
Privacy Policy
Effective Date: November 26th, 2025
1. Overview
Notal LLC ("Notal," "we," "our," or "us") provides an AI-powered business operations management platform that helps organizations organize, analyze, and manage client and matter information securely. We are committed to protecting your privacy and maintaining the confidentiality of all data stored within the platform.
2. Information We Collect
We collect and process information necessary to provide and improve our services:
- Account information: name, email, organization, role, and authentication credentials.
- Usage data: interactions within the app, feature activity, and performance metrics.
- Workspace content: files, notes, and communications you or your organization choose to store within Notal. We process this data only to provide the platform's functionality and never access or share it without authorization.
- Technical data: browser type, device information, IP address, and cookies for session management and security.
3. How We Use Information
We use your information only to operate and improve the Notal platform in a secure, confidential manner. Specifically, we:
- Provide and maintain workspace functionality and user authentication;
- Enforce access controls, security, and audit policies;
- Offer AI-assisted tools that operate within your private workspace only and do not send prompts, documents, or outputs to any external model providers for training or retention. Your data is never used to train external models;
- Communicate service updates and respond to support requests; and
- Comply with legal and regulatory requirements.
We do not sell, rent, train on, or otherwise disclose personal or client data to third parties.
4. Data Security and Storage
All data is encrypted in transit and at rest. Access is restricted to authorized users within each organization's tenant. Notal is hosted on secure cloud infrastructure (Microsoft Azure) with strict role-based access controls and audit logging. We follow SOC 2 and ISO 27001-aligned security frameworks and are in the process of independent certification.
We continuously monitor our infrastructure for anomalous behavior, maintain immutable audit trails, and segregate customer data at the tenant level. Regular penetration tests, vulnerability scans, and tabletop exercises help us validate incident-response readiness.
Role-Based Permissions & Access Controls
Workspace owners control who can view, edit, or administer matters, documents, and AI workflows. Built-in safeguards include:
- Organization-level roles (owner, admin, contributor, reader) with least-privilege defaults.
- Matter-level permissions to restrict highly sensitive clients or investigations.
- Optional MFA enforcement for all users and mandatory MFA for privileged roles.
- Comprehensive audit logs covering logins, configuration changes, exports, and AI usage.
5. Data Retention and Deletion
You control your data. Workspace owners may export or delete content at any time. When an account or workspace is deleted, data is permanently removed from production systems within 30 days, except where retention is required by law.
Depending on your jurisdiction, you may request access, correction, or deletion of your personal data by contacting [email protected].
Compliance & Governance
Notal is an early-stage platform built with security and privacy as core design principles. While we are not yet SOC 2 or ISO certified, we follow the underlying frameworks and engineering practices that these standards require. Our governance approach focuses on building secure foundations that scale as we grow.
Our current compliance posture includes:
- Industry-standard security controls such as encryption in transit and at rest, access isolation by organization, audit logging, and strict authentication requirements.
- Cloud infrastructure hosted on Microsoft Azure, which maintains its own SOC 2, ISO 27001, and FedRAMP certifications.
- Least-privilege access for all production systems. All access is logged and monitored.
- Secure development practices, including code reviews, dependency scanning, and environment separation.
- Clear data-handling policies, including no training on customer data, no sharing of workspace data across organizations, and no third-party access to user content.
- Documented internal procedures for data deletion, access control, environment configuration, and handling security-related events.
What we are currently working toward:
- Preparing internal controls and documentation for future SOC 2 Type I readiness.
- Formalizing incident response workflows, security policies, and vendor reviews as the platform scales.
- Publishing a detailed compliance roadmap as more customers onboard.
For questions about our security posture or compliance documentation, contact [email protected].
AI Privacy & Controls
Notal’s AI assistants operate entirely inside your private tenant. Prompts, documents, and outputs never train shared or public models. Customers can:
- Disable AI features tenant-wide or limit usage to specific roles.
- Review AI activity logs to monitor prompt content and generated responses.
- Export or delete AI conversations and outputs at any time.
6. Third-Party Services
We integrate with trusted third-party providers (e.g., Google OAuth, Microsoft OneDrive, and Cloudflare) only to deliver core functionality such as authentication, file storage, and hosting. Each provider maintains its own privacy commitments, which govern the data shared with them.
7. Your Rights
You have control over your personal data. Where applicable under local laws, you may:
- Access, correct, or delete your information;
- Export your data in a portable format; or
- Object to or limit certain processing activities.
8. Updates
We may update this Privacy Policy periodically. The "Effective Date" above reflects the most recent revision. Continued use of Notal after updates constitutes acceptance of the revised policy.
9. Contact
For questions about privacy or data protection, email [email protected].