Legal

Privacy Policy

Last updated:

This policy describes how Legibly collects, uses, and protects your personal information.

01Who We Are

Legibly is an AI-powered document analysis service. We are responsible for the personal information we collect and process in accordance with applicable privacy laws.

Our designated privacy contact:
Privacy Officer, Legibly
privacy@readlegibly.com

02Information We Collect

Account information

When you create an account we collect your email address. If you subscribe to a paid plan, billing is handled directly by Stripe — we never receive or store your payment card details.

Documents you upload

When you upload a file (PDF or photo), we extract the text content and send it to our AI service for analysis. We retain the following for up to 90 days:

  • Extracted text — the plain-text content pulled from your document, stored in our database.
  • Original file — your uploaded PDF or photo, stored in an encrypted private storage bucket accessible only to your account.
  • Analysis result — the plain-language summary, risks, and highlights generated from your document.

All three are permanently deleted 90 days after upload. Your original file is never shared with third parties and is not used to train AI models.

Usage analytics

We collect usage analytics including document type, detected region, file size, and processing duration. While your account is active, this data is linked to your account for service improvement purposes. It is not sold or shared with third parties for advertising. If you delete your account, your user identifier is removed from analytics records.

Server logs

Our servers automatically record IP addresses, browser type, and pages visited. This information is used solely to operate and secure the service.

03Purposes & Legal Basis

We collect and use personal information only for the specific purposes identified at or before the time of collection, and only with your knowledge and consent under applicable privacy law. Those purposes are:

  • To create and manage your account;
  • To provide the document analysis service;
  • To process payments and prevent fraud;
  • To send transactional communications (receipts, account notices);
  • To maintain the security and performance of the service.

We do not sell your personal information. We do not use your uploaded documents to train AI models.

04Disclosure to Third Parties

We share personal information only with service providers who require it to deliver the service, and only under written data-processing agreements:

  • Supabase

    Authentication and database hosting. Your account data is stored on servers in the United States. Supabase is contractually bound to protect your data and processes it only on our instructions.

  • Stripe

    Subscription billing. Stripe processes payment information directly and is subject to its own published privacy policy.

  • Anthropic

    The AI model that generates document summaries. The text extracted from your document is sent to Anthropic's API and processed on servers in the United States. As a result, your document content may be subject to U.S. law during processing. Anthropic does not use API inputs to train its models under its commercial API terms, which serve as the data protection safeguard for this transfer.

We may also disclose information when required by a valid court order, search warrant, or other legal process.

Cross-border transfers. Because Supabase and Anthropic operate in the United States, your personal information may be processed outside your country of residence and become subject to U.S. law, including lawful government access. For users in Quebec and other Canadian provinces, we rely on contractual protections with each provider — specifically Anthropic's commercial API terms and Supabase's data processing agreement — as the safeguards for these transfers.

05Data Retention

  • Uploaded files (original): Stored in an encrypted private bucket for 90 days, then permanently deleted. Only you can access your files.
  • Extracted text: The text content pulled from your document is retained for 90 days to support re-display of your analysis, then permanently deleted.
  • Analysis summaries: Retained for 90 days, then permanently and automatically deleted.
  • Account information: Retained while your account is active. You may delete your account at any time from the Account tab; deletion is immediate and permanent.
  • Anonymized analytics: Retained indefinitely as aggregate statistics that cannot identify you.

06Your Privacy Rights

Under applicable privacy laws, you may have the right to:

  • Know what personal information we hold about you and how it is used;
  • Access the personal information we hold about you;
  • Request correction of inaccurate or incomplete information;
  • Withdraw consent to our collection and use of your information (which may prevent us from providing the service);
  • File a complaint with the relevant privacy regulator in your jurisdiction.

To exercise any of these rights, email privacy@readlegibly.com. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.

International users. We extend the same access, correction, and deletion rights to all users regardless of location.

Quebec residents. In addition to the rights above, residents of Quebec have the right under Law 25 to be informed of any cross-border transfer of their personal information and the protections in place (described in Section 4 above), and to file a complaint with the Commission d'accès à l'information (CAI) at cai.gouv.qc.ca.

07Security

We apply security safeguards appropriate to the sensitivity of the information, including TLS encryption in transit, row-level security controls on our database, and access restricted to authorized service accounts.

No transmission over the internet is 100% secure; we cannot guarantee absolute security.

08Cookies

We use only essential session cookies required to authenticate you. We do not use tracking, advertising, or analytics cookies.

09Children's Privacy

Legibly is not directed at children under 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, contact us at privacy@readlegibly.com and we will delete it promptly.

10Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a notice within the service at least 14 days before they take effect. Your continued use of Legibly after the effective date constitutes acceptance of the updated policy.

11Governing Law

This Privacy Policy is governed by the laws of Canada, including the Personal Information Protection and Electronic Documents Act(PIPEDA) and, where applicable, provincial privacy legislation including Quebec's Act respecting the protection of personal information in the private sector (Law 25). Privacy complaints may be directed to our Privacy Officer at privacy@readlegibly.com or to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

12Contact

Privacy questions or complaints: privacy@readlegibly.com

General support: support@readlegibly.com