Skip to content
ImNotAnAttorney

Privacy Policy

Last updated: April 6, 2026

You're sharing sensitive legal information with us. We don't take that lightly. Here's the short version: we never see your credit card number, we don't sell your data, your case documents are deleted within 90 days of report delivery, and we minimize tracking to essential analytics. Everything below explains this in detail.

1. Information We Collect

We collect the following categories of information:

  • Contact information: Name, email address, and phone number (when you submit the intake form, purchase a service, or subscribe to our email list)
  • Case information: Charge type, state, county, attorney status, discovery status, and situation description (when you submit the intake form or use our Case Progress Score tool). Also includes service-related details provided at checkout: court date (if provided), priority delivery selection, and applicable upgrade credits
  • Discovery documents: Files you upload for case analysis, which may include police reports, forensic reports, witness statements, lab results, and other legal documents (for $2,497+ service tiers only)
  • Payment information: Processed securely and exclusively by Stripe. We do not store, access, or have visibility into your credit card number, CVV, expiration date, or full card details on our servers. We receive only a confirmation of payment status and the last four digits of your card for identification purposes.
  • Usage data: Pages visited and general traffic patterns, collected via Vercel Analytics using anonymized, cookieless tracking. IP addresses are temporarily stored (60-second windows) for rate-limit enforcement on sensitive endpoints and are automatically discarded
  • Communications: Email correspondence with our support team related to your order or service. Inbound emails sent to our support address are stored to ensure we can respond to and track your requests.

We do not collect biometric information (fingerprints, facial recognition, voiceprints, or other identifying biological characteristics).

2. How We Use Your Information

We use your information for the following purposes:

  • To provide the services you purchase (case analysis, report generation, question generation)
  • To process your case information through our analysis systems for the purpose of generating your report (see Section 3)
  • To communicate with you about your order, deliverables, and service status
  • To send transactional emails (payment confirmation, intake confirmation, upload receipts, report delivery notifications, intake reminders)
  • To send marketing and educational emails if you subscribe to our email list (you can unsubscribe at any time)
  • To improve our services, website, and report quality
  • To detect and prevent fraud, abuse, or unauthorized access

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not use your case information or discovery documents for any purpose other than providing your purchased service.

3. Data Processing & Analysis Technology

Our analysis services use automated processing technology to process your case information and generate reports. We believe in full transparency about how your data is handled:

  • Analysis technology provider: We use automated analysis technology developed by Anthropic, Inc., headquartered in San Francisco, California
  • What data is sent: Your case details from the intake form (charge type, state, situation description) and, for discovery-tier services, the text content extracted from your uploaded documents
  • Your data is not used for training: Per Anthropic's commercial API terms, data sent through their API is not used to train or improve their systems
  • Retention by technology provider: Per Anthropic's current commercial API terms, they may temporarily retain API inputs and outputs for up to 30 days for abuse monitoring and safety purposes, after which they are deleted. See Anthropic's Privacy Policy for current details
  • Case-specific analysis: Your case details (charges, jurisdiction, situation) are combined with legal research frameworks to generate analysis specific to your matter. This means your personal case information directly shapes the analysis output you receive
  • Our quality review: Every report is reviewed for quality and compliance before delivery. We check for errors, prohibited language, and adherence to our information-only standard

4. Discovery Document Handling

We understand that discovery documents contain highly sensitive legal information. We treat these with the highest level of care:

  • Storage: Documents are stored in a private, encrypted storage bucket hosted by Supabase on AWS infrastructure in the United States (US East region)
  • Access control: Documents are accessible only through authenticated, service-role API access. No public URLs are generated. Each upload is tied to a unique case identifier
  • Purpose limitation: Documents are used solely for the purpose of generating your purchased analysis. They are never shared with third parties (other than automated processing as described in Section 3), sold, licensed, or used for any other purpose
  • Automatic deletion: Discovery documents are automatically deleted 90 days after your report is delivered. Consider downloading and saving your report upon delivery. You may also request immediate deletion at any time by contacting us — documents are removed within 5 business days of a deletion request.
  • What happens if you get a refund: If your purchase is refunded (delivery guarantee or chargeback), your uploaded documents and generated report are deleted, and your report access token is revoked. This protects you — once a transaction is reversed, we don't hold onto your data. Satisfaction credits do not trigger deletion or token revocation.

Consent. By purchasing our services and submitting case information or discovery documents, you consent to the processing of this sensitive personal information for the purpose of generating your report, including processing through our analysis systems as described in Section 3.

5. Third-Party Services

We use the following third-party services to operate. Each processes only the minimum data necessary for its function:

  • Stripe — Payment processing. Receives your payment card details directly (we never see them). Subject to Stripe's Privacy Policy
  • Supabase — Database and file storage (US East region). Stores your case data and uploaded documents. SOC 2 Type II compliant infrastructure
  • Anthropic — Automated analysis processing for report generation (see Section 3 for details)
  • Resend — Transactional and marketing email delivery. Receives your email address and email content
  • Vercel — Website hosting, serverless functions, and anonymized analytics (cookieless)
  • Cloudflare — DNS and CDN services. May process your IP address for routing purposes
  • Google Analytics — Website traffic analytics via Google Analytics 4 (GA4). Collects page views, device information (browser, operating system, screen size), referral source, and user interaction events (clicks, scroll depth, form submissions). IP addresses are anonymized by default before storage. Data is retained for 14 months, after which event-level data is automatically deleted while aggregated reports are preserved. Sets _ga and _ga_* cookies to distinguish users and sessions. Subject to Google's Privacy Policy
  • Meta Pixel (consent-gated) — Conversion tracking and ad measurement for Meta (Facebook, Instagram) advertising. Tracks page views and conversion events (purchases, intake submissions). Sets the _fbp cookie. Data is shared with Meta for ad targeting and measurement. The Meta Pixel only loads after you provide explicit consent — it is disabled by default. Subject to Meta's Privacy Policy
  • Google Ads (consent-gated) — Conversion tracking and ad measurement for Google Ads campaigns. Tracks conversion events for ad attribution. Sets the _gcl_au cookie. Data is shared with Google for ad measurement and conversion reporting. Google Ads only loads after you provide explicit consent — it is disabled by default. Subject to Google's Privacy Policy

All third-party service providers are based in the United States. We do not transfer your data outside the United States.

6. Data Retention

We retain your data for the following specific periods:

  • Contact information (email, name, phone): Retained for 3 years after your last interaction with our services, or until you request deletion
  • Order records: Retained for 7 years for accounting, tax, and legal compliance purposes
  • Case data (intake responses, generated reports): Retained for 12 months after report delivery to support the report access period and upgrade credit window. After 12 months, case data is deleted unless you have an active higher-tier service
  • Discovery documents: Deleted within 90 days after report delivery, or immediately upon request (see Section 4)
  • Report access tokens: Expire 12 months after report delivery
  • Email subscriber data: Retained until you unsubscribe. Unsubscribed records are marked inactive and purged after 90 days
  • Drip email send logs: Purged automatically after 90 days
  • Inbound email correspondence: Retained for 24 months or until you request deletion
  • Free tool submissions (Case Progress Score): Processed server-side and returned immediately. We do not store score inputs permanently.
  • Usage analytics: Anonymized and aggregated; no individual-level data is retained
  • Backup copies: Our database provider maintains automated backups for disaster recovery. Deleted data may persist in encrypted backups for up to 30 days after deletion from live systems.

7. Your Rights

Regardless of where you live, you have the right to:

  • Access — Request a copy of the personal data we hold about you
  • Correct — Request correction of inaccurate personal data
  • Delete — Request deletion of your personal data (subject to legal retention requirements for order records)
  • Unsubscribe — Opt out of marketing emails at any time via the unsubscribe link included in every marketing email
  • Data portability — Request your data in a commonly used, machine-readable format

To exercise any of these rights, email us at help@imnotanattorney.com. We will respond to all requests within 30 days.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, legal obligations)
  • Right to opt out: We do not sell or share your personal information as defined by the CCPA/CPRA. We do not use your personal information for cross-context behavioral advertising
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
  • Right to correct: You may request correction of inaccurate personal information
  • Right to limit use of sensitive data: Case information and discovery documents may constitute sensitive personal information. We use this data only for the purpose of providing your purchased service, which is a permitted use under the CPRA

Categories of personal information collected (last 12 months): Identifiers (name, email, phone); commercial information (purchase history); internet activity (page views via anonymized analytics); sensitive personal information (case details, legal documents).

Categories disclosed to third parties: Identifiers (to Stripe for payment, to Resend for email delivery); case information (to Anthropic for automated analysis); internet/network activity (to Google Analytics for traffic analytics). No categories are sold.

Financial incentives. Upgrade credits and satisfaction guarantees are service benefits available to all customers. They are not financial incentives offered in exchange for providing personal data.

To submit a CCPA request, email help@imnotanattorney.com with the subject line "CCPA Request." We will verify your identity before processing any request.

Authorized agents. You may designate an authorized agent to submit CCPA requests on your behalf. Agents must provide written authorization signed by you and proof of their identity. We may contact you directly to confirm the request.

Other State Privacy Laws

If you reside in a state with comprehensive consumer privacy legislation (including but not limited to Virginia, Colorado, Connecticut, Utah, Montana, Iowa, Delaware, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, Texas, and Oregon), you may have similar rights to access, correct, delete, and port your personal data, as well as the right to opt out of certain processing activities. We do not sell personal data or use it for targeted advertising. To exercise any state privacy right, email help@imnotanattorney.com with the subject line "State Privacy Request" and your state of residence. We will respond within the timeframe required by your state's law.

Appeals. If we deny a request to access, correct, delete, or port your personal data, we will provide a written explanation. You may appeal by emailing help@imnotanattorney.com with the subject line "Privacy Appeal." We will respond to appeals within 60 days.

8. Cookies

We use Google Analytics 4 (GA4), which sets _ga and _ga_* cookies to distinguish unique users and track sessions. These cookies expire after 2 years and 24 hours respectively. Vercel Analytics provides additional anonymized usage data without cookies. Stripe may set essential cookies during the checkout process to prevent fraud and process payments — see Stripe's Privacy Policy for details. With your explicit consent, we may also load the Meta Pixel (which sets the _fbp cookie for conversion tracking on Facebook and Instagram ads) and Google Ads conversion tracking (which sets the _gcl_aucookie for attribution of Google Ads campaigns). Both are disabled by default and only activate after you opt in. We do not use cookies for cross-site behavioral retargeting outside these consent-gated conversion measurement tools. We do not respond to Global Privacy Control (GPC) or "Do Not Track" (DNT) browser signals because consent for advertising cookies is handled through our explicit opt-in flow rather than browser signals.

9. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • HTTPS/TLS encryption for all data in transit (enforced via HSTS)
  • Private, encrypted storage buckets for discovery documents
  • Row-level security policies on all database tables
  • Service-role key access restricted to server-side API routes (never exposed to the browser)
  • HMAC-signed, time-limited tokens for operator and report access links
  • Rate limiting on all sensitive endpoints (checkout, intake, subscription)
  • Security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy)
  • Input sanitization to prevent XSS and HTML injection in all email templates and user-facing outputs

No internet service can guarantee zero risk, but we've made every architectural decision with your case data's sensitivity in mind.

10. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users by email within 72 hours of becoming aware of the breach. We will also notify applicable regulatory authorities as required by law. The notification will include: the nature of the breach, the categories of data affected, the likely consequences, and the measures we are taking to address the breach and mitigate its effects.

11. International Data Transfers

All data processing and storage occurs in the United States. Our servers (Supabase, Vercel) are located in US data centers. Analysis processing by Anthropic also occurs in the United States. If you access our services from outside the United States, you consent to the transfer of your data to the United States, which may have different data protection laws than your country of residence.

12. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If we learn that we have collected personal information from a person under 18, we will delete that information promptly. If you believe a minor has provided us with personal information, please contact us at help@imnotanattorney.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last updated" date. If you have an active order, we will notify you of material changes by email. Continued use of our services after changes are posted constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

14. Contact

For privacy-related questions, data requests, or to exercise any of your rights described above, contact us at help@imnotanattorney.com.

ImNotAnAttorney LLC
195 Dr MLK Jr St N
St Petersburg, FL 33701