LegalPath

Privacy Policy

Effective May 18, 2026

Draft for review. This Privacy Policy is effective as of May 18, 2026. We recommend reviewing it with your legal counsel before relying on it for high-stakes matters. Material changes are communicated by email.

LegalPath (“we”, “us”), operating under JP Consulting & Management, a Canadian company, respects your privacy. This policy explains what we collect, why we collect it, and how we protect it. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) federally and Alberta’s Personal Information Protection Act (PIPA), along with applicable provincial privacy laws (including Québec’s Law 25).

What we collect

When you use LegalPath, we collect:

  • Account info: email address, password (hashed, never stored in plain text), and any name or profile details you choose to add.
  • Form data: the answers you provide to our wizards so we can generate your documents. Some forms include sensitive information (full name, address, financial details, family relationships, etc.).
  • Payment info: handled directly by Stripe. We never see or store your full credit card number, only a Stripe customer ID.
  • Usage data: standard web analytics (pages visited, browser type, anonymized IP) so we can improve the product.
  • Support communications: emails or chat messages you send us.

How we use it

  • To generate the legal forms and PDFs you request.
  • To save your in-progress work so you can return to it later.
  • To process payments and send receipts.
  • To respond to your support requests.
  • To send essential service emails (welcome, payment confirmation, document ready).
  • To improve LegalPath through aggregated, anonymized analytics.

We do not sell your personal information. Ever. We do not use your form answers to train AI models. Your documents and answers belong to you.

Where it lives (data residency)

Your primary data is stored on Supabase infrastructure in the ca-central-1 region (Montreal, Canada). Stripe processes payments. Resend delivers transactional email. Vercel hosts the application. Each provider complies with industry-standard security practices.

AI assistance may use US-based API endpoints (Anthropic, OpenAI), but no personally identifiable form data is stored by those providers; queries are processed and returned without long-term retention on their side.

Who we share it with

We share information only when necessary:

  • With service providers (Supabase, Stripe, Resend, Vercel) strictly to operate the service.
  • With our AI assistant provider (Anthropic) when you use the AI helper. Only the specific question and form context are shared, never your full account.
  • When required by law (court order, valid legal request).
  • To prevent fraud or protect the safety of our users.

Cookies

We use essential cookies to keep you logged in and to remember your in-progress work. We use anonymized analytics cookies to understand how the product is used. You can disable non-essential cookies in your browser without losing core functionality.

Your rights

Under PIPEDA, you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Request deletion of your account and associated data.
  • Withdraw consent for non-essential data uses.
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca).

To exercise any of these rights, email privacy@legalpath.ca. We'll respond within 30 days.

Data retention

We keep your account and documents for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we're required by law to retain certain records (e.g., tax/payment records held for 7 years).

Security

We use industry-standard encryption: AES-256 at rest and TLS 1.3 in transit. Database access is restricted via row-level security, so each user can only access their own records. There is no cross-account visibility. Service roles use least-privilege scoping. Passwords are hashed with bcrypt. We test for common web vulnerabilities regularly.

Breach notification

If a security breach occurs that involves a real risk of significant harm to your personal information, we will notify affected users and the Office of the Privacy Commissioner of Canada without unreasonable delay, in accordance with PIPEDA breach reporting requirements. We will also notify Alberta’s Office of the Information and Privacy Commissioner where Alberta PIPA applies.

Updates to this policy

If we make material changes to how we handle your data, we'll email you and post a notice on the site at least 30 days before the change takes effect.

Contact

Privacy questions: privacy@legalpath.ca
General: hello@legalpath.ca