Privacy Policy
Working pilot version — last updated 16 June 2026.
This is the version that governs the private pilot. It will be finalised with our lawyers ahead of public launch. Questions — legal@juriton.com.
1. Who we are
Juriton is a legal technology product operated by Vas Tech Operations Pty Ltd (ACN 699 082 409 / ABN 73 699 082 409), trading as Juriton ("Juriton", "we", "our", "us"). We can be reached at:
- Email: privacy@juriton.com
- Post: 33 Wheatland Rd, Malvern VIC 3144
This Privacy Policy describes how we collect, use, store, disclose, and protect personal information when you use the Juriton platform, website, and related services (together, the "Service"). It applies to customers, users, and prospective customers.
We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"). If you are located outside Australia, additional rights may apply under your local law (see §10).
2. What we collect
2.1 Account and organisation data
- Your name, email, phone number (if provided), role, and password hash
- The name of your firm or chambers, business address, ABN (if applicable)
- Billing details (handled directly by Stripe — we store a customer identifier, never full card numbers)
2.2 Matter and client data
When you create matters and upload documents, we process:
- The client's name and matter identifiers you choose to record
- Documents you upload (pleadings, affidavits, correspondence, discovery material, etc.)
- Your chat history and generated outputs (summaries, chronologies, cross-examination drafts, witness statements)
This data frequently contains information subject to legal professional privilege. We treat it accordingly — see §6.
2.3 Usage data
- Log data: IP address, browser, device type, pages visited, time spent, actions taken
- Error reports and performance telemetry
- OAuth tokens if you connect Google Drive or Microsoft 365 — and other integrations as they launch — used only to fetch documents you explicitly select
2.4 Communications
- Support emails, feedback, survey responses
We do not collect sensitive information as defined in the Privacy Act (health, race, political opinion, etc.) unless you choose to upload it as part of a matter.
3. How we use your information
We use personal information to:
- Provide, operate, and improve the Service
- Authenticate you and secure your account
- Process payments and manage subscriptions
- Generate AI outputs you request (summaries, chronologies, chat responses, etc.)
- Respond to support and feedback
- Comply with legal obligations (including the Australian Privacy Act, Cyber Security Act 2024, and taxation laws)
- Detect, prevent, and respond to fraud, abuse, and security incidents
We do not train AI models on your content. The Anthropic and OpenAI APIs we use are configured so customer content is not used for model training.
4. Who we share it with
We use the following third-party service providers ("sub-processors") to deliver the Service:
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase (AWS) | Database, authentication, object storage | Account, matter, document data | Australia (Sydney, ap-southeast-2) |
| Vercel | Application hosting, compute | Request logs, minimal app data | Australia (Sydney) |
| Anthropic | LLM inference (Claude) | Document text and prompts at time of processing | United States |
| Mistral AI | Document OCR (text extraction) | Document images and text at time of processing | European Union (France) |
| OpenAI | Text embeddings | Document text at time of processing | United States |
| Stripe | Payments | Billing details | United States / Australia |
| Resend | Transactional and product email | Email address, email content | United States |
| Attio | Customer relationship management (waitlist, contact and demo enquiries) | Name, email, firm, enquiry details | United States / European Union |
| PostHog | Product analytics (content-free usage events) | Usage events, device and approximate location | European Union |
| Slack | Internal notifications of form submissions | Only what you submit via our forms | United States |
We also share information when you explicitly connect an integration (such as Google Drive or Microsoft 365) — and only for the scope you authorise.
We do not sell personal information. We do not share personal information for advertising.
We may disclose information when required by law, to enforce our Terms, or to protect the rights, property, or safety of Juriton, our users, or others — including in response to valid legal process.
5. Where your data is stored
Primary data — your account, matters, documents, and generated outputs — is hosted in Australia (Sydney, AWS ap-southeast-2). LLM inference and text embeddings currently run in the United States via Anthropic and OpenAI; we plan to move LLM inference onshore to Australia via Google Cloud Vertex AI, and will update this policy when that change takes effect. Document OCR (Mistral AI) and content-free product analytics (PostHog) are processed in the European Union.
By using the Service, you consent to the cross-border transfer of your personal information to the United States and the European Union as described above. We take reasonable steps to ensure overseas recipients handle your information consistently with the APPs (APP 8).
6. Legal professional privilege
Juriton is designed to be used with privileged material. We treat all customer content as potentially privileged and:
- Limit access to customer content to the minimum necessary for operating the Service
- Do not review customer content except when responding to an explicit support request from you
- Do not use customer content to train AI models
- Maintain audit logs of administrative access to customer data
We cannot guarantee the legal status of privilege in every jurisdiction or for every interaction with AI systems. You remain responsible for assessing whether use of the Service is appropriate for a given matter.
7. Security
We implement the following safeguards, consistent with APP 11:
- Encryption in transit (TLS 1.2+) and at rest (AES-256, managed by our cloud providers)
- Multi-factor authentication available and, for administrator accounts, required
- Role-based access control and row-level security to prevent cross-organisation access
- Audit logging of security-relevant events
- Continuous dependency scanning and security patching
- Independent penetration testing (planned ahead of general availability)
- Restricted administrative access on a need-to-know basis
No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you and the Office of the Australian Information Commissioner in accordance with the Notifiable Data Breaches scheme.
8. Retention
- Active account data is retained for the duration of your subscription plus 30 days
- Deleted accounts are purged from primary storage within 30 days and from backups within 90 days
- Audit logs are retained for 12 months
- Financial records are retained for 7 years as required by Australian tax law
- You may request earlier deletion; legal holds may apply
9. Your rights
Under the APPs, you have the right to:
- Access the personal information we hold about you (APP 12)
- Correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13)
- Opt out of direct marketing at any time
- Complain about our handling of your information (to us first; to the OAIC if unresolved)
To exercise these rights, email privacy@juriton.com. We will respond within 30 days.
If you are in the European Economic Area or the United Kingdom, additional rights (erasure, portability, restriction, objection) may apply under the GDPR / UK GDPR. Contact us and we will treat your request consistently with those frameworks.
10. International users
The Service is hosted for Australian use. If you access it from outside Australia, you are transferring your information to Australia and to our sub-processor jurisdictions listed in §4. By using the Service you consent to this transfer.
11. Cookies and tracking
We use strictly necessary cookies for authentication and core functionality, and a limited set of first-party analytics cookies. We do not use third-party advertising trackers. A cookie preferences control is available in-product.
12. Children
The Service is not directed at children under 18. We do not knowingly collect personal information from children.
13. Changes to this policy
We may update this policy from time to time. If changes are material, we will notify you by email and in-product at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
14. Contact
Questions, access requests, or complaints:
If you are dissatisfied with our response, you may complain to:
Office of the Australian Information Commissioner (OAIC)
- Post: GPO Box 5288, Sydney NSW 2001
- Phone: 1300 363 992
- Web: https://www.oaic.gov.au
Version 0.2 — last updated 16 June 2026. This policy will be finalised with Australian privacy counsel ahead of full public launch.