Privacy Policy
Effective date: August 22, 2025
Introduction
Welcome to Lets-ParaConnect (“we,” “us,” “our”). We operate a platform where attorneys can hire and collaborate with certified paralegals. This Privacy Policy explains what information we collect, how we use it, how we share it, and the rights available to you.
Quick facts about our stack:
- MongoDB Atlas (app data)
- AWS S3 (private uploads)
- Stripe (Checkout, PaymentIntents & Connect)
- Nodemailer (SMTP email)
- Google reCAPTCHA
- JWT auth + CSRF protection
1) Information We Collect
- Account & Profile Data: name, email, role (attorney/paralegal/admin), bar number (attorneys), resume/certification URLs (paralegals), optional bio, availability, headline, website/LinkedIn.
- Case & Collaboration Data: case titles/descriptions, assignments, messages, disputes, checklists, deadlines, Zoom links you choose to store, and related timestamps/audit entries.
- Uploads: files you upload via presigned S3 URLs (e.g., resumes, certificates, case documents). Files are stored privately in AWS S3; we keep object keys and metadata in the app database.
- Payments: Stripe identifiers such as checkout.session IDs, payment_intent IDs, and transfer IDs/metadata (e.g., transfer_group). We never store full card numbers.
- System & Security: hashed passwords, session/JWT identifiers, CSRF tokens, IP addresses, user-agent, timestamps, rate-limit counters, audit logs (e.g., approvals, status changes).
- reCAPTCHA: we use Google reCAPTCHA on sign-up/sign-in to reduce abuse. Google may collect device and usage data per Google’s policies.
2) How We Use Information
- Provide and improve the platform (case creation, messaging, file transfers, deadlines, summaries).
- Authenticate users; enforce roles and access controls.
- Process payments/escrow and automate releases to paralegals on job completion.
- Detect/prevent fraud, abuse, and policy violations (rate limits, CSRF, content checks).
- Send transactional emails (approvals, resets, receipts, dispute updates).
- Comply with legal obligations and enforce our Terms.
We do not sell your personal information.
3) Legal Bases (EEA/UK)
If you are in the EEA/UK, we process personal data under these bases: contract performance (providing the service), legitimate interests (security, fraud prevention, improvements), legal obligations (records, accounting), and consent where required (e.g., optional marketing if used).
5) Payments & Escrow (Stripe)
Payments are processed by Stripe. Card information is handled by Stripe directly; we do not store full card numbers. We store Stripe identifiers and metadata (e.g., payment_intent, checkout.session, transfer, transfer_group) to manage escrow and automate payouts to paralegals via Stripe Connect.
Stripe’s own privacy practices apply; see stripe.com/privacy.
7) Data Retention
We keep data only as long as needed for the purposes above or as required by law. As a guide (subject to change):
- Accounts & profiles: retained while the account is active; deleted or archived upon verified request, subject to legal holds.
- Cases, messages, disputes: retained for the life of the case and at least 24 months after closure, unless longer retention is required for legal, accounting, or audit purposes.
- Uploads (S3): retained while associated to open matters; may be archived or purged after case closure per our internal schedules.
- Audit logs & security records: typically 12–24 months.
8) Security
- Industry-standard password hashing (bcrypt) and role-based authorization.
- HTTPS required; Content-Security-Policy; rate limiting; CSRF protection.
- Private S3 ACL for uploads; access via presigned URLs.
- Webhook signature verification for Stripe events.
No system is 100% secure. If you suspect unauthorized access, contact us immediately at admin@lets-paraconnect.com.
9) International Transfers
We primarily process data in the United States. If personal data is transferred internationally, we rely on appropriate safeguards as required by applicable law.
10) Your Privacy Rights
Depending on your location, you may have rights to access, correct, delete, or download your personal data, and to object or restrict certain processing.
- EEA/UK: GDPR rights (access, rectification, erasure, restriction, portability, objection). You may also lodge a complaint with your local supervisory authority.
- US (e.g., CA/VA/CO/CT/UT): state privacy laws may provide similar rights. We do not sell personal information.
To exercise rights, email admin@lets-paraconnect.com. We may need to verify your identity.
11) Children’s Privacy
Our service is not directed to children under 16. We do not knowingly collect personal information from children under 16.
12) Changes to this Policy
We may update this Policy from time to time. Material changes will be posted here with a new effective date.
13) Contact Us
Lets-ParaConnect
Email: admin@lets-paraconnect.com