Privacy Policy
This Privacy Policy describes how Springhead, LLC (“Springhead,” “we,” “us”) collects, uses, and shares information when you use rule26 (“the Service”). It is incorporated into our Terms of Service.
1. What we collect
1.1 Information you provide
- Account information: your email address, your account password (stored as a salted hash, never in plaintext), and any profile information you enter (full name, professional title, firm name, hourly rate).
- Cumulative-state data: your CV entries (education, licenses, certifications, employment, awards), publications, and case history including prior-testimony events.
- Case content: the working notes you submit for each case and the resulting Rule 26 drafts.
- Payment information: payment-card information is collected by Stripe, not by Springhead. We receive only a Stripe customer identifier, subscription status, and the last four digits of the card.
1.2 Information collected automatically
- Usage data: log records of your access, including IP address, timestamps, request paths, and the token counts and computed cost of each AI-assisted draft generation.
- Cookies: session cookies set by Supabase Auth to keep you signed in. We do not use third-party advertising or analytics cookies.
1.3 Information from third parties
- Citation sources: When you generate a draft, we send candidate citations to CourtListener, Crossref, Semantic Scholar, and OpenAlex to verify them. The data sent is limited to the citation text (e.g., a case name and reporter citation, or a paper title) — we do not send your case notes or expert profile to these services.
2. How we use your information
We use the information to:
- Provide the Service (draft generation, citation validation, cumulative-state assembly, Word export);
- Authenticate you and maintain your account;
- Process payments and manage your subscription;
- Send transactional emails (invite to sign in, password reset, billing notifications);
- Monitor usage to enforce per-user limits and detect abuse;
- Debug, secure, and improve the Service;
- Comply with legal obligations.
We do not:
- Sell your information to third parties;
- Use your case content or working notes to train any AI model;
- Share your case content with anyone outside the sub-processors listed in Section 4.
3. Legal basis
We process your information on the following bases:
- Contract: to provide the Service you have subscribed to;
- Legitimate interest: to operate, secure, and improve the Service;
- Consent: where you have provided it (e.g., by subscribing);
- Legal obligation: where required by law.
4. Sub-processors
We use the following third-party services to provide rule26. Each has its own privacy policy and is contractually obligated to protect your data:
| Sub-processor | Purpose |
|---|---|
| Supabase, Inc. | Database, authentication, file storage |
| Vercel, Inc. | Hosting and content delivery |
| Stripe, Inc. | Payment processing |
| Anthropic, PBC | AI model for draft assembly (does not train on customer data) |
| Postmark (ActiveCampaign, LLC) | Transactional email delivery |
| Cloudflare, Inc. | DNS and inbound email routing |
| CourtListener (Free Law Project) | Case-citation lookup |
| Crossref, Semantic Scholar, OpenAlex | Paper-citation lookup |
We may update this list. Material changes will be reflected here and, where required, notified to your account email.
5. Data retention
- Account information and cumulative state: retained for the life of your account, plus 30 days after deletion to allow account recovery.
- Case content (notes, drafts): retained for the life of your account, plus 30 days after deletion.
- Durable finalization record (metadata only): when you finalize a report, we keep a durable, metadata-only record for up to 7 years for legal compliance and evidentiary purposes, even after account deletion. This record consists only of a cryptographic fingerprint (a SHA-256 hash) of the finalized report’s content, the server-computed citation verdicts, your acknowledgements at the moment of finalization, and identifiers/timestamps/versions. It does not contain your case content: the fingerprint is a one-way hash from which the underlying notes or report text cannot be reconstructed. It lets a document you filed be verified against its fingerprint, and its citation verdicts and acknowledgements shown, without retaining the case content itself.
- Audit log: the append-only audit log of changes to your data retains only the event and a one-way content hash of each change — not the before-and-after text of your content. When you delete your account (or request deletion), your raw working notes and drafted report prose are deleted and the audit log’s raw content is purged; only the metadata-only finalization record described above survives.
- Billing records: retained as required by tax and accounting law (generally 7 years in the U.S.).
- Usage logs: retained for 90 days unless an investigation is ongoing.
You may request immediate deletion at any time by emailing contact@rule26.app, subject to the legal retention requirements above.
6. Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you;
- Correct inaccurate information;
- Delete your personal information (subject to legal retention);
- Export your personal information in a portable format;
- Object to or restrict certain processing;
- Withdraw consent where consent is the legal basis;
- Lodge a complaint with a data protection authority (e.g., a state attorney general in the U.S., or a supervisory authority in the EU or UK).
To exercise any of these rights, email contact@rule26.app. We may require identity verification before fulfilling requests.
7. Security
We use the following measures to protect your information:
- Row-level security policies on every database table, scoped to the owning user;
- Encryption in transit (TLS) and at rest via our database provider (Supabase);
- Access isolated per account by row-level security, so your data is scoped to you;
- Authentication via Supabase Auth with hashed password storage;
- An append-only audit log of every change to your cumulative state;
- Service-role database access restricted to server-side code only.
When you generate a draft, your case content is processed only by the model that drafts your report (Anthropic). It is not used to train any model. When we verify a citation, the citation-verification databases receive only the citation itself — never your case notes.
No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you in accordance with applicable law.
8. International transfers
The Service is operated from the United States. If you access it from outside the U.S., your information will be transferred to and processed in the U.S. and other countries where our sub-processors operate.
9. Children
The Service is not intended for anyone under 18. We do not knowingly collect information from children. If you believe a child has provided information to us, contact contact@rule26.app and we will delete it.
10. California residents — CCPA notice
Under the California Consumer Privacy Act, California residents have the rights described in Section 6 above. We have not sold personal information in the preceding 12 months and do not currently sell personal information.
11. Changes to this Policy
We may update this Privacy Policy. Material changes will be posted at rule26.app/privacy and notified to your account email at least 30 days before they take effect.
12. Contact
Questions about this Privacy Policy or our handling of your information? Email contact@rule26.app.
Springhead, LLC