Privacy Policy

Effective Date: September 21, 2025

1. Introduction

VUGA Enterprises LLC d/b/a LegalPrizm ("LegalPrizm," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using LegalPrizm, you consent to the data practices described in this Privacy Policy.

2. Information We Collect

2.1 Information You Provide

Account Information

  • Name, email address, phone number
  • Bar number and jurisdiction (for attorneys)
  • Firm name and address
  • Billing information (processed by Stripe)
  • Password (stored as encrypted hash)

Service Data

  • Documents you upload
  • Case information and client data
  • Notes, annotations, and tags
  • Calendar events and deadlines
  • Communications within the Service

2.2 Information Collected Automatically

We automatically collect:

  • Usage data and analytics
  • Device information and IP address
  • Browser type and operating system
  • Cookies and tracking technologies

3. How We Use Your Information

3.1 Provide and Maintain the Service

  • Create and manage your account
  • Process transactions and billing
  • Provide customer support
  • Send service notifications

3.2 Improve the Service

  • Analyze usage patterns
  • Develop new features
  • Fix bugs and technical issues
  • Optimize performance

3.3 Legal and Security

  • Comply with legal obligations
  • Enforce our Terms of Service
  • Detect and prevent fraud
  • Protect rights and safety

4. How We Share Your Information

4.1 We DO NOT Sell Your Personal Information

We never sell, rent, or trade your personal information to third parties.

4.2 Service Providers

We share limited information with trusted service providers:

ProviderPurposeData Shared
DigitalOceanCloud hostingEncrypted user data
StripePayment processingBilling information
SendGridEmail deliveryEmail addresses

5. Data Security

We implement industry-standard security measures to protect your data:

Technical Safeguards

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Multi-factor authentication (MFA)
  • Regular security audits

Organizational Safeguards

  • Employee background checks
  • Role-based access controls
  • Confidentiality agreements
  • Incident response procedures

6. Your Rights and Choices

You can:

  • Access your personal information
  • Correct or update your data
  • Delete your account
  • Download your data
  • Opt out of marketing communications
  • Control cookie preferences

7. California Privacy Rights (CCPA)

California residents have additional rights under CCPA:

  • Know what personal information is collected
  • Know if information is sold (we do not sell data)
  • Delete personal information
  • Non-discrimination for exercising rights

8. European Privacy Rights (GDPR)

For European Economic Area (EEA), UK, and Switzerland residents, LegalPrizm complies with the General Data Protection Regulation (GDPR) and provides the following rights:

8.1 Your GDPR Rights

  • Right of Access (Article 15): Request a copy of your personal data we hold
  • Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
  • Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
  • Right to Restriction (Article 18): Limit how we use your personal data
  • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
  • Right to Object (Article 21): Object to processing of your personal data
  • Rights related to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing

8.2 Legal Basis for Processing

We process your personal data based on:

  • Contract Performance: To provide our services under our Terms of Service
  • Legitimate Interests: To improve our services, prevent fraud, and ensure security
  • Legal Obligations: To comply with EU and member state laws
  • Consent: Where required, we obtain your explicit consent (e.g., marketing communications)

8.3 International Data Transfers

Your data may be transferred to and processed in the United States. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequate safeguards compliant with GDPR Chapter V requirements
  • Encrypted data transmission and storage using AES-256 encryption
  • Regular data protection impact assessments (DPIAs)

8.4 Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

  • Active accounts: Data retained while your account is active
  • Closed accounts: Most data deleted within 90 days; some data retained for legal compliance (up to 7 years for tax/accounting records)
  • Legal documents: Retained per applicable legal and professional obligations
  • Audit logs: Retained for 2 years for security and compliance purposes

8.5 Supervisory Authority

You have the right to lodge a complaint with your national data protection supervisory authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

8.6 Exercising Your GDPR Rights

To exercise any of your GDPR rights, contact our Data Protection Officer:

Email: [email protected]
Response Time: We will respond to your request within 30 days (may be extended by 60 days for complex requests)

9. Digital Operational Resilience Act (DORA) Compliance

For clients in the European Union, particularly those in the financial services sector, LegalPrizm complies with the Digital Operational Resilience Act (Regulation (EU) 2022/2554), which entered into force on January 17, 2025.

9.1 ICT Risk Management

We maintain comprehensive ICT (Information and Communication Technology) risk management frameworks including:

  • Continuous monitoring of information security risks
  • Regular security testing and vulnerability assessments
  • Incident detection, response, and recovery procedures
  • Business continuity and disaster recovery planning
  • Backup systems with tested restoration capabilities

9.2 ICT Incident Reporting

We maintain incident reporting procedures compliant with DORA Article 19:

  • Initial notification of major ICT incidents within required timeframes
  • Intermediate and final incident reports to clients as appropriate
  • Classification of incidents by severity and impact
  • Root cause analysis and remediation tracking

9.3 Third-Party ICT Service Provider Management

Our sub-processors and ICT service providers are managed according to DORA requirements:

  • Due diligence assessments of all ICT third-party providers
  • Contractual arrangements complying with DORA Article 30 requirements
  • Regular monitoring of third-party performance and security
  • Exit strategies and data portability provisions

Sub-Processors Register: View our complete list of ICT sub-processors at /subprocessors

9.4 Testing and Resilience

We conduct regular testing to ensure operational resilience:

  • Annual penetration testing by independent security firms
  • Quarterly disaster recovery drills
  • Continuous vulnerability scanning
  • Threat-led penetration testing (TLPT) where applicable

9.5 Client Rights Under DORA

If you are a financial entity regulated under DORA, you have the right to:

  • Request information about our ICT risk management framework
  • Receive notification of ICT incidents that may impact your services
  • Audit our security and operational resilience measures (with reasonable notice)
  • Request data portability and orderly transition arrangements
  • Terminate services with appropriate exit rights

Note for Financial Institutions: If you are subject to DORA requirements, please contact our compliance team at [email protected] to discuss specific contractual provisions required under Article 30 of DORA.

10. Children's Privacy

LegalPrizm is not intended for children under 18. We do not knowingly collect information from children.

11. Breach Notification

In the event of a personal data breach, we will:

  • GDPR Compliance: Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (if it poses a risk to rights and freedoms)
  • Affected Individuals: Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • US State Laws: Comply with applicable state data breach notification laws
  • DORA Compliance: For financial entity clients, provide incident notifications as required under DORA Articles 19-20

Breach notifications will include the nature of the breach, likely consequences, and measures taken or proposed to address the breach.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website with a new "Last Updated" date
  • Sending email notifications for significant changes
  • In-app notifications for changes affecting core functionality

Your continued use of LegalPrizm after changes become effective constitutes your acceptance of the revised Privacy Policy. For material changes that require consent under GDPR, we will obtain your explicit consent before applying changes.

13. Contact Us

Privacy Team

Email: [email protected]

Data Protection Officer

Email: [email protected]

Mailing Address

VUGA Enterprises LLC d/b/a LegalPrizm
18117 Biscayne Blvd Unit 1039
Aventura, FL 33160
United States

Phone: 786-967-6544
Email: [email protected]

Last Updated: September 21, 2025

Version: 2.1

Legal Documents

Privacy PolicyTerms of ServiceCookie PolicyAcceptable Use PolicyDMCA PolicyData Processing AgreementSub-Processors