Privacy

Before you start using our legal AI services, please carefully read through this Privacy Policy.

If you have any questions, concerns, or feedback about this Policy or other legal matters, please reach out to [email protected]. If you would like to learn more about our controls, subprocessors and security, privacy, and compliance posture, please consult the Isaacus Trust Center.

This Privacy Policy (the “Policy”) describes the types of personal data that Isaacus Pty Ltd (“Isaacus”, the “Company”, “us”, “we” or “our”) collects, uses, discloses, stores, and otherwise handles when you (“you”, “your” or a “User”) use our websites (collectively, the “Website”), including but not limited to https://isaacus.com, https://platform.isaacus.com, https://docs.isaacus.com and https://api.isaacus.com, as well as the Isaacus Platform, the Isaacus API, Isaacus artificial intelligence and machine learning models, algorithms and systems, Isaacus apps and any other software, products or services that we offer (collectively, including our Website, the “Services”).

This Policy along with the Isaacus Trust Center supports Isaacus’ compliance with applicable privacy laws, including the EU General Data Protection Regulation (“GDPR”) and the Australian Privacy Principles (“APPs”) in the Privacy Act 1988 (Cth).

We may change this Policy from time to time by posting revisions on our Website. If you were a User of our Services before the posting of a revision, that revision will take effect 14 days after its posting. If you do not intend to agree to a revision, you must stop using our Services before it comes into effect. For new Users, revisions will take effect immediately upon their posting.

This Policy was last updated on 16 April 2026.

1. Who we are

Isaacus Pty Ltd is an Australian proprietary company limited by shares registered in Victoria, Australia.

Our registered office is located at 81-83 Campbell Street, Surry Hills, New South Wales 2010, Australia.

Our Australian Company Number (ACN) is 684 344 134, and our Australian Business Number (ABN) is 15 684 344 134.

We operate under the registered business name, Isaacus.

We develop effective, efficient, and scalable legal AI models, APIs, and applications to solve the most time-consuming problems legal professionals face each day.

We work with legal technology companies, law firms, corporate legal departments, and government to deploy our solutions both in the cloud and on premises, including inside air-gapped environments.

2. Exclusion of external third-party services

This Policy does not cover any external third-party services that you access through external links, optional integrations, or the like, except to the extent that we handle personal data from them.

3. The types of personal data we may collect

We may collect personal data directly from you, automatically from your device, from third parties, and indirectly from Inputs and Outputs sent to and from our AI Services.

Below, we detail the broad types of personal data we may collect depending on how you interact with our Services.

3.1. Personal data collected from you

We may collect:

  • Account and profile data, such as your name, email address, company name, login credentials, account preferences and authentication details.
  • Billing and transaction data, such as billing contact details, subscription information, usage records needed for charging, invoices, tax information and limited payment-related information. Full payment card details are handled by our payment processors rather than being stored by us.
  • Communications, such as information you include in support requests, contact forms, emails and other correspondence with us.
  • Feedback, such as survey responses, reviews, ratings, bug reports and other information you choose to provide to us about our Services.
  • Identity and access data provided through optional third-party sign-in methods, such as Google or GitHub, if you choose to use them.

3.2. Personal data collected automatically

We may collect:

  • Technical and device data, such as IP address, approximate location derived from IP, browser type, device type, operating system, referring pages, timestamps and similar technical metadata.
  • Platform and website usage data, such as log data, navigation events, page views, account events, session information and interactions with our Services.
  • Security and abuse-prevention data, such as records generated to detect fraud, misuse, unauthorized access, service abuse, sanctions risk and other harmful or unlawful activity.

3.3. Personal data received from third parties

We may receive personal data from:

  • Authentication providers you choose to use, such as Google or GitHub.
  • Payment and billing providers.
  • Service providers who help us operate, secure or support the Services.
  • Other users or organizations that invite you to use the Services or identify you as an account administrator, billing contact or authorized user.

3.4. Personal data received through Inputs and Outputs

In the course of interacting with our artificial intelligence and machine learning models, algorithms, systems, tools, applications, technologies and other AI-powered products and services that we offer (the “AI Services”) you may provide inputs to such AI Services (“Inputs”) that, in response to your Inputs, provide you with generated outputs (“Outputs”).

Inputs and Outputs may contain personal data.

4. How we use personal data

We only use personal data where we have a lawful basis to do so and a legitimate and disclosed purpose, including to:

  • Provide, operate, maintain and secure the Services.
  • Create and manage accounts, organizations, API keys and user access.
  • Authenticate users and verify eligibility to use paid Services.
  • Meter usage, administer subscriptions, generate invoices, collect payments and maintain billing records.
  • Communicate with users about accounts, transactions, updates, service changes, security matters and support requests.
  • Troubleshoot errors, investigate incidents, diagnose performance issues and improve reliability, security and usability.
  • Detect, prevent and respond to fraud, abuse, misuse, sanctions risk and unlawful activity.
  • Comply with legal obligations, regulatory requirements, law enforcement requests and lawful process.
  • Establish, exercise or defend legal claims.
  • Maintain audit trails, backups and business continuity processes.
  • Send service-related or, where permitted, marketing communications where you have not opted out of such communications.
  • Use feedback you provide to improve our Services.

We do not sell personal data.

5. How we disclose personal data

Where there is a legitimate purpose to do so, we may disclose personal data to:

  • Service providers and subprocessors that help us provide the Services, including hosting, infrastructure, email delivery, billing, error monitoring, security, support and content delivery providers.
  • Payment and billing providers, including Stripe, to administer subscriptions, usage-based billing and payments.
  • Communications providers, such as email and transactional messaging providers.
  • Cloud, hosting and infrastructure providers used to host, secure and deliver the Services.
  • Professional advisers, such as legal, accounting, insurance and audit advisers.
  • Corporate transaction participants, where disclosure is reasonably necessary in connection with an actual or proposed merger, acquisition, financing, asset sale, reorganization or similar transaction.
  • Law enforcement, regulators, courts and other authorities, where required by law or reasonably necessary to protect rights, property, safety or the integrity of the Services.
  • Other parties at your direction or with your consent.

We require service providers that process personal data on our behalf to handle it under appropriate confidentiality, security and data protection obligations.

6. Lawful bases for processing personal data

Depending on the context, we will process personal data on one or more of the following lawful bases:

  • Performance of a contract, where processing is necessary to provide the Services you request, manage your account, authenticate access, meter usage or administer billing.
  • Legitimate interests, where processing is necessary for our legitimate interests, including securing the Services, preventing abuse, maintaining system reliability, improving the Services, communicating with customers, administering our business and protecting our legal rights, provided those interests are not overridden by your rights.
  • Legal obligation, where processing is required to comply with applicable law, including tax, accounting, sanctions, corporate, consumer protection and law-enforcement obligations.
  • Consent, where we rely on your consent, for example, for certain cookies, some marketing activities or other optional processing.

7. No persistent retention of Inputs and Outputs

When you use our AI Services, Inputs and Outputs are processed in order to provide such services. By default, we do not retain Inputs and Outputs under normal operations.

An exception is when an error is raised, in which case Inputs or Outputs or fragments thereof may be sent to Sentry (an error monitoring platform) solely for the purpose of assisting us with identifying and resolving the cause of the error.

We may also persist Inputs and Outputs if you expressly opt in or provide feedback on them.

8. No training on Inputs and Outputs

We will not train our models on Inputs and Outputs except where you expressly consent to doing so, for example, by opting in to training on them if and when that ever becomes possible or by providing feedback regarding those Inputs and Outputs.

9. Retention of personal data other than Inputs and Outputs

For types of personal data other than Inputs and Outputs, we may retain such data depending on the purpose for which the data was collected or received and our legal obligations. For example:

  • Account, contract and billing records are retained for as long as the account remains active and thereafter for as long as reasonably necessary for billing, tax, accounting, audit, dispute resolution and legal compliance purposes.
  • Usage metadata is retained for as long as reasonably necessary to authenticate access, administer subscriptions, meter and bill usage, maintain service integrity, investigate incidents, prevent abuse, report usage, and meet legal and audit obligations.
  • Support and communications records are retained for as long as reasonably necessary to respond to the request, improve support quality, maintain service continuity and protect our legal interests.
  • Security, audit and incident records are retained for as long as reasonably necessary to detect, investigate, remediate and document security or operational incidents and to comply with legal obligations.
  • Website and cookie-related information is retained in accordance with the applicable purpose, your settings, our cookie practices and legal requirements.

When personal data is no longer reasonably required, we will delete it, anonymize it, or de-identify it, unless we are required or permitted by law to retain it.

10. International processing and storage

Isaacus is based in Australia but operates internationally. The vast majority of our critical infrastructure is located in the United States, with our own internal services operating from Australia.

We provide a comprehensive, up-to-date list of our subprocessors and their locations in the Isaacus Trust Center.

Currently, our infrastructure is arranged as follows:

  • We use Cloudflare for DNS, proxying, WAF, DDoS protection, and storing static media in R2 buckets located in Western North America (WNAM).
  • We use Azure for hosting the Isaacus Platform and Isaacus API, including our user database, all of which are located in the United States.
  • We use AWS for hosting and serving our models in the United States and proxying communication between our Azure-based Isaacus API and our AWS-based inference servers through AWS Global Accelerator.
  • We use Sentry for monitoring errors.
  • We use Stripe for billing.
  • Our public website, including our contact and support forms, is hosted on Hetzner in Hillsboro, Oregon, using WordPress through RunCloud.
  • We use Mintlify to host our documentation.
  • We use Google Analytics to collect analytics on usage of the Website.
  • We use Microsoft 365 to send personal emails, SendGrid for marketing emails and for storing customer names and email addresses, and AWS SES in the United States for transactional emails, such as all emails sent by the Isaacus Platform.

Where required by applicable law, we take reasonable steps to ensure your personal data is handled in a manner consistent with applicable privacy requirements. For personal data subject to the GDPR, this may include using contractual safeguards such as the European Commission’s standard contractual clauses or relying on another valid transfer mechanism.

11. Security

We take reasonable technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, misuse and loss. Such measures may include encrypting Inputs and Outputs in transit, hashing secrets, using firewalls, and implementing authentication, monitoring, and administrative safeguards.

12. Your rights and choices

Depending on where you are located and subject to applicable law, you may have rights to:

  • Request access to personal data we hold about you.
  • Request correction of inaccurate or incomplete personal data.
  • Request deletion of personal data in certain circumstances.
  • Request restriction of processing in certain circumstances.
  • Object to processing carried out on the basis of legitimate interests in certain circumstances.
  • Withdraw consent where processing is based on consent.
  • Request portability of certain personal data.
  • Complain to a privacy regulator.

To exercise your rights, please contact us at [email protected]. We may need to verify your identity before acting on your request.

13. Children

Our Services are not intended for anyone under the age of 18 or the minimum age required by law to be able to consent to access and use our Services, whichever is higher. Our Services are also not intended for those lacking legal capacity to enter into binding contracts. We do not intentionally gather personal data from such individuals. If you become aware that a minor has provided us with personal data, please notify us at [email protected].

14. Complaints

If you have a complaint concerning the manner in which we maintain the privacy of your personal data, please contact us at [email protected]. We may seek further information from you to clarify your concerns. If we agree that your complaint is well founded, we will, in consultation with you, take appropriate steps to rectify the problem. If you remain dissatisfied with the outcome, you may refer the matter to the Office of the Australian Information Commissioner or your local supervisory authority.