Privacy Policy

1. Scope & Definitions

This Privacy Policy (“Policy”) describes how Thalax, Inc. (“Thalax,” “Company,” “we,” “us,” or “our”) collects, uses, discloses, retains, and protects information in connection with the Thalax platform, web applications, mobile applications, browser extensions, APIs, and all related services (collectively, the “Service”).

This Policy applies to: (a) law firm subscribers and their authorized personnel (“Firm Users”); (b) clients of subscribing law firms whose data is processed through the Service (“Firm Clients”); and (c) visitors to our website.

“Personal Information” means any information that identifies, relates to, or could reasonably be linked to an individual or household.

“Protected Health Information” or “PHI” has the meaning set forth in 45 C.F.R. § 160.103 under HIPAA.

“Case Data” means all data relating to legal cases processed through the Service, including client information, medical records, insurance details, litigation documents, communications, and financial records.

“Customer Data” means, collectively, Personal Information, PHI, and Case Data that Firm Users provide to or authorize us to receive through the Service.

2. Information We Collect

a. Information provided by Firm Users

• Account information: name, email, phone, firm name, bar number, role, billing address.
• Case management data: case facts, incident details, liability assessments, case status, litigation deadlines, statute of limitations dates, game plans, and strategic notes.
• Communications: SMS/text messages (via Twilio), secure messages, emails synced through Gmail or Outlook extensions, call recordings, and transcriptions.

b. Firm Client data processed on behalf of law firms

• Identity & contact: full name, date of birth, Social Security Number (encrypted), phone, email, mailing address.
• Medical records & health information (PHI): treatment records, medical bills, provider information, diagnoses (ICD-10), imaging results, pre-existing conditions, pain journals, medication logs, and missed work records.
• Insurance information: PIP carrier details, policy numbers, claim numbers, BI coverage limits, adjuster contacts, health insurance details, workers’ compensation claims, Medicare/Medicaid information, and subrogation/lien details.
• Financial data: medical billing breakdowns, settlement amounts, trust account transactions, contingency fee calculations, lien amounts, and expense records.
• Litigation documents: complaints, answers, motions, discovery requests/responses, deposition transcripts, expert witness reports, and court filings.
• Uploaded files: documents, PDFs, images, spreadsheets, and other files uploaded for case management.

c. Information collected automatically

• Usage data: pages visited, features used, actions taken, timestamps, session duration.
• Device data: browser type, operating system, device identifiers, screen size, mobile app version.
• Network data: IP address, approximate location derived from IP.
• Log data: HTTP request metadata, error traces, performance metrics.

d. Information from third parties

• Stripe: card brand, last four digits, billing address, charge amounts, subscription status. We never receive full card numbers.
• Email delivery (Resend): delivery receipts, bounce notifications.
• Call transcription (Deepgram): speech-to-text output from recorded calls.

3. How We Use Information

We use information to:

• Provide, operate, maintain, and improve the Service.
• Manage cases, deadlines, medical records, billing, and litigation workflows on behalf of subscribing firms.
• Facilitate communications between attorneys and their clients (SMS, calls, secure messaging, email sync).
• Generate AI-assisted outputs (document parsing, demand letter drafts, case valuations, intake summaries).
• Process payments, issue invoices, manage subscriptions, and track trust account transactions.
• Send transactional notifications (deadline alerts, case updates, payment confirmations, SOL warnings).
• Facilitate electronic signatures (BoldSign) and remote online notarization (Notarize).
• Detect fraud, prevent abuse, maintain security, and enforce our Terms.
• Comply with legal obligations, respond to lawful requests, and cooperate with regulators.
• Generate aggregated, de-identified analytics to improve platform features and benchmarks.

4. AI Processing & Model Training

We do not use your Customer Data to train third-party AI models.

The Service uses the Anthropic Claude API to generate certain outputs, including medical record summaries, demand letter drafts, case valuations, and document parsing. When we call that API, we rely on Anthropic’s contractual commitment that API inputs and outputs are not used to train their foundation models. We transmit only the minimum data necessary to produce the requested output.

Deepgram processes call recordings for speech-to-text transcription. Audio data is processed in real-time and is not retained by Deepgram after transcription, per their data processing terms.

We may use aggregated, de-identified data (e.g., anonymized case outcome statistics, settlement range benchmarks) to improve our scoring methodology and product features. De-identified data cannot reasonably identify any individual, case, or firm. Thalax retains all rights in such aggregated, de-identified data.

AI outputs are probabilistic and for informational purposes only. They are not legal advice and do not replace attorney judgment. Firm Users are solely responsible for reviewing all AI-generated content before use.

5. How We Share Information

We never sell Personal Information, PHI, or Case Data. We do not share Personal Information with third parties for their own marketing purposes.

We share information only in these limited circumstances:

• Subprocessors (Section 6): strictly to operate the Service, under written data processing agreements and, where applicable, Business Associate Agreements.
• Legal requirements: when compelled by valid legal process (subpoena, court order, regulatory demand). We will push back on overbroad requests and notify affected subscribers where legally permitted.
• Protection of rights: where necessary to enforce our Terms, protect rights, property, or safety, or detect fraud.
• Business transfers: in connection with a merger, acquisition, or sale of substantially all assets, Customer Data may transfer to the successor, subject to this Policy or a materially equivalent policy. You will be notified via email.
• With your explicit authorization: when a Firm User explicitly directs us to share data with a designated third party.
• Aggregated & de-identified data: we may share data that cannot reasonably identify any individual, case, or firm.

6. Subprocessors

We use the following subprocessors. Each is bound by written data processing agreements. Where PHI is involved, a BAA is in place.

We will provide at least 14 days’ advance notice before adding a new subprocessor that processes Customer Data. A current list may be requested at [email protected].

7. Data Retention & Disposal

• Active subscriptions: Customer Data is retained for the duration of the subscription.
• After termination: Case Data is retained in read-only form for 90 days to permit export, after which it is irreversibly deleted from primary systems unless the Firm User requests extended retention or applicable law requires it.
• Legal retention obligations:certain records (including case files, billing records, and trust account transactions) may be subject to state bar rules, court orders, or regulatory requirements mandating longer retention (typically 5–7 years post-disposition). Firm Users are responsible for maintaining their own archival copies to comply with applicable retention rules.
• Encrypted backups: retained for 30 days after deletion from primary systems, then cryptographically purged.
• Billing records: retained for 7 years per tax and accounting obligations.
• Aggregated & de-identified data: retained indefinitely.

8. Security Measures

We implement administrative, technical, and physical safeguards appropriate for the sensitivity of the data we process:

• TLS 1.2+ encryption for all data in transit.
• AES-256 encryption at rest for all database storage.
• SSN fields encrypted via pgcrypto/Supabase Vault - never stored in plaintext.
• OAuth tokens and API keys encrypted with AES-256-GCM.
• Row-Level Security (RLS) enforced at the database level - complete firm-to-firm data isolation.
• Parameterized queries to prevent SQL injection.
• Multi-factor authentication required for all Firm Users.
• Least-privilege access controls for all Thalax personnel.
• Automated daily encrypted backups with geographic redundancy.
• IP-based rate limiting and DDoS mitigation on all endpoints.
• Dependency vulnerability scanning and automated patching.
• Audit logging for all access to PHI and sensitive records.
• Incident-response procedures with breach notification within 72 hours to affected subscribers and applicable regulators (per HIPAA, Florida HB 286, and other state breach notification laws).

Infrastructure compliance

Customer Data is hosted on SOC 2 Type II-certified infrastructure. Supabase (database), Vercel (hosting), and Stripe (payments) each maintain independent SOC 2 Type II certifications. Stripe is PCI-DSS Level 1 certified. All data resides in US-East regions.

No system is perfectly secure. Report vulnerabilities to [email protected].

9. HIPAA & Protected Health Information

The Service processes PHI on behalf of subscribing law firms. Thalax acts as a Business Associate under HIPAA when processing PHI on behalf of a Covered Entity or another Business Associate.

All subscribing firms that transmit PHI through the Service must execute a Business Associate Agreement (BAA) with Thalax. Our standard BAA is available at /legal/baa or upon request at [email protected].

We maintain HIPAA-compliant administrative, physical, and technical safeguards as described in Section 8. We conduct periodic risk assessments and maintain documentation of our HIPAA compliance program.

Do not transmit PHI through the Service without a fully executed BAA. Thalax disclaims all liability for PHI transmitted absent a BAA.

10. Attorney-Client Privilege

Thalax is a technology platform that facilitates communication and case management. Use of the Service does not waive, diminish, or otherwise affect attorney-client privilege, work-product doctrine, or any other applicable legal privilege.

All communications between attorneys and their clients transmitted through the Service (including SMS, secure messages, calls, and emails) remain privileged and confidential between the attorney and client. Thalax processes these communications solely as a service provider and does not access, review, or disclose privileged content except as necessary to deliver the Service or as required by law.

Firm Users are responsible for ensuring that their use of the Service complies with applicable rules of professional conduct, including confidentiality obligations under their state bar rules.

11. Your Rights

Firm Users may exercise the following rights regarding their account data:

• Access: request a copy of your data.
• Correction: request correction of inaccurate data.
• Deletion: request deletion (subject to legal retention requirements and active case obligations).
• Portability: export data in JSON or CSV format.
• Restriction: request restricted processing in certain circumstances.
• Objection: object to specific processing (e.g., marketing).

Firm Clients whose data is processed through the Service should direct privacy requests to their attorney/law firm, who is the data controller for Case Data. Thalax will cooperate with Firm Users to fulfill such requests.

Email [email protected]with subject “Data Rights Request.” We respond within 30 days.

12. CCPA/CPRA (California)

California residents have rights under CCPA/CPRA:

• Right to know what Personal Information we collect, use, and disclose.
• Right to delete Personal Information.
• Right to correct inaccurate Personal Information.
• Right to opt out of sale/sharing. We do not sell or share Personal Information as defined by CCPA/CPRA.
• Right to limit use of sensitive Personal Information.
• Right to non-discrimination.

When Thalax processes Firm Client data on behalf of a law firm, Thalax acts as a “Service Provider” under CCPA. Firm Clients should direct CCPA requests to their law firm.

Email [email protected]with subject “CCPA Request.”

13. Call Recording & Transcription

The Service may record and transcribe audio/video calls between attorneys and clients using Stream (recording) and Deepgram (transcription). Call recordings and transcripts are stored as part of Case Data and subject to all protections described in this Policy.

Consent: Firm Users are solely responsible for obtaining all necessary consents for call recording under applicable federal and state wiretapping/eavesdropping laws (including two-party consent states). Thalax provides configurable notification/consent mechanisms but does not guarantee compliance - Firm Users must verify requirements in their jurisdiction and each jurisdiction where their clients are located.

14. Cookies & Analytics

We use minimal cookies limited to those strictly necessary for authentication and session management. We use PostHog for product analytics - it can be configured to collect no Personal Information and does not track PHI.

We do not use third-party advertising pixels, retargeting cookies, or behavioral advertising technologies.

15. Children’s Privacy

The Service is a business-to-business product for law firms. It is not directed to individuals under 18. We do not knowingly collect Personal Information from children under 13. If you believe a child has provided information, contact us immediately at [email protected].

Minor Firm Clients: where a law firm represents a minor, the firm is responsible for ensuring that data is provided by a parent or legal guardian in compliance with applicable law.

16. International Data Transfers

Thalax is based in the United States. All Customer Data is stored and processed in the United States. If you access the Service from outside the U.S., your data will be transferred to the U.S. We implement Standard Contractual Clauses (SCCs) and other appropriate safeguards for international transfers where required by applicable law.

17. Changes to This Policy

We may update this Policy to reflect changes in practices, technologies, or legal requirements. Material changes will be communicated by email at least 14 days before taking effect. Continued use after the effective date constitutes acceptance. If you disagree with a material change, you must stop using the Service and contact us to export your data.

18. Contact

• Privacy & data requests: [email protected]
• General support: [email protected]
• Security vulnerabilities: [email protected]
• Legal notices: [email protected]

Thalax, Inc.
United States