Privacy Policy

Effective date: October 30, 2025

1. Who We Are and Scope

serfsUp (together with its affiliates, "we," "us," "our") is a hybrid technology company and law firm platform. We provide legal information services (including a 24/7 simple legal question service) and facilitate legal services delivered by licensed attorneys. Today we operate in California, New York, and Texas through independent contractor relationships with partner attorneys. We communicate only through written channels—SMS, WhatsApp, and email—and, on request, can arrange video or phone meetings with attorneys. As we expand nationwide, we will update this Policy to reflect new states.

We expect to operate an Arizona Alternative Business Structure (ABS)–owned law firm affiliate. An ABS allows non-lawyer ownership/participation in law firms under Arizona Supreme Court rules; it is licensed and regulated by Arizona's program. If/when our ABS is live, it will be included as an affiliate under this Policy.

This Privacy Policy applies to our websites and apps (if any), SMS/WhatsApp/email communications, our 24/7 question-answering service, intake conversations (even when no agreement is signed), and legal services delivered by partner attorneys or our ABS-owned law firm.

2. How We Work (Short Version)

We do not sell or share your personal information for cross-context behavioral advertising. If this ever changes, we will provide the required "Do Not Sell or Share" controls and honor recognized opt-out preference signals (e.g., Global Privacy Control) as required by California law.

AI subprocessors

We use OpenAI, Anthropic, and Google as subprocessors to automate parts of intake, routing, drafting, and quality control. Our enterprise accounts are configured with no training on your data and zero data retention by those providers; we instruct them to process data only under our direction. However, we cannot guarantee absolute compliance by third-party AI providers with these contractual terms. In the event of a breach or non-compliance by an AI subprocessor, we will notify affected users as required by applicable law and take reasonable steps to mitigate harm.

Attorney involvement

Licensed attorneys (independent contractor partner attorneys now, and later attorneys of our ABS-owned law firm) review matters as appropriate.

Prospective client confidentiality

We treat intake communications (including our question-answering service) as confidential; however, attorney-client privilege may not attach until a formal engagement is established. Ethical rules restrict lawyers' use/disclosure of information learned from prospective clients.

3. Personal Information We Collect

Information you provide directly

Contact details (name, email, phone), identity and demographic details you choose to provide, chat/message content, documents you upload, billing/subscription information (handled by our payment processor), matter facts, and scheduling preferences.

Information we collect automatically

Service logs and metadata (timestamps, message routing, delivery/read status, IP addresses, device and network data). If you use our website, we may use limited cookies or similar technology for operations and security.

Information from others

Referrals, opposing/related parties, courts and agencies, public records, and service providers (e.g., communications and analytics vendors).

Sensitive personal information

Depending on your matter, you may share sensitive data (e.g., government IDs, financial/immigration/health-related facts). We use this only to provide services or meet legal/ethical obligations, not for advertising or unrelated purposes. California residents may have a right to limit the use of Sensitive Personal Information; see Section 9.

AI-generated information

Our AI tools may generate summaries, analyses, suggestions, or draft documents based on information you provide. These AI outputs become part of your matter file and are subject to the same confidentiality protections as your original information. AI-generated content may contain errors or inaccuracies; such outputs are reviewed by licensed attorneys before being used in legal deliverables.

4. How We Use Personal Information

  • Provide and improve our services (intake, routing, drafting, scheduling, conflicts checks, quality assurance).
  • Enable communications by SMS/WhatsApp/email and (when requested) by phone/video.
  • Operate subscriptions and flat-fee/hourly engagements; process payments through a PCI-compliant payment processor.
  • Comply with law and professional obligations (ethics, recordkeeping, trust accounting, conflict screening).
  • Protect our services and clients (fraud/security monitoring).
  • We do NOT use your personal information, communications, or case data to train, fine-tune, or improve AI models operated by us or third parties, except: (i) aggregated, de-identified usage analytics that cannot reasonably identify you or your matter; and (ii) as necessary to debug, secure, or maintain system functionality. Any such use will comply with professional confidentiality obligations.
  • AI tools assist with matter routing, complexity assessment, and resource allocation, but final decisions regarding service delivery are made or reviewed by humans.
  • We do not use AI to make solely automated decisions that would deny you legal services or produce adverse legal effects without human involvement.

We do not use your message content for third-party advertising. We do not use solely automated decision-making to deny access to legal services.

5. How We Share Information

Attorneys and law firms

Independent contractor partner attorneys (today) and, once licensed, our ABS-owned law firm affiliate (future). They are bound by professional rules of confidentiality and by our agreements.

Service providers / subprocessors

Communications vendors (for SMS, WhatsApp, email delivery), cloud hosting and security providers, e-signature, e-billing, and the foundation-model providers named above. We require confidentiality and use limitations by contract.

Counterparties / authorities

With your direction or as necessary to deliver legal services (e.g., filings with a court/agency) or to comply with law or enforce our rights.

Corporate transactions

In connection with mergers, financing, or sale of assets, subject to confidentiality commitments.

6. Communications Channels and Confidentiality

SMS, WhatsApp, and email are our standard channels. While we implement strong safeguards, these channels inherently involve third-party networks and providers. For highly sensitive data, ask us about alternative secure options.

Prospective client information

Lawyers have duties to prospective clients—even if no engagement follows—restricting the use/disclosure of information learned. We honor those duties and limit internal access accordingly.

Marketing texts/emails

We rarely send marketing; if we do, you may opt out at any time (e.g., reply STOP to SMS).

7. Generative AI Subprocessors (OpenAI, Anthropic, Google)

We use enterprise accounts with settings configured to disable training on your content and to avoid provider retention; we send only the minimum data needed for a task, and we bind these providers to contractual privacy and security terms. We supervise outputs before they are used in client work. (If these settings or vendors change, we will update this Policy.)

8. AI-Specific Privacy Risks and Limitations

Inherent AI Risks

While we implement safeguards, AI technologies present unique privacy considerations:

  • Data Processing Scope: AI models may process your information to generate responses, which involves analyzing content, context, and patterns in ways that may not be immediately apparent.
  • Inference and Derivation: AI may infer or derive information beyond what you explicitly provide based on patterns and context.
  • Output Unpredictability: AI may occasionally generate outputs that inadvertently reference or combine information in unexpected ways.
  • Third-Party Infrastructure: AI subprocessors operate on infrastructure we do not directly control, creating dependencies on their security practices.

Our Mitigation Measures

  • Minimum necessary data transmission to AI systems
  • Contractual data protection requirements with all AI vendors
  • Attorney review of AI outputs before client delivery
  • Ongoing monitoring of AI vendor security practices and compliance
  • Regular security assessments of AI integrations

Your Acknowledgments

By using our AI-assisted features, you acknowledge these inherent risks and our mitigation efforts, and you agree that we are not liable for privacy harms caused by AI subprocessor conduct that violates our contractual terms, provided we exercised reasonable care in vendor selection and oversight.

9. Your Privacy Rights (U.S. State Laws)

California (CCPA/CPRA)

California residents may have the rights to know/access, delete, correct, and port their personal information; to opt out of sale or sharing; to limit use of Sensitive Personal Information; and to non-discrimination for exercising rights. We also honor the Global Privacy Control for opt-outs as required. You may use our Privacy Request Form, email privacy@serfsup.com, or use the browser signal.

California residents also have the right to know:

  • What categories of personal information are processed by AI systems
  • The purposes for which AI processes your information
  • Whether AI-generated insights or profiles are created about you
  • Whether automated decision-making affects your access to services

You may request this information using the mechanisms described below.

Our current status: We do not sell or share personal information for cross-context behavioral advertising. If that changes, we will provide a prominent "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" control.

Other comprehensive state privacy laws

We extend comparable rights (access, deletion, correction, portability, and opt-out of sale/targeted advertising/profiling; appeals where required) to residents of states with active comprehensive privacy laws, including Virginia, Colorado, Connecticut, Utah, Oregon, Montana, Delaware, Tennessee, and Texas.

How to exercise rights (all states)

Submit a request via our Privacy Request Form or email privacy@serfsup.com. We will verify your identity, respond within the time required by law, and honor authorized agents where permitted. If we decline your request, you may appeal by replying to our decision (we'll include appeal instructions). If you remain unsatisfied, you may contact your state Attorney General.

10. Illinois-Specific Disclosures (BIPA and Breach Notice)

Biometric Information Privacy Act (BIPA)

We do not collect "biometric identifiers" (e.g., retina/iris scan, fingerprint, voiceprint, or scan of hand/face geometry). If we ever need to collect biometric identifiers or biometric information (for example, to power identity verification), we will first provide a written policy with a retention schedule and obtain written consent, will not sell or profit from such data, and will use reasonable safeguards—consistent with BIPA's requirements.

Illinois Personal Information Protection Act (PIPA)

In the event of a data breach involving Illinois residents, we will provide breach notifications as required by PIPA. If we implement AI-powered voice or video features (e.g., AI-assisted video conferences, voice transcription), we will:

  • Obtain your express consent before processing voice or video through AI
  • Disclose which AI systems process such data
  • Explain how long voice/video data is retained
  • Provide opt-out mechanisms for AI processing of voice/video

This is in addition to any BIPA obligations for biometric data.

11. New York Data Security (SHIELD Act)

For New York residents, we maintain a reasonable security program with administrative, technical, and physical safeguards designed to protect private information, consistent with the NY SHIELD Act's requirements.

12. Texas (TDPSA)

Texas residents have privacy rights under the Texas Data Privacy and Security Act. We recognize applicable rights (access, deletion, correction, portability, and opt-out of targeted advertising/sale) and controller duties.

13. Data Retention

We retain personal information only as long as needed for the purposes described above, to provide services, for legitimate business needs (e.g., conflict checks), and to meet legal and professional obligations. Legal-matter files are retained consistent with applicable ethics rules and law. If you request deletion, we will delete or de-identify your data unless we must retain it (e.g., to comply with law, enforce agreements, or resolve disputes).

Information you provide that is processed by AI is retained according to the general retention rules above. AI-generated drafts, summaries, and analyses are retained as part of your matter file subject to legal and ethical retention requirements.

We retain logs of AI system queries and responses for quality assurance, security monitoring, and professional responsibility for the duration of the engagement plus 7 years. We do not retain identifiable data for AI training purposes; any aggregated usage analytics are de-identified and retained indefinitely for system improvement.

14. Security

We use administrative, technical, and physical safeguards to protect personal information (e.g., access controls, encryption in transit, logging/monitoring, least-privilege access, staff training). No system is 100% secure, but we strive to meet or exceed industry and professional standards and applicable state-law baselines (e.g., NY SHIELD).

In addition to general security safeguards, we implement AI-specific protections:

  • AI systems access only the minimum data necessary for specific tasks
  • We employ technical safeguards to prevent manipulation of AI systems through malicious inputs
  • We monitor outputs to detect and prevent AI systems from inadvertently disclosing other users' information
  • We conduct regular reviews of AI subprocessors' security certifications, practices, and incident history
  • All data transmitted to AI subprocessors is encrypted in transit, and we require encryption at rest where available
  • We maintain procedures to detect and respond to AI-specific security incidents, including unauthorized data exposure through AI outputs

Despite these measures, AI systems may be vulnerable to emerging attack vectors including adversarial inputs, model extraction attempts, and prompt injection. We continuously monitor for such threats but cannot guarantee prevention of all AI-specific security risks.

15. Children's Privacy

Our services are not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child provided information, contact us and we will delete it.

16. International Users

We are a U.S.-based provider. Your information may be transferred to, stored, and processed in the United States or where our service providers operate. We apply the protections described in this Policy regardless of location.

17. Changes to This Policy

We may update this Policy to reflect operational, legal, or regulatory changes. We will post the updated Policy with a new effective date and, where material, provide additional notice.

18. AI Incident Reporting

If you suspect that an AI system disclosed information it should not have, that AI generated content about you that appears inaccurate or harmful, that an AI interaction violated your privacy expectations, or that an AI system was manipulated or behaved unexpectedly, please report it immediately to ai-incidents@serfsup.com.

We will:

  • Acknowledge receipt within 2 business days
  • Investigate the incident within 10 business days
  • Provide you with findings and any corrective actions taken
  • Implement measures to prevent recurrence where appropriate

This incident reporting process does not limit any legal rights you may have regarding privacy violations.

19. Contact Us

Privacy requests: privacy@serfsup.com

General inquiries: legal@serfsup.com

If you are in California: You may also use your browser's Global Privacy Control to opt out of sale/sharing (which we currently do not engage in).