Skip to main content
LegalPath

Security

How we protect your legal documents.

Last updated: May 12, 2026

A will, a separation agreement, a power of attorney. These are some of the most personal documents a person ever signs. We treat them that way. Here is exactly what we do, and what we do not do, with your data.

Where your data lives

  • Primary customer records are stored in Canada. Our database and file storage run on Supabase's ca-central-1 region in Montréal, Québec.
  • Some service providers process data outside Canada. AI, payment, hosting, analytics, and email providers may process limited data in the United States or other jurisdictions needed to operate LegalPath.
  • Web hosting runs on Vercel, with HTTPS everywhere and HTTP Strict Transport Security enabled.

Encryption

  • In transit: TLS 1.2 or higher on every request. No mixed-content traffic.
  • At rest: Database is AES-256 encrypted by Supabase. File storage (your generated PDFs) is encrypted at rest with per-bucket keys.
  • Passwords: Hashed using industry-standard bcrypt via Supabase Auth. We never see your password.

Access controls

  • Row-level security is enabled on every table that contains user data. You can only see your own forms, your own PDFs, your own AI conversations. This is enforced at the database layer, not the application layer.
  • Service-role credentials are only used in our server code (never exposed to the browser) and only for narrow operations such as creating a profile on signup or processing a Stripe webhook.
  • Internal access to customer data is limited to support staff resolving a specific ticket, and is logged.

What we keep and for how long

  • In-progress drafts: kept as long as you have an active LegalPath account.
  • Completed forms and generated PDFs: kept while your account is active. If you delete them or close your account, we delete the files within 30 days unless we are legally required to retain a related business record.
  • Payment data: we do not store credit card numbers. Stripe handles all card data and is PCI DSS Level 1 certified.
  • AI conversation history: tied to your account, used to give the assistant context across sessions. Deleted on account deletion.

AI processing

The LegalPath AI assistant uses Anthropic Claude. When you ask a question, your message and the relevant form context are sent to Anthropic's API. Per Anthropic's API terms, this data is not used to train their models. We do not send your personal identifiers (name, address, SIN, financial details) to the AI unless those are part of the question you typed. The assistant is configured to refuse legal advice on your specific situation.

Your rights under Canadian privacy law

Under Canadian privacy law, you have the right to:

  • Access the personal information we hold about you.
  • Correct any information that is inaccurate or incomplete.
  • Withdraw consent and have your data deleted.
  • File a complaint with the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, email hello@legalpath.ca from the email address on your account. We respond within 30 days as required by law (usually within 2 business days).

Breach notification

If we discover a security breach that creates a real risk of significant harm to you, we will:

  • Aim to notify you directly within 72 hours of confirming the breach.
  • Notify the Office of the Privacy Commissioner of Canada (as PIPEDA requires).
  • Log the incident publicly in our changelog.
  • Tell you what happened, what was accessed, and what we have done to fix it.

What we will never do

  • Sell your data to third parties. Ever.
  • Use your form contents to train AI models.
  • Share your forms with any government agency without a valid Canadian court order, and only after notifying you unless legally prohibited.
  • Use customer documents for advertising or unrelated product training.

Reporting a vulnerability

If you find a security issue, please email hello@legalpath.ca with a description and reproduction steps. We respond within 1 business day and credit responsible reporters in the changelog (with permission).

Privacy questions

Email hello@legalpath.ca and we respond within 1 business day. For account-level questions, use hello@legalpath.ca.

See our refund policy →
Security: how we protect your legal documents · LegalPath