Your Legal Data
Legal information is personal. We design B-Legal so your most sensitive data stays on your device — not ours.
Local-First Philosophy
B-Legal follows a local-first approach for sensitive legal content. Wherever technically feasible, your private legal notes, annotations, and draft content are encrypted on your device and never transmitted to our servers in readable form.
This means B-Legal employees cannot read your private notes — because they never arrive on our servers unencrypted.
What Stays on Your Device
- Local private notes — Notes you add to Legal Locker documents are encrypted using AES-256-GCM in your browser and stored in your device's local IndexedDB. They are never sent to B-Legal's servers.
- Encryption keys — The cryptographic keys used to encrypt your notes are derived from your account identifier on-device and are never transmitted to us.
- Draft legal content — Drafts you work on are stored locally until you choose to save or submit them.
AES-256-GCM Encryption
Local notes use AES-256-GCM encryption — the same standard used by major financial institutions and governments. Each note is encrypted with a unique initialization vector (IV) so no two encrypted records look the same, even if the content is identical.
The encryption runs entirely in your browser using the Web Crypto API, a browser-native cryptography standard that does not rely on any third-party library.
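The per-note scheme described above, sketched with the Web Crypto API as an added example; this is not B-Legal's code. The function names are hypothetical, and the key is randomly generated as an assumption because the page does not describe its key derivation.

```javascript
// Added example (not B-Legal's code). Web Crypto is global in browsers and in
// current Node.js; the require() fallback covers older Node versions.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const subtle = webCrypto.subtle;

// Assumption: a randomly generated, non-extractable 256-bit key. The page does
// not describe how its keys are derived, so no derivation is reproduced here.
async function newNoteKey() {
  return subtle.generateKey({ name: 'AES-GCM', length: 256 }, false,
    ['encrypt', 'decrypt']);
}

// Encrypt one note under a fresh 96-bit IV. The IV is not secret, but it must
// never repeat under the same key, so it is generated per record.
async function encryptNote(key, text) {
  const iv = webCrypto.getRandomValues(new Uint8Array(12));
  const data = new TextEncoder().encode(text);
  const ciphertext = new Uint8Array(
    await subtle.encrypt({ name: 'AES-GCM', iv }, key, data));
  return { iv, ciphertext }; // ciphertext ends with the 16-byte GCM tag
}

// Decrypt a record; rejects if the IV, ciphertext or tag was altered.
async function decryptNote(key, { iv, ciphertext }) {
  const plain = await subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
  return new TextDecoder().decode(plain);
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// Same note encrypted twice, plus one record with a single flipped bit.
async function demo() {
  const key = await newNoteKey();
  const note = 'Constructed sample note: ask about lease clause 4';
  const a = await encryptNote(key, note);
  const b = await encryptNote(key, note);
  const tampered = { iv: a.iv, ciphertext: Uint8Array.from(a.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;
  return {
    roundTrip: (await decryptNote(key, a)) === note,
    recordsDiffer: toHex(a.ciphertext) !== toHex(b.ciphertext),
    tamperDetected: await decryptNote(key, tampered).then(() => false, () => true),
  };
}

demo().then(console.log);
```

Because GCM is authenticated, a record modified in IndexedDB or in cloud storage fails to decrypt instead of yielding altered plaintext.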
File Encryption Before Upload
When you upload a document to Legal Locker with the "Encrypt file in browser before uploading" option enabled (the default), your file is encrypted in your browser before it leaves your device. The encrypted blob is what gets stored in cloud storage — not the original file.
The IV (initialization vector) needed to decrypt the file is stored in your device's local storage. If you lose access to this device without exporting your keys, you will not be able to decrypt that file. Keep this in mind before enabling client-side encryption for irreplaceable documents.
What Goes to Our Servers
- File metadata — filename, category, file size, upload date, and a reference to the storage location are saved to our database.
- AI queries — Questions you submit to B-Legal AI are sent to OpenAI's API. Queries are logged to your account for history and usage limits. You can request deletion at any time.
- Account data — email, subscription status, and authentication tokens.
- Encrypted file blobs (when client-side encryption is enabled) — the server stores the encrypted content but cannot read it without the key, which stays on your device.
Data Minimization
We do not collect data we do not need. B-Legal does not:
- Sell your personal information to third parties
- Use your legal questions or documents to train AI models
- Share your legal content with attorneys or third parties without your explicit action
- Store plaintext versions of content you choose to encrypt locally
Your Control
- Delete any document at any time from the Legal Locker. Deleted files are removed from cloud storage within 30 days.
- Delete your AI history by emailing privacy@blegalapp.com.
- Delete your account at any time. Account data is purged within 90 days.
- Export your data by contacting privacy@blegalapp.com.
Legal Data Is Not Legal Advice
Storing legal information in B-Legal does not create an attorney-client relationship. B-Legal is a legal information and organization platform. Nothing stored in, generated by, or processed through B-Legal constitutes legal advice.
For advice specific to your situation, consult a licensed attorney. If you are in an immediate legal emergency, call 911 or contact an attorney directly.
Questions
For privacy questions or to exercise your data rights, contact us at privacy@blegalapp.com. We respond within 30 days.