01 Who We Are
lawmem.ai is operated by Blue Swan Ventures, LLC, a Florida limited liability company located at 1201 E Broward Blvd, Fort Lauderdale, FL 33301. We are the data controller for personal data collected through lawmem.ai.
For data protection inquiries, contact us at david@lawmem.ai.
02 Information We Collect
We collect the minimum information necessary to operate the Service:
| Category | Data Collected | Source |
|---|---|---|
| Account data | Email address, company/organization name | Provided at signup |
| API credentials | API key (stored as bcrypt hash — plaintext not retained after issuance) | Generated at signup |
| Billing data | Stripe customer ID, subscription plan, payment status | Stripe (on subscription) |
| Wallet data | Blockchain wallet address (for x402 payment users) | Provided by customer/agent |
| Usage data | API call counts, timestamps, endpoint (store/recall), memory IDs | Automatically logged |
| Audit logs | Timestamp, API key hash, operation type, memory ID | Automatically logged |
| Website analytics | Page views, referrers, device type, country (no personal identifiers) | Plausible Analytics |
We do not collect: names of individual users, phone numbers, IP addresses linked to identities, or behavioral tracking data beyond what is described above.
03 How We Use Information
We use the information we collect exclusively to:
- Provision and operate the Service (authentication, API access, quota management)
- Send transactional emails — welcome email with API key, billing notifications, backup status (operator only)
- Process payments and manage subscriptions via Stripe
- Maintain audit logs for billing verification and compliance
- Monitor service health and investigate abuse
- Respond to support inquiries
We do not use your information for marketing, advertising, or sale to third parties. We do not use Customer Data to train AI models.
04 Customer Data (API Content)
"Customer Data" means all content you submit to the Service via the /store endpoint — the text, metadata, and embeddings stored in your namespace.
Isolation: Customer Data is stored in namespaces keyed to your API Key. No other customer, operator, or system can access your namespace. Namespace isolation is enforced at the architectural level on every query.
Processing: Customer Data is processed solely to provide the Service — specifically, to generate vector embeddings for semantic search and to return results via the /recall endpoint. We do not read, analyze, or retain Customer Data for any other purpose.
Deletion: You may delete individual memories at any time via the DELETE /memory/{id} endpoint. Upon account termination, all Customer Data is deleted from both the vector database (Qdrant) and the relational database (PostgreSQL) within 30 days.
Your responsibility: You are solely responsible for ensuring that Customer Data you submit complies with applicable confidentiality obligations, privilege protections, and data protection law. Do not submit data that you do not have the legal right to process.
05 Analytics — Plausible
lawmem.ai uses Plausible Analytics (plausible.io) to collect aggregate, anonymized website traffic data. Plausible is a privacy-first analytics service that:
- Does not use cookies
- Does not collect personal identifiers
- Does not track individuals across sessions or websites
- Is fully compliant with GDPR, CCPA, and PECR without requiring cookie consent banners
- Stores data on servers in the European Union
The data collected by Plausible is limited to: page URL, referrer source, browser, operating system, device type, and country (derived from IP, not stored). No IP addresses are stored.
06 Payment Processing — Stripe
Monthly subscription billing is processed by Stripe, Inc. We do not store credit card numbers or full payment instrument details on our systems. Stripe stores and processes payment data in accordance with PCI DSS standards.
When you subscribe, Stripe assigns a customer ID and subscription ID that we store in our database to manage your account. You can manage your payment methods and view invoices via the Stripe Customer Portal accessible from portal.lawmem.ai.
Stripe's privacy practices are governed by the Stripe Privacy Policy.
07 Blockchain & x402 Payments
Pay-as-you-go and overage payments are processed on the Base blockchain network using the x402 protocol in USDC. Blockchain transactions are publicly visible and permanently recorded on the Base network. We record wallet addresses in our database solely for billing verification.
We do not link wallet addresses to personal identities unless you have provided both in the course of registration or support. We do not share wallet address data with third parties.
Blockchain data is inherently public and outside our control. If you are concerned about on-chain privacy, consider the public nature of Base network transactions before using x402 payment features.
08 Data Sharing & Third Parties
We do not sell, rent, or trade personal data. We share data with the following service providers only as necessary to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Subscription billing | Email, billing amounts, subscription status |
| Resend | Transactional email delivery | Email address, email content |
| Hetzner | Server infrastructure | All data stored on server (encrypted at rest using LUKS2 full-volume encryption, AES-256) |
| Plausible | Website analytics | Anonymized page view data (no personal data) |
| Coinbase CDP | x402 payment verification | Wallet address, payment amounts |
| Cloudflare | DNS, CDN, Zero Trust access | Network traffic metadata |
We may disclose information if required by law, court order, or regulatory authority, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of Blue Swan Ventures, LLC, our customers, or the public.
09 Data Retention
- Account data (email, company name): Retained for the life of the account plus 90 days after termination
- Customer Data (memories stored via API): Retained until deleted by you or 30 days after account termination
- Audit logs: Retained for 12 months for billing verification and compliance purposes
- Billing records: Retained for 7 years as required for financial record-keeping
- Backup snapshots: Database backups retained for 7 days on a rolling basis
You may request deletion of your account and associated data at any time by contacting david@lawmem.ai.
10 Security
We implement technical and organizational measures to protect your data, including:
- All data in transit encrypted via TLS 1.2+
- API keys stored as bcrypt hashes — plaintext keys are not retained after issuance
- Redis cache password-protected
- Server access restricted to key-based SSH authentication only
- Operator dashboard protected by Cloudflare Zero Trust + password authentication
- UFW firewall — only ports 22, 80, 443 open
- Automated daily database backups with 7-day retention
No security measure is perfect. In the event of a data breach that is likely to result in high risk to your rights and freedoms, we will notify you and applicable regulators as required by law.
11 GDPR Rights (EEA & UK Residents)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under GDPR / UK GDPR:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate personal data
- Right to erasure: Request deletion of your personal data ("right to be forgotten")
- Right to restriction: Request that we restrict processing of your personal data
- Right to data portability: Receive your personal data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests
Our legal basis for processing your personal data is: performance of a contract (account data, billing), legitimate interests (audit logs, security), and consent (analytics via Plausible — no consent required as Plausible collects no personal data).
A Data Processing Agreement (DPA) for Legal Pro customers is available on request at david@lawmem.ai (in preparation; timeline shared on engagement).
To exercise any of these rights, contact us at david@lawmem.ai. We will respond within 30 days.
12 CCPA Rights (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to delete: Request deletion of personal information we have collected
- Right to correct: Request correction of inaccurate personal information
- Right to opt out of sale: We do not sell personal information. No opt-out is required.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise your rights, contact us at david@lawmem.ai. We will respond within 45 days as required by law.
13 Cookies
lawmem.ai uses cookies minimally:
- Operator dashboard session cookie: An 8-hour signed session cookie is set upon login to dashboard.lawmem.ai. This cookie contains no personal data — only a cryptographic session token. It expires automatically after 8 hours.
- Plausible Analytics: Plausible does not set any cookies.
- Stripe: The Stripe Customer Portal (accessed via portal.lawmem.ai) may set functional cookies necessary to operate the billing interface. These are governed by Stripe's cookie policy.
We do not use advertising cookies, tracking cookies, or third-party analytics cookies that require consent under GDPR or PECR.
14 Children's Privacy
The Service is not directed at children under the age of 18 and is intended for business and professional use only. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 18, we will delete it promptly.
15 Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to the address associated with your account or by posting a notice on lawmem.ai. The effective date at the top of this page will be updated accordingly.
Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.
16 Contact & Data Requests
For privacy inquiries, data access requests, deletion requests, or questions about this Policy:
- Blue Swan Ventures, LLC
- 1201 E Broward Blvd, Fort Lauderdale, FL 33301
- david@lawmem.ai
- lawmem.ai
We aim to respond to all privacy inquiries within 30 days.