Privacy
What we do with your documents, and what we don't.
Effective date: [TO BE SET AT LAUNCH]
Last updated: [TO BE SET AT LAUNCH]
HallucinX is built around a simple privacy commitment: your documents stay yours, and we don't track you. This policy explains what that means in practice.
The short version
- No marketing cookies. We only set cookies that are strictly necessary to log you in and keep your account secure.
- No cross-site tracking. We don't run advertising pixels, behavioral analytics, or third-party scripts that follow you across the web.
- No document retention. When you upload a brief, it is processed in memory and discarded. We never store the contents of your documents.
The rest of this policy is the detail behind those commitments.
Who we are
HallucinX is operated by Z-Labs, LLC. If you have privacy questions or want to access, correct, or delete your data, contact privacy@hallucinx.com.
What we collect
We collect only what is necessary to run your account and the service.
Account information. Your email address and authentication credentials, managed by our authentication provider (Clerk). We use this to log you in, send you transactional email (receipts, password resets, security alerts), and contact you about your account.
Billing information. Subscription status, plan, and payment state, managed by our billing provider (Stripe). Your card details are handled directly by the billing provider and never touch our infrastructure.
Usage counters. A count of how many briefs you have verified in the current billing period, used to enforce plan limits. We do not store which briefs you verified, what was in them, or what the verification results were.
Server logs. Standard web server logs (request times, error codes, IP addresses) retained for 30 days for debugging and security purposes, then purged.
We do not collect: the contents of your documents, the citations you verified, the results of your verifications, behavioral analytics, browser fingerprints, advertising identifiers, or location data beyond what is in standard server logs.
How your documents are handled
When you upload a brief to HallucinX:
- The document is sent to our verification engine over an encrypted connection.
- The engine extracts citations and quoted text from the document in memory.
- Citation strings (for example, "Smith v. Jones, 123 F.3d 456") are sent to CourtListener's public Citation Lookup API for verification. No part of your document content other than the citation strings themselves leaves our infrastructure.
- Verification results are returned to your browser.
- The document, extracted text, and verification results are discarded from worker memory at the end of the request.
Nothing about your document is written to a database, log file, or any other persistent storage. This is a design property of the system, not a policy we could change without rebuilding the verification engine.
For the professional-responsibility framing behind this design, see Ethics.
Cookies
HallucinX uses only essential cookies:
- Authentication session cookie (Clerk) — keeps you logged in.
- CSRF token — protects forms against cross-site request forgery.
Your billing provider may set its own cookies on its own checkout domain when you make a payment. Those cookies are governed by the billing provider's privacy policy and are not under our control.
We do not set or permit any other cookies. We do not use marketing cookies, advertising cookies, behavioral tracking cookies, or third-party analytics cookies.
Third parties we work with
We use the following service providers ("subprocessors") to operate HallucinX. Each of them receives only the data necessary to perform their function.
- Vercel — hosting and content delivery. Sees standard web server logs. Privacy policy
- Modal — verification engine compute. Processes documents in worker memory; nothing is persisted. Privacy policy
- Clerk — authentication and account management. Privacy policy
- Stripe — billing and payments. Privacy policy
- CourtListener (Free Law Project) — citation verification. Receives citation strings only; does not receive your identity, your document, or any other content. Privacy policy
We will update this list when we add or change subprocessors.
How we use your information
We use the information we collect only to:
- Provide and operate the service
- Authenticate you and secure your account
- Process payments and enforce plan limits
- Send transactional email (receipts, account notices, security alerts)
- Send occasional product update emails to active users, with an unsubscribe link
- Comply with legal obligations
- Investigate and prevent abuse
We do not: sell your data, share your data with advertisers, use your data to train AI models, or run behavioral profiling.
How long we keep your information
- Account data: for the lifetime of your account, plus 30 days after deletion to allow for recovery and to complete pending operations.
- Billing records: retained as required by tax and accounting law, typically seven years.
- Server logs: 30 days, then purged.
- Usage counters: rolling window aligned with your billing period; historical counts are aggregated and detached from individual activity.
- Document content: not retained at any point. See "How your documents are handled" above.
Your rights
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and associated data
- Export your data in a portable format
- Object to specific uses of your data
- Withdraw consent for any processing that depends on consent
- Lodge a complaint with a data protection authority in your jurisdiction
To exercise any of these rights, email privacy@hallucinx.com. We will respond within 30 days.
If you are in the European Union, the United Kingdom, California, Colorado, Virginia, or another jurisdiction with specific privacy laws, you may have additional rights. Contact us and we will explain how those rights apply to your situation.
Security
We use encryption in transit (TLS) for all connections, encryption at rest for stored account data, and standard operational practices to protect against unauthorized access. The strongest privacy protection in HallucinX is architectural: because we do not retain document content, there is no document content to be exposed in a breach.
No system is perfectly secure. If we ever experience a data breach affecting your information, we will notify you and the relevant authorities as required by law.
Children
HallucinX is designed for use by licensed attorneys and is not directed to children. We do not knowingly collect information from anyone under 18.
International users
HallucinX is operated from the United States. If you use the service from outside the United States, your information will be processed in the United States and other countries where our subprocessors operate. By using the service, you consent to this processing.
Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify active users by email and update the "Last updated" date at the top of this page. Continued use of the service after changes take effect constitutes acceptance of the updated policy.
Contact
privacy@hallucinx.com — privacy questions, data subject requests, complaints.
For other inquiries, see the contact information on hallucinx.com.