Privacy Policy

1. About this Privacy Policy

This Privacy Policy describes how Scrivly, Inc. d/b/a Aewita, a Delaware C-Corporation ("Aewita," "we," "us"), collects, uses, and protects information on the marketing website at aewita.com and the application at app.aewita.com (together, the "Service").

If you are a customer, the Terms of Service and this Privacy Policy apply together. If you are a visitor who is not a customer, only the portions of this Policy that address the marketing site apply to you.

2. What we collect

We try to collect as little information as the Service needs to work. Here is the full list.

Account information. When you sign up we collect your name, email, bar jurisdiction, firm (if any), and password hash. If you subscribe, we also collect billing contact information.

Billing information. Payments are processed by Stripe. Stripe holds card numbers and related financial instruments. We store only the invoice metadata Stripe returns to us: billing address, last four digits of card, subscription state, and invoice history. We do not store card numbers, CVV, or full account numbers on our servers.

Product usage. Inside the app we store the content you create or upload (matters, notes, uploads, drafts), your queries, the Service's responses, and audit logs of product actions (who did what, when, and on which record).

Session information. For security we log request metadata: IP address, user-agent, authentication events, and timestamps. These logs are retained for 90 days.

Marketing site. On aewita.com we collect aggregate visitor metadata (page, referrer, country, user-agent, session ID) through privacy-respecting analytics. We do not set cross-site advertising cookies, retargeting pixels, or social-media tracking pixels.

3. What we do NOT collect

To be specific about things we are often asked:

• No cross-site tracking. We do not operate or embed any third-party advertising, retargeting, or social-media pixel on aewita.com or app.aewita.com.
• No behavioral profiles. We do not build profiles of individuals for marketing or advertising.
• No sale of data. We have never sold personal information and we will not. For state-law purposes (including CCPA/CPRA), we do not "sell" or "share" personal information.
• No third-party LLM calls. Customer queries never leave our infrastructure for inference.

See the Cookie Policy for the full cookie inventory.

4. How we use customer content

We use Customer Content solely to provide the Service to you: to run research queries, generate drafts, index matters for search, enforce access controls, and produce audit logs you can review.

We do not train our models on Customer Content. This is a build constraint, not a toggleable preference. Customer Content is walled off from every training, fine-tuning, evaluation, or reinforcement-learning pipeline operated by Aewita. We do not use Customer Content to produce aggregate statistics that leave Aewita's systems. We do not sample it for internal review absent a specific, documented support ticket you have opened with us.

We may use anonymized, non-reconstructable operational telemetry (latency, error rates, cache hit ratios) to improve performance. This telemetry does not contain query text, file contents, matter names, or matter metadata. It is indistinguishable at the record level from telemetry generated by synthetic load tests.

If a support engineer needs to see Customer Content to resolve a ticket you opened, we ask for your explicit authorization inside the ticket, log the access in the audit log you can see, and limit the scope of review to what is necessary to reproduce and fix the issue.

5. Where your data lives

Aewita runs on U.S. infrastructure. Inference — the actual running of the reasoning model over your query — happens on servers we operate, in U.S. data centers, for U.S. customers. At no point is a customer query routed to OpenAI, Anthropic, Google, Cohere, Mistral, Meta, or any other external LLM provider. We self-host the model.

Storage (databases, object stores, backups) is U.S.-region. Replicas and backups remain in the United States.

6. Subprocessors

A subprocessor is a vendor we rely on to deliver a specific part of the Service. We keep the list short on purpose. Our current subprocessors are:

• Stripe, Inc. — payments processing. Data category: billing contact, payment method metadata, invoice history.
• Vercel, Inc. — hosting for the marketing website at aewita.com. Data category: visitor metadata (IP, user-agent, path, timestamps). Vercel does not host the product or see Customer Content.
• A U.S. cloud infrastructure provider (SOC 2 Type II and HIPAA-eligible) — product hosting for app.aewita.com. Data category: Customer Content at rest and in transit, encrypted with keys we control.
• A U.S.-based transactional email provider — account, billing, and security notifications. Data category: name, email, message content limited to Service notifications.

There is no LLM subprocessor. The reasoning model that powers Aewita is operated by us on infrastructure we control.

A current list of subprocessors, with notice of additions, is available at aewita.com/subprocessors. Enterprise customers can subscribe to subprocessor-change notifications.

7. How long we keep data

• Active accounts. For the life of the account. You control deletion of individual matters, files, and queries from within the product.
• Closed accounts. A 30-day grace window during which you can export everything. After that window, Customer Content is deleted from production systems within 90 days.
• Encrypted backups. Rotated out within 1 year from closure.
• Security logs. 90 days (authentication events, IP addresses, user-agent strings).
• Billing records. Seven (7) years for tax and regulatory purposes, after which they are purged.

8. Your rights

Subject to applicable law (including the California Consumer Privacy Act/CPRA and the EU General Data Protection Regulation where it applies to you as a visitor), you have the right to:

• Access a copy of personal information we hold about you.
• Correct information that is inaccurate.
• Port your data in a machine-readable format.
• Delete your data (subject to narrow exceptions like legal holds).
• Opt out of "sale" or "sharing" of personal information — we do not sell or share, so there is nothing to opt out of, but we confirm on request.
• Be free from retaliation for exercising these rights.

To exercise any of these rights, email legal@aewita.com. We reply within one business day and fulfill verified requests within 30 days (45 for complex requests under CPRA).

8a. How to make a request

A complete rights request should include: (i) the email on your Aewita account (or the email associated with your visit to the marketing site), (ii) the right you want to exercise, (iii) if you are requesting deletion, whether you want export first, and (iv) enough context for us to verify that you are who you say you are without collecting more information than necessary. We may ask a short follow-up question if the request is ambiguous. You may designate an authorized agent to act on your behalf under CPRA; we verify agent authority before acting.

We do not charge for rights requests except where a request is manifestly unfounded or excessive, and we do not retaliate against anyone for exercising their rights.

9. Children

Aewita is not intended for persons under 18. We do not knowingly create accounts for minors. If we learn that an account belongs to a minor, we will close it and delete associated data.

10. International data transfers

Our customers are U.S.-licensed attorneys and their firms. Customer Content stays in the United States.

If you visit the marketing website from outside the United States, limited visitor metadata (IP, user-agent, page views) is processed in the U.S. by Vercel and our analytics subprocessor. For EU/UK visitors, we rely on Standard Contractual Clauses and the UK International Data Transfer Addendum with our subprocessors where applicable. The marketing site does not set optional cookies by default.

11. Security practices

We operate Aewita to the expectations of attorneys handling privileged content:

• Encryption in transit. TLS 1.3 everywhere; modern cipher suites; HSTS preloaded.
• Encryption at rest. AES-256 for databases, object storage, and backups. Keys are managed by us with regular rotation.
• FIPS 140-2 validated cryptography for cryptographic operations where practicable.
• Least-privilege access. Production access limited to a small number of named engineers, gated by hardware key MFA.
• Separation of duties. The people who can deploy code are not the same people who can read customer databases in the rare cases support access is needed.
• Annual penetration test by an independent third party. Summary letter available to customers under NDA.
• SOC 2 Type II audit in progress; target report Q3 2026.
• HIPAA. Business Associate Agreement available on request for firms that handle PHI.
• Regional isolation. Production is isolated from corporate systems; no engineer laptop ever holds a copy of a customer database.

More detail is on the Security page.

12. Audit logging

Every product action is recorded in an append-only audit log: authentication events, matter access, file uploads, queries, exports, and permission changes. Firm administrators can export their firm's log via the admin console or by request to legal@aewita.com.

Audit log entries are tamper-evident: each entry is chained to the prior entry's hash so that deletion or modification of a past entry is detectable. Logs are retained for the life of the account plus the 30-day post-termination export window, and they form the factual record of who accessed what, from where, and when. This is the record firms use to satisfy their internal supervision policies and, where applicable, to respond to discovery requests that implicate the use of AI tools.

12a. Law enforcement and government requests

Separately from valid civil-discovery requests addressed in section 14, we receive occasional questions about how we handle requests from government agencies. Our default position is that Customer Content is the customer's content, not ours, and that the customer is the right party to litigate any request for it. Whenever law permits, we redirect government requests to the affected customer and do not ourselves produce Customer Content. Where a request is properly directed to us and legally valid, we produce the minimum data responsive to the request, notify the customer unless we are under a lawful nondisclosure obligation, and log the request for our annual transparency report.

13. Breach notification

If we detect unauthorized access to Customer Content, we notify affected customers within 72 hours of confirming the incident, consistent with applicable law. Notifications include what happened, what data was involved, what we have done to contain it, and what you should do.

14. Legal requests

We require a valid subpoena, warrant, or court order to disclose Customer Content. We notify the affected customer of any such request unless we are legally prohibited from doing so. We challenge requests that are overbroad, that lack legal authority, or that conflict with attorney-client privilege asserted by the customer.

Aggregate statistics about government requests will be published annually in a transparency report.

15. Changes to this Policy

We may update this Privacy Policy from time to time. For material changes we will email you at the address on your account at least 30 days before the change takes effect and update the "Last updated" date above. We keep prior versions available on request.

16. Contact

For privacy rights requests, data questions, or anything in this Policy, contact:

Scrivly, Inc. d/b/a Aewita
Attn: Privacy
Wilmington, DE
legal@aewita.com

For security questions or to report a vulnerability, use security@aewita.com.