Draft — pending CLO review

Draft — pending review by Brightstack Chief Legal Officer. Not a final policy. For pre-launch review only.

Legal

Privacy Policy

Effective: [Date of public launch]
Last updated: 2026-04-26 (draft)

1. Who we are

SuriLex is a product of Brightstack Information Technology Solutions, a Philippine corporation. Our Data Protection Officer can be reached at dpo@surilex.com.

2. Personal data we collect

  • Account data: name, work email, organization, role (via Clerk authentication).
  • Document analysis: the contracts and legal documents you upload for AI-powered review.
  • Usage data: analysis events, batch jobs, and aggregated metrics for billing and quota enforcement.
  • Marketing/waitlist data: segment, role, contract volume, firm size, and review-method signal collected via the SuriLex waitlist form.

3. How we handle uploaded documents

Uploaded document text is processed in server memory only. We do not persist the raw text of uploaded documents to durable storage. We persist metadata (filename, byte size, page count, SHA-256 hash) and the structured analysis output (risk score, clauses, statute citations, DMW flags). This is consistent with RA 10173 (Data Privacy Act of 2012) data-minimization principles and NPC Advisory 2024-04 on AI-system data handling.

4. Lawful basis

We process personal data under the lawful bases set out in RA 10173 Section 12 — primarily consent (waitlist), contract performance (paid analyses), and legitimate interest (security, billing, product improvement).

5. Sharing

We share personal data only with sub-processors necessary to operate SuriLex: Clerk (authentication), Supabase (database), Upstash (rate-limit/cache), PayMongo (payment processing), Anthropic (AI analysis), Vercel (hosting), and PostHog (product analytics). All sub-processors operate under contracts that meet RA 10173 requirements.

6. Retention

Account data: for the life of the account plus 90 days. Analysis output: for the life of the account or until you delete it, whichever is sooner. Waitlist data: until launch + 180 days, then deleted. Webhook event logs: 365 days for audit. We do not retain raw document text.

7. Your rights

Under RA 10173 you have the right to be informed, to access, to object, to erasure or blocking, to damages, to data portability, and to file a complaint with the National Privacy Commission. To exercise any of these rights, email dpo@surilex.com.

8. Security

We use TLS in transit, encryption at rest via Supabase, HMAC-verified webhooks, signed Clerk JWTs, server-only API keys, and a Content Security Policy with HSTS preload, frame-ancestors 'none', and form-action 'self'.

9. Cross-border transfers

Some sub-processors operate outside the Philippines. Where this occurs, we rely on the lawful-basis framework in RA 10173 Section 21.

10. Updates

We will notify registered users by email of any material change to this policy at least 30 days before it takes effect.

SuriLex provides AI-powered legal document analysis to support professional judgment. SuriLex is not a law firm and does not provide legal advice. Users are responsible for all final legal decisions.