Your Data, Protected

How LawCite secures your data and protects your privacy — with full transparency about what we do, what our infrastructure partners do, and what we're working toward.

Zero: Data sold or shared for advertising

Zero: AI training on your data

Encrypted: All data in transit and at rest

Audited: Infrastructure providers independently certified

Your Scenarios Are Private

LawCite uses Anthropic's Claude API for AI-powered legal analysis. Here's exactly how your data is handled:

Your scenarios are not used to train AI.

Anthropic's commercial API terms explicitly state that API inputs and outputs are not used to train or improve their models. Your legal research stays private and is never incorporated into any machine learning dataset.

What we send to the API

Your scenario text, selected jurisdiction, and relevant case law context. We do not send your name, email, agency, or other account information to Anthropic.

Data retention by Anthropic

Under Anthropic's standard API terms, they may temporarily retain API inputs for up to 30 days for trust and safety purposes, after which they are deleted. This retention is for abuse prevention — not training.

Anthropic's Certifications

SOC 2 Type II: Independent audit of security controls over time
ISO 27001:2022: International standard for information security management
ISO/IEC 42001:2023: International standard for AI management systems

Exactly What Data LawCite Stores

We believe you should know exactly what data we keep. Here's the complete picture.

Account Information

Email address, display name
Agency name, state, rank, and unit
Subscription and billing status (we store Stripe reference IDs — never payment card numbers)
Theme and notification preferences
IP address recorded at terms of service acceptance
Profile photo if uploaded (EXIF metadata is automatically stripped)

Research Data

Your legal scenarios (the full text you submit for analysis)
AI-generated analysis results (the full response)
Follow-up questions and responses
AI-generated titles and summaries
Case law results and citation verification data
Pinned cases

Session & Security Data

Active session records including IP address, device type, and approximate location
Security audit logs for authentication events and security-relevant actions
Analytics events tracking feature usage, not content (example: "user searched in Texas, 5th Circuit, 12 cases found" — not the scenario text)

What We Don't Store

Your password — managed entirely by Auth0. We never see it.
Payment card numbers — managed entirely by Stripe. Card numbers, CVV, and billing addresses never touch our servers.

Your legal scenarios and AI analysis results are stored in our database so you can access your search history. You can delete individual searches anytime, clear your entire history, or delete your account to remove all data.

Built on Audited Infrastructure

LawCite does not hold independent security certifications like SOC 2 or ISO 27001. We're transparent about that.

What we do is build on infrastructure providers that have been independently audited and certified. Each provider's certifications cover their own systems and controls — not LawCite's application code or business processes.

Infrastructure providers and their security certifications

Provider | Role | Certifications | What They Secure
Railway | Backend & database | SOC 2 Type II, SOC 3 | Server infrastructure, database encryption at rest, automated backups, network security
Vercel | Frontend hosting | SOC 2 Type II | Edge network, static asset delivery, HTTPS termination, DDoS protection
Auth0 | Authentication | SOC 2 Type II | Password storage, OAuth 2.0 flows, multi-factor authentication, brute-force protection
Stripe | Payments | PCI DSS Level 1 | All payment card handling, tokenization, fraud detection
Anthropic | AI analysis | SOC 2 Type II, ISO 27001, ISO 42001 | AI model infrastructure, API security, data handling

What We Build and Control

Beyond our infrastructure providers, here's what LawCite implements directly:

Encryption & Transport

All connections between your browser and our servers use TLS encryption, enforced at the platform level by both Railway and Vercel
HSTS (HTTP Strict Transport Security) with preload directive on both frontend and backend — your browser will always use HTTPS after the first visit
Session cookies are encrypted using iron-session before being stored in your browser
Database connections enforce SSL at both the infrastructure and application level
Database encryption at rest provided by Railway’s infrastructure

Authentication & Sessions

JWT tokens validated using RS256 cryptographic signatures, verified against Auth0’s public keys
Automatic token refresh every 50 minutes — seamless and invisible to you
16-hour session duration designed for law enforcement shift patterns
Session blocklist system — when you log out all devices, all existing tokens are immediately invalidated
HttpOnly, Secure, and SameSite cookie flags prevent cross-site attacks
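
One way a "log out all devices" blocklist can be checked on each request, as an added example that is not LawCite's code. The class name, method names, claim layout and the per-user cutoff design are assumptions; the claims are taken to come from a JWT whose RS256 signature was already verified.

```javascript
// Added example (hypothetical names). Times are Unix seconds.
const SESSION_MAX_SECONDS = 16 * 60 * 60; // the 16-hour session duration listed above

class SessionBlocklist {
  constructor() {
    this.revokedBefore = new Map(); // user id (sub) -> cutoff time
  }

  // "Log out all devices": every token issued up to `now` stops being accepted.
  revokeAll(sub, now) {
    this.revokedBefore.set(sub, now);
  }

  // Decide whether already-signature-verified claims may still be used.
  check(claims, now) {
    const { sub, iat, exp } = claims;
    if (typeof sub !== "string" || !Number.isInteger(iat) || !Number.isInteger(exp)) {
      return { ok: false, reason: "malformed_claims" };
    }
    if (now >= exp) return { ok: false, reason: "expired" };
    // Hard age limit: this is what makes prune() below safe.
    if (now - iat > SESSION_MAX_SECONDS) return { ok: false, reason: "too_old" };
    const cutoff = this.revokedBefore.get(sub);
    // <= is deliberate: a token minted in the same second as the logout is rejected.
    if (cutoff !== undefined && iat <= cutoff) return { ok: false, reason: "revoked" };
    return { ok: true };
  }

  // A cutoff older than the age limit can only match tokens that check()
  // already rejects as too_old, so the entry can be dropped.
  prune(now) {
    let removed = 0;
    for (const [sub, cutoff] of this.revokedBefore) {
      if (now - cutoff > SESSION_MAX_SECONDS) {
        this.revokedBefore.delete(sub);
        removed++;
      }
    }
    return removed;
  }
}
```
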

Application Security

CSRF protection via origin header validation and content-type enforcement
Comprehensive security headers on every response including Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options, Referrer-Policy, and Permissions-Policy
Rate limiting at 60 requests per minute per IP, with per-user limits for authenticated requests
Input sanitization with prompt injection detection — suspicious inputs are flagged and tracked using one-way hashes, never logged in full
All API keys and secrets stored as environment variables — never hardcoded, never exposed to the browser
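
A sketch of CSRF protection by origin header validation plus content-type enforcement, as an added example that is not LawCite's code. The function names, the allowed origin and the JSON-only rule are assumptions; the request is modelled as a plain object with lower-cased header names.

```javascript
// Added example (hypothetical names and constructed origin).
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Normalise an Origin or Referer value to scheme://host[:port]; null if unusable.
function originOf(value) {
  if (!value || value === "null") return null;
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// req: { method, headers }. Returns { ok } or { ok: false, reason }.
function checkCsrf(req) {
  const method = String(req.method || "").toUpperCase();
  if (SAFE_METHODS.has(method)) return { ok: true };

  // 1. Origin validation, falling back to Referer when Origin is absent.
  //    Exact match on the parsed origin, so look-alike hosts that merely
  //    start with the allowed name do not pass.
  const origin = originOf(req.headers["origin"]) ?? originOf(req.headers["referer"]);
  if (!origin) return { ok: false, reason: "missing_origin" };
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: "origin_mismatch" };

  // 2. Content-type enforcement: accept only JSON. Form-encoded, multipart and
  //    text/plain bodies are the types a cross-site HTML form can submit
  //    without a CORS preflight, so they are refused.
  const mediaType = String(req.headers["content-type"] || "")
    .split(";")[0]
    .trim()
    .toLowerCase();
  if (mediaType !== "application/json") return { ok: false, reason: "bad_content_type" };

  return { ok: true };
}
```
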

Security Monitoring

Security events logged to three independent destinations: application logs, Betterstack, and a dedicated database audit table
Structured event tracking for authentication failures, rate limit violations, CSRF attempts, and suspicious input patterns
Error tracking via Sentry with personally identifiable information collection disabled
Security-relevant logging never captures full user content — only hashed identifiers and metadata

You Control Your Data

Delete search history

Remove individual searches or clear your entire history from Settings > Privacy. Deletion is immediate and permanent.

Export your data

Download all your research data as a ZIP file containing PDF exports and a CSV summary from Settings > Privacy. You can also export individual analyses as PDF from any results page.

Delete your account

Permanently delete your account and all associated data. This removes your data from our database, cancels your Stripe subscription, and deletes your Auth0 authentication record. Available from Settings.

Manage sessions

View all active sessions with device type and approximate location from Settings > Privacy. Log out all devices at once to immediately invalidate all active sessions.

Third-Party Services That Receive Your Data

We don't sell your data. We don't share it for advertising. But some third-party services receive limited data as part of normal platform operations. Here's the complete list:

Third-party services and the data they receive

Service | What They Receive | Why
Anthropic (Claude API) | Your scenario text, jurisdiction, and case law context | AI-powered legal analysis — core product functionality
Auth0 | Email, login credentials, session data | Authentication and identity management
Stripe | Email, subscription selections | Payment processing and subscription management
Resend | Email address | Transactional email delivery (account notifications, password resets)
Sentry | Error context and stack traces (PII collection disabled) | Error tracking and application monitoring
Betterstack | Security event metadata (event types, timestamps, severity) | Security monitoring and log aggregation
ip-api.com | IP address | Approximate geolocation for session management display (e.g., "Dallas, TX")

No service on this list receives your legal scenario text except Anthropic, which requires it to perform analysis. Feedback submissions to our project management system include only a reference ID — not your research content.

If Something Goes Wrong

LawCite maintains a documented Security Incident Response Plan covering detection, containment, investigation, notification, and recovery procedures.

We will notify you promptly.

If a confirmed breach affects your data, we will email you directly with: what happened, what data was affected, what we've done about it, and what (if anything) you should do. Our target is notification within 72 hours of confirming a breach. Containment always comes first — but we will never delay notification to protect our reputation.

We will be specific.

Notifications will tell you exactly what data types were affected — not vague generalities.

We will tell you what we've done.

Every notification includes the concrete steps we've taken to contain the issue and prevent recurrence.

We will share findings.

Post-incident reports are produced within 7 days of resolution and available upon request.

Detection

Security events are actively monitored through automated logging (application logs, Betterstack, database audit trail, Sentry) and external sources (Auth0 anomaly detection, Stripe fraud alerts, vendor security advisories, dependency vulnerability scanning).

Security Questions?

If you have security concerns, questions about how your data is handled, or need to report a vulnerability, contact us at security@lawcite.app. This inbox is actively monitored.
