Data Handling
Last updated: June 10, 2026
This document is the technical companion to our Privacy Policy. It explains, in concrete terms, how ClearPrecedent, LLC, a Wyoming limited liability company ("ClearPrecedent," "we," "us," or "our") stores, protects, retains, and disposes of data across our infrastructure. It is intended for security-minded users, prospective customers conducting vendor diligence, and counsel reviewing our practices.
Read this alongside our Privacy Policy, which describes what data we collect and why, and our Responsible AI Policy, which describes how AI is used inside the product.
1. Overview
ClearPrecedent is a web application. The marketing site and Insights articles live at clearprecedent.com. The authenticated app lives at app.clearprecedent.com. Data is stored in the United States. The Services are operated from and intended for use in the United States.
If your matter involves health records, regulated financial information, or other categories of data that come with specific compliance obligations, you are responsible for deciding whether ClearPrecedent is appropriate for your use case.
2. Data Classifications
We classify data into four categories. Different controls apply to each.
Account data
Includes your email address, your bcrypt-hashed password, your display name, your account settings, and any optional MFA phone number. Stored in our application database.
Motion data
Includes the inputs you provide to the Motion Builder, the uploaded documents you attach, the prompts and instructions you set, and the drafts the Motion Builder produces. May contain sensitive personal information that you choose to upload. Stored in our application database and file storage.
Billing data
Includes transaction records from our payment processor: the amount, date, status, last four digits of the card, card brand, and processor customer and payment identifiers. We do not store full card numbers, expiration dates, or CVCs. The payment processor holds those.
Derived analytics
Includes minimal usage analytics, operational logs, error traces, and aggregate counts. Used for operating and improving the Services. We try to keep this data minimal and, where it does not need to be linked to an individual user, aggregated or de-identified.
3. Encryption
In transit
All connections to clearprecedent.com and app.clearprecedent.com are served over HTTPS, and HSTS is enforced on the marketing site. Connections between our backend and our database, between our backend and AI model providers, and between our backend and other third-party services are likewise encrypted in transit using industry-standard TLS.
At rest
- Application database. Our primary application database, which holds account data, motion data, and operational records, is encrypted at rest using industry-standard ciphers provided by our hosting provider.
- File storage. Uploaded documents are stored in encrypted object storage.
- Backend environment. Backend service environment variables, including API keys for the third-party services we use, are encrypted at rest by our hosting provider.
- Backups. Database backups are encrypted at rest.
Passwords
User passwords are never stored in clear text. They are hashed using a modern password-hashing algorithm before storage; only the hash is stored. Password reset flows use single-use, time-bound tokens.
MFA
Multi-factor authentication is delivered through a third-party verification service. We send a one-time code to your phone number; the code is verified by the provider. We do not store the code on our side. Your phone number is stored encrypted at rest in our database when you enable MFA.
4. Access Controls
We follow a least-privilege model. Production data access is limited to a small number of named administrators who need it to operate the Services. Access is gated by individual accounts with strong authentication. We do not use shared production credentials.
We do not have offshore support staff with production access. Customer support is handled by team members with access scoped to what they need to resolve a ticket.
Third-party service-provider access is limited to the data each provider needs to perform its function.
Access events to sensitive systems are logged. Logs are retained as described in section 9.
5. Authentication and Session Management
Sessions use signed JWT access tokens with a short expiry, refreshed against a longer-lived refresh token. Signing out clears tokens in the current browser and revokes the refresh-token family on the server. Changing your password invalidates active sessions across all of your devices and requires you to sign in again.
Multi-factor authentication is optional and recommended.
6. Third-Party Service Providers
We work with a small set of established third-party providers, each performing a specific function. Each provider receives only the data needed to perform its function and is contractually bound to use that data solely to provide services to us.
The categories of providers we use are:
| Category | Function | Data accessed |
|---|---|---|
| Cloud infrastructure and database | Application database, file storage, backend hosting, static site delivery | Account data, motion data, operational records, environment secrets |
| Authentication | Account login, session management | Account credentials, session tokens |
| AI model providers | Language model inference for Motion Builder and related features | Prompts and context sent during a Motion Builder run; not used for training, not shared further; provider may briefly retain for trust-and-safety review (typically up to thirty days) |
| Payments | Card payment processing, receipts | Cardholder data held by the processor, not us; transaction records |
| Multi-factor verification | Sending one-time codes when MFA is enabled | Phone number, verification request |
| Transactional email | Account confirmations, password resets, receipts | Email address, message contents |
| Product analytics | Understanding which features are used and how the product is performing | Pageview, device, browser, approximate location derived from IP |
| Error tracking and application monitoring | Detecting bugs, investigating outages, improving reliability | Error traces, request paths, user agents, IP |
We do not name individual providers because the specific vendor for a given function may change without affecting how your data is handled. The protections described in this document apply across all providers we use.
7. Data Residency
Our primary database, file storage, and backups live in United States hosting regions. The backend service runs in the United States. The static marketing site is delivered through a CDN that serves pages from edge locations, but no customer data is stored at the edge.
Our runtime third-party service providers are U.S.-headquartered companies. Specific data-center routing for AI model inference, error tracking, and similar global services is governed by those providers' terms; we do not commit to a particular region for each provider in this document. If you require strict in-jurisdiction data residency for your matter, please get in touch before relying on the Services.
8. Backups and Restore
We rely on our hosting provider's managed backup system. Backups run daily and are retained on a rolling schedule. Each backup is encrypted at rest. Restoration is tested periodically as part of our operational practice.
In the event of a database failure, we restore from the most recent good backup. Some recent activity may be lost, depending on when the failure occurred relative to the last backup. We aim for a recovery point objective measured in hours and a recovery time objective measured in hours, but we do not commit to a specific number in this document.
9. Retention Schedule
Retention is set per data class. The deletion process in section 10 describes how data is removed.
| Data class | Retention |
|---|---|
| Account data | While account is active |
| Uploaded source documents (complaint, opposing motion, exhibits, attached files) | Hard-deleted from database and file storage immediately after the related Motion Builder run completes |
| Motion drafts and extracted matter content (parsed facts, strategy notes, citations) | Retained in your account until you delete them or close your account; no automated time-based sweep |
| Library content | While account is active, or until you delete the item |
| Billing data | 7 years, for tax and audit purposes |
| Operational logs | Hosting and monitoring provider defaults, generally up to 90 days |
| Security logs | Up to 1 year, longer if needed for an active investigation |
| Backups | Rolling schedule managed by our hosting provider |
You can delete most of your motion data and Library content yourself through your account settings at any time.
10. Deletion Process
When you delete content through the app, the record is hard-deleted from our primary database at the time of the request. Uploaded source documents are hard-deleted automatically when the Motion Builder run that uses them completes; this is event-driven, not scheduled.
When you close your account, your account-linked data is deleted from our primary database, subject to the retention exceptions above (notably, billing records that we are legally required to keep, and security logs related to an active investigation).
Backups follow a different timeline. Encrypted backups age out on the rolling schedule managed by our hosting provider. We do not pull individual records out of historical backups. Deleted records remain inside encrypted backup files until those files expire on the provider's schedule.
If you need a written confirmation of deletion, email support@clearprecedent.com and we will provide one.
11. No Training on Customer Data
We treat the no-training commitment as a hard rule. We do not use:
- Your matter inputs.
- Your uploaded documents.
- Your prompts or chat-style messages to the Motion Builder.
- Your Motion Builder drafts.
to train any AI model, our own or any third-party provider's, for any purpose, including fine-tuning, reinforcement learning from human feedback, or pretraining. We use AI providers whose commercial API terms commit them not to train on customer inputs. Those providers may briefly retain your inputs and outputs on their side for trust-and-safety and abuse-monitoring purposes (typically up to thirty days) and then delete them; they do not use them for any other purpose.
For model improvement, we use only:
- Public CourtListener opinions.
- Public statutes and procedural rules.
- Our own internal evaluation corpus, which is built from synthetic and public materials and from team-generated test cases, never from user content.
We have selected AI providers whose terms of service support this commitment. Where a provider's standard terms would allow training on prompts, we use the no-training configuration that the provider offers, and we will discontinue use of a provider that we cannot keep aligned with this rule.
This commitment is referenced in our Terms of Service and our Responsible AI Policy. It is intended to be enforceable as a customer promise.
12. Incident Response
We monitor for security incidents through logging, alerting, and periodic review. If we confirm a security incident that affects your data, we will:
- Contain the incident as quickly as we can.
- Investigate scope, including which users and which data are affected.
- Notify affected users without undue delay, with the information we have at the time and updates as we learn more.
- Notify regulators and other authorities where the law requires.
- Apply lessons learned, including changes to our systems and processes.
Our notification will, at minimum, describe what happened, what data was affected, what we are doing about it, and what you can do to protect yourself.
If you believe you have found a vulnerability, please report it to support@clearprecedent.com. We will acknowledge your report within a reasonable time. We do not currently run a public bug bounty, but we appreciate responsible disclosure.
13. Audit and Monitoring
We maintain operational and security logs for the Services. Logs capture request paths, response codes, authentication events, and key administrative actions. Logs are reviewed for unusual patterns. Alerts route to on-call engineers.
We do not currently publish third-party audit reports. If a formal audit becomes appropriate for our customer base, we will pursue it and update this document.
14. Vendor Diligence Questions
Common vendor diligence requests can be answered with this document plus the Privacy Policy and Responsible AI Policy. If you need additional information for a security review, write to support@clearprecedent.com with your questionnaire. We will respond to reasonable requests from customers and prospects.
15. Cardholder Data
We do not handle card data directly. Card payments are processed by a third-party payment processor that maintains PCI compliance. We receive only the transaction records described in section 2 (amount, date, status, last four digits of the card, card brand, customer identifier).
16. Privacy Rights
We honor the user rights described in our Privacy Policy, including access, correction, deletion, and portability, to the extent required by applicable U.S. law.
17. Changes to This Document
We will update this document as the Services and our practices evolve. Material changes, such as a substantive change in encryption, retention, or the way we engage third-party providers, will be flagged to users in advance through email or in-app notice.
Questions?
For data handling questions or vendor diligence requests, write to us at support@clearprecedent.com.