1. Data Controller
The data controller responsible for your personal data is:
For data protection inquiries, contact our Privacy Officer at privacy@a2jsuites.com.
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Account Data
Information you provide during registration and profile setup: full name, professional email address, job
title, organization name, phone number, and login credentials (hashed).
2.2 Usage Data
Information generated through your interaction with the Platform: features accessed, actions performed,
timestamps, session duration, search queries within the Platform, and notification preferences.
2.3 Technical Data
Data collected automatically from your device and connection: IP address, browser type and version, operating
system, device identifiers, time zone, and referring URLs.
2.4 Client Case Data
Data that your organization uploads or inputs in connection with legal cases: client names, contact
information, case details, court dates, and documents. A2J Suites processes this data solely on your behalf
as a data processor.
2.5 Billing Data
Payment-related information: billing contact details, invoicing address, and payment method. Credit card
numbers are processed exclusively by our payment processor (Stripe) and are never stored on our servers.
3. How We Use Data
We process personal data for the following purposes:
- Service Delivery: Operating the Platform, managing case workflows, delivering
notifications, and providing customer support.
- Transactional Notifications: Sending case status updates, hearing reminders, document
alerts, security notifications, and billing receipts.
- Billing & Invoicing: Processing payments, generating invoices, and managing
subscription accounts.
- Security & Fraud Prevention: Monitoring for unauthorized access, detecting
anomalies, enforcing access controls, and maintaining audit trails.
- Platform Improvement: Analyzing aggregated usage patterns to improve features, fix
issues, and optimize performance. No individual-level profiling is conducted.
- Legal Compliance: Meeting regulatory obligations, responding to lawful requests from
authorities, and exercising or defending legal claims.
We do not use personal data for marketing, advertising, user profiling, or automated decision-making
that produces legal effects.
4. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA) and United Kingdom, we rely on the following legal bases:
- Performance of Contract (Art. 6(1)(b)): Processing necessary to deliver the Platform
services under your subscription agreement.
- Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, Platform
improvement, and maintaining service integrity. We conduct balancing tests to ensure our interests do
not override your rights.
- Legal Obligation (Art. 6(1)(c)): Compliance with tax, accounting, and regulatory
requirements.
- Consent (Art. 6(1)(a)): Where required for specific processing activities. You may
withdraw consent at any time by contacting privacy@a2jsuites.com.
5. No Data Selling
A2J Suites does not sell, rent, lease, or trade your personal data to any third party.
We do not share personal data with data brokers, advertising networks, or analytics companies for their
own purposes. This policy applies universally to all categories of personal data we process.
6. Sub-Processors
We engage the following categories of sub-processors to provide the Platform:
- Amazon Web Services (AWS): Cloud infrastructure hosting and data storage (US-East-1, N.
Virginia).
- Mailgun (Sinch): Transactional email delivery for case notifications, security alerts,
and billing receipts.
- Stripe: Payment processing and subscription billing management.
Each sub-processor is bound by data processing agreements that require equivalent data protection standards.
We maintain an up-to-date list of sub-processors and will notify Clients at least 30 days before engaging a
new sub-processor.
7. International Data Transfers
Our primary data processing occurs in the United States. For transfers of personal data from the EEA, UK, or
Switzerland, we rely on:
- Standard Contractual Clauses (SCCs): EU-approved contractual safeguards incorporated
into our data processing agreements.
- EU-US Data Privacy Framework: Where applicable, ensuring compliance with the adequacy
decision.
- Supplementary Measures: Encryption in transit (TLS 1.3) and at rest (AES-256), access
controls, and contractual obligations limiting access to personal data.
8. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this Policy:
- Account Data: Retained for the duration of the active subscription, plus 30 days
post-termination for data export.
- Client Case Data: Retained during the subscription term and for 30 days
post-termination. Permanently deleted thereafter unless legal hold applies.
- Usage & Technical Data: Retained for 12 months in identifiable form.
Aggregated/anonymized data may be retained indefinitely.
- Billing Data: Retained for 7 years to comply with tax and accounting obligations.
- Email Delivery Logs: Retained for 90 days, then permanently deleted.
- Access & Security Logs: Retained for 12 months.
9. Your Rights — GDPR
If you are in the EEA or UK, you have the following rights under the General Data Protection Regulation:
- Right of Access (Art. 15): Obtain a copy of your personal data and information about
how it is processed.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data where the legal
basis for processing no longer applies.
- Right to Restriction (Art. 18): Restrict processing while a dispute about accuracy or
legal basis is resolved.
- Right to Data Portability (Art. 20): Receive your personal data in a structured,
machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest. We will
cease processing unless we demonstrate compelling grounds.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting
the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@a2jsuites.com. We will respond within 30
days. You also have the right to lodge a complaint with your local supervisory authority.
10. Your Rights — CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know: Request disclosure of the categories and specific pieces of personal
information we have collected about you.
- Right to Delete: Request deletion of personal information we hold, subject to certain
legal exceptions.
- Right to Opt-Out of Sale: We do not sell personal data. No opt-out is necessary, but
you may contact us to confirm.
- Right to Non-Discrimination: We will not discriminate against you for exercising your
CCPA rights.
To submit a CCPA request, email privacy@a2jsuites.com with the
subject line "CCPA Request." We will verify your identity and respond within 45 days.
11. Cookies
A2J Suites uses strictly necessary cookies only:
- Session Cookie: Maintains your authenticated session while using the Platform. Expires
when you close your browser.
- CSRF Token Cookie: Prevents cross-site request forgery attacks. Expires with each
session.
We do not use:
- Advertising or remarketing cookies
- Third-party analytics or tracking cookies
- Social media tracking pixels
- Persistent behavioral tracking of any kind
12. Data Security
We implement comprehensive technical and organizational measures to protect personal data:
- Encryption: TLS 1.3 for all data in transit; AES-256 for data at rest; end-to-end
encryption for client messages.
- Access Controls: Role-based access control (RBAC) with the principle of least
privilege. Multi-factor authentication (MFA) enforced for all staff.
- Infrastructure Security: AWS VPC with private subnets, network firewalls, intrusion
detection, and DDoS protection.
- Application Security: Regular vulnerability scanning, penetration testing, secure code
review, and dependency monitoring.
- Employee Training: Annual security and privacy awareness training for all team members
with access to personal data.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or Platform
capabilities. When we make material changes:
- We will notify affected users at least 30 days in advance via email and/or in-app
notification.
- The "Last Updated" date at the top of this page will be revised.
- Continued use of the Platform after the effective date of changes constitutes acceptance of the revised
Policy.
14. Contact — Privacy Officer
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please
contact: