
Privacy Statement

LegalSifter is SOC 2 Type II certified and participates in and is certified under the VeraSafe Privacy Program, the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF (search for LegalSifter).


Last revised April 25, 2024

We process some personal data in order to run our business. There are a limited number of circumstances where we may share your personal data with third parties (for example, pursuant to a court order, if we are part of a merger, or with our business partners and service providers who support our business or collaborate with us). We take the security of your personal data seriously and take steps to keep your personal data confidential and secure. Please read the full Privacy and Security Statement below and you may always contact us if you have questions. If you are a California resident, please refer to our California Consumer Privacy Act (CCPA) Notice for California Residents.

1. Introduction & Scope

Legal Sifter, Inc. (“LegalSifter”, “we”, “us”, “our”) respects your privacy and is committed to protecting it through our compliance with this Privacy and Security Statement. This Privacy and Security Statement (together with our Terms & Conditions of Website Use) describes the types of personally identifiable information related to you (“personal data”) that we may collect or that you may provide, and how we use, protect, disclose, and otherwise process that personal data in our web applications, LegalSifter Review® and LegalSifter Organize® (together, the “Web Applications”).

This Privacy and Security Statement does not apply to personal data collected or processed on any third-party site or application (including advertising) that may link to or be accessible from our Web Applications. We are not responsible for the privacy policies or data collection, use and disclosure practices of those sites. We encourage you to review the privacy policies of each site you visit.

Please read this Privacy and Security Statement carefully to understand our policies and practices regarding your personal data and how we will treat it. By accessing or using any of our Web Applications or services, you agree to this Privacy and Security Statement. This Statement may change from time to time, as further described below in Changes to Our Privacy and Security Statement, and these changes may affect how we use your personal data, so please check the Privacy and Security Statement periodically for updates.

2. Controllership

In the context of this Privacy and Security Statement, LegalSifter acts as a data processor for the personal data we process.

3. Categories of Personal Data

We may process the following types of personal data:

  • biographical information, such as initials or full name;
  • professional information, such as job title;
  • contact information, such as e-mail address;
  • any other type of personal data that may be contained within contracts and other legal documents.

4. How We Receive Personal Data

We may receive your personal data in the following ways:

  • Personal data you provide to us. When you navigate our Web Applications or contact us, we may request or you may choose to provide us with certain information.
  • Personal data collected from forms on our Web Applications. This includes personal data provided at the time of registering to use portions of our Web Applications, posting material, or requesting further services. We may ask you for information when you report a problem with our Web Applications, products or services.
  • Usage details, IP addresses and cookies. As you navigate through and interact with our Web Applications, we may automatically collect certain information about your equipment, browsing actions and patterns using common internet technologies, such as cookies and Web beacons. This may include details of your visits to our Web Applications, including information about your connectivity, such as your IP address and browser information, location data, logs and other communication data, and the resources that you access and use on the Web Applications. The information we collect automatically helps us to improve our Web Applications and to deliver better and more personalized content and services by enabling us to estimate our audience size and usage patterns and recognize you when you return to our Web Applications.
  • Personal data contained in contracts. We may also receive your personal data contained in a legal document provided to us by one of our clients or when we import a contract containing your personal data from a publicly available source.

5. Basis of Processing

Within the scope of this Privacy and Security Statement, we process your personal data based on the documented instructions of our clients, acting as data controllers.

6. Purposes of Processing

We process personal data for the following purposes:

  • to provide you with information, products or services that you request from us;
  • to maintain the integrity and security of our Web Applications, products, and services;
  • for our ordinary business operations, including people development, recruiting, and business research and outreach; and
  • responding to your inquiries, and/or other requests or questions.

We only collect and retain as much personal data as needed for the specific, identified purposes described in this Privacy and Security Policy and we will not use it in any way that is incompatible with those purposes.

7. Use of Cookies

We use cookies to store information on your computer. Cookies improve your navigation on this site and enhance your user experience. Depending on your browser, you may be able to change settings to refuse all or some browser cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of the site may then be inaccessible or not function properly. For more information, please visit

8. Web Analytics

Our website uses Google Analytics, a service which transmits website traffic data to Google servers in the US. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. We use reports provided by Google Analytics to help us understand website traffic and webpage usage. Through User ID tracking, we will be able to more accurately track the number of users and activity on our site and will not send any personally identifiable information to Google.

Google Analytics Opt-Out is available for all to use via an add-on. For more information and instructions, view Google Analytics Opt-out Add-on here.

9. Promotional Offers from LegalSifter

If you do not wish to receive promotional e-mail messages from us, you may opt-out by sending us an e-mail at asking to be omitted from future e-mail distributions.

10. Data Retention Periods

We retain your personal data for as long as is necessary for us to perform under our engagement with the data controller. When the purposes of processing are satisfied, we will delete the related personal data within six months.

11. Sharing Data with Third Parties

We may share your personal data with other entities. Such third parties may include service providers offering the following types of services:

  • cloud storage
  • machine learning and natural language processing data science services
  • legal services
  • e-mail services
  • instant messaging
  • work tracking
  • project management
  • software version control
  • cloud computing
  • website building
  • legal R&D

We will require that these third parties maintain at least the same level of privacy and security that we maintain for your personal data. Our service providers may be located outside of the United States. LegalSifter remains liable for the protection of personal data that we transfer to our service providers within the scope of our Privacy Shield certification, except to the extent that we are not responsible for the event giving rise to any unauthorized or improper processing.

12. Other Disclosure of Your Personal Data

We may also disclose your personal data:

  • to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders;
  • if we sell or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change; or
  • to our subsidiaries or affiliates only if necessary for business and operational purposes.

We reserve the right to use, transfer, sell, and share aggregated, anonymous data, which does not include any personal data, about users of our Web Applications as a group for any legal business purpose, such as analyzing usage trends and seeking compatible advertisers, sponsors, clients, and customers.

If we must disclose your personal data in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, we may not be able to ensure that such recipients of your personal data will maintain the privacy or security of your personal data.

13. Data Integrity and Security

LegalSifter has implemented and will maintain technical, organizational, and physical security measures that are reasonably designed to help protect personal data from unauthorized processing, such as unauthorized access, disclosure, alteration, or destruction. The safety and security of your personal data also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Web Applications, you are responsible for keeping this password confidential. Please do not share your password with anyone. Although we take reasonable security measures to protect your personal data, for example, by using Secure Socket Layer encryption when you transmit your password, we cannot guarantee the security of your personal data transmitted to our Web Applications. The transmission of information via the Internet is not 100% secure and we cannot ensure the security of any information you transmit to us. We are not responsible for circumvention of any privacy settings or security measures contained on the Web Applications.

14. Access and Review

If you are a data subject about whom we store personal data, you may have the right to request access to, and the opportunity to update, correct, or delete, such personal data. You may also have the right to opt out of having your personal data shared with third parties and to revoke your consent that you have previously provided for your personal data to be shared with third parties, except as required by law. You also have the right to opt out if your personal data is used for any purpose that is materially different from, but nevertheless compatible with, the purpose(s) for which it was originally collected or subsequently authorized by you. To exercise such rights, please contact the data controller who has provided your personal data to us.

15. Children's Privacy

Our Web Applications are not directed at, or intended for use by, children under the age of 13. We do not knowingly process the personal data of anyone under 18. Children should always get permission from a parent or guardian before sending personal data over the Internet. If you believe your child may have provided us with their personal data, you can contact us using the information in the Contact Information section of this Privacy and Security Statement and we will delete that personal data.

16. GDPR Compliance

The General Data Protection Regulation (“GDPR”) expands the data privacy rights for European individuals and gives them power to control their data. For companies that process the personal data of these European individuals, the GDPR outlines specific requirements that these companies must satisfy, as well as specific rights that the European individuals can exercise with these companies. Further information on the GDPR is available on the European Union’s official website. LegalSifter enters into Data Processing Agreements (“DPAs”) with its clients upon request.

LegalSifter also enters into compliant DPAs with its vendors. LegalSifter’s DPA may include, where required by applicable law, standard contractual clauses that are the mechanism for compliant personal data transfer between the EU and any third country without an adequacy decision in terms of the GDPR. To request a DPA, please email

17. VeraSafe Privacy Program

LegalSifter is a member of the VeraSafe Privacy Program, meaning that with respect to personal data processed within the scope of the LegalSifter Review and LegalSifter Organize web applications on behalf of LegalSifter clients that opt-out of LegalSifter’s use of their data for the development of computer algorithms, VeraSafe has assessed LegalSifter’s data governance and data security for compliance with the VeraSafe Privacy Program Certification Criteria. The certification criteria require that participants maintain a high standard for data privacy and implement specific best practices pertaining to notice, onward transfer, choice, access, data security, data quality, recourse, and enforcement.

18. Dispute Resolution

Where a privacy complaint or dispute cannot be resolved through LegalSifter’s internal processes, LegalSifter has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Privacy Shield Dispute Resolution Procedure, please submit the required personal data here.

19. Binding Arbitration

If your dispute or complaint can’t be resolved by us, or through the VeraSafe Privacy Shield Dispute Resolution Procedure, you may have the right to require that we enter into binding arbitration with you pursuant to the Privacy Shield’s Recourse, Enforcement and Liability Principle and Annex I of the Privacy Shield.

20. Regulatory Oversight

LegalSifter is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

21. Changes to Our Privacy and Security Statement

We may amend this Privacy and Security Statement from time to time. If we make any material change to this Privacy and Security Statement, we will post the revised Notice to this web page and update the “Last revised” date above to reflect the date on which the new Privacy and Security Statement became effective. We encourage you to revisit this page periodically to read the current version of this Privacy and Security Statement in effect.

22. Contact Information

If you have any questions or comments about this Privacy and Security Statement, please contact us by emailing us at, by phone number 1-724-221-7438, or by writing to us at:

  • LegalSifter, Inc.
  • Attention: Todd Yocum, Chief Operating Officer
  • 8878 Covenant Avenue #304
  • Pittsburgh, PA 15237

Please allow up to four weeks for us to reply with final resolution.

Frequently Asked Questions

1. How will you provide assurance that you are meeting your compliance requirements? (For example, SOC 2 report)
  • LegalSifter has achieved SOC 2 and will provide its report upon request.
  • We host LegalSifter Review and LegalSifter Organize on Amazon Web Services.  Attached is their SOC compliance site: Amazon SOC Compliance Site.
2. Please provide a listing of where your data centers and off
  • We host LegalSifter Review and LegalSifter Organize environments at Amazon Web Services Northern Virginia, Singapore, London, Ireland, and Beijing - see Amazon Global Infrastructure.
  • We will host LegalSifter Review and LegalSifter Organize data at other Amazon Web Services locations at the request of the client or partner.
3. Are any of your data centers, servers, or data storage locations outside of the US?
In general, no. We offer locations outside of the US for some non-US clients.
4. If we must retain and generate data to support a legal matter, will you allow data to be put on retention hold?
5. What if data is co-mingled with another client's data?
Client data is not co-mingled with another client's data, except in the case of research and development and only if you give us permission to use such data for research and development.
6. What type of database environment is used to store data (multi-instance or multi-tenant)?
We are primarily a multi-tenant company, as of 2017.
7. What integrations are required?
LegalSifter Review and LegalSifter Organize do not require integrations.
8. Does LegalSifter acquire any rights to our data through the agreement, including intellectual property rights? Do you use client data to promote your business, such as collating client data as market information or selling the client behavior for third party marketing?
We ask our clients if they will allow us to use their contracts for research purposes only - to further our machine learning algorithms (“Sifters”). All clients benefit from our improved Sifters, and our Sifters need client data to do that.  Each client may decline to give us such permission when we work through our subscription agreement. We will also ask each client for permission to use their name and logo in marketing materials. If we do not have a client’s express written permission on either front, we will not acquire any rights to its data, and we will not use a client's name and logo for marketing purposes.
9. For an audit or security incident, will we be able to audit controls via a third party?
10. What is the process to export data?
  • LegalSifter Organize has an export button available at all times to clients, allowing them to export their data into xls format.
  • LegalSifter Review has an export button available to all clients, allowing them to export their sifted documents to docx format.
11. How long is my data stored in LegalSifter Review?
  • 15 days after a user deletes a contract in LegalSifter Review (moves to Trash, then Deletes from Trash), LegalSifter permanently excises the associated contract files. LegalSifter retains the name of the file, the document type, and the account that uploaded it for reporting purposes as long as the account is open.
  • LegalSifter Review allows organizations to disable excision of deleted documents via a setting. This can be done for litigation hold or any other client need.
  • 30 days after a company or individual terminates their contract or trial for LegalSifter Review, LegalSifter permanently excises all data in the database and datastore.
  • Please note this refers to the LegalSifter Review, not the data that is in the R&D research repository. Copies of contracts are there if the client allowed so in their executed agreement with LegalSifter.
12. How long is my data stored in LegalSifter Organize?
  • 30 days after a company or individual terminates their contract, project, or trial for LegalSifter Organize, LegalSifter permanently excises all data in the database and datastore.
  • Please note this refers to the LegalSifter Organize product, not the data that is in the R&D research repository. Copies of contracts are there if the client allowed so in their executed agreement with LegalSifter.
13. What happens if I need extended access to documents, in cases such as litigation hold?
LegalSifter ensures that clients may specify when Client Data is deleted from LegalSifter’s systems, and to separate content and manage Client Data under differing scenarios (e.g., for litigation hold).
14. What will LegalSifter do in the case of a data breach?
LegalSifter will notify client(s) of any data breach within twenty-four (24) hours of becoming aware of any confirmed (a) breach of network or computing assets that results in potential or actual unauthorized access to any Client Data, or (b) misuse, potential disclosure or loss of, or inability to account for, any Client Data.