Privacy Policy
Effective Date: May 20, 2026
Last Updated: May 20, 2026
1. Introduction
This Privacy Policy ("Policy") describes how Limbic Engineering Systems, LLC, doing business as Weave Legal ("Weave Legal," "we," "our," or "us") collects, uses, shares, and protects information when you use the weave.legal website and our cloud-based platform (collectively, the "Service"). Weave Legal provides a SaaS platform that connects law firms' existing legal software behind a single AI-ready connection and offers configurable workflow automations ("Routines") that execute on Weave's infrastructure.
By accessing or using the Service, you agree to the collection, use, and disclosure of information as described in this Policy. If you do not agree with the practices described here, you should not use the Service.
In this Policy, "you" and "your" refer to the individual or entity that has registered for or uses the Service. "Customer Content" means any data from your connected Third-Party Services that passes through the Service during the course of your use.
2. Information We Collect
We collect the following categories of information:
2.1 Account Information
When you register for the Service, we collect information you provide directly, including:
- Name
- Email address
- Firm or organization name
- Role or title within your organization
2.2 Billing Information
We use Stripe as our payment processor. When you start a free trial or subscribe to a paid plan, your payment information (such as credit card number, expiration date, and billing address) is collected and processed directly by Stripe. We do not collect or store your credit card numbers or full payment card details. We retain only transaction-level information necessary to manage your subscription, such as plan type, billing cycle, payment status, and invoice records.
2.3 Service Usage Data
We collect information about how you use the Service, including:
- Audit logs: Records of actions taken within the Service, including tool calls, Routine executions, AI interactions, and administrative actions (who did what, and when)
- Connection metadata: Which Third-Party Services you have connected, and their configuration settings
- Routine definitions: The workflow descriptions you create or configure (not the data those Routines process)
- OAuth tokens: Encrypted credentials that authorize the Service to connect to your Third-Party Services on your behalf
2.4 Technical Data
When you access the Service, we automatically collect certain technical information, including:
- IP address
- Browser type and version
- Device type and operating system
- Referring URL
- Pages visited within the Service
- Date and time of access
2.5 Analytics Data
We use Fathom Analytics for product analytics. Fathom is a privacy-focused, cookieless analytics service that does not collect personal information about individual visitors. The analytics data we receive is aggregated and de-identified.
2.6 Support Data
When you communicate with our team, we collect:
- The content of emails, chat messages, and other correspondence
- Call recordings and transcriptions made during customer support or onboarding sessions (via Fireflies), with your knowledge and, where required, consent
- Scheduling information (via TidyCal) when you book meetings with our team
3. Information We Do NOT Collect or Store
This is central to how Weave Legal is designed. Our platform operates as a pass-through connection layer between your existing legal tools and your AI environment. As such:
- We do not store your clients' personal information. Client names, contact details, and other personally identifiable information belonging to your clients are not persisted by Weave Legal.
- We do not store matter details, documents, or case data. Information such as case notes, legal documents, court filings, and matter records from your connected services passes through Weave but is not retained.
- We do not read, access, or analyze the substantive content of Customer Content flowing through our connectors except as strictly necessary to route requests, execute Routines, and provide the Service.
- Data from your connected Third-Party Services is proxied, not persisted. Weave Legal facilitates communication between your tools and LLM providers in real time. Once a request is fulfilled, Customer Content is not stored on our infrastructure beyond the duration necessary to complete the transaction, subject to any applicable audit logging.
Audit logs may record metadata about transactions (such as the type of action taken, the tool involved, timestamps, and the identity of the user who initiated the action), but they do not capture the substantive content of the data processed.
4. How We Use Information
We use the information we collect for the following purposes:
- To provide and operate the Service, including connecting your Third-Party Services, executing Routines, and maintaining your account
- To process payments through our payment processor, Stripe
- To provide audit logging and governance features that help you maintain oversight and compliance within your firm
- To improve the Service, using de-identified and aggregated data to understand usage patterns, diagnose issues, and develop new features
- To communicate with you, including responding to support requests, sending service-related notices, providing billing information, and (with your consent where required) sharing product updates
- To ensure security and prevent fraud, including monitoring for unauthorized access, abuse, or violations of our terms
We do not use Customer Content for any purpose other than providing the Service to you. We do not use your data to train our own AI models.
5. How We Share Information
We share information only in the following circumstances:
5.1 Subprocessors
We share information with the third-party service providers listed in Section 6 below, solely as necessary to operate and deliver the Service. These providers are contractually obligated to use your information only to perform services on our behalf and in accordance with this Policy.
5.2 LLM Providers
When you execute Routines, the Service sends data to third-party LLM providers (currently Anthropic and OpenAI) via their APIs in order to process your requests. The data sent to LLM providers is governed by their respective terms of service and privacy policies. See Section 12 for additional detail.
5.3 Legal Requirements
We may disclose information if we believe in good faith that disclosure is required by applicable law, regulation, legal process, or governmental request, including to comply with a subpoena, court order, or similar legal obligation.
5.4 Business Transfers
In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the successor entity. We will provide notice before your information becomes subject to a different privacy policy.
5.5 With Your Consent
We may share information with third parties when you direct us to do so or provide your explicit consent.
5.6 What We Do NOT Do
- We do not sell personal information. We have never sold personal information and have no plans to do so.
- We do not use customer data for advertising. We do not share your information with advertisers or ad networks.
- We do not share Customer Content with third parties for their own independent purposes.
6. Subprocessor List
The following third-party service providers process information on our behalf in connection with the operation of the Service:
| Subprocessor | Function |
|---|---|
| Fly.io | Cloud hosting and data storage |
| Grafana Labs | Infrastructure monitoring and logging |
| Clerk | User authentication and identity management |
| Stripe | Payment processing and subscription management |
| Latitude | AI agent monitoring, logging, and automatic issue detection |
| Sentry | Application error tracking and diagnostics |
| Fathom Analytics | Privacy-focused, cookieless product analytics |
| TidyCal | Meeting scheduling for customer onboarding and support |
| Fireflies | Call recording and transcription for customer support |
| Anthropic | LLM API provider for Agentic Routine execution |
| OpenAI | LLM API provider for Agentic Routine execution |
We will update this list as our subprocessors change. If you would like to be notified of subprocessor changes, please contact us at [email protected].
7. Data Security
We take the security of your information seriously and implement reasonable administrative, technical, and organizational measures to protect it, including:
- Encryption in transit: All data transmitted between your browser and our servers, and between our servers and Third-Party Services, is encrypted using TLS.
- Encryption at rest: Stored data, including OAuth tokens, is encrypted at rest.
- Access controls: User authentication is managed through Clerk. Access to customer data within our infrastructure is restricted to authorized personnel on a need-to-know basis.
- Audit logging: We maintain logs of administrative and system actions to support security monitoring and incident investigation.
- Incident response: In the event of a security incident that affects your personal information, we will notify you within a reasonable timeframe and in accordance with applicable law.
No method of electronic transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
8. Data Retention
We retain information in accordance with the following guidelines:
- Account data: Retained while your account is active and for 30 days following account termination or deletion, after which it is deleted.
- Audit logs: Retention periods for audit logs are configurable. Default retention periods and available options will be specified in your service agreement. We may retain certain audit log data for longer periods where required for legal or compliance purposes.
- Billing records: Retained as required by applicable tax, accounting, and financial reporting laws, which generally require retention for a minimum of seven years.
- Support communications and call recordings: Retained for two years from the date of the communication, unless a shorter period is required by applicable law.
- Analytics data: Aggregated and de-identified analytics data may be retained indefinitely.
- Customer Content: Not retained. As described in Section 3, Customer Content passes through the Service and is not persisted.
When data is no longer required, we will delete or de-identify it in accordance with our internal data management procedures.
9. Your Rights (California Residents)
If you are a California resident, you may have certain rights under the California Online Privacy Protection Act (CalOPPA) and other applicable California privacy laws, including:
- Right to know. You have the right to request information about the categories and specific pieces of personal information we have collected about you.
- Right to deletion. You have the right to request that we delete personal information we have collected from you, subject to certain legal exceptions.
- Right to opt out of sale. We do not sell personal information. However, you have the right to direct us not to sell your personal information, and we honor that right by default.
- Right to non-discrimination. We will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights, please contact us at [email protected]. We will verify your identity before processing your request and respond within the timeframes required by applicable law.
Note: As our business grows, we will evaluate whether additional obligations under the California Consumer Privacy Act (CCPA) apply and will update this Policy accordingly.
10. Children's Privacy
The Service is designed for use by legal professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age. If we learn that we have collected personal information from a person under 18, we will take steps to delete that information promptly. If you believe that a minor has provided personal information to us, please contact us at [email protected].
11. Third-Party Services
The Service allows you to connect various third-party legal software applications ("Third-Party Services"). Each Third-Party Service has its own privacy policy and data practices that are independent of Weave Legal. We are not responsible for the privacy practices, data collection, or data handling of any Third-Party Service you choose to connect.
Before connecting a Third-Party Service to Weave Legal, we encourage you to review that service's privacy policy and terms of use. Your use of each Third-Party Service is governed by your agreement with that provider.
12. LLM Provider Data Practices
When you use Routines, the Service sends data to LLM providers (currently Anthropic and OpenAI) to process your requests. The following applies to data processed by LLM providers:
- Data handling by LLM providers is governed by each provider's own terms of service and privacy policy. We encourage you to review them.
- Weave Legal does not use Customer Content to train AI models. We do not use the data that flows through the Service to train, fine-tune, or improve any machine learning model.
- LLM provider training policies: Each LLM provider's own policies govern whether and how data submitted through their APIs may be used for model training. We select API tiers and configurations designed to minimize or eliminate provider-side training on customer data, but you should review each provider's current terms for definitive information.
- Retention of prompt and response data from Routine executions is configurable. Default retention behavior and available options will be specified in your service agreement. Where prompt and response data is retained, it is stored subject to the same security measures described in Section 7.
We may add or change LLM providers in the future. Any new providers will be reflected in the Subprocessor List in Section 6 and disclosed in accordance with Section 13.
13. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law.
- Material changes: If we make material changes to this Policy, we will provide at least 30 days' advance notice by email to the address associated with your account or by prominent notice within the Service before the changes take effect.
- Non-material changes: Minor clarifications or formatting changes may be made without advance notice.
Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of the revised terms. If you do not agree with the changes, you should discontinue use of the Service before the updated Policy takes effect.
We encourage you to review this Policy periodically.
14. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a concern, please contact us:
Email: [email protected]
Mailing Address:
Limbic Engineering Systems, LLC d/b/a Weave Legal
2261 Market Street STE 96277
San Francisco, CA 94114
This Privacy Policy is effective as of May 20, 2026.