Privacy Policy
Last Updated: December 27, 2025
Effective Date: December 27, 2025
IMPORTANT LEGAL NOTICE: This document is a DRAFT template and has NOT been reviewed by a legal professional. Before publishing this privacy policy, it MUST be reviewed and approved by a qualified privacy attorney familiar with GDPR, CCPA, and other applicable privacy laws. This template should not be used in production without proper legal review.
1. Introduction
Welcome to Is It Legal ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website located at legalize.news (the "Service").
Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
We reserve the right to make changes to this Privacy Policy at any time. We will notify you of any changes by updating the "Last Updated" date of this Privacy Policy. You are encouraged to periodically review this Privacy Policy to stay informed of updates.
2. Information We Collect
2.1 Personal Information You Provide
When you register for an account or use certain features of our Service, we may collect the following personal information:
- Account Information:
  - Email address
  - Name (optional)
  - Password (encrypted)
  - Account creation date
  - Last login date
- Workspace Information (if you create a workspace):
  - Workspace name
  - Workspace slug
  - Connected integrations (Vercel projects, API tokens)
  - Topics of interest
  - Regions of interest
  - Plan tier (free, paid)
- Search Queries:
  - Search terms you enter
  - Filters you apply
  - Search results you click
- User Preferences:
  - Saved locations
  - Saved topics
  - Language preferences
  - Notification settings
2.2 Information Collected Automatically
When you access our Service, we automatically collect certain information about your device and usage:
- Device Information:
  - IP address
  - Browser type and version
  - Operating system
  - Device type (mobile, tablet, desktop)
  - Screen resolution
- Usage Information:
  - Pages visited
  - Time spent on pages
  - Click patterns
  - Scroll depth
  - Referral source (how you found our site)
  - Exit pages
- Location Information:
  - Approximate geographic location based on IP address (city/country level)
  - We do NOT collect precise GPS location data
2.3 Cookies and Similar Technologies
We use cookies and similar tracking technologies to track activity on our Service and hold certain information. Cookies are small data files stored on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent.
Types of Cookies We Use:
- Essential Cookies: Necessary for the Service to function (authentication, session management)
- Analytics Cookies: Help us understand how visitors use our Service (Google Analytics)
- Functional Cookies: Remember your preferences and settings
- Performance Cookies: Measure Service performance and speed
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 To Provide and Maintain the Service
- Create and manage user accounts
- Authenticate users
- Process workspace creation and management
- Enable search functionality
- Provide personalized content
- Remember user preferences
3.2 To Improve and Optimize the Service
- Analyze usage patterns and trends
- Identify technical issues and bugs
- Conduct A/B testing
- Improve user experience
- Develop new features
3.3 To Communicate With You
- Send account-related notifications (password resets, account changes)
- Respond to your inquiries and support requests
- Send service announcements and updates
- Send marketing communications (only if you opt-in)
3.4 For Security and Fraud Prevention
- Monitor for suspicious activity
- Detect and prevent fraud, spam, and abuse
- Enforce our Terms of Service
- Protect our legal rights
3.5 For Compliance and Legal Obligations
- Comply with legal requirements
- Respond to lawful requests from public authorities
- Protect the rights, property, or safety of our users or others
4. Third-Party Services We Use
Our Service integrates with and uses the following third-party services that may collect, store, or process your information:
4.1 Google Analytics (Analytics)
- Purpose: Website traffic analysis and user behavior tracking
- Tracking ID: G-6CSJWY8JX3
- Information Collected: IP address, browser type, pages visited, time on site, referral source
- Privacy Policy: https://policies.google.com/privacy
- Opt-Out: Use the Google Analytics Opt-out Browser Add-on
4.2 Mapbox (Map Rendering)
- Purpose: Interactive maps showing legal status by location
- Information Collected: Map interactions, zoom level, panning, location searches
- Privacy Policy: https://www.mapbox.com/legal/privacy
4.3 Pinecone (Vector Database for Search)
- Purpose: Semantic search for news articles and content
- Information Collected: Search queries, click data
- Privacy Policy: https://www.pinecone.io/privacy/
4.4 Neon/PostgreSQL (Database Storage)
- Purpose: Store user accounts, workspaces, and application data
- Information Stored: All user account information, workspace data, search history
- Provider: Neon (serverless PostgreSQL)
- Privacy Policy: https://neon.tech/privacy-policy
4.5 Vercel (Hosting and Deployment)
- Purpose: Website hosting, serverless functions, edge networking
- Information Collected: Server logs, access patterns
- Privacy Policy: https://vercel.com/legal/privacy-policy
4.6 NextAuth (Authentication)
- Purpose: User authentication and session management
- Information Collected: Session tokens, authentication state
- Security: Encrypted cookies (authjs.session-token)
- Documentation: https://next-auth.js.org/
4.7 Third-Party OAuth Providers (Optional)
If you choose to authenticate via third-party services:
- Vercel OAuth: Workspace integration
- Future providers: May include TikTok, Google, GitHub
Note: When you use OAuth, the third-party provider may share information with us according to their privacy policy and your privacy settings with that provider.
5. How We Share Your Information
We do NOT sell your personal information. We may share your information in the following circumstances:
5.1 With Service Providers
We share information with third-party vendors who perform services on our behalf (hosting, analytics, customer support). These vendors are contractually obligated to use your information only as necessary to perform services for us and in compliance with this Privacy Policy.
5.2 For Legal Reasons
We may disclose your information if required to do so by law or if we believe such action is necessary to:
- Comply with a legal obligation, court order, or subpoena
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing
- Protect the personal safety of users or the public
- Protect against legal liability
5.3 Business Transfers
If we are involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
5.4 With Your Consent
We may share your information for any other purpose with your explicit consent.
5.5 Aggregated or De-Identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you. For example, we may publish statistics about cannabis legalization trends or search patterns.
6. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
Retention Periods:
- Account Information: Retained while your account is active and for 90 days after account deletion (for recovery purposes)
- Workspace Data: Retained while workspace is active and for 30 days after deletion
- Analytics Data: Retained by Google Analytics for 26 months (configurable)
- Server Logs: Retained for 30 days for security and debugging purposes
- Search History: Retained for 12 months for improving search algorithms
Account Deletion: You may request deletion of your account at any time by emailing legal@legalize.news. We will delete your information within 30 days, except where retention is required by law.
7. Data Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
Security Measures Include:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS/SSL
- Encryption at Rest: Sensitive data (passwords, API tokens) is encrypted in our database
- Password Hashing: Passwords are hashed using bcrypt before storage
- Access Controls: Limited employee access to personal data on a need-to-know basis
- Regular Security Audits: Periodic review of security practices and vulnerabilities
- Secure Hosting: Hosting on Vercel's secure infrastructure with DDoS protection
However, please note: No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
8. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information:
8.1 General Rights (All Users)
- Access: Request access to the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Export: Request a copy of your data in a portable format
- Opt-Out: Opt out of marketing communications
8.2 European Union Residents (GDPR)
If you are a resident of the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Right to Object: Object to processing of your personal data
- Right to Restriction: Request restriction of processing
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
- Right to Lodge a Complaint: File a complaint with your local data protection authority
Legal Basis for Processing (GDPR):
- Consent: Account creation, marketing communications
- Contract Performance: Providing the Service to you
- Legitimate Interests: Improving the Service, security, fraud prevention
- Legal Obligations: Compliance with laws and regulations
8.3 California Residents (CCPA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Know what personal information we collect, use, disclose, and sell
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the "sale" of personal information (Note: we do NOT sell personal information)
- Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights
Do Not Sell My Personal Information: We do not sell personal information as defined by the CCPA.
8.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: legal@legalize.news
- Subject Line: "Privacy Rights Request - [Your Request Type]"
- Required Information: Your name, email address, and description of your request
We will respond to your request within 30 days (GDPR) or 45 days (CCPA) of receipt.
9. Children's Privacy (COPPA Compliance)
Our Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13.
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at legal@legalize.news. We will take steps to delete such information from our systems.
Age Verification: We do not require users to verify their age, but our Terms of Service prohibit use by individuals under 13.
10. International Data Transfers
Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ.
For European Union Users:
If you are located in the EEA and your information is transferred to countries outside the EEA (such as the United States), we will ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Privacy Shield certification (where applicable)
- Other mechanisms approved by the European Commission
By using our Service, you consent to the transfer of your information to the United States and other countries where we or our service providers operate.
11. Do Not Track Signals
Some web browsers have a "Do Not Track" feature that signals to websites you visit that you do not want to have your online activity tracked.
Our Response: We do not currently respond to Do Not Track signals because there is no industry consensus on how to interpret and comply with DNT signals.
However, you can disable cookies in your browser settings or opt out of Google Analytics as described in Section 4.1.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Notice of Changes: We will notify you of material changes by:
- Posting the new Privacy Policy on this page with a new "Last Updated" date
- Displaying a notice on our homepage
- Sending an email notification (if you have an account)
Your Continued Use: Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
- Email: legal@legalize.news
- Website: https://legalize.news
Response Time: We aim to respond to all inquiries within 5 business days.
14. Data Protection Officer (if applicable)
[NOTE TO ATTORNEY: Determine if a Data Protection Officer is required based on the nature and scale of data processing]
15. Cookie Policy Details
Essential Cookies (Required)
| Cookie Name | Purpose | Expiration | Provider |
|---|---|---|---|
| authjs.session-token | User authentication | 30 days | NextAuth |
| __Secure-authjs.session-token | Secure session token | 30 days | NextAuth |
Analytics Cookies (Optional - Can Opt Out)
| Cookie Name | Purpose | Expiration | Provider |
|---|---|---|---|
| _ga | Distinguish users | 2 years | Google Analytics |
| _gid | Distinguish users | 24 hours | Google Analytics |
| _gat | Throttle request rate | 1 minute | Google Analytics |
Managing Cookies: You can control cookies through your browser settings. Note that disabling cookies may affect the functionality of the Service.
16. Compliance Summary
This Privacy Policy is designed to comply with:
- ✅ GDPR (General Data Protection Regulation) - EU
- ✅ CCPA (California Consumer Privacy Act) - California, USA
- ✅ COPPA (Children's Online Privacy Protection Act) - USA
- ✅ ePrivacy Directive (Cookie Law) - EU
Disclaimer: While we strive for compliance, laws vary by jurisdiction. This Privacy Policy should be reviewed by a qualified privacy attorney to ensure compliance with all applicable laws in your specific jurisdiction.
AGAIN: THIS IS A DRAFT TEMPLATE. CONSULT WITH A QUALIFIED PRIVACY ATTORNEY BEFORE USING IN PRODUCTION.
Important Considerations for Attorney Review:
- Data Processing Agreements (DPAs): Ensure DPAs are in place with all third-party service providers
- International Transfers: Verify appropriate safeguards for cross-border data transfers
- Consent Mechanisms: Ensure consent collection mechanisms are legally compliant
- Cookie Banner: Implement a compliant cookie consent banner (especially for EU visitors)
- Privacy by Design: Ensure technical implementations support privacy commitments
- Breach Notification: Establish procedures for data breach notification as required by law
- Records of Processing: Maintain records of processing activities (GDPR Article 30)
- DPO Requirement: Determine if a Data Protection Officer is required
Attorney Should Customize Based On:
- Jurisdictions where you operate or have users
- Types and volume of data you process
- Whether you process "special categories" of personal data (health, biometric, etc.)
- Your specific business practices and data flows
- Applicable sectoral regulations (e.g., health, finance)