Privacy Policy

Effective date: August 22, 2025

Welcome to Lets-ParaConnect (“we,” “us,” “our”). We operate a platform where attorneys can hire and collaborate with certified paralegals. This Privacy Policy explains what information we collect, how we use it, how we share it, and the rights available to you.

Quick facts about our stack:

MongoDB Atlas (app data) AWS S3 (private uploads) Stripe (Checkout, PaymentIntents & Connect) Nodemailer (SMTP email) JWT auth + CSRF

1. Information We Collect
2. How We Use Your Information
3. Sharing & Service Providers
4. Payments & Stripe
5. Cookies & Local Storage
6. Data Retention
7. Data Security
8. International Transfers
9. Your Privacy Rights
10. Updates to This Policy
11. Contact Us

1) Information We Collect

Account & Profile Data: name, email, role (attorney/paralegal/admin), bar number (attorneys), resume/certification URLs (paralegals), optional bio, availability, headline, website/LinkedIn.
Case & Collaboration Data: case titles/descriptions, assignments, messages, disputes, checklists, deadlines, Zoom links you choose to store, and related timestamps/audit entries.
Uploads: files you upload via presigned S3 URLs (e.g., resumes, certificates, case documents). Files are stored privately in AWS S3; we keep object keys and metadata in the app database.
Payments: Stripe identifiers like checkout.session IDs, payment_intent IDs, transfer IDs/metadata (e.g., transfer_group). We never store full card numbers.
System & Security: hashed passwords, session/JWT identifiers, CSRF tokens, IP addresses, user-agent, timestamps, rate-limit counters, audit logs (e.g., approvals, status changes).

2) How We Use Information

Provide and improve the platform (case creation, messaging, file transfers, deadlines, summaries).
Authenticate users; enforce roles and access controls.
Process payments through Stripe and facilitate payouts to paralegals upon job completion.
Detect/prevent fraud, abuse, and policy violations (rate limits, CSRF, content checks).
Send transactional emails (approvals, resets, receipts, dispute updates).
Comply with legal obligations and enforce our Terms.

We do not sell your personal information.

4) Payments & Stripe

Payments are processed by Stripe. Card information is handled by Stripe directly; we do not store full card numbers. We store Stripe identifiers and related metadata to coordinate payment records and support Stripe Connect payouts.

We use Stripe for payment processing. Stripe may collect/process personal data in accordance with its Privacy Policy: stripe.com/privacy.

5) Cookies & Local Storage

CSRF cookie: a short-lived, httpOnly cookie used only for cross-site request forgery protection.
Auth token (frontend): in some flows, a JWT may be stored in localStorage to authorize API requests from the browser. You can clear it by logging out or clearing site data.
Analytics/ads: we do not run third-party ads or tracking beacons on the core app.

6) Data Retention

We keep data only as long as needed for the purposes above or as required by law. As a guide (subject to change):

Accounts & profiles: retained while the account is active; deleted or archived upon verified request, subject to legal holds.
Cases, messages, disputes: retained for the life of the case and at least 24 months after closure, unless longer retention is required for legal, accounting, or audit purposes.
Uploads (S3): retained while associated to open matters; may be archived or purged after case closure per our internal schedules.
Audit logs & security records: typically 12–24 months.

7) Security

Industry-standard password hashing (bcrypt) and role-based authorization.
HTTPS required; Content-Security-Policy; rate limiting; CSRF protection.
Private S3 ACL for uploads; access via presigned URLs.
Webhook signature verification for Stripe events.

No system is 100% secure. If you suspect unauthorized access, contact us immediately at help@lets-paraconnect.com.

8) International Transfers

We primarily process data in the United States. If personal data is transferred internationally, we rely on appropriate safeguards as required by applicable law.

9) Your Privacy Rights

Depending on your location, you may have rights to access, correct, delete, or download your personal data, and to object or restrict certain processing. In the U.S., some state privacy laws (e.g., CA/VA/CO/CT/UT) may provide similar rights. We do not sell personal information.

To exercise rights, email help@lets-paraconnect.com. We may need to verify your identity.

10) Changes to this Policy

We may update this Policy from time to time. Material changes will be posted here with a new effective date.

11) Contact Us

Lets-ParaConnect
We are happy to help with privacy questions or requests. Email us at help@lets-paraconnect.com and we will respond as soon as possible.