Skip to main content

Privacy Policy

Last updated: March 2026

Legatus is committed to protecting your privacy. This policy explains what data we collect, how we use it, and the choices available to you.

1. Information We Collect

Account information: If you create an account, we collect your name, email address, and a hashed version of your password. We never store passwords in plain text.

Claims data: Logged-in users may save claims, deadlines, saved analyses, and evidence files. This data is stored in our database and associated with your account.

Workspace data: If you use the claims workspace without an account, data is stored locally in your browser (localStorage) and never sent to our servers.

Usage data: We maintain an audit log of actions taken within the platform (such as creating a claim or running an AI analysis) for security and feature-gate tracking purposes.

2. AI Data Processing

When you use AI-powered features (chat, nexus evaluation, denial analysis, buddy statement generation, condition finder, or hearing practice), the text you submit is sent to third-party AI APIs for processing:

  • OpenAI — primary AI provider
  • Anthropic — fallback AI provider

Text submitted to AI features is processed in real time. To improve performance, we cache AI tool responses for up to one hour. Cached data is stored in our database and is subject to the same deletion rights as other personal information. Refer to OpenAI's Privacy Policy and Anthropic's Privacy Policy for details on how they handle data sent to their APIs.

3. File Storage

Files uploaded to the Evidence Vault are stored securely via Vercel Blob. Files are associated with your account and are accessible only to you. Accepted file types include PDFs, images, DOCX, and plain text files, subject to tier-based storage limits.

4. Authentication & Sessions

Authentication is handled via NextAuth.js using a JWT (JSON Web Token) strategy. We use session cookies to maintain your logged-in state. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

5. Third-Party Services

In addition to the AI providers listed above, we use the following third-party services:

  • Stripe — payment processing for subscription billing. Stripe handles all payment card data directly; we never see or store your full card number. See Stripe's Privacy Policy.
  • Vercel — application hosting and file storage (Vercel Blob).
  • Neon — PostgreSQL database hosting.
  • Resend — transactional email delivery (password resets, magic link authentication).

6. Data Retention & Deletion

Your account data, claims, deadlines, saved analyses, and evidence files are retained for as long as your account is active. If you downgrade to a free tier, excess evidence files may be archived but are not immediately deleted.

Retention schedule:

  • Verification tokens: purged automatically after expiration
  • Security audit logs: retained for 2 years, then purged
  • AI usage metrics: retained for 1 year, then purged
  • AI response cache: in-memory only, automatically cleared within 1 hour

You can delete your account and all associated data directly from Settings > Data & Privacy. Account deletion is processed immediately and removes your profile, claims, evidence files, saved analyses, and cached AI responses. You can also email support@legatusos.com.

7. Your Privacy Rights

For California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and the California Privacy Rights Act, California residents have the following rights:

  • Right to Know — request the categories of personal information we have collected, the purposes for collection, and the categories of third parties with whom we share it
  • Right to Delete — request deletion of your personal information (available in Settings > Data & Privacy or by emailing us)
  • Right to Correct — request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing — we do not sell or share your personal information for cross-context behavioral advertising
  • Right to Non-Discrimination — exercising your rights will not result in denial of service or different pricing
  • Right to Limit Sensitive Personal Information Use — disability status and health-related claim data are sensitive personal information under CPRA and are used only to provide the Service

Categories of personal information collected: identifiers (name, email), health-adjacent information (claimed conditions, evidence descriptions, nexus letter text), usage data (audit logs, AI feature usage counts), and payment information (processed by Stripe; we do not store card numbers).

How to submit requests: use the self-service tools in Settings > Data & Privacy or email support@legatusos.com. We will verify your identity and respond within 45 days.

For EU/UK Residents (GDPR)

Under the General Data Protection Regulation, EU and UK residents have the following rights:

  • Right of Access (Art. 15) — obtain a copy of your personal data
  • Right to Rectification (Art. 16) — correct inaccurate data
  • Right to Erasure (Art. 17) — request deletion of your data
  • Right to Restriction (Art. 18) — limit processing of your data
  • Right to Data Portability (Art. 20) — export your data in a machine-readable format (available in Settings > Data & Privacy)
  • Right to Object (Art. 21) — object to processing based on legitimate interests

Legal bases for processing: contract performance (providing the Service you signed up for), legitimate interests (security, fraud prevention, product improvement), and consent (where specifically obtained).

Data controller: Legatus. Contact: support@legatusos.com.

International data transfers: your data is processed in the United States by our service providers (OpenAI, Anthropic, Vercel, Neon, Resend). These transfers are governed by standard contractual clauses or equivalent mechanisms. You have the right to lodge a complaint with your local supervisory authority.

For All Users

Regardless of your location, you can export your data or delete your account at any time from Settings > Data & Privacy. Data export provides a JSON download of your profile, claims, assessments, evidence metadata, saved outputs, deadlines, subscription details, and audit log.

8. Sub-Processors

We use the following sub-processors to provide the Service. For each, we describe the categories of data transmitted:

  • OpenAI (United States) — primary AI model provider. Data sent: user-submitted text for AI features (claim descriptions, questions, buddy statement answers, evidence text extracts). Personally identifiable information (SSNs, dates of birth, addresses, phone numbers, email addresses, VA file numbers) is redacted before transmission. AI API responses may be cached in-memory for up to 1 hour to reduce redundant requests; cached data is never persisted to disk and is subject to the same deletion rights as other personal information.
  • Anthropic (United States) — fallback AI model provider. Data sent: same categories as OpenAI above, with the same PII redaction applied.
  • Vercel (United States) — application hosting and file storage (Vercel Blob). Data sent: uploaded evidence files (PDFs, images, documents), application logs.
  • Neon (United States) — PostgreSQL database hosting. Data stored: account information, claims data, evidence metadata, audit logs, subscription records. Sensitive extracted text is encrypted at rest (AES-256-GCM).
  • Stripe (United States) — payment processing. Data sent: email address for customer identification. Stripe handles all payment card data directly; we never see or store card numbers.
  • Resend (United States) — transactional email delivery. Data sent: email address and email content (password resets, verification links, consent notifications).

9. Children's Privacy

Legatus is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or an in-app notice. Changes will also be reflected by updating the “Last updated” date at the top of this page. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.

11. Contact

If you have questions about this privacy policy or how your data is handled, contact us at support@legatusos.com or visit our Contact page.

About UsContact Us