Privacy Policy – DisabilityProAI
(Last updated: July 6, 2025)
Canary Doctor LLC ("DisabilityProAI," "we," "our") provides an AI‑enabled document‑summarization platform used by licensed attorneys and their staff. We act as a service provider to law‑firm customers and are not a "business" under the California Consumer Privacy Act (CCPA) nor a "covered entity" under HIPAA.
This Policy explains how we collect, use, protect, and disclose personal information about account holders (attorneys and staff). If you are a claimant whose medical records are processed, please contact your attorney for any privacy requests.
1. Scope & Eligibility
- This Policy covers the website https://disabilityproai.com and related sub‑domains (the "Service").
- Age 18+ only: The Service is intended exclusively for adults. We do not permit individuals under 18 to create accounts or submit information directly.
2. What We Collect
Category | Examples | Purpose | Retention¹ |
---|---|---|---|
Account details | Name, work e‑mail, firm name, bar ID | Create & secure account | Life of account + 30 d |
Auth & usage data | OAuth tokens, IP, logs, device info | Security, debugging, analytics | 2 yrs |
Billing | Sent directly to Stripe | Payment processing | Stripe policy |
User Content | Medical records you upload; AI summaries | Provide the Service at your instruction | Raw uploads 30‑90 d → auto‑delete • Summaries until you delete the matter |
¹ See §8 for full schedule.
PHI notice. We are not a HIPAA "covered entity," but we treat all medical records as highly sensitive and apply the safeguards in §7.
3. How & Why We Use Information
- Operate, deliver, and improve the Service
- Authenticate users, prevent fraud, ensure security
- Communicate essential account or product updates (opt‑out of marketing at any time)
- Comply with applicable laws and defend legal claims
Legal bases for EEA/UK visitors: contract performance, legitimate interests, and your consent for marketing e‑mails.
4. Sharing & Disclosure
Type | Recipient(s) | Safeguard |
---|---|---|
Cloud hosting & AI inference | Supabase (database + storage), Render (app host), OpenAI (OCR & LLM) | SOC 2, encryption, written Data Processing Agreements |
Payments | Stripe | PCI‑DSS compliance |
Analytics / cookies | Google Analytics (IP truncated) | Configured for privacy‑focused measurement |
Legal / safety | Courts, regulators, or law enforcement when legally required | Only as mandated |
We do not sell personal information or use your data to train independent AI models.
5. International Transfers
Data is stored on U.S. servers. By using the Service from another jurisdiction you consent to the transfer, storage, and processing of your data in the United States.
6. Your Rights & Choices
Right | How to exercise |
---|---|
Access / Deletion / Correction | Use the Data Management tab in your dashboard or e‑mail privacy@disabilityproai.com. |
Opt‑out of marketing | Click "unsubscribe" in any non‑transactional e‑mail. |
Global Privacy Control (GPC) | We honour the Sec‑GPC: 1 header and will mark your account as "no sale/sharing." |
EEA/UK GDPR rights | Contact us to object, restrict, or request portability. |
Claimants whose records are processed: Please contact your attorney, who can delete the entire matter via the portal; we cannot identify your data without their help.
7. Security Measures
- TLS 1.3 encryption in transit; AES‑256 encryption at rest
- Role‑based access, MFA, and annual penetration tests
- 24‑hour incident‑response SLA; breach notifications issued within timeframes required by law
- Vendor SOC 2 Type 2 reports on file
8. Data Retention Schedule
Data Set | Default Retention | Disposal Method |
---|---|---|
Raw uploads (PDF/images) | Auto‑deleted 30–90 days after upload | Supabase object‑lifecycle rule |
AI summaries | Until firm deletes matter or closes account | Immediate hard delete |
Account & billing | Account life + 30 days | Anonymized |
Auth & usage logs | 2 years | Purged quarterly |
Incident & audit logs | 2 years | Cold storage erase |
We may retain information longer if required by law, court order, or to defend legal claims.
9. Cookies & Analytics
We use first‑party cookies and Google Analytics to understand site usage. Disabling cookies may reduce analytics accuracy but will not break core functionality.
10. AI Transparency
Uploaded documents are processed with OpenAI's OCR and language‑model APIs. Files are not used by OpenAI to train its models and are retained by OpenAI no longer than 30 days (or zero days when the zero‑retention endpoint is enabled). AI summaries are drafts; attorneys remain responsible for human review.
11. Accessibility
We aim for WCAG 2.2 AA conformance. Contact accessibility@disabilityproai.com with feedback; we respond within two business days.
12. Children (Under 18)
The Service is not directed to, and must not be used by, anyone under 18 years old. We do not knowingly collect personal information from minors. If you believe a minor has provided us information, contact privacy@disabilityproai.com so we can delete it.
13. Changes to This Policy
We will post any material changes here and e‑mail account holders at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
14. Contact Us
Privacy & Security Officer
Alex Mohseni
Canary Doctor LLC
350c Fortune Terrace #227, Potomac MD 20854
privacy@disabilityproai.com