Privacy Policy

Last updated: May 19, 2026

This Privacy Policy describes how BarNone AI ("we", "us", "our") collects, uses, and shares information when you use the BarNone AI service ("Service"). It applies to law firms and their users; data flowing through the Service that belongs to your firm's clients is "Customer Data" and is processed under our Terms of Service plus any executed data processing addendum (DPA).

1. Data we collect

  • Account data: name, email, firm name, password hash (handled by Supabase Auth), TOTP enrollment metadata for two-factor authentication.
  • Customer Data: matter records, contacts, invoice metadata, calendar events, and email drafts/sends generated through the Service. Some of this is mirrored from PracticePanther via OAuth.
  • Integration tokens: OAuth refresh tokens for Google Workspace, Microsoft 365, PracticePanther, and Slack, stored encrypted at rest.
  • Usage data: pages viewed, actions taken (approvals, sends, drafts), AI token consumption, and timing.
  • Device data: user-agent, IP address, and approximate location (for trusted-device records and security monitoring).
  • Cookies: session cookies (Supabase Auth), our session-timeout cookies (sb-session-started, sb-last-active), the MFA trust cookie (sb-mfa-trust), and product analytics cookies (PostHog).

2. How we use the data

  • Operate, maintain, and improve the Service.
  • Authenticate users and enforce security policies (suspension, MFA, session timeouts).
  • Generate AI-drafted communications on your behalf — drafts are reviewed by a human before send.
  • Send transactional emails (alerts, password resets, integration expiration notices, AI budget threshold warnings).
  • Provide platform-administration features to internal BarNone AI staff: cross-firm observability, usage metrics, and incident response.
  • Comply with legal obligations and enforce our Terms.

We do not sell your data or Customer Data. We do not use Customer Data to train AI models that are made available to other customers.

3. Third-party processors

We use the following third parties to deliver the Service. Each handles only the categories of data necessary for its function.
  • Supabase — authentication, database, file storage.
  • AWS Bedrock (Anthropic Claude) — AI inference. Prompts and Customer Data passed to the model are processed under AWS Bedrock's terms.
  • PracticePanther — source of truth for firm/matter/contact/invoice data; connected via OAuth at the firm's authorization.
  • Google Workspace / Microsoft 365 — email sending and reading (restricted Gmail scopes gmail.compose + gmail.readonly; Microsoft Graph Mail.ReadWrite) and calendar events.
  • Slack — approval cards and assistant interactions inside the firm's workspace.
  • Resend — transactional email delivery (alerts, password reset, etc.).
  • Sentry — error monitoring. Stack traces and request metadata are sent; we scrub PII from error payloads where possible.
  • PostHog — product analytics. Configured WITHOUT autocapture or session replay; we capture only explicit events.
  • Inngest — background job orchestration (durable execution of scheduled and event-driven tasks).
  • Cloudflare Turnstile — CAPTCHA on login/signup/password-reset forms.
  • Vercel — application hosting.

4. Data retention

We retain Customer Data for the duration of your subscription plus a reasonable wind-down period (default thirty (30) days after termination), unless a longer period is required by law or by an executed agreement. Audit logs are retained for at least one year for security and compliance.

5. Security

We use industry-standard practices: TLS in transit, encrypted storage at rest, row-level security on the database, JWT-claim-based tenant isolation for headless workers, two-factor authentication (TOTP), session timeout enforcement, and bot mitigation via CAPTCHA. We monitor errors and alert on credential expirations and AI cost anomalies. No system is perfectly secure; you are responsible for safeguarding your own credentials.

6. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal data. To exercise these rights, contact privacy@sidebar.example. We will respond within thirty (30) days. We will not retaliate against you for exercising your rights.

7. International transfers

Our service infrastructure is located primarily in the United States. If you access the Service from outside the United States, you consent to the transfer of your data to the United States and other jurisdictions where our processors operate.

8. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.

9. Changes

We may update this Privacy Policy. Material changes will be communicated by email or in-app notice with at least thirty (30) days' notice. Continued use of the Service after the effective date constitutes acceptance.

10. Contact

Privacy questions or requests: privacy@sidebar.example. For enterprise customers requiring a Data Processing Addendum (DPA), reach out to the same address.

Placeholder notice: this document is a pilot-grade template and is not a substitute for legal review. Replace the bracketed placeholders, update contact addresses, confirm processor lists are accurate, and have qualified counsel review before signing paying customers.