Security
How we protect your legal documents.
Last updated: May 12, 2026
A will, a separation agreement, a power of attorney. These are some of the most personal documents a person ever signs. We treat them that way. Here is exactly what we do, and what we do not do, with your data.
Where your data lives
- All customer data is stored in Canada. Our database and file storage run on Supabase's ca-central-1 region in Montréal, Québec.
- Your data never crosses the border. It is subject to PIPEDA federally and Québec's Law 25 (CCQ-modernization).
- Web hosting runs on Vercel, with HTTPS everywhere and HTTP Strict Transport Security enabled.
Encryption
- In transit: TLS 1.2 or higher on every request. No mixed-content traffic.
- At rest: Database is AES-256 encrypted by Supabase. File storage (your generated PDFs) is encrypted at rest with per-bucket keys.
- Passwords: Hashed using industry-standard bcrypt via Supabase Auth. We never see your password.
Access controls
- Row-level security is enabled on every table that contains user data. You can only see your own forms, your own PDFs, your own AI conversations. This is enforced at the database layer, not the application layer.
- Service-role credentials are only used in our server code (never exposed to the browser) and only for narrow operations such as creating a profile on signup or processing a Stripe webhook.
- Internal access to customer data is limited to support staff resolving a specific ticket, and is logged.
What we keep and for how long
- In-progress drafts: kept as long as you have an active LegalPath account.
- Completed forms and generated PDFs: kept for 7 years (Canadian record-keeping standard) or until you delete them, whichever comes first.
- Payment data: we do not store credit card numbers. Stripe handles all card data and is PCI DSS Level 1 certified.
- AI conversation history: tied to your account, used to give the assistant context across sessions. Deleted on account deletion.
AI processing
The LegalPath AI assistant uses Anthropic Claude. When you ask a question, your message and the relevant form context are sent to Anthropic's API. Anthropic does not train on this data (per their API terms). We do not send your personal identifiers (name, address, SIN, financial details) to the AI unless those are part of the question you typed. The assistant is configured to refuse legal advice on your specific situation.
Your rights under Canadian privacy law
Under PIPEDA and Québec's Law 25, you have the right to:
- Access the personal information we hold about you.
- Correct any information that is inaccurate or incomplete.
- Withdraw consent and have your data deleted.
- File a complaint with the Office of the Privacy Commissioner of Canada or, for Québec residents, the Commission d'accès à l'information.
To exercise any of these rights, email privacy@legalpath.ca from the email address on your account. We respond within 30 days as required by law (usually within 2 business days).
Breach notification
If we discover a security breach that creates a real risk of significant harm to you, we will:
- Notify you directly within 72 hours of discovery.
- Notify the Office of the Privacy Commissioner of Canada (as PIPEDA requires).
- Log the incident publicly in our changelog.
- Tell you what happened, what was accessed, and what we have done to fix it.
What we will never do
- Sell your data to third parties. Ever.
- Use your form contents to train AI models.
- Share your forms with any government agency without a valid Canadian court order, and only after notifying you unless legally prohibited.
- Send your data outside Canada without your explicit consent.
Reporting a vulnerability
If you find a security issue, please email privacy@legalpath.ca with a description and reproduction steps. We respond within 1 business day and credit responsible reporters in the changelog (with permission).
Privacy questions
Email privacy@legalpath.ca and we respond within 1 business day. For account-level questions, use hello@legalpath.ca.