Privacy Policy

Effective 2026-05-21.

redlines.law is a document-redlining service for legal professionals. This page explains what we collect, how we use it, and how we protect it.

What we collect

• The document you upload. Stored encrypted at rest under a document-specific key (DEK), which is itself wrapped under a server master key held in Azure Key Vault. We never persist plaintext.
• Your email and your collaborators' emails. Used solely to deliver magic-link access and version-update notifications.
• Your initials (and your collaborators'). Displayed in the redline history so each editor's changes are attributable.
• Payment metadata. Stripe processes the charge and shares only the session ID + outcome with us. We never see your card number.
• Access audit log. Each successful or failed access to a document is logged with IP and user-agent. Used for security review and to power the evidence chain.

What we do not do

• We do not sell your data.
• We do not train AI/ML models on your documents.
• We do not store passphrases or magic-link tokens in plaintext — only SHA-256 hashes.
• We do not share documents with third parties except Microsoft Azure (our infrastructure provider) and Stripe (payment processing), each under contractual data-protection obligations.

Where the data lives

Microsoft Azure, US East 2 region. All transit is TLS 1.2+. Database backups are retained for 7 days (production) on Azure Flexible Server with point-in-time restore.

Your rights

You may request access to, correction of, or deletion of your data at any time by emailing support@redlines.law. Deletion is irreversible — the document, its versions, every collaborator's access record, and the evidence chain are removed.

Changes

If we materially change this policy we will email everyone with an active document at least 14 days before the change takes effect.