Privacy Policy
This Privacy Policy describes how Ross ("Ross," "we," "us," or "our") collects, uses, discloses, and protects information when you visit our website, sign up for an account, or use the Ross platform — the agentic AI paralegal service designed for personal injury law firms (collectively, the "Service").
We've tried to write this in plain English. Where we use legal terminology — controller, processor, PHI — we do so deliberately and for clarity, not to obscure. If anything below is unclear, email inquiries@rosspara.legal and we'll explain.
The short version. We collect what we need to run the Service: your account info, what you do on the platform, and the case data your firm puts into it. We use that information to operate the Service, keep it secure, comply with the law, and — if you opt in — to make Ross better. We do not sell personal information. We do not use your firm's case files to train general-purpose AI models. We treat protected health information (PHI) under a Business Associate Agreement.
§ 1 Quick reference
Use this as a fast-glance summary. The full text below controls if there's any conflict.
§ 2 Who we are and what this Policy covers
Ross is a software service operated under the trade name "Ross." Where this Policy refers to "Ross," "we," "us," or "our," we mean the team responsible for operating the Service. We are working through formation of a corporate entity; once that entity is registered, we will update this Policy to reflect its name and address. Until then, the responsible parties may be reached at the address below.
This Policy applies to:
- Visitors to our marketing website at rosspara.legal and any subdomain;
- Authorized users at customer law firms ("Firm Users") who sign in to the Service;
- Individuals whose information is submitted to the Service by a customer firm (for example, the firm's clients, opposing parties, witnesses, and providers); and
- People who contact us by email, phone, or other channels.
This Policy does not apply to third-party services that integrate with Ross — for example, your firm's email system, e-fax provider, or court e-filing portal. Their privacy practices are governed by their own policies.
§ 3 Information we collect
We collect information in three ways: information you give us directly, information collected automatically when you use the Service, and information your firm submits in the course of using Ross.
3.1 Information you provide directly
- Account information. Your name, work email address, role at the firm, and the firm name. If you set up SSO, we receive the identity attributes that your firm's identity provider sends us.
- Authentication information. A salted hash of your password (we never see or store the password itself), recovery email, and — if enabled — multi-factor authentication factors.
- Communications with us. If you email support, request a demo, or fill out a contact form, we keep what you sent and our reply for as long as needed to handle the matter and demonstrate the response history.
- Payment information. If your firm subscribes to a paid plan, our payment processor collects billing details on our behalf. We receive only the metadata we need to recognize payments (e.g., invoice number, last four digits of a card, billing email).
3.2 Information collected automatically
- Usage and audit data. When you use the Service we record what pages you view, which controls you interact with, the sequence of actions Ross takes on your firm's behalf, the model and tool calls used, the cost and duration of each tool run, and the time you spend on each screen. These records form the audit trail your firm needs to supervise AI-assisted work.
- Device and connection data. Browser type and version, operating system, screen and viewport dimensions, language and time zone, hardware characteristics that the browser exposes (such as logical CPU count and approximate device memory), referrer, and the IP address from which you connect.
- Approximate location. We derive an approximate city and country from the IP address. We do not collect precise (GPS-level) location.
- Cookies and similar technologies. See Section 5.
- Server logs. Standard request, error, and security logs (headers, status codes, timing) generated by our servers and infrastructure providers.
3.3 Information from third parties
We may receive information about you from:
- Your firm's identity provider (Okta, Google Workspace, Microsoft 365, etc.) when you sign in via SSO;
- Your firm's administrators when they invite you, change your role, or remove your access;
- Public IP geolocation providers we use to enrich audit records;
- Fraud-prevention and abuse-detection services that help us identify suspicious sign-ins; and
- Service providers and integrations that your firm has connected to Ross.
3.4 Customer Data
"Customer Data" means information that your firm or its users submit to or store in the Service in the course of using it — case files, client and provider names, medical records, billing exhibits, demand drafts, communications Ross sends or receives on the firm's behalf, transcripts of voice calls Ross places, and the like.
Your firm is the controller (or "business" under CCPA) of Customer Data. We are a processor (or "service provider"). We process Customer Data only on your firm's documented instructions, including those reflected in these Terms, your subscription order, and our Data Processing Addendum.
If Customer Data includes Protected Health Information, the additional rules in Section 13 apply.
§ 4 How we use information
We use the information described above for these purposes, and only these:
- Provide the Service. Authenticate you, render your firm's workspace, run the agentic actions you direct (calls, drafts, records requests), maintain the audit trail, and generally make the product work.
- Secure the Service. Detect and respond to abuse, fraud, account takeover, malware, and other security events. Investigate incidents and notify affected parties when required.
- Support and communicate with you. Respond to support tickets, send service announcements (downtime, security advisories), and — for marketing communications, only with consent or as permitted under applicable law — send product updates you can opt out of at any time.
- Comply with the law. Meet our obligations under applicable laws, including responding to lawful subpoenas, court orders, and similar legal process; cooperating with regulators where we are required to do so.
- Improve the Service. Aggregate, anonymized usage analytics help us understand which features are used and where the product breaks. Where we use Customer Data to improve features (for example, to refine how Ross drafts demands), we do so only on your firm's election and only at the firm level — never combined with other firms' Customer Data.
- Bill and account. Issue invoices, calculate usage, and reconcile payments.
We do not use information about you to make solely automated decisions that produce legal or similarly significant effects on you.
§ 5 Cookies and similar technologies
We use a small number of cookies and equivalent technologies (such as localStorage) to operate the Service. We do not use third-party advertising or behavioral-tracking cookies.
The categories we use are:
- Strictly necessary. Authentication, session management, CSRF protection, and load balancing. Without these, the Service does not function. They cannot be disabled through the Service.
- Functional. Remembering your firm's display preferences, the last view you opened, and saved filters.
- Audit and security. Recording session identifiers and audit metadata. These power the internal audit trail your firm relies on to supervise AI-assisted work.
- Aggregate analytics. Anonymous, sampled telemetry that helps us identify which screens are slow or which features are unused. Disabling these will not affect your experience of the Service.
You can control most cookies through your browser. If you block strictly-necessary cookies, the Service will not work.
§ 6 How and when we share information
We do not sell or rent personal information. We share information only in these limited circumstances:
6.1 Service providers (subprocessors)
We rely on a short list of vetted vendors to operate the Service — for example, cloud infrastructure, email delivery, telephony for outbound voice calls, error monitoring, and IP geolocation. Each subprocessor is contractually bound to confidentiality obligations and processes data only as instructed.
The current list of subprocessors is available on request from inquiries@rosspara.legal. We notify customers of new subprocessors before they begin processing Customer Data.
6.2 Legal and safety
We may disclose information to comply with applicable law, regulation, legal process, or governmental request; to protect the rights, property, and safety of Ross, our users, or the public; and to enforce our Terms of Service. Where legally permitted, we will attempt to notify your firm before producing Customer Data in response to legal process.
6.3 Business transfers
If Ross is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. We will notify you and provide reasonable notice and choice before personal information becomes subject to a different privacy policy.
6.4 With your consent
We share information for any other purpose disclosed to you and with your consent.
§ 7 AI training and model improvement
This is one of the most common questions we get, and we want the answer in writing.
- We do not use Customer Data to train general-purpose foundation models, our own or anyone else's.
- The third-party model providers we use (for example, our voice-synthesis and large-language-model providers) are contractually prohibited from training their models on inputs and outputs generated through the Service. Their zero-retention or limited-retention policies are part of how we choose them, and we will not switch to providers that do not offer equivalent terms.
- Where we use Customer Data to improve Ross — for example, to refine how a particular firm's drafts read, or to fine-tune a small model used for that firm's intake routing — we do so only at the firm level. The resulting improvements stay within that firm's tenancy and are not exposed to other customers.
- Aggregated, fully de-identified usage statistics (e.g., "median time-to-records-receipt across all firms is 19 days") may be used in our marketing and product-development work. These statistics cannot reasonably be used to identify any person, case, or firm.
§ 8 Data retention
We keep personal information for as long as we have a legitimate, ongoing reason to do so. Specific defaults:
- Account information — for the life of the account, plus 30 days after deletion to support reversal of accidental deletions.
- Customer Data — per your firm's subscription contract. On termination, Customer Data is deleted within 60 days of the end of the post-termination return period, unless we are required to retain it longer by law (for example, to comply with a litigation hold).
- Audit logs and immutable records — seven (7) years from creation, in keeping with attorney supervision and recordkeeping norms. We retain these even after Customer Data is deleted, because the audit log is a record of what was done, not the underlying content.
- Marketing-website analytics — 13 months.
- Support correspondence — 3 years.
§ 9 Security
We design and operate Ross with the threat model of a regulated profession in mind. Our practices include:
- Encryption in transit (TLS 1.2+) for all communications with the Service;
- Encryption at rest for Customer Data and account credentials;
- Strong authentication, including support for SSO and TOTP-based MFA;
- Least-privilege access controls and just-in-time elevated access for production systems, with all elevated access logged;
- Network segmentation between customer tenancies and clear separation between production and non-production environments;
- Continuous logging and alerting on anomalous activity;
- Annual security review against an industry-recognized control framework, with a written incident-response plan and tabletop exercises;
- Secure software development practices, including code review, dependency scanning, and pre-deployment review of changes that touch authentication, access control, or Customer Data handling.
No system is perfectly secure. If we discover a breach affecting your information, we will notify you and the relevant authorities as required by law and as quickly as we can reasonably investigate and characterize the incident.
§ 10 International data transfers
Ross is operated from, and primarily processes data in, the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have data-protection laws that differ from those of your country.
For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) and on supplementary measures appropriate to the data being transferred. We are also prepared to certify under the EU-U.S. Data Privacy Framework when our enrollment is complete.
§ 11 Children's privacy
The Service is intended for use by adult professionals at law firms. We do not knowingly collect information directly from children under 16. If we learn that we have collected such information, we will delete it. (Note that the Service may incidentally process information about minors when, for example, a minor is the injured party in a personal-injury matter; in those cases, the firm is the controller and is responsible for handling that information lawfully.)
§ 12 Your rights and choices
12.1 All users
You can:
- Update your account profile from within the Service;
- Ask your firm's administrator to remove your access;
- Request a copy of the personal information we hold about you;
- Ask us to correct information that is inaccurate;
- Ask us to delete your information, subject to the retention rules above and any contractual obligations to your firm;
- Opt out of marketing email by clicking the unsubscribe link in any marketing message; transactional and security emails are not opt-out-able while you have an account.
To exercise any of these rights, email inquiries@rosspara.legal. We will respond within the time required by applicable law (and in any event within 45 days).
12.2 California (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. Subject to verification of your identity and to certain exceptions, you may:
- Know what personal information we have collected about you, and how we have used and disclosed it;
- Receive a copy of the personal information we hold about you in a portable format;
- Request deletion of personal information we hold about you;
- Correct inaccurate personal information we hold about you;
- Limit the use and disclosure of sensitive personal information;
- Be free from retaliation for exercising any of these rights.
We do not "sell" personal information or "share" it for cross-context behavioral advertising as those terms are defined under the CPRA. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.
To submit a request, email inquiries@rosspara.legal. You may use an authorized agent; we will require written proof of authorization.
12.3 European Economic Area, United Kingdom, and Switzerland
Where the GDPR or UK GDPR applies, you have the rights of access, rectification, erasure, restriction, data portability, and objection, as well as the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we don't make such decisions about you).
The legal bases on which we process personal information include performance of a contract, our legitimate interests in operating and securing the Service, compliance with legal obligations, and — where applicable — your consent.
You have the right to lodge a complaint with your local supervisory authority. We hope you'll let us try to resolve any concern first by emailing inquiries@rosspara.legal.
§ 13 HIPAA and Protected Health Information
When a customer firm causes the Service to receive, store, transmit, or otherwise handle Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), we act as a Business Associate of the firm. The terms of a separately executed Business Associate Agreement ("BAA") govern that handling.
To the extent of any conflict between this Privacy Policy and a signed BAA with respect to PHI, the BAA controls. Customers without a signed BAA must not submit PHI to the Service.
§ 14 Changes to this Policy
We will update this Policy from time to time. When we do, we will revise the "Effective" and "Last updated" dates at the top. If a change is material, we will provide notice — for account holders, by email and an in-product notice; for visitors, by a banner on the marketing site — at least 14 days before the change takes effect, except where a shorter period is required by law.
Your continued use of the Service after a change becomes effective constitutes acceptance of the updated Policy. If you do not agree to the change, you should stop using the Service and ask your firm's administrator to remove your account.
§ 15 How to contact us
For privacy questions, requests, or complaints, email us at inquiries@rosspara.legal with "Privacy" in the subject line. We aim to acknowledge requests within 7 days and resolve them within 45.
For HIPAA-specific concerns, mark the subject "BAA / HIPAA" so the right person sees it first.
A note on entity status. Ross is operated by a team currently in the process of forming a U.S. corporate entity. Once that entity is registered, this Policy will be updated to identify it by name and registered address. Until then, the human beings responsible for the Service can be reached at the email address above.