Legal Policy

Privacy Policy

The RAG Group LLC - Case Strategy Services
Effective Date: June 8, 2026 · Last Updated: June 8, 2026

Summary for legal professionals: Search queries are processed by OpenAI (embedding) and Anthropic (summary); both are contractually barred from training on your inputs. We do not sell your data or use it to train AI. Attached documents are processed in memory only and never stored. We recommend anonymizing client-identifying information before submitting queries. This summary is for convenience only - the full policy governs.

Contents

Who We Are
Scope of This Policy
Information We Collect
How We Use Your Information
How Your Queries Are Processed
Cookies and Tracking Technologies
How We Share Your Information
Data Retention
Security
Your Rights
Attorney-Specific Considerations
Children's Privacy
Changes to This Policy
Contact Us

1. Who We Are

The RAG Group LLC ("Company," "we," "us," or "our") operates Case Strategy Services, an AI-powered legal research platform for VA disability attorneys. We are a limited liability company organized under the laws of the State of California, headquartered at 2108 N Street, Suite N, Sacramento, CA 95816.

Privacy Contact:
Email: clientservices@projectrag.net
Mailing: The RAG Group LLC, 2108 N Street, Suite N, Sacramento, CA 95816

For GDPR/international data inquiries, the same contact applies. We will respond within 30 days.

2. Scope of This Policy

This Privacy Policy applies to:

The Case Strategy Services web application and all associated services (collectively, the "Service")
The Case Strategy Services marketing website (projectrag.co, projectrag.net, and associated domains)
All personal information collected in connection with user registration, subscription management, and use of the Service

This Policy does not apply to:

Third-party websites linked from the Service
Information processed by third-party services you use independently of Case Strategy Services

3. Information We Collect

3.1 Information You Provide Directly

At Registration / Checkout

Full name
Work email address
Law firm name
Payment card information (collected and stored by Stripe, Inc. - we never see or store raw card numbers)

During Use

Search queries and prompts submitted to the Service
Documents you choose to attach (PDF or TXT) to provide context for a query or to draft an argument. Attached documents are processed in memory only and are never stored on our servers - see Section 5 for the processing pipeline.
Feedback or support messages sent to clientservices@projectrag.net

3.2 Information Collected Automatically

Authentication & Session Data (via Clerk, Inc.)

User ID, session tokens, and authentication credentials
Login timestamps and session duration
Organization/firm membership and seat assignments

Usage and Technical Data

IP address (used for rate limiting: 20 queries/minute, 200 queries/day; logged for security purposes)
Browser type and version
Operating system
Pages visited within the Service and timestamps
Query submission timestamps

Rate Limit and Security Logs

IP addresses triggering rate limit violations
Detected prompt injection attempts (query snippet logged for security review)

3.3 Information We Do Not Collect

We do not collect Social Security numbers, veterans' service numbers, DoD identification numbers, or any protected health information (PHI). Submitting PHI to the Service is prohibited under our Terms of Service.
We do not retain the content of client files, documents, or communications. Documents you attach are processed transiently in memory to fulfill your request and are never written to persistent storage (see Section 5).
We do not use cookies for advertising or cross-site tracking.

4. How We Use Your Information

Purpose	Legal Basis (GDPR)	Data Used
Delivering the Service (processing queries, returning results)	Performance of contract	Queries, account credentials, session data
Processing payments and managing subscriptions	Performance of contract	Email, firm name; payment data processed by Stripe
Authentication and access control	Performance of contract	Email, session tokens, org membership
Rate limiting and security enforcement	Legitimate interests	IP address, query timestamps
Responding to support requests	Legitimate interests	Email, message content
Detecting and preventing fraud, abuse, and security threats	Legitimate interests	IP address, usage patterns, security logs
Complying with legal obligations	Legal obligation	As required by applicable law
Improving service reliability (aggregated, de-identified analytics only)	Legitimate interests	Anonymized usage metrics - never individual queries

We do not use your data for:

Advertising or marketing to third parties
Training AI models (ours or anyone else's)
Profiling for automated decision-making that produces legal effects
Sale to data brokers or third parties

5. How Your Queries Are Processed

Every search query you submit passes through the following pipeline. We disclose this in full because attorneys have professional obligations regarding client data.

Optional - Attached Documents. If you attach a document (PDF or TXT) for context or to draft an argument, its text is extracted in your browser where possible. For scanned/image-based PDFs with no selectable text, page images are sent to Anthropic's Claude API for optical character recognition (OCR). Extracted text is used solely as context for your request, is capped to a limited number of characters before being sent to the AI, and is processed in memory only - never written to persistent storage. Anthropic processes this content under an agreement prohibiting use of API inputs for model training.

Step 1 - Embedding (OpenAI, Inc.). Your query text is sent to OpenAI's text-embedding-3-large API to generate a vector representation. OpenAI processes this under an agreement that prohibits using API inputs to train or improve its models. OpenAI's API data usage policy is available at openai.com/policies/api-data-usage-policies.

Step 2 - Vector Search (Qdrant). The resulting vector is used to search our case law database hosted on Qdrant Cloud. No identifiable user information is passed to Qdrant at this step - only the query vector.

Step 3 - Summary Generation (Anthropic, PBC). Retrieved document excerpts and your original query are sent to Anthropic's Claude API to generate a summary. Anthropic processes this under an agreement prohibiting use of API inputs for model training. Anthropic's privacy practices are available at anthropic.com/legal/privacy.

Step 4 - Response Delivery (Vercel / DigitalOcean). Results are returned to your browser via our Vercel-hosted frontend and DigitalOcean-hosted backend.

Query Log Retention: Query logs are retained on our backend only for a limited period necessary for security monitoring and service integrity, after which they are deleted. Queries are not linked to individual client matters in our systems.

Attorney Recommendation: We recommend anonymizing or generalizing queries wherever possible to avoid including identifying client information. Consult applicable state bar ethics opinions on cloud-based AI services before submitting matter-specific queries.

6. Cookies and Tracking Technologies

6.1 Cookies We Use

Cookie / Technology	Provider	Purpose	Duration
Session token	Clerk, Inc.	Authentication - maintains your logged-in state	Session / up to 7 days
CSRF token	Clerk, Inc.	Security - prevents cross-site request forgery	Session
Google Fonts	Google LLC	Typography rendering (CSS/font files only - no tracking pixel)	Browser cache

We do not use:

Advertising cookies
Third-party analytics cookies (e.g., Google Analytics)
Cross-site tracking pixels or beacons
Fingerprinting technologies

6.2 Managing Cookies

You may configure your browser to block or delete cookies. Blocking session cookies will prevent login and use of the Service. Blocking Google Fonts cookies will cause font fallbacks but will not affect Service functionality.

7. How We Share Your Information

We do not sell personal information. We share information only as follows:

7.1 Subprocessors

The following vendors process data on our behalf to deliver the Service. Each is bound by the data processing terms of its respective agreement and is prohibited from using your data for its own purposes beyond service delivery.

Subprocessor	Function	Data Shared	Data Residency
OpenAI, Inc.	Query embedding	Query text	United States
Anthropic, PBC	AI summary generation & document OCR	Query text, retrieved excerpts, attached document text	United States
Qdrant GmbH	Vector database (Qdrant Cloud)	Query vectors, document metadata	EU / United States
Clerk, Inc.	Identity & access management	Name, email, session credentials	United States
Stripe, Inc.	Payment processing	Billing info, email	United States
Vercel, Inc.	Frontend hosting & CDN	Browser requests, session tokens	United States
DigitalOcean, LLC	Backend hosting	Application data, server logs	United States

7.2 Legal Requirements

We may disclose information if required by law, court order, or regulatory process. We will provide prompt notice to you before disclosure where legally permitted, so you may seek a protective order.

7.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred to the successor entity. We will notify you via email and in-app notice before your information becomes subject to a different privacy policy.

7.4 With Your Consent

We may share information for other purposes with your prior written consent.

8. Data Retention

Data Category	Retention Period
Account information (name, email, firm)	Duration of subscription; deleted upon verified request or within a commercially reasonable period after termination
Query logs	A limited period for security and service integrity, then deleted
Payment records	As required by Stripe and applicable tax/financial law (typically 7 years)
Security logs (IP, rate limit violations)	A limited period for security purposes, then deleted
Support correspondence	2 years from resolution
Aggregated, de-identified analytics	Indefinitely (no personal data retained)

Upon termination or expiration of your subscription, we will delete or anonymize your personal data upon verified request or within a commercially reasonable period, except where longer retention is required by law. You may request written confirmation of deletion.

9. Security

We implement the following technical and organizational measures:

In transit: TLS 1.2 or higher for all data transmissions between you and the Service and between the Service and its subprocessors
At rest: Encryption of stored data where supported by our database and hosting providers
Access controls: Least-privilege access; authentication required for all backend systems
Rate limiting: Rate limiting on API routes to prevent abuse
Breach notification: In the event of a data breach affecting your personal information, we will notify you within 72 hours of discovery, or within the timeframe required by applicable state law, whichever is sooner

Company intends to pursue SOC 2 Type II certification. We will announce attainment in the Service and via email to subscribers.

No security system is impenetrable. If you believe your account has been compromised, contact clientservices@projectrag.net immediately.

10. Your Rights

10.1 Rights Available to All Users

Regardless of location, you may:

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate information
Deletion: Request deletion of your account and associated data (subject to retention obligations under applicable law)
Data portability: Request your account data in a machine-readable format
Opt-out of marketing: Unsubscribe from any marketing emails using the unsubscribe link. Transactional emails (receipts, renewal notices, breach notifications) cannot be opted out while your subscription is active.

To exercise these rights, email clientservices@projectrag.net. We will respond within 30 days.

10.2 California Residents - CCPA Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share it.

Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions (e.g., legal obligations, security purposes).

Right to Correct: You may request correction of inaccurate personal information.

Right to Opt Out of Sale or Sharing: We do not sell personal information and do not share personal information for cross-context behavioral advertising. No opt-out mechanism is required because we do not engage in these activities.

Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.

Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

How to Submit a Request: Email clientservices@projectrag.net with "CCPA Request" in the subject line. We will verify your identity before processing the request and respond within 45 days (extendable by 45 additional days with notice).

Authorized Agent: You may designate an authorized agent to submit a CCPA request on your behalf by providing written authorization and verifying your identity directly with us.

CCPA Categories of Personal Information Collected:

CCPA Category	Collected	Sold	Shared
Identifiers (name, email, IP)	Yes	No	No (except subprocessors)
Commercial information (subscription, billing)	Yes	No	No (except Stripe)
Internet/electronic activity (queries, usage)	Yes	No	No (except subprocessors for delivery)
Professional/employment information (firm name, bar status)	Yes	No	No
Sensitive personal information	No	N/A	N/A

10.3 EEA, UK, and Swiss Residents - GDPR Rights

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and applicable national law:

Right of access (Article 15)
Right to rectification (Article 16)
Right to erasure ("right to be forgotten") (Article 17)
Right to restriction of processing (Article 18)
Right to data portability (Article 20)
Right to object to processing based on legitimate interests (Article 21)
Right not to be subject to automated decision-making (Article 22) - we do not make automated decisions with legal effects based on your personal data

Legal Bases for Processing: See the table in Section 4.

Data Transfers: Personal data of EEA/UK/Swiss residents is processed in the United States. Where required for such transfers, we will put in place appropriate safeguards, such as the European Commission's Standard Contractual Clauses. Contact clientservices@projectrag.net regarding international data-transfer terms.

Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ico.org.uk).

11. Attorney-Specific Considerations

11.1 Professional Responsibility

Attorneys using the Service remain solely responsible for compliance with applicable Rules of Professional Conduct, including:

ABA Model Rule 1.6 (and state analogues): Duty of confidentiality. Attorneys should consider whether including client-identifying information in search queries is consistent with their confidentiality obligations. We recommend anonymizing queries.
ABA Model Rule 1.1 (Competence): Attorneys are responsible for understanding the nature of AI-assisted research and verifying all outputs before use.
Court disclosure rules: Some federal courts require disclosure of AI-assisted work product. Attorneys bear sole responsibility for compliance with applicable court rules.

11.2 Attorney-Client Privilege

Company processes User Content as a third-party service provider in circumstances intended to preserve applicable legal privileges, consistent with the common-interest doctrine and the functional-equivalent-of-employee doctrine as recognized in applicable jurisdictions. However, the applicability of these doctrines varies by jurisdiction and is not guaranteed. Attorneys are advised to consult qualified counsel regarding privilege implications before submitting privileged content to any third-party service.

Company will assert applicable privileges to resist compelled disclosure of User Content in legal proceedings to the extent permitted by law.

11.3 No PHI

The Service is not HIPAA-compliant. Do not submit protected health information (PHI). If you inadvertently submit PHI, notify us immediately at clientservices@projectrag.net.

12. Children's Privacy

The Service is intended exclusively for licensed attorneys and law firm personnel. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that a minor has provided personal information, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes - defined as changes that expand data collection, alter data sharing practices, or materially reduce your rights - we will provide at least 30 days' prior notice via email and in-app notification before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

Prior versions of this Privacy Policy are archived and available upon request at clientservices@projectrag.net.

14. Contact Us

For privacy questions, rights requests, or data inquiries:

The RAG Group LLC
2108 N Street, Suite N, Sacramento, CA 95816
Email: clientservices@projectrag.net

For DMCA notices: clientservices@projectrag.net

For GDPR/international data requests, include "GDPR Request" in the subject line. Response within 30 days.