Privacy Policy
Ezel AI, Inc., a Delaware corporation ("Ezel", "we", "us", or "our"), operates ezel.ai. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our legal AI platform.
We take your privacy seriously. As a legal AI tool, we understand the sensitive nature of the data you entrust to us and have built our platform with privacy and security as foundational principles.
- We never sell your personal data
- Your documents are never used to train AI models
- You maintain full control over your data at all times
- We implement enterprise-grade security measures
1. Information We Collect
1.1 Information You Provide Directly
Account Information
- Email address (used for passwordless authentication via magic links)
- Name (optional)
- Organization or company name (optional)
Payment and Transaction Data
- Payment information is processed by our payment processor, Stripe, Inc. (Stripe Privacy Policy)
- We do not store your full credit card numbers or CVV codes on our servers
- We retain transaction history, billing records, and subscription information for accounting and tax compliance
Content and Documents
- Legal documents, contracts, and files you upload to the platform
- Chat conversations and queries submitted to the AI
- Notes, annotations, and comments you create
- Saved searches and preferences
Communications
- Information you provide when you contact customer support
- Survey responses and feedback
- Communications through email, chat, or other channels
1.2 Information We Collect Automatically
Usage Data
- Token usage and API consumption for billing purposes and preventing overuse
1.3 Information from Third Parties
- Authentication Services: We use Supabase for authentication. When you sign up or log in, Supabase processes your email address for account creation and magic link authentication
1.4 Sensitive Data We Do NOT Collect
We do not intentionally collect or request:
- Social Security numbers, driver's license numbers, or passport information
- Financial account information (beyond payment processing)
- Biometric data
- Precise geolocation data
- Information about race, ethnicity, religious beliefs, or health conditions
If such information appears within documents you upload, we process it solely to provide the AI services you request and never use it for any other purpose.
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Service Delivery and Operations
- Provide, operate, and maintain the Ezel platform and AI services
- Process your documents and queries through our AI providers (Anthropic, OpenAI)
- Manage your account and authentication
- Store and retrieve your documents and chat history
2.2 Billing and Payments
- Calculate token usage and generate accurate billing
- Process payments and maintain transaction records
- Issue invoices and manage subscriptions
- Prevent fraudulent transactions and billing abuse
2.3 Communications
- Send magic link emails for authentication (via Supabase)
- Send billing and payment-related emails (via Stripe)
- Respond to your support requests and inquiries
2.4 Product Improvement and Research
- Develop new features and functionality based on user feedback
- Conduct internal testing
- Monitor and analyze platform performance and reliability
2.5 Security and Compliance
- Detect, prevent, and address fraud, abuse, security incidents, and Terms of Service violations
- Verify identity and authenticate users
- Maintain logs for security auditing and incident response
- Comply with legal obligations, court orders, and regulatory requirements
- Protect the rights, property, and safety of Ezel, our users, and the public
2.6 Legal Basis (for GDPR purposes - see Section 11)
We process your personal data based on one or more of the following legal grounds:
- Contract performance: Processing necessary to provide our services to you
- Consent: You have given clear consent for specific processing activities
- Legitimate interests: Processing necessary for our legitimate business interests (e.g., fraud prevention, analytics, marketing)
- Legal obligation: Processing required to comply with applicable laws
3. AI Processing and Training
3.1 How AI Processing Works
When you use Ezel to analyze documents or generate legal insights:
- Your documents and queries are securely transmitted to our AI providers (Anthropic Claude and OpenAI) for real-time processing
- The AI models process your input and generate responses specific to your request
- The AI providers return the results to our platform, which displays them to you
- No training occurs: Your inputs and outputs are NOT retained by AI providers for model training or improvement
3.2 Data Processing Agreements
We work with AI providers that have strict data protection policies:
- Prohibitions on using customer data for training AI models
- Confidentiality and security obligations meeting industry standards
- Limited data retention by AI providers for processing purposes only
3.3 Our AI Providers
| Provider | Data Training Policy |
|---|---|
| Anthropic | Zero data retention for training (Anthropic Policy) |
| OpenAI | API data not used for training (OpenAI API Policy) |
Note: The specific AI models we use may change over time to provide you with the best possible service. We only use models from providers with strict data protection policies.
4. Data Access and Storage
4.1 Ezel's Access to Your Data
Ezel employees and contractors are bound by strict confidentiality obligations. We can technically access your uploaded documents and chat history, but we have implemented strict policies and access controls to protect your privacy.
We access your data ONLY in these limited circumstances:
- With your explicit permission: When you request support and grant us permission to view specific data to troubleshoot an issue
- Legal requirements: When required by law, court order, subpoena, or other valid legal process
- Security incidents: To investigate suspected fraud, security breaches, or violations of our Terms of Service
- System maintenance: For automated backups, disaster recovery testing, and infrastructure maintenance (performed by systems, not humans)
Access controls we maintain:
- Role-based access controls limiting who can access customer data
- Audit logging of all access to customer data
- Regular review of access logs and permissions
- Background checks and confidentiality agreements for all employees with potential data access
4.2 Bring Your Own Storage (BYOS)
For organizations with heightened security or compliance requirements, we offer a Bring Your Own Storage option:
- Your infrastructure: Documents are stored in your own cloud storage (AWS S3, Azure Blob Storage, Google Cloud Storage) or document management system
- Zero Ezel access: We cannot access, view, or retrieve your documents—they remain exclusively under your control
- Workflow orchestration only: Ezel orchestrates the AI processing workflow, sending documents directly from your storage to AI providers and returning results to you
- Enhanced compliance: Ideal for organizations subject to strict data residency, sovereignty, or regulatory requirements
Contact [email protected] to discuss BYOS options.
4.3 Data Storage Infrastructure
| Component | Details |
|---|---|
| Primary Storage | Secure servers located in the United States |
| Database | Encrypted at rest (AES-256) |
| Backups | Automated encrypted backups |
| Data in Transit | TLS encryption for all data transmission |
| Data at Rest | AES-256 encryption |
4.4 Data Residency
Customer data is stored on secure servers located in the United States. For enterprise customers with specific data residency requirements, contact [email protected] for more information.
5. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.
5.1 Active Accounts
- Account information: Retained for the duration of your active account
- Documents and chat history: Stored indefinitely while your account is active, accessible to you at any time
- Usage and billing data: Retained for the duration of your active subscription
5.2 Data Deletion
Individual Document and Chat Deletion
You can delete individual documents and chat conversations at any time through your account:
- Immediate deletion: When you delete a document or chat, it is permanently removed from our systems
- No recovery: Deleted documents and chats cannot be recovered
Account Deletion
You can delete your entire account from the Settings page in your account dashboard:
- Immediate deletion: All customer data (documents, chat history, notes, account information) is permanently and irreversibly deleted from our systems
- No exceptions: We do not retain any of your data after deletion, including transaction records or email addresses
- Complete removal: Your data is completely removed from all production and backup systems
5.3 Inactive Accounts
- If your account remains inactive (no login or usage) for 24 consecutive months, we will send a notice to your registered email address
- If you do not respond within 60 days, we may delete your account and associated data following the timeline described in Section 5.2
- This does not apply to paid subscriptions in good standing
6. Data Sharing and Disclosure
We share your data only in the following limited circumstances:
6.1 Service Providers and Subprocessors
We engage trusted third-party service providers to help us operate our business and deliver our services. These providers are contractually obligated to:
- Use your data only for the specific purposes we authorize
- Implement appropriate security measures
- Comply with applicable privacy laws and regulations
- Delete or return your data upon termination of services
Categories of service providers we use:
- AI providers: Anthropic, OpenAI (document processing and analysis)
- Payment processing: Stripe (payment processing and billing)
- Authentication services: Supabase (account creation, magic link authentication, transactional emails)
For a complete, up-to-date list of all subprocessors with access to personal data, please see our Subprocessor List.
6.2 AI Providers
Your documents and queries are sent to the following AI providers for processing:
- Anthropic: For document analysis, legal research, and AI chat functionality
- OpenAI: For document analysis, legal research, and AI chat functionality
As described in Section 3, these providers are contractually prohibited from using your data for training. The specific models we use may change to provide you with the best service.
6.3 Affiliates and Corporate Entities
We may share information with corporate affiliates, subsidiaries, or parent companies for internal business purposes, subject to the same privacy commitments outlined in this policy.
6.4 Legal and Compliance Disclosures
We may disclose your information when we believe in good faith that disclosure is necessary to:
- Comply with applicable laws, regulations, court orders, subpoenas, or other legal processes
- Respond to lawful requests from government authorities, law enforcement, or regulatory bodies
- Enforce our Terms of Service, investigate violations, or protect against fraud and abuse
- Protect the rights, property, safety, or security of Ezel, our users, or the public
- Defend against legal claims or litigation
Where permitted by law, we will notify affected users of legal demands for their data unless prohibited by court order or if notice would compromise an investigation.
6.5 Business Transfers and Mergers
If Ezel is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction:
- Your information may be transferred to the acquiring or successor entity
- We will notify you via email and prominent notice on our website at least 30 days before any such transfer
- The acquiring entity will be required to honor the privacy commitments made in this Privacy Policy
- If the acquiring entity wishes to use your data in a manner materially different from this policy, they must obtain your consent
6.6 With Your Consent
We may share your information with third parties when you explicitly consent or direct us to do so, such as:
- Integrations you enable (e.g., connecting Ezel to your document management system)
- Sharing features you use to collaborate with others
- Marketing or promotional activities you opt into
7. Your Privacy Rights
Depending on your location and applicable privacy laws (GDPR, CCPA, etc.), you may have the following rights regarding your personal information:
7.1 Access and Transparency
- Right to know: Request information about what personal data we collect, use, disclose, and retain
- Right to access: Request a copy of your personal data in a structured, commonly used format
- Right to transparency: Understand how we process your data (described in this Privacy Policy)
7.2 Correction and Deletion
- Right to correct: Request correction of inaccurate or incomplete personal information
- Right to delete (Right to be Forgotten): Request deletion of your personal data, subject to legal obligations
- Account deletion: Delete your entire account and all associated data (see Section 5.2)
7.3 Control and Restriction
- Right to data portability: Request a copy of your data in a portable format (feature in development)
- Right to restriction: Request that we limit how we process your personal data in certain circumstances
- Right to object: Object to processing based on legitimate interests
7.4 Communications
- Essential emails: You will receive necessary emails including magic links for login (Supabase) and billing/payment notifications (Stripe)
- No marketing emails: We do not send promotional or marketing communications
7.5 Consent Withdrawal
- Withdraw consent: If we process your data based on consent, you may withdraw that consent at any time
- Withdrawal does not affect the lawfulness of processing before withdrawal
7.6 How to Exercise Your Rights
To exercise any of the rights described above:
- Email: [email protected]
- In-app: Account Settings → Privacy & Data
- Support: [email protected]
7.7 Verification and Response
When you submit a privacy request:
- We will verify your identity to protect your information from unauthorized access
- We will respond to verified requests within 30 days (45 days under GDPR, up to 90 days for complex requests with notice)
- We will not charge a fee for your first request; we may charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests
- We will explain the reason if we cannot comply with a request
7.8 No Discrimination
We will not discriminate against you for exercising your privacy rights, including by:
- Denying you services
- Charging different prices or rates
- Providing a different level or quality of services
7.9 Right to Complain to a Supervisory Authority
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
8. Security
We implement comprehensive administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction.
8.1 Technical Security Measures
- Encryption:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- End-to-end encrypted connections to AI providers
- Infrastructure Security:
- Secure database infrastructure with access controls
- Regular security patches and system updates
- Encrypted backups
- DDoS protection and network firewalls
- Access Controls:
- Magic link authentication (passwordless, secure email-based login)
- Session management and automatic timeout
- Secure token-based authentication
8.2 Organizational Security Measures
- Personnel Security:
- Background checks for employees with access to customer data
- Confidentiality and non-disclosure agreements
- Regular security awareness training
- Principle of least privilege for data access
- Monitoring and Response:
- 24/7 automated security monitoring and alerting
- Intrusion detection and prevention systems
- Comprehensive audit logging and review
- Incident response plan and procedures
- Third-Party Security:
- Due diligence and security assessments of all subprocessors
- Contractual security obligations for service providers
- Regular vendor security reviews
8.3 Security Audits and Certifications
- Regular internal security audits and penetration testing
- Third-party security assessments (upon request for enterprise customers)
- Compliance with industry security frameworks (SOC 2 in progress)
- Vulnerability scanning and remediation program
8.4 Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users within 72 hours of discovery (as required by GDPR and similar laws)
- Describe the nature of the breach, the data affected, and potential consequences
- Explain the measures we have taken to address the breach and prevent future incidents
- Provide guidance on steps you can take to protect yourself
- Notify applicable regulatory authorities as required by law
8.5 Limitations
While we implement industry-leading security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and you use our services at your own risk. You are responsible for maintaining the confidentiality of your account credentials and for any activities under your account.
9. International Data Transfers
Ezel is headquartered in the United States. Your personal information is primarily stored and processed in the United States.
9.1 Data Protection for International Users
We implement strong technical and organizational measures to protect data, including:
- End-to-end encryption for data in transit and at rest
- Strict access controls and authentication requirements
- Secure server infrastructure located in the United States
If you are located outside the United States and have questions about how your data is protected, please contact [email protected].
11. GDPR Compliance (EEA, UK, and Swiss Users)
If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, the General Data Protection Regulation (GDPR) or equivalent laws apply to our processing of your personal data.
11.1 Data Controller
Ezel is the data controller responsible for the processing of your personal information. Our contact details are provided in Section 15.
11.2 Legal Basis for Processing
We process your personal data based on one or more of the following legal grounds under Article 6 of the GDPR:
| Processing Activity | Legal Basis | Purpose |
|---|---|---|
| Account creation and management | Contract performance (Art. 6(1)(b)) | Necessary to provide our services to you |
| AI processing of documents and queries | Contract performance (Art. 6(1)(b)) | Core functionality of the service |
| Payment processing and billing | Contract performance (Art. 6(1)(b)) | Fulfill contractual obligations |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) | Protect our platform, users, and business |
| Product analytics and improvement | Legitimate interests (Art. 6(1)(f)) | Improve user experience and develop features |
| Tax, accounting, and legal compliance | Legal obligation (Art. 6(1)(c)) | Comply with laws and regulations |
| Customer support | Contract performance (Art. 6(1)(b)) and Legitimate interests (Art. 6(1)(f)) | Respond to inquiries and improve service |
11.3 Your GDPR Rights
As described in Section 7, you have comprehensive rights under the GDPR, including access, rectification, erasure, portability, restriction, objection, and the right to withdraw consent.
12. State-Specific Privacy Rights (United States)
Residents of certain U.S. states have additional privacy rights under state privacy laws.
12.1 California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you specific rights:
Your Rights
- Right to know: Categories and specific pieces of personal information we collect, sources, purposes, and third parties with whom we share it
- Right to delete: Request deletion of your personal information (subject to exceptions)
- Right to correct: Request correction of inaccurate personal information
- Right to opt-out: Opt-out of the "sale" or "sharing" of personal information (Note: We do NOT sell personal information)
- Right to limit sensitive personal information: Limit use of sensitive personal information (if applicable)
- Right to non-discrimination: Not be discriminated against for exercising these rights
Categories of Personal Information We Collect
Under the CCPA, we collect the following categories of personal information:
- Identifiers (name, email, IP address)
- Commercial information (transaction history, billing records)
- Internet or network activity (usage data, log data)
- Professional or employment information (job title, company)
- Inferences (preferences, characteristics drawn from usage patterns)
We Do NOT Sell Personal Information
However, our use of certain analytics and advertising cookies may be considered "sharing" under the CCPA. You can opt-out via our cookie settings.
How to Exercise Your California Rights
- Email: [email protected] with subject line "California Privacy Request"
- Toll-free: Available upon request for California residents
- Webform: Available in Account Settings → Privacy & Data
We will verify your identity and respond within 45 days (extendable to 90 days with notice).
Authorized Agents
You may designate an authorized agent to submit requests on your behalf. The agent must provide proof of authorization, and we may require you to verify your identity directly.
12.2 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA)
If you are a resident of Virginia, Colorado, Connecticut, or Utah, you have similar rights under your state's privacy law:
Your Rights
- Confirm whether we process your personal data
- Access your personal data
- Correct inaccuracies in your personal data
- Delete your personal data
- Obtain a copy of your personal data (data portability)
- Opt-out of targeted advertising, sale of personal data, or profiling
Appeals Process
If we deny your request, you may appeal our decision by emailing [email protected] with subject line "Privacy Request Appeal - [Your State]". We will respond within the timeframes required by your state law (typically 45-60 days). If we deny your appeal, you may contact your state Attorney General to submit a complaint.
12.3 Other U.S. States
We will update this section as additional state privacy laws take effect (e.g., Oregon, Montana, Texas, etc.). Regardless of your location, you can exercise the privacy rights described in Section 7.
10. Cookies and Tracking Technologies
We use a minimal set of cookies and tracking technologies necessary to operate our platform.
10.1 Essential Cookies
These cookies are required for the platform to function properly. You cannot opt out of these cookies.
- Session cookies: Maintain your login state and authentication (provided by Supabase)
- Preference cookies: Remember your language, theme, and display settings
- Local storage: Browser storage for your preferences and cached data
10.2 Analytics Cookies
We use Google Analytics to understand basic usage patterns and improve our platform.
- Google Analytics: Collects anonymous usage statistics
- Privacy Policy: Google Privacy Policy
- Opt-Out: Google Analytics Opt-Out Browser Add-on
10.3 Managing Cookies
You can control cookies through your browser settings:
- Chrome: Settings → Privacy and Security → Cookies
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Cookies and website data
- Edge: Settings → Cookies and site permissions
Note: Disabling essential cookies will prevent you from logging in and using the platform.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
13.1 How We Notify You of Changes
When we make changes to this Privacy Policy, we will:
- Update the "Last Updated" date at the top of this policy
- Update the version number (e.g., Version 1.0 → Version 1.1)
- Post the updated policy on our website at ezel.ai/privacy-policy
13.2 Notification for Material Changes
For material changes that significantly affect your rights or how we use your personal information, we will provide additional notice:
- Email notification to your registered email address at least 30 days before the changes take effect
- Prominent banner on our website and within the platform
- In-app notification when you next log in
13.3 Your Consent to Changes
By continuing to use Ezel after the effective date of any updates, you accept the revised Privacy Policy. If you do not agree with the changes, you may:
- Stop using our services
- Delete your account before the changes take effect
- Contact us to discuss your concerns at [email protected]
13.4 Previous Versions
You can request previous versions of this Privacy Policy by contacting [email protected].
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
14.1 General Inquiries
- Email: [email protected] (all privacy and support inquiries)
- Postal Address: Ezel AI, Inc., 3229 Greenpoint Ave Suite 382, Long Island City, NY 11101, United States
Note: All emails sent to any @ezel.ai address are received by our team.
14.2 Privacy Rights Requests
To exercise your privacy rights (access, deletion, correction, portability, etc.), please:
- Email [email protected] with your specific request
- Use the in-app Privacy & Data settings in your account
- Include sufficient information to verify your identity (we will not process requests without verification)
14.3 Security Vulnerabilities
If you discover a security vulnerability, please report it responsibly to [email protected]. Please do not publicly disclose security issues before we have had an opportunity to address them.
14.4 Response Times
We strive to respond to all privacy inquiries within:
- General questions: 3-5 business days
- Privacy rights requests: 30 days (45 days for GDPR requests, up to 90 days for complex requests)
- Security incidents: 24-72 hours (as required by law)