Privacy Policy

Last Updated: March 22, 2026

Section 01What This Privacy Policy Covers

Mattersort, Inc. (“Mattersort,” “we,” “our,” or “us”) provides an AI-powered email triage and matter management platform designed specifically for law firms and legal professionals (the “Service”). We understand that the legal profession demands the highest standards of confidentiality, privilege protection, and data security.

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information and professional data. It applies when you:

Create or use a Mattersort account
Use Mattersort’s web, desktop, or mobile applications
Connect email providers (Google Gmail or Microsoft Outlook)
Connect calendar providers (Google Calendar or Microsoft Outlook Calendar)
Connect practice management systems (e.g., Clio, MyCase, PracticePanther)
Use Mattersort’s APIs, extensions, or integrations
Visit our website at mattersort.com (the “Site”)

We have designed Mattersort with attorney-client privilege protection, compliance with ABA Model Rules of Professional Conduct (including Rules 1.3, 1.4, and 1.6), and adherence to ABA Formal Opinion 512 as core architectural principles—not afterthoughts.

Section 02Information We Collect

We collect information necessary to provide, maintain, and improve our Service.

2.1 Information You Provide

Account Data: full name, professional title, work email address, phone number, law firm name, firm size, practice area(s), bar admission details.
Content: emails, drafts, calendar entries, documents, tasks, matter notes processed with Mattersort.
Billing Information: processed through PCI-DSS compliant third-party processors. We do not store full credit card numbers.
Login Credentials: stored using industry-standard bcrypt hashing with per-user salts.

2.2 Information Collected Automatically

Device and Technical Data: IP address, browser type, OS, device identifiers, screen resolution.
Usage Data: feature interactions, triage actions, workflow configurations, performance metrics, timestamps.
Approximate Location: inferred from IP address (city/region only).

2.3 Information from Connected Services (Google and Microsoft)

When you connect services, Mattersort accesses only the scopes you explicitly authorize via OAuth.

2.3.1 Google Services

Profile: name, email, profile photo.
Email Data (Gmail): message content (processed transiently), metadata, labels, threads.
Calendar Data: event titles, dates, times, durations, attendees. Used for deadline correlation.
OAuth Tokens: encrypted at rest, revocable at any time.

Our use adheres to the Google API Services User Data Policy, including Limited Use requirements. We do not use Google data for advertising, ad targeting, or serving ads.

2.3.2 Microsoft Services

Mail Data (Outlook): email content (processed transiently), metadata, folders, categories.
Calendar Data: event titles, dates, times, attendees, locations.
OAuth Tokens: encrypted at rest, revocable at any time.

Access governed by Microsoft Graph permissions (Mail.Read, Calendars.Read, etc.) granted by you or your administrator.

2.3.3 How Connected Service Data Is Handled

Email content processed transiently in memory — never written to persistent storage
Calendar data stored only as matter-linked deadline metadata
You can disconnect any service at any time through your settings
We do not use connected service data for advertising or resale

2.4 Matter and Case Data

Matter names, identifiers, descriptions
Client names and contacts
Court docket numbers, filing deadlines, hearing dates
Integration data from Clio, MyCase, PracticePanther
Court notification data from PACER, CourtListener

Section 03Zero-Retention Architecture and Privilege Protection

Protecting attorney-client privilege is enforced at the infrastructure level.

3.1 Infrastructure-Level Enforcement

Transient processing only: Email bodies and attachments processed exclusively in volatile memory (RAM). Never written to disk, database, or log file.
No model training on client data: Per-firm customization through isolated LoRA adapter layers with federated gradient aggregation.
Cryptographic session isolation: Session keys destroyed upon completion.
Hardware-level memory clearing: Consistent with NIST SP 800-88.

3.2 What We Do Retain

Classification metadata (urgency level, matter assignment, routing decision, confidence score)
Audit trail entries (timestamp, action, user, classification outcome)
Email metadata (sender, recipient, subject line hash, date/time)
Calendar deadline metadata (event date, deadline type, matter association)
Aggregated, de-identified performance metrics

3.3 Audit Trail Integrity

All audit records stored in WORM-compliant storage (Amazon S3 Object Lock). Records cannot be modified or deleted, meeting evidentiary standards for e-discovery.

3.4 Privilege Protection by Design

In the event of a discovery request targeting your use of Mattersort, our zero-retention design ensures there is no stored content to produce.

Section 04How We Use Your Information

We use data solely to provide Mattersort’s services. We do not use mailbox or calendar data for advertising, ad targeting, resale, or unrelated analytics.

4.1 Email Triage and Prioritization

Processing and classifying emails through our three-tier cascading multi-LLM system
Routing communications based on matter assignments
Generating draft responses for your review (no auto-send)

4.2 Calendar and Deadline Management

Correlating calendar events with matter assignments
Proactive deadline alerts via PACER and state court data
Hard-rule overrides for court deadlines within 72 hours

4.3 Security and Threat Detection

Detecting phishing, scams, malware, and BEC attempts
Compliance-grade audit trails for e-discovery readiness

4.5 Product Improvement

Important: We never use identifiable email content, calendar content, client data, or privileged communications for model training or product development.

Section 05Legal Bases for Processing

Legal Basis	Applicable Processing
Contract Performance	Providing the Service, email triage, deadline management, billing
Legitimate Interests	Security monitoring, fraud prevention, service improvement
Legal Obligation	Tax recordkeeping, responding to legal process
Consent	Connecting Google/Microsoft via OAuth, marketing communications

Section 06Information Sharing and Disclosure

We do not sell, rent, or trade your personal information, email data, or calendar data.

We share information only with vetted service providers (cloud infrastructure, payment processors), as required by law (with prompt notice and minimum scope), or with your explicit consent.

Section 07Data Security

AES-256 encryption at rest and TLS 1.3 in transit
Zero-retention architecture with in-memory-only processing
WORM-compliant audit storage with cryptographic integrity
OAuth 2.0 token management with encrypted storage
Role-based access controls (RBAC) with least privilege
Multi-factor authentication for all admin access
SOC 2 Type II audit program (in progress)

7.3 Incident Response

We will notify affected users within 72 hours of confirmed breach discovery, consistent with GDPR Article 33.

Section 08Data Retention

Data Category	Retention	Rationale
Email content	Zero retention	Privilege protection
Calendar content	Zero retention	Only metadata retained
Classification metadata	Subscription + 90 days	Triage history
Audit trail records	7 years (WORM)	E-discovery compliance
Account information	Subscription + 1 year	Reactivation
Billing records	7 years	Tax requirements

Section 09Your Rights and Choices

GDPR / UK GDPR

Right of Access, Rectification, Erasure, Restrict Processing, Data Portability, Object
Rights Related to Automated Decision-Making (Mattersort provides recommendations, not autonomous decisions)

U.S. State Privacy Laws

Right to know, delete, opt out of sale (we do not sell data), non-discrimination, correct

Contact: [email protected]. Response within 30 days.

Section 10AI and Automated Processing

Three-tier cascading multi-LLM system with hard-rule engine for court deadlines within 72 hours. Your data is never used for general model training. Per-firm customization via isolated LoRA adapters.

Section 11Google API Services — Limited Use Disclosure

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements. We do not use Google data for advertising or allow human access without your affirmative consent.

Section 12Cookies and Tracking

Type	Purpose	Duration
Strictly Necessary	Authentication, session, security, OAuth state	Session / 30 days
Functional	User preferences, display settings	1 year
Analytics	Aggregated usage patterns (no cross-site tracking)	1 year

We do not use advertising cookies. We honor GPC and DNT signals.

Section 13International Data Transfers

Primary infrastructure in the United States. For UK/EEA transfers: Standard Contractual Clauses, UK IDTA, supplementary technical measures.

Section 14Children’s Privacy

We do not knowingly collect information from individuals under 16.

Section 15Regulatory Compliance

Framework	Relevance
ABA Rules 1.3, 1.4, 1.6	Diligence, communication, confidentiality
ABA Formal Opinion 512	Attorney AI obligations
SOC 2 Type II	Security controls (in progress)
GDPR / UK GDPR	EEA/UK data protection
CCPA / CPRA	California privacy rights
SRA Standards (UK)	UK solicitor technology requirements
Google API User Data Policy	Limited Use requirements

Section 16Changes to This Policy

Material changes notified by email at least 30 days in advance.

Section 17Contact Information

Mattersort, Inc.

Email: [email protected]

DPO: [email protected]

Web: mattersort.com

Section 18Supplemental Notices

California Residents (CCPA/CPRA)

We do not sell or share personal information for cross-context behavioral advertising.

UK and EEA Residents

Mattersort acts as both data controller (account/usage data) and data processor (email/calendar content). Processing governed by DPAs with subscribing firms.

Nevada Residents

We do not sell personal information. Opt-out requests: [email protected].