Privacy Policy

At Civilly, we understand you are trusting us with some of the most sensitive information in your life. Divorce involves finances, children, emotions, and private communications. We take that responsibility seriously.

This Privacy Policy explains what information we collect, how we use it, and how we protect it. We have written this in plain English because you deserve to understand exactly how your data is handled. This Policy is incorporated into our Terms of Service and governs your use of Civilly.

When this policy mentions "Civilly," "we," "us," or "our," it refers to Civilly Services, located in San Diego, California, United States. We are the data controller responsible for your personal information under this Privacy Policy.

As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring your information is handled in compliance with applicable privacy laws, including GDPR for European users and CCPA/CPRA for California residents.

Civilly collects information in four ways: information you provide directly, information from services you connect, information from third-party authentication, and information collected automatically when you use our platform.

We use the information we collect for the following purposes:

• Provide the Civilly service: store your documents, display your timeline, calculate support estimates, manage your calendar, and deliver all platform features
• Power AI features: our AI assistant uses your case information to provide personalized guidance, extract information from documents, and categorize your data
• Process transactions: handle payments, send receipts, and manage your subscription
• Communicate with you: send account notifications, respond to support requests, deliver security alerts, and share product updates you opt into
• Improve the platform: understand how people use Civilly so we can make it better, fix bugs, and develop new features
• Ensure security: detect and prevent fraud, abuse, unauthorized access, and security threats
• Comply with legal obligations: respond to valid legal requests and meet regulatory requirements
• Personalize your experience: tailor content and recommendations based on your case details and usage patterns

If you are located in the European Economic Area (EEA) or United Kingdom, we collect and process your personal information only where we have a legal basis to do so under applicable data protection law. The legal bases we rely on include:

• Consent: You have given clear consent for us to process your personal data for a specific purpose, such as receiving marketing communications
• Contractual necessity: Processing is necessary to perform our contract with you (providing the Civilly service) or to take steps at your request before entering a contract
• Legal obligation: Processing is necessary to comply with a legal obligation, such as tax reporting or responding to valid legal requests
• Legitimate interests: Processing is necessary for our legitimate interests (such as improving our services, preventing fraud, or ensuring security) where those interests do not override your fundamental rights and freedoms

You have the right to withdraw consent at any time where we rely on consent to process your personal information. This will not affect the lawfulness of processing conducted before your withdrawal.

We may share limited information with the following categories of recipients:

• Service providers: Companies that help us operate Civilly, including cloud hosting (Google Cloud), payment processing (Stripe), email delivery, and analytics. These providers are contractually required to protect your data and use it only for the services they provide to us.
• Professional advisors: Lawyers, accountants, and auditors who need access to fulfill their professional obligations to us
• Legal requirements: If we receive a valid legal order (like a subpoena or court order), we will notify you before disclosing information unless legally prohibited from doing so. We will challenge overly broad requests.
• Your explicit request: When you export data to share with your attorney or other party you designate
• Business transfers: If Civilly is acquired or merges with another company, your information would transfer to the new owner under the same privacy protections described in this policy
• Safety situations: If we believe disclosure is necessary to prevent imminent harm to you or others

We do not sell or rent your personal information to third parties for their marketing purposes. We do not share your information with business partners for their independent use.

Cookies are small text files stored on your device that help us provide and improve our services. We use the following types of cookies:

• Essential cookies: Required for basic functionality like keeping you logged in and maintaining security. These cannot be disabled.
• Functional cookies: Remember your preferences, such as language settings and display options
• Analytics cookies: Help us understand how people use Civilly so we can improve the platform. We use privacy-focused analytics that do not track you across other websites.

We do not use advertising cookies or allow third-party advertisers to track you on Civilly. We do not sell data collected through cookies.

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking essential cookies may prevent you from logging in or using certain features.

We understand that many people going through divorce need extra privacy protections, especially those in difficult or dangerous domestic situations. Civilly includes several features designed to protect your confidentiality:

Security is foundational to everything we build. Here is how we protect your information:

• Encryption at rest: All data stored in our database and file storage is encrypted with AES-256 encryption
• Encryption in transit: All data sent between your device and our servers uses TLS 1.3 encryption
• Row-level security: Our database enforces access controls so users can only access their own case data
• Field-level encryption: Sensitive fields like financial account tokens receive additional encryption layers
• Access controls: Only authorized personnel can access systems, and all access is logged and audited
• Regular security assessments: We conduct regular security reviews and penetration testing
• Secure infrastructure: We host on Google Cloud Platform with SOC 2 Type II compliance
• Secure authentication: We support multi-factor authentication and secure OAuth sign-in

While we implement strong security measures, no method of electronic storage or transmission is 100% secure. We encourage you to use a strong, unique password and enable multi-factor authentication on your account.

• Active accounts: We retain your data as long as your account is active and you continue using Civilly
• Account closure: When you close your account, we delete your data within 30 days
• Backup retention: Encrypted backups are retained for 90 days after deletion for disaster recovery, then permanently deleted
• Legal requirements: Some records may be retained longer if required by law, such as financial transaction records for tax purposes
• Anonymized data: We may retain anonymized, aggregated data that cannot identify you for analytics and service improvement

When we delete your data, we use secure deletion methods. If immediate deletion is not possible (such as data in backup systems), we securely isolate your data from further processing until deletion is complete.

You have control over your personal information. Depending on your location, you may have the following rights:

• Access: Request a copy of the personal information we have about you
• Export: Download a complete copy of your data in standard, portable formats
• Correction: Update or correct any inaccurate information in your profile or case
• Deletion: Request deletion of your account and all associated data
• Restriction: Ask us to limit how we process your data in certain circumstances
• Objection: Object to our processing of your data based on legitimate interests
• Data portability: Receive your data in a structured, commonly used format
• Withdraw consent: Withdraw consent for processing where consent is the legal basis
• Disconnect services: Remove connected services like Plaid at any time
• Marketing opt-out: Unsubscribe from marketing emails with one click

To exercise these rights, visit your Account Settings or contact us at privacy@civilly.io. We will respond within 30 days. We may need to verify your identity before processing certain requests.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:

• Right to know: You can request details about what personal information we collect, use, disclose, and sell
• Right to delete: You can request that we delete personal information we collected from you
• Right to correct: You can request that we correct inaccurate personal information
• Right to opt-out: You can opt out of the sale or sharing of your personal information (note: we do not sell your data)
• Right to limit use of sensitive information: You can limit how we use sensitive personal information
• Right to non-discrimination: We will not discriminate against you for exercising any of these rights

To exercise these rights, contact us at privacy@civilly.io or use the privacy controls in your Account Settings. You may designate an authorized agent to make a request on your behalf.

In the past 12 months, we have collected the categories of personal information described in the "Information We Collect" section. We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted by CCPA/CPRA.

Civilly is intended for adults 18 years of age and older who are managing divorce-related matters. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@civilly.io. We will promptly delete any information we have collected from children.

Civilly operates in the United States, and your personal information is stored and processed on servers located in the United States. If you are accessing Civilly from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.

For users in the European Economic Area (EEA) or United Kingdom, we ensure appropriate safeguards are in place for international data transfers, including standard contractual clauses approved by the European Commission where applicable.

By using Civilly, you acknowledge that your information may be transferred to and processed in the United States in accordance with this Privacy Policy.

We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we make material changes, we will:

• Notify you by email at least 30 days before the changes take effect
• Post a prominent notice on our website
• Update the "Last Updated" date at the top of this policy
• Obtain your consent if required by applicable law

We encourage you to review this Privacy Policy periodically. Your continued use of Civilly after any changes indicates your acceptance of the updated policy. If you do not agree to the changes, you should stop using Civilly and close your account.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Civilly Services

San Diego, California, United States

We aim to respond to all privacy inquiries within 48 hours. For data subject access requests under GDPR or CCPA/CPRA, we will respond within 30 days as required by law.