated by
    regulations.

  • Backup and Log Data: Due to the way our data backup systems work, copies of
    your personal data (especially content you provided) might persist in
    encrypted backups for a short period (e.g., a few weeks) after you delete
    it from our live systems, until those backups are securely overwritten. We
    also maintain server logs and audit trails for security monitoring; these
    logs may include some personal identifiers (like IP addresses or account
    IDs) and are retained only as long as necessary for those security and
    audit purposes.

  • Legal Obligations and Dispute Resolution: We may retain information if
    needed to comply with our legal obligations or for handling disputes. For
    instance, if we deactivated your account due to a violation or if we are
    addressing a legal claim involving your use of the Platform, we might
    preserve relevant data until the issue is resolved. In such cases, the
    data will be stored securely and isolated from routine use.

Once the applicable retention period has passed, we will either delete your personal information or de-identify it (so it can no longer be linked to you). If we convert data to an anonymized form (removing or irreversibly hashing personal identifiers), we may use that information for analytics, research, or improvements indefinitely without further notice to you.

Data Security

We take the security of your personal information very seriously and implement a range of administrative, technical, and physical safeguards to protect against unauthorized access or disclosure. Our security measures include:

  • Encryption: We use encryption technology to protect data in transit and at rest. When data is sent to our Platform (for example, when you log in or upload
    information), it is encrypted using Transport Layer Security (TLS).
    Likewise, sensitive data stored on our servers is encrypted. This means
    that your document content and personal details are encoded such that they
    cannot be read by unauthorized parties.

  • Access Controls: Access to personal data within our organization is limited
    to personnel who need that information to perform their job duties.
    For example, customer support or engineering staff will only access your
    data when necessary to assist you or maintain the service, and even then,
    only with appropriate authorization. All employees undergo training on
    privacy and data protection. We also implement measures like two-factor
    authentication and strict password policies for our systems to prevent
    unauthorized access.

  • Security Certifications and Practices: Our Platform and internal practices
    adhere to industry standards for security. We undergo security audits for
    a SOC 2 (Service Organization Control 2) compliant program, which
    means we have formal controls and processes in place for data security,
    availability, and confidentiality. Additionally, although our service is
    not primarily a healthcare service, we follow HIPAA-aligned
    security practices for any health-related data that users might input
    (e.g., encryption, strict access controls, audit logging) to ensure a high
    level of protection for sensitive information.

  • Monitoring and Testing: We employ tools and services to monitor our systems for
    vulnerabilities, unusual access patterns, and potential threats. This
    includes firewalls, intrusion detection systems, anti-malware scanning,
    and routine penetration testing by security professionals. We quickly
    address any vulnerabilities identified, and we continually update our
    infrastructure and practices to respond to new security threats.

  • Incident Response: We have an incident response plan in place for handling any
    data security breach or incident. If a security breach occurs, we
    will promptly investigate and take steps to mitigate the issue. In the
    unlikely event that a data breach results in unauthorized access to
    personal information, we will notify affected users and relevant
    authorities as required by law, and provide information on steps we are
    taking and recommendations for you to protect yourself.

Despite all these precautions, it’s important to note that no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data. You can help protect your account by using a strong, unique password, keeping it confidential, and notifying us immediately if you suspect any unauthorized access to your account or any security vulnerability. We will also notify you of any unauthorized access or breach affecting your personal information, as required by applicable laws.

International Data Transfers

We are headquartered in the United States. If you are accessing the Platform from outside the U.S. (for example, from the EEA or UK), please be aware that your personal information will likely be transferred to and stored on servers in the United States or other jurisdictions where our service providers are located. These countries may not have the same level of data protection laws as your home jurisdiction.

However, we take steps to ensure that appropriate safeguards are in place when we transfer personal data internationally. In particular, for personal data transferred from the EEA, UK, or Switzerland to the U.S. (or other countries), we rely on approved legal mechanisms to ensure an adequate level of protection. These mechanisms may include the European Commission’s Standard Contractual Clauses (“SCCs”), which are contractual commitments between parties transferring data, obligating them to protect the data to EU standards. We also may rely on your explicit consent for certain cross-border transfers where that consent is obtained and valid.

By using our services or providing us with information, you acknowledge the transfer of your personal data to the United States and other jurisdictions as described in this Policy. We will always protect your information as described here, wherever it is processed. If you have questions about our international data transfer practices or want more information about the safeguards in place, you can contact us as described in Contact Us below.

Children’s Privacy

Our Platform is not intended for children under 13 years of age, and we do not knowingly collect personal information from children under 13. If you are under 13, do not use or provide any information on this Platform. If we discover that we have inadvertently collected personal information from a child under 13, we will promptly delete such information from our records.

If you are between 13 and 18 years old, you may use the Platform only with involvement of a parent or guardian. We encourage parents and guardians to be aware of and supervise the online activities of their minors.

If you believe that we might have any information from or about a child under 13 (or the relevant minimum age in your jurisdiction), please contact us so that we can take appropriate action.

California Privacy Rights

If you are a resident of California, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These rights are summarized below, and this section of our Policy is intended to comply with Cal. Civ. Code § 1798.100 et seq.:

  • Right to Know (Categories and Specific Pieces of Information): You have the
    right to request that we disclose the personal information we have
    collected about you over the past 12 months. This includes the categories
    of personal information, the categories of sources from which the
    information was collected, the business or commercial purpose for
    collecting (or sharing) the information, and the categories of third
    parties with whom we share personal information. You can also request the specific
    pieces of personal information we have about you (this is sometimes
    called the right to access).

  • Right to Delete: You have the right to request that we delete personal
    information we have collected from you. Once we receive and verify your
    request, we will delete (and direct our service providers to delete) your
    personal information from our records, unless an exception applies. For
    example, we may retain information needed to complete a transaction you
    requested, to detect security incidents, to comply with a legal
    obligation, or other purposes permitted by law.

  • Right to Correct: You have the right to request that we correct inaccuracies
    in the personal information we maintain about you. If you become aware
    that any information we have is incorrect, please let us know. Upon
    verifying your request, we will correct (and instruct our
    processors/service providers to correct) your information as you direct.

  • Right to Opt-Out of Sale or Sharing: You have the right to opt out of the
    sale of your personal information, or the sharing of your personal
    information for cross-context behavioral advertising. As noted earlier, we
    do not sell personal information, and we only share information for
    targeted advertising with consent. If we ever engage in practices that
    fall under “selling” or “sharing” as defined by California law, we will provide a clear way for you to exercise this right (such as a “Do Not Sell or Share My Personal Information” link on our homepage). You may also send an opt-out request to us at any time (see Submitting Requests below).

  • Right to Limit Use of Sensitive Personal Information: You have the right to
    direct us to limit the use and disclosure of your sensitive personal
    information if we use it for purposes beyond what is necessary to
    provide the services. However, we only use sensitive personal information
    that you provide (like document content or account credentials) for the
    core services you’ve requested (or for security, anti-fraud, and
    compliance, which are purposes allowed by law). We do not use or disclose
    sensitive information for purposes like profiling or targeted advertising.
    Therefore, at this time, we do not offer a separate opt-out mechanism for
    limiting use of sensitive information, because we do not use your
    sensitive data for unintended secondary purposes.

  • Right of Non-Discrimination: We will not discriminate against you for
    exercising any of your rights under the CCPA/CPRA. This means that if you
    exercise your privacy rights, we will not deny you our services, charge
    you a different price, or provide you with a lower quality of service just
    because you made a privacy request. (However, please note that if your
    request involves us deleting or not using certain information, we may not
    be able to provide services that rely on that information. For instance,
    if you ask us to delete your account data, you will no longer be able to
    use the account.)

Submitting Requests (California): If you are a California resident and wish to exercise any of the rights described above, you or your authorized agent can submit a request to us by contacting support@prose.law with the subject line “California Privacy Rights Request,” and specifying which right you seek to exercise. Alternatively, you may call our privacy request line at 1-614-279-9035 (if available) or use any online web form we provide for CCPA requests.

When you submit a request, please provide sufficient information that allows us to verify you are the person about whom we have collected personal information (or an authorized representative of that person).

Verification: To protect your privacy, we will take steps to verify your identity before fulfilling your request. For example, we may ask you to confirm certain account details or respond to an email from the address associated with your account. If an authorized agent is making the request on your behalf, we will require proof of the agent’s authority (such as a signed permission from you or power of attorney) and will still verify your identity directly.

We will respond to your verified request within 45 days as required by California law (or inform you in writing if we need more time, up to an additional 45 days). If we decline any part of your request, we will explain the reason in our response.

Shine the Light: Separately from CCPA, California’s “Shine the Light” law (Civil Code § 1798.83) allows California residents to request information about certain types of personal information a business has disclosed to third parties for direct marketing purposes in the preceding year. We do not share personal information with third parties for their own direct marketing purposes without your consent. Therefore, we do not maintain a list of such disclosures. If you have questions about our direct marketing practices, you can contact us at privacy@prose.law.

Privacy Rights in Other U.S. States (Virginia, Colorado, Connecticut, Utah)

Several other U.S. states have enacted privacy laws that grant residents rights over their personal data. If you are a resident of Virginia, Colorado, Connecticut, or Utah (and, to the extent applicable, other states with similar privacy laws), you may have the following rights:

  • Right to Access: You can request confirmation of whether we are processing
    your personal data, and access to such personal data.

  • Right to Obtain a Copy (Data Portability): You may request a copy of the
    personal data you provided to us, in a portable and readily usable format,
    so that you can transfer it to another service or controller, where
    technically feasible.

  • Right to Correct: You can ask us to correct inaccuracies in the personal
    data we hold about you, taking into account the nature of the data and the
    purposes of processing.

  • Right to Delete: You can request that we delete personal data that we have
    collected from you or obtained about you. As with the California right to
    delete, there may be exceptions (for instance, if the data is needed to
    complete a transaction you requested, to comply with law, to exercise or
    defend legal claims, or for certain internal uses).

  • Right to Opt Out of Targeted Advertising, Sales, or Profiling: You have the
    right to opt out of:

    • Targeted Advertising: We have described above how we may use cookies for
      targeted advertising of our own services. You can opt out of this
      processing (for example, by using the cookie preferences on our site or
      contacting us to register an opt-out).

    • Sale of Personal Data: Our business does not sell personal data in
      exchange for monetary compensation. If the definition of “sale”
      under your state law includes other types of sharing, we similarly honor
      opt-out requests and, as of now, we do not engage in such sharing without
      consent.

    • Profiling in Furtherance of Decisions with Legal or Similar Effects: You have
      the right to opt out of any processing of personal data that constitutes
      profiling to make decisions that produce legal or similarly significant
      effects. Our Platform does not make autonomous decisions that impact your
      legal rights; the AI-generated documents are based on your input and are
      under your control. We do not engage in automated processing that
      produces legal effects on you without human involvement. Therefore, this
      opt-out is not applicable to our services at this time.

  • Right to Appeal: If we decline to take action on a request you make
    regarding your personal data, you have the right to appeal our decision.
    When we respond to your request, we will provide instructions on how you
    can appeal if you are dissatisfied with the outcome. If your appeal is
    ultimately denied, and you believe we have not respected your rights, you
    may contact your state’s Attorney General to submit a complaint.

Exercising Your State Privacy Rights: To exercise the rights above, please contact us at support@prose.law and indicate that you are a resident of Virginia, Colorado, Connecticut, Utah, or another applicable state, and specify your request. For example, you can say “Virginia Data Request – Access” in the subject line, and in the email, detail your request. Just as with California requests, we will need to verify your identity (and/or authority, if you are an authorized agent) before processing the request, to ensure we are protecting your data from unauthorized access or deletion.

We will respond within the timeframe required by your state law (generally within 45 days). If an extension is needed, we will inform you. Any information we provide in response will be specific to you (or general to our data practices if it’s a broader inquiry). Note that these state laws may have some differences; for instance, Virginia, Colorado, Connecticut, and Utah all require opt-in consent for processing sensitive personal data (such as data about health, race, ethnicity, precise geolocation, etc.). By using our Platform and inputting any sensitive information, you are giving us consent to process that information for the purpose of providing our service. You can withdraw that consent at any time by removing such information and/or contacting us to delete it.

GDPR and UK Data Protection Rights

If you are located in the EEA (European Economic Area) or the UK, you have additional rights under the GDPR (and the UK’s equivalent law) regarding your personal data. In GDPR terms, www.prose.law LLC is the Data Controller of personal data you provide through the Platform (except in cases where we act as a processor for a business client, as noted in the Introduction). This section explains how we lawfully process your data and the rights you have as a Data Subject under GDPR/UK law.

Lawful Bases for Processing

We will only collect and process your personal data when we have a valid legal basis to do so under GDPR. The legal bases we rely on include:

  • Contractual Necessity (Art. 6(1)(b)): We process personal data to provide our services as agreed in our Terms of Service with you. For example, we need to use your personal details and document inputs to generate the legal documents you request and to perform our contract with you as a user of the Platform.

  • Consent (Art. 6(1)(a)): We rely on your consent in certain situations. For instance, if you voluntarily input sensitive personal data (what GDPR refers to as “special category data,” such as information about health, biometric data, or racial/ethnic origin) into the Platform as part of your document content, we treat that as you consenting to our processing of that information for the purpose of providing the service to you. Similarly, we will ask for your consent to send you marketing emails (if you are an EU/UK user) and for the use of any non-essential cookies or trackers on our site. You have the right to withdraw consent at any time, as described below.

  • Legitimate Interests (Art. 6(1)(f)): We may process your data as necessary for our legitimate interests, provided those interests are not overridden by your rights and interests. Our legitimate interests include improving and securing our Platform, communicating with you about product updates or services you might be interested in (where not overridden by your marketing preferences), preventing fraud, and conducting analytics (in a privacy-friendly way). When we rely on legitimate interests, we conduct a balancing test to ensure our interest isn’t outweighed by your privacy rights. We do not use this basis to process sensitive data or to engage in activities that people would not reasonably expect from an AI document service.

  • Legal Obligation (Art. 6(1)(c)): In some cases, we need to process or retain personal data to comply with a law or legal requirement. For example, we might keep records to satisfy financial reporting laws, or disclose information if required by a court order.

  • Protection of Vital Interests (Art. 6(1)(d)) or Public Interest (Art. 6(1)(e)): These bases are less likely to apply, but if processing your data were necessary to protect someone’s life, or for a task in the public interest, we could rely on those provisions. (For completeness, we mention them, but our typical operations do not involve these bases.)

Additionally, GDPR has specific rules for processing “special category” sensitive data. We will only process such data if you have given explicit consent (Art. 9(2)(a)) or if it’s necessary for the establishment, exercise, or defense of legal claims (Art. 9(2)(f)), since our service might be used in a legal context.

If we ever need to use your personal data for a new purpose that is not compatible with the original purposes, we will inform you and, if required, seek your consent or provide an opportunity to opt out.

Your Data Subject Rights

Under the GDPR (and UK data protection law), if you are covered by the law, you have the following rights regarding your personal data:

  • Right of Access: You have the right to obtain confirmation as to whether or
    not we are processing personal data about you. If we are, you can request
    access to the personal data (commonly known as a “data subject access
    request”). This allows you to receive a copy of the personal data we
    hold about you and to check that we are processing it lawfully.

  • Right to Rectification: You have the right to request correction of any
    incomplete or inaccurate data that we hold about you. We want to make sure
    your information is correct and up-to-date. If you realize that any
    information in your account or in the documents we store is incorrect, you
    can correct some of it through your account settings, or you can contact
    us to request correction.

  • Right to Erasure: This is sometimes called the “right to be
    forgotten.” You have the right to ask us to delete or remove personal
    data when there is no good reason for us to continue processing it. For
    example, if you cancel your account and ask us to delete all information,
    we will do so (aside from data we are required to keep for legal reasons,
    as explained in Data Retention). You also have the right to request
    deletion or removal of your data if you have exercised your right to
    object to processing (see below) or if we unlawfully processed your data
    or must erase it to comply with law. Note that there are exemptions – for instance,
    we might retain certain information if needed for freedom of expression,
    legal claims, or compliance with a legal obligation – but we will inform
    you if any such exemption applies.

  • Right to Restrict Processing: You have the right to request that we suspend
    the processing of your personal data in certain scenarios. You might ask
    us to restrict processing if: (i) you contest the accuracy of the data
    (until we can verify its accuracy); (ii) the processing is unlawful but
    you don’t want us to delete the data; (iii) we no longer need the data,
    but you want us to keep it for the establishment, exercise, or defense of
    legal claims; or (iv) you have objected to our use of your data (when
    relying on legitimate interests) and we are considering whether our
    reasons for processing override your rights.

  • Right to Data Portability: You have the right to obtain your personal data
    that you provided to us, in a structured, commonly used, machine-readable
    format, and to transfer (or have us transfer) that data to another
    controller where technically feasible. This right only applies to
    information you have provided to us, when the processing is based on your
    consent or our contract with you, and when processing is carried out by
    automated means. In practice, if you need a copy of the information you’ve
    put into our Platform (such as the content of your legal documents or your
    account details), we will provide that to you electronically upon request.

  • Right to Object: You have the right to object to the processing of your
    personal data in certain circumstances:

    • Direct Marketing: You can object at any time to the processing of your
      personal data for direct marketing purposes. If you object, we will stop
      processing your personal data for such purposes immediately. (Note: We
      only send marketing communications with your consent as mentioned, but
      you always have the right to opt out and we will honor that.)

    • Legitimate Interests: If we are processing your data based on our legitimate
      interests, you also have the right to object to that processing. However,
      we may continue processing if we have compelling legitimate grounds that
      override your rights and freedoms or if the processing is needed for
      legal claims. If you do object to processing based on legitimate
      interest, please explain your situation so we can assess whether there is
      an overriding need to keep processing your data.

  • Rights Related to Automated Decision-Making: You have the right not to be
    subject to a decision solely based on automated processing (including
    profiling) which produces legal effects concerning you or similarly
    significantly affects you, unless it is necessary for entering into or
    performing a contract between you and us, is authorized by law, or is
    based on your explicit consent. Note: Our Platform does not make
    any decisions about you with legal or significant effects without human
    involvement. The AI simply assists in generating document text based on
    your input; it does not make judgments about your rights or status.
    Therefore, this right is more relevant to other contexts and is not
    applicable in any impactful way to our services at this time.

  • Right to Withdraw Consent: If we are processing your personal data based on
    your consent, you have the right to withdraw that consent at any time. For
    example, if you consented to receive marketing emails, you can opt out via
    the unsubscribe link in those emails or by contacting us. If you consented
    to our use of certain cookies, you can change your cookie settings to
    withdraw that consent. Withdrawing consent will not affect the lawfulness
    of any processing we conducted prior to your withdrawal, and it won’t
    affect processing under other legal bases.

  • Right to Complain: If you believe we have infringed your data protection
    rights, you have the right to lodge a complaint with a supervisory
    authority. If you are in the EU, you can contact the data protection
    authority in the country where you live, where you work, or where you
    believe the breach may have occurred. In the UK, you can file a complaint
    with the Information Commissioner’s Office (ICO). We would, however,
    appreciate the chance to address your concerns directly before you do
    this, so we encourage you to contact us first if possible.

Exercising Your GDPR/UK Rights: You may contact us at privacy@prose.law to exercise any of the rights listed above. Please describe your request with sufficient detail for us to understand and respond. We will need to verify your identity (for example, by confirming information we have on file or asking for identification) before releasing or deleting personal data, to ensure we protect your privacy and that of others. We will respond to your request within one month of receipt, or inform you if we need additional time (we can extend the period by two further months for complex or multiple requests, as allowed by GDPR). We will not charge a fee for fulfilling your request unless it is excessive or unfounded, in which case we will explain the situation and why a fee may apply.

Limitations on Rights

As we are a small company, there may be laws from which we are exempt and by which we are not required to abide, such as those that are resource-intensive. In that event, the section of this policy relevant to that exclusion shall not apply and is expressly disclaimed. Further, if you are not a resident or citizen of the state or country whose laws are referenced above such that the laws would not normally provide you with coverage or protection, then those shall not be imposed by contract between us. This privacy policy is not intended to impose contractual obligations on us that are not required under the law of your jurisdiction.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using one of the methods below. We will respond as promptly as we can.

If you contact us to exercise a privacy right, please make sure to mention which right you are concerned with and provide any relevant information (such as your state or country of residence, if applicable), so we can more efficiently route your request.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make updates, we will revise the “Last Updated” date at the top of this Policy. If we make significant changes, we may also provide additional notice (such as adding a prominent statement on our website or sending you an email notification).

We encourage you to review this Policy periodically to stay informed about how we protect your personal information. Your continued use of the Platform after any changes to this Privacy Policy constitutes your acceptance of those changes.

Signed

/s/ Troy Doucet

August 22, 2025