Last Updated: September 30, 2025
Privacy Summary: We collect minimal data necessary to provide our citation verification service. We do not sell your data. You control your information and can request deletion at any time.
1. Introduction
GPAI Network ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Citation Verification API service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name: Your full name
- Email address: For account authentication and communication
- Password: Encrypted and never stored in plain text
- Organization: Company or institution name (optional)
- Billing information: Payment details (processed by Stripe, not stored by us)
2.2 API Usage Data
When you use our API, we automatically collect:
- Citation queries: The legal citations you submit for verification
- Verification results: Status, confidence scores, and case details
- Timestamps: When requests are made
- API key identifier: Hashed version (not the actual key)
- Processing metrics: Response times, cache hits, error rates
- IP addresses: For fraud detection and rate limiting
2.3 Technical Information
- Browser and device type: User agent strings
- Operating system: For compatibility
- Cookies: Session management (see Section 8)
2.4 Information We Do NOT Collect
- We do NOT require or collect Social Security Numbers
- We do NOT track your location beyond IP-based country detection
- We do NOT access or store the content of your legal documents (only citations)
- We do NOT sell or share your data with data brokers
3. How We Use Your Information
| Purpose |
Data Used |
Legal Basis |
| Provide citation verification service |
Citation queries, API keys |
Contract performance |
| Process payments |
Email, billing info |
Contract performance |
| Improve service accuracy |
Queries, results, metrics |
Legitimate interest |
| Prevent fraud and abuse |
IP addresses, usage patterns |
Legitimate interest |
| Send service announcements |
Email |
Contract performance |
| Marketing communications |
Email |
Consent (opt-in) |
4. Data Sharing and Disclosure
4.1 Third-Party Services
We share limited data with trusted third-party service providers:
- CourtListener: Federal case citations (public information)
- Google Scholar: Citation queries for verification (see Google's Privacy Policy)
- OpenAI, Anthropic, Google Gemini: AI analysis of citations (anonymized)
- Stripe: Payment processing (see Stripe's Privacy Policy)
- Railway: Infrastructure hosting (data encrypted at rest and in transit)
- Redis Cloud: Caching service (temporary data storage)
4.2 We Do NOT Sell Your Data
We have never sold user data and we never will. We do not share your citation queries with:
- Advertising networks
- Data brokers or aggregators
- Social media platforms
- Marketing companies
4.3 Legal Obligations
We may disclose information if required by law:
- In response to valid subpoenas or court orders
- To comply with legal obligations
- To protect our rights or the safety of users
- In connection with a business transaction (merger, acquisition)
5. Data Retention
| Data Type |
Retention Period |
Reason |
| Account information |
Until account deletion + 30 days |
Service provision, compliance |
| API usage logs |
90 days |
Debugging, analytics, fraud detection |
| Cached verification results |
7 days (default) |
Performance optimization |
| Billing records |
7 years |
Tax and legal compliance |
| IP addresses |
30 days |
Security and abuse prevention |
6. Data Security
6.1 Security Measures
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- API key hashing: Keys are hashed using bcrypt before storage
- Access controls: Role-based access, principle of least privilege
- Monitoring: 24/7 automated security monitoring
- Regular audits: Quarterly security assessments
- Incident response: Documented breach notification procedures
6.2 Your Responsibilities
- Keep API keys confidential
- Use strong, unique passwords
- Enable two-factor authentication (when available)
- Report suspected security issues immediately
7. Your Privacy Rights
7.1 Access and Control
You have the right to:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account and data
- Export: Download your API usage data in JSON format
- Opt-out: Unsubscribe from marketing emails
- Object: Object to processing of your data
7.2 How to Exercise Your Rights
Contact us at privacy@gpai.network with requests. We will respond within 30 days.
7.3 California Privacy Rights (CCPA)
California residents have additional rights:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt-out of sale (we don't sell data)
- Right to non-discrimination for exercising rights
7.4 European Privacy Rights (GDPR)
EU/EEA residents have rights under GDPR:
- Right to data portability
- Right to restriction of processing
- Right to lodge a complaint with supervisory authority
8. Cookies and Tracking
8.1 Cookies We Use
- Essential cookies: Session management, authentication (required)
- Analytics cookies: Usage statistics (can be disabled)
- We do NOT use: Advertising cookies or third-party trackers
8.2 Cookie Management
You can control cookies through your browser settings. Note that disabling essential cookies may impair service functionality.
9. Children's Privacy
Our service is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact us immediately at privacy@gpai.network.
10. International Data Transfers
Your data may be transferred to and processed in the United States. We use:
- Standard Contractual Clauses (SCCs) for EU transfers
- Adequate security measures during international transfers
- Compliance with applicable data protection laws
11. Changes to This Privacy Policy
We may update this Privacy Policy to reflect:
- Changes in our practices
- New legal requirements
- Service enhancements
Material changes will be communicated via:
- Email notification (30 days advance notice)
- Prominent notice on our website
- Updated "Last Modified" date at top of this policy
12. Contact Us
For privacy-related questions, concerns, or requests:
- Email: privacy@gpai.network
- Data Protection Officer: dpo@gpai.network
- Support: support@gpai.network
13. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify you within 72 hours of discovery
- Describe the nature of the breach
- Outline steps we're taking to address it
- Provide recommendations to protect yourself
- Notify relevant authorities as required by law
14. Aggregate and Anonymous Data
We may create aggregated, anonymized statistics about:
- Total API requests per day/month
- Most commonly verified cases
- Average confidence scores
- Geographic distribution of usage (country-level only)
This data cannot be used to identify individual users and may be used for research, marketing, or shared publicly.
← Back to Home