Privacy Policy
Last updated: April 2, 2026
1. Introduction
Verba Brief ("Company," "we," "us," or "our") is committed to protecting your privacy and the confidentiality of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered email drafting service ("the Service"). Given that our users are legal professionals who may handle sensitive and privileged information, we take data protection with the utmost seriousness.
By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Information We Collect
2.1 Account Information
- Name and email address
- Firm name and bar number (optional)
- Password (cryptographically hashed — never stored in plain text)
- Practice area preference
- Preferred sign-off and custom terminology preferences
2.2 Content You Provide
- Information you enter into email templates (client names, case details, key points, and other input fields)
- Generated email content saved to your history
- Custom legal terminology you add to your profile
2.3 Usage Data
- Number of emails generated per month
- Templates used (by category)
- General usage patterns (aggregate, for improving the Service)
2.4 Payment Information
Payment card information is collected and processed exclusively by Stripe, our PCI DSS Level 1 certified payment processor. We do not receive, store, or have access to your full payment card numbers.
2.5 Information We Do NOT Collect
- We do not use tracking cookies or advertising pixels
- We do not collect browsing history or device fingerprints
- We do not collect information from social media profiles
- We do not purchase data from third-party data brokers
3. How We Use Your Information
- To provide the Service: Your input data is transmitted to our AI provider (Anthropic) to generate email drafts. This data is processed transiently and not retained by Anthropic.
- To maintain your history: Generated emails are stored in your personal history for your reference and convenience.
- To manage your account: Authentication, billing, subscription management, and profile settings.
- To improve the Service: Aggregate, anonymized, non-identifiable usage data may be used to improve templates, features, and overall Service performance.
- To communicate with you: Service-related communications, including account verification, billing notifications, security alerts, and material changes to these policies.
4. AI Processing and Data Handling
This section is critical for legal professionals to understand:
- AI Provider: We use Anthropic's Claude API to generate email content. Anthropic maintains SOC 2 Type II certification.
- No AI Training: Your data is NOT used to train AI models. Anthropic's commercial API terms explicitly state that customer data is not used for model training purposes.
- Transient Processing: Input data sent to the AI API is processed transiently for the sole purpose of generating a response and is not retained by the AI provider beyond the immediate request processing window.
- Encryption in Transit: All data transmitted to and from the AI provider is encrypted using TLS 1.2 or higher.
- No Logging of Content: We do not log the content of your inputs or generated outputs on our servers beyond what is stored in your personal email history (which you control).
IMPORTANT: You are solely responsible for determining whether it is appropriate to input confidential, privileged, or sensitive client information into the Service. Please consult your jurisdiction's ethics rules and opinions regarding the use of cloud-based and AI-powered tools in legal practice.
5. Data Storage and Security
5.1 Infrastructure
- Database: Supabase (PostgreSQL) — encryption at rest, SOC 2 compliant, hosted in secure data centers
- Hosting: Vercel — SOC 2 Type II certified, DDoS protection, edge network security
- Location: Data is stored and processed in the United States
5.2 Security Measures
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Authentication via secure, industry-standard protocols with cryptographically hashed passwords
- Row-level security (RLS) in our database ensuring strict data isolation — users can only access their own data
- No storage of payment card information (handled entirely by Stripe)
- Regular security reviews of our infrastructure and dependencies
- Principle of least privilege applied to all system access
6. Data Retention
- Account data: Retained as long as your account is active.
- Email history: Retained until you delete it or close your account. You may delete individual emails at any time.
- Account deletion: Upon account deletion, all your personal data, email history, and profile information are permanently and irreversibly removed from our systems within 30 days.
- Backups: Database backups are retained for up to 30 days for disaster recovery purposes, after which they are automatically purged.
- Anonymized data: Aggregate, anonymized usage statistics (which cannot be linked to any individual user) may be retained indefinitely for Service improvement purposes.
7. Data Sharing and Disclosure
We do NOT sell, rent, trade, or otherwise share your personal information or content with third parties for their marketing or commercial purposes. We may disclose your information only in the following limited circumstances:
- Service Providers: To trusted third-party service providers who assist us in operating the Service (Anthropic, Supabase, Vercel, Stripe), subject to contractual obligations of confidentiality and data protection
- Legal Compliance: When required by law, regulation, legal process, or governmental request, including to comply with a subpoena, court order, or similar legal obligation
- Protection of Rights: When we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request
- Business Transfer: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, in which case your data would remain subject to this Privacy Policy
8. Your Rights
You have the following rights regarding your data:
- Right to Access: View all data we store about you via your account settings and email history
- Right to Deletion: Delete individual emails from your history or request complete deletion of your account and all associated data
- Right to Export: Copy your generated emails at any time via the copy-to-clipboard or PDF download features
- Right to Correction: Update your profile information at any time through your account settings
- Right to Restrict Processing: You may contact us to request restriction of processing of your personal data
- Right to Object: You may object to certain processing activities by contacting us
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you
- Right to Delete: You may request deletion of personal information we have collected from you
- Right to Opt-Out of Sale: We do NOT sell personal information. There is no need to opt out.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise your California privacy rights, contact us at verbabrief@gmail.com.
10. International Data Transfers
Your information is stored and processed in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to such transfer, storage, and processing.
11. Third-Party Services
We use the following third-party services:
- Anthropic (Claude API): AI content generation — SOC 2 Type II certified, no customer data used for training
- Supabase: Database and authentication — SOC 2 compliant, PostgreSQL with encryption at rest
- Vercel: Application hosting — SOC 2 Type II certified, global edge network
- Stripe: Payment processing — PCI DSS Level 1 certified, the highest level of payment security certification
Each third-party provider is bound by their own privacy policies and terms of service. We encourage you to review their respective policies.
12. Cookies
We use essential cookies only for authentication and session management. These cookies are strictly necessary for the operation of the Service. We do NOT use:
- Tracking cookies
- Advertising or marketing cookies
- Analytics cookies that track individual users
- Third-party cookies for cross-site tracking
13. Data Breach Notification
In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach
- Provide details about the nature of the breach, the types of information affected, and the steps we are taking to address it
- Comply with all applicable data breach notification laws and regulations
- Take immediate steps to contain and remediate the breach
14. Children's Privacy
The Service is intended for use by legal professionals and is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.
15. Do Not Track Signals
We do not track users across third-party websites and therefore do not respond to Do Not Track (DNT) signals. However, as stated above, we do not use any tracking technologies beyond essential authentication cookies.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account at least thirty (30) days prior to the effective date. The "Last updated" date at the top indicates the most recent revision. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
17. No Guarantee of Absolute Security
While we implement industry-standard security measures and use commercially reasonable efforts to protect your data, no method of electronic transmission or storage is 100% secure. We cannot and do not guarantee absolute security of your data. However, we are committed to protecting your information using all commercially reasonable measures and will promptly address any security incidents in accordance with our Data Breach Notification procedures.
18. Contact Us
For privacy-related questions, concerns, or to exercise your data rights, contact us at:
- Email: verbabrief@gmail.com
- For legal inquiries: verbabrief@gmail.com
We will respond to all privacy-related requests within 30 days.