1. Purpose

Sqaro is a document intelligence and review platform designed for legal professionals, law firms, compliance teams, and other authorized business users. Because the Services are used to upload, analyze, store, and interact with documents and related content, Sqaro handles potentially sensitive business, legal, and personal data. This Policy explains: what categories of data Sqaro handles; how that data enters the platform; where and how it is processed; who can access it; how it is secured; how long it is retained; how it is deleted or de-identified; and how third-party infrastructure providers are involved.

2. Scope

This Policy applies to data handled by Sqaro in connection with: website visits and account registration; authentication and account management; document upload, storage, viewing, and analysis; AI-assisted summaries, clause extraction, issue detection, highlights, and related outputs; workspace history and user interactions; support, communications, diagnostics, and operational logs; and subscription, invoicing, and payment processing. This Policy does not override any separate customer agreement, enterprise agreement, data processing addendum, or other contractual terms that specifically govern data handling between Sqaro and a customer.

3. Categories of Data Handled

Sqaro may handle the following categories of data:

A. Account and Identity Data: name; email address; password hash or authentication credentials; firm or organization name; role or permissions; account preferences and settings.

B. Customer Content: uploaded documents; document text; extracted text; metadata associated with documents; user-provided prompts, instructions, questions, and comments; annotations, edits, and workspace materials.

C. AI Processing Data: document excerpts and contextual text sent for analysis; user prompts and follow-up questions; generated summaries; clause extractions; risk flags; highlights; proposed revisions; chat history and related analysis outputs.

D. Usage and Operational Data: sign-in activity; page visits and workspace actions; timestamps; feature usage; system logs; error logs; diagnostics; abuse-prevention and security telemetry.

E. Billing and Transaction Data: billing contact details; subscription plan details; invoices; payment status; limited payment metadata received from payment processors. Sqaro does not intentionally store full payment card numbers on its own systems.

4. Sources of Data

Sqaro handles data from the following sources: directly from users and customers; from documents and files uploaded to the Services; from prompts, instructions, and messages submitted through the platform; from organization administrators managing team accounts; from payment processors and billing providers; and from automated system logs and application telemetry.

5. Data Flow Overview

Sqaro handles data across several functional layers:

A. Authentication and Access Control: Account authentication and identity-related workflows are handled through Firebase Authentication. Authentication and Security Rules are key mechanisms for restricting access to application data.

B. Database and Metadata Storage: Structured application data, such as account records, workspace state, permissions, analysis metadata, and document references, are stored in Cloud Firestore.

C. File and Document Storage: Uploaded documents and extracted document text are stored in Firebase Storage backed by Google Cloud infrastructure.

D. AI and Analysis Processing: Sqaro transmits document text, excerpts, prompts, and related contextual inputs to Vertex AI services to generate summaries, clause extractions, issue spotting, proposed changes, and chat responses. Google Cloud's generative AI offerings are covered by Google's AI/ML privacy commitments, and customer data is not used to train foundation models.

E. Billing and Payment Processing: Payment and subscription workflows are processed through Stripe. Stripe's DPA and privacy materials govern Stripe's handling of personal data within its payment services.

6. Purposes for Handling Data

Sqaro handles data only as reasonably necessary to: provide and operate the Services; authenticate users and manage permissions; store and retrieve documents and workspace materials; generate document analyses and AI-assisted outputs; support continuity of workspace history and user interactions; process payments and subscriptions; provide technical and customer support; detect, investigate, and prevent fraud, abuse, and unauthorized access; troubleshoot errors and improve system reliability; comply with legal obligations; and enforce contractual rights and platform policies. Sqaro does not sell customer-uploaded content.

7. Data Access Controls

Sqaro uses role-based and system-level controls designed to limit access to data.

A. Customer-Side Access: Access to customer data is limited to the authenticated user who uploaded or is authorized to view the content; authorized members of the same organization, firm, or workspace, depending on permissions; and organization administrators, where applicable.

B. Internal Access: Sqaro personnel access to customer data is limited to personnel with a legitimate business need, such as support, security, infrastructure operations, incident response, billing support, and legal compliance. Internal access is restricted by role, limited where feasible, and subject to confidentiality obligations.

C. Third-Party Provider Access: Third-party service providers may access data only as needed to provide infrastructure, hosting, AI processing, authentication, payment, or support functions on Sqaro's behalf, subject to their applicable contractual and operational safeguards.

8. Tenant Isolation and Workspace Segregation

Sqaro is designed to support firm-based and user-based access separation. Customer data is logically segmented so that one organization's data is not made available to another organization except where explicitly authorized. Within an organization, access is also limited according to user roles, workspace permissions, and product configuration. Per-user chat history, document workspaces, and analysis records are scoped to the authorized firm and authorized user context.

9. AI Data Handling

Sqaro uses AI-assisted systems to process document text, prompts, and related content for the purpose of generating summaries, clause lists, issue detection, risk flags, proposed revisions, and contextual answers. AI-related inputs may include user-submitted prompts, extracted portions of uploaded documents, contextual text windows, and analysis metadata needed to produce relevant outputs. AI-generated outputs may be stored as part of the user's workspace, file history, or analysis record. Customer data used with Vertex AI generative services is not used to train foundation models and is governed under Google Cloud's broader AI/ML privacy commitments. Sqaro users remain responsible for reviewing all AI outputs before relying on them.

10. Security Measures

Sqaro uses administrative, technical, and organizational safeguards designed to protect data against unauthorized access, loss, misuse, disclosure, or alteration. These safeguards include: authentication controls; role-based access restrictions; database and storage access rules; transport encryption; cloud-provider security features; logging and monitoring; least-privilege practices where feasible; and secure development and deployment practices. No system can guarantee absolute security.

11. Retention

Sqaro retains data for as long as reasonably necessary to: provide the Services; preserve active workspaces and account functionality; maintain analysis history and continuity features; support billing, auditing, and compliance obligations; investigate abuse, fraud, or security incidents; and enforce legal rights and contractual obligations. Retention periods may vary depending on the type of data, the customer's subscription status, whether deletion has been requested, legal or regulatory requirements, backup and disaster-recovery schedules, and security and operational needs.

12. Deletion and De-Identification

Sqaro may delete or de-identify data when it is no longer reasonably necessary for the purposes described in this Policy, subject to legal, contractual, technical, backup, and security constraints. Deletion may occur: at the request of a customer, where applicable; after account closure; after expiration of a retention period; or when data is no longer operationally necessary. Certain data may persist temporarily in backups, archives, logs, or replicated systems before full deletion occurs.

13. Customer Responsibilities

Customers and users are responsible for: ensuring they have the right to upload and process all content submitted to Sqaro; determining whether the Services are appropriate for the type of information involved; managing their users, permissions, and internal access practices; reviewing AI-generated outputs; and complying with legal, contractual, regulatory, and professional obligations related to the data they submit. Sqaro does not assume responsibility for a customer's independent obligations regarding confidentiality, privilege, legal ethics, records management, or regulated-data handling unless expressly agreed in writing.

14. Incident Response

If Sqaro becomes aware of a confirmed security incident affecting customer data, Sqaro may take steps such as: investigating the incident; containing and remediating the issue; assessing scope and impact; notifying affected customers where required by law or contract; and coordinating with relevant service providers as needed. Response timing and scope may depend on the facts of the incident, legal requirements, and the availability of reliable information.

15. Third-Party Infrastructure and Subprocessors

Sqaro uses third-party providers for cloud hosting and infrastructure, authentication, storage, database services, AI inference and related processing, billing and payment processing, and communications and support operations. This includes Google Cloud and Firebase infrastructure, Vertex AI services, and Stripe for billing and payment-related functions. Google Cloud and Firebase publish separate data-processing and privacy/security materials, while Stripe publishes privacy, security, and DPA documentation for payment processing.

16. International Processing

Data may be processed or stored in the United States or other jurisdictions where Sqaro or its providers operate. Google Cloud and Stripe both publish documentation addressing international transfers and data-processing commitments. Customers are responsible for determining whether their use of the Services satisfies any jurisdiction-specific transfer, notice, or contractual requirements applicable to their organization.

17. Policy Governance and Updates

Sqaro may update this Data Handling Policy from time to time to reflect changes to the Services, changes to infrastructure providers, legal or operational requirements, security improvements, and changes in retention, deletion, or access practices. The most current version will govern from its stated effective date.

18. Contact

Questions about this Data Handling Policy may be directed to:

Sqaro LLC Saint Clair Shores, MI 48082 Email: support@sqaro.co