Privacy & Policy

Last updated: June 2026


1. Introduction

Moritz Law, APC (“Moritz Law”, “we”, “us”, or “our”) is a California professional corporation and law firm. This Privacy Policy describes how Moritz Law collects, uses, discloses, retains, and protects personal information through https://www.moritzlegal.com (the “Site”), our online intake forms, our client portal, and the legal services we provide (collectively, the “Services”).

This Policy applies to: (a) visitors to the Site; (b) prospective clients who submit information through intake forms or otherwise communicate with us about possible engagement; (c) clients of Moritz Law; and (d) other individuals whose personal information we receive in the course of providing legal services.

Moritz Law operates the Services on a software platform (the “Platform”) licensed to us by Parlai, Inc. (“Parlai”). Parlai is the technology vendor that hosts and operates the Platform on Moritz Law’s behalf. With respect to information processed through the Platform in connection with our provision of legal services, Moritz Law is the controller and Parlai acts as our processor under written agreements that require Parlai to handle that information consistent with our confidentiality and professional-responsibility obligations. Parlai is identified in this Policy where its role is relevant; otherwise, references to “we,” “us,” and “our” mean Moritz Law.

Please read this Policy carefully. By using the Services, you acknowledge the practices described here. If you do not agree, do not use the Services.


2. Scope and Relationship to Other Documents

This Policy works alongside other documents that may apply to you:

  • Terms of Service. Your use of the Site and the Platform is governed by our Terms of Service, available at https://www.moritzlegal.com/terms.

  • Engagement Letter. If you become a client of Moritz Law, your engagement is governed by a separate written engagement letter. Where this Policy and your engagement letter address the same subject matter, the engagement letter controls with respect to your client matter.

  • Cookie Notice. Our use of cookies and similar technologies is described in Section 11 below and, where required, in a cookie banner displayed to users in the European Economic Area (“EEA”), the United Kingdom (“UK”), and other jurisdictions that require prior consent.


3. Two Tracks of Information We Process

We process two categories of information that are subject to different rules:


3.1 Site, Intake, and Platform Data

Information collected from Site visitors, intake-form submitters, and Platform users in their capacity as users of our website and Platform. This information is governed by applicable data-protection laws as described in this Policy, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the EU and UK General Data Protection Regulation (“GDPR” and “UK GDPR”), the Norwegian Personal Data Act, the Australian Privacy Act 1988 and Australian Privacy Principles (“APPs”), and other applicable laws.


3.2 Client Matter Information

Information that we receive, generate, or hold in our capacity as legal counsel to a client, including communications with clients, work product, documents, evidence, and case-related materials. Client Matter Information is subject to the California Rules of Professional Conduct (“CRPC”), including Rule 1.6 (Confidentiality), the attorney-client privilege, the work product doctrine, and our records-retention obligations. These rules generally exceed and, in some respects, limit the application of consumer privacy laws. Where a data-protection right or obligation conflicts with our professional-responsibility obligations, the latter controls. We explain how this affects your rights in Section 9.


3.3 Categories of Data Subjects

Personal information processed under this Policy may relate to:

  • Site visitors — individuals who browse the Site or interact with public-facing content;

  • Prospective clients — individuals (or representatives of organizations) who contact us through intake forms or otherwise inquire about possible representation;

  • Clients — individuals (or representatives of organizations) who have entered into a written engagement letter with Moritz Law;

  • Authorized users — individuals authorized by a client to access the client portal on the client’s behalf;

  • Personnel of Moritz Law — attorneys, employees, and contractors of Moritz Law and its subcontracted local counsel;

  • Third parties referenced in client matters — opposing parties, witnesses, family members, beneficiaries, counterparties, and other individuals whose information appears in matter-related materials; and

  • Counterparts and contacts of clients — individuals at counterparties, vendors, courts, regulators, and other organizations with whom we communicate on a client’s behalf.

4. Information We Collect


4.1 Information You Provide Directly

  • Identifiers. Name, email address, telephone number, postal address, and similar contact information.

  • Intake information. Information you submit through our intake form or otherwise share with us when inquiring about possible representation, which may include the nature of your matter, parties involved, jurisdiction, deadlines, and supporting documents.

  • Account information. If you create or are issued a client portal account, your username, authentication credentials, and account preferences.

  • Client matter content. Documents, messages, files, and other materials you submit through the Platform in connection with our representation of you, including communications with your matter team. As described above, this is Client Matter Information.

  • Billing and payment information. Billing contact information, payment method details (processed by our payment processors and not stored by us in full form), and trust-account-related information.

  • Identity verification information. Information we collect to verify your identity and run conflict checks before establishing a representation, including, where applicable, government-issued identifiers.

  • Communications. The contents of messages you send to us through the Platform, by email, or otherwise, and your responses to surveys or feedback requests.


4.2 Information Collected Automatically

  • Device and usage data. IP address, device type, operating system, browser type, language settings, referring/exit pages, pages visited, time on page, and similar data.

  • Cookies and similar technologies. As described in Section 11.

  • Platform telemetry. Login records, session metadata, feature-usage data, audit logs, and similar information generated when you use the Platform. We use this for security, fraud prevention, abuse detection, and to operate, maintain, and improve the Services.


4.3 Information from Third Parties

  • Conflict check sources. Public records, court databases, and conflict-check services used to clear new matters.

  • Opposing parties, witnesses, and others. In the course of representing a client, we may receive information about non-clients (opposing parties, witnesses, third parties referenced in documents, etc.). Such information is treated as Client Matter Information of the client whose matter it relates to.

  • Co-counsel and local counsel. We may receive information from co-counsel or admitted local counsel in jurisdictions where work is performed.

  • Service providers. Our payment processors, identity verification providers, and similar vendors may share information with us for the purposes for which they are engaged.

  • Public sources. Publicly available sources such as government registries, professional directories, and corporate records.


4.4 Sensitive and Special Category Information

Legal matters can require us to receive information that is treated as “sensitive personal information” under CCPA/CPRA or as “special category data” under GDPR/UK GDPR (Article 9), including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sex life or sexual orientation data, criminal-allegation or criminal-conviction data, government identifiers, financial-account information, and precise geolocation. We process such information only as necessary to provide legal services, with explicit consent where required, or as otherwise permitted by law (including under GDPR Article 9(2)(f) for the establishment, exercise, or defense of legal claims). Where applicable, your engagement letter contains the specific consents and limitations applicable to your matter.


Biometric identifiers. We do not collect biometric identifiers (such as faceprints, voiceprints, fingerprints, or retina scans) from Site visitors or use biometric identifiers for identification or authentication. To the extent biometric data appears within materials we receive in the course of representing a client (for example, in evidence, exhibits, or third-party records), we handle that data solely as Client Matter Information consistent with our professional-responsibility obligations and applicable law (including, where applicable, the Illinois Biometric Information Privacy Act, the Texas Capture or Use of Biometric Identifier Act, the Washington biometric-privacy statute, and similar laws). We do not use such data for our own identification, marketing, or training purposes.


5. How We Use Information

We use information for the following purposes:

  • Operating the Services. Hosting and operating the Site and Platform; providing and maintaining intake forms; provisioning and maintaining client portal accounts; storing and transmitting client matter content.

  • Evaluating prospective engagements. Running conflict checks, evaluating whether we can take on a matter, and communicating with you about possible representation. Submission of an intake form does not, by itself, create an attorney-client relationship; an attorney-client relationship is established only by a signed written engagement letter.

  • Providing legal services. Representing clients, communicating with clients and third parties on a client’s behalf, drafting and preparing legal documents, conducting research, and otherwise rendering legal services to clients.

  • Billing and payments. Generating invoices, processing payments, managing trust accounts as required by CRPC 1.15, and managing collections.

  • Security, fraud prevention, and abuse detection. Protecting the Site, the Platform, and our clients and personnel against unauthorized access, fraud, abuse, malware, and other security threats.

  • Compliance with law and professional rules. Complying with our obligations under the CRPC, court orders, subpoenas, applicable laws, and the rules of any tribunal.

  • Communications and marketing. Responding to your inquiries, sending administrative communications about the Services, and, where permitted, sending you information about Moritz Law that we think may be of interest. You can opt out of marketing communications at any time.

  • Service improvement and analytics. Operating, analyzing, maintaining, and improving the Services; understanding how the Site and Platform are used; and developing new features.

  • Artificial intelligence and machine learning. As described in Section 6 below.


6. Artificial Intelligence and Machine Learning

6.1 Types of AI Tools We Use

  • Internal AI Tools are AI Tools developed and operated by, or on behalf of, Moritz Law (or by Parlai for our use), where the underlying models are accessible only to Moritz Law and our authorized service providers.

  • Third-Party AI Tools are AI Tools provided by third parties (such as foundation-model providers) that we may invoke as sub-processors. We do not enable training of these third-party providers’ publicly available models on Client Matter Information. Our agreements with these providers prohibit them from using your information to train their general-purpose models and require zero or limited retention of inputs and outputs.


6.2 Use of Your Information for AI Training and Improvement

Subject to the limits in this Section 6 and to your engagement letter, you grant Moritz Law a non-exclusive, worldwide, royalty-free license to use information you submit through the Services (including User Content as defined in our Terms of Service and, where applicable, Client Matter Information) to host, store, transmit, process, analyze, and to develop, train, fine-tune, test, validate, and improve our Internal AI Tools, in each case in connection with operating and improving the Services and providing legal services.

Important limits on this license:

  • We will handle Client Matter Information consistent with our confidentiality, privilege, and professional-responsibility obligations.

  • We will not use your information in any manner intended to waive the attorney-client privilege, work product protection, or any other applicable confidentiality protection.

  • We will not use Client Matter Information to train publicly available AI systems in any manner that would permit disclosure of, or use by, unaffiliated third parties.

  • We will not sell or license your Client Matter Information to third parties for their own AI development.

  • We implement technical and organizational measures designed to reduce the risk that information from one client’s matter is exposed to another client through our AI Tools. These measures may include access controls, output filtering, retrieval-augmented designs, and tenant-level isolation, as appropriate.


6.3 Enterprise Customers

If you are an Enterprise Customer (as defined in our Terms of Service), Client Matter Information you submit will not be used to train or fine-tune any AI model. We may use anonymized, aggregated metadata derived from your use of the Services to operate, secure, and improve the Services. The terms of your master services agreement or equivalent written agreement with Moritz Law control if they differ from this Policy.


6.4 EU/UK and Other Special-Category Data

Where information you submit constitutes special category data under GDPR/UK GDPR Article 9, we will use such information for AI Tool development only with your explicit consent (typically obtained through your engagement letter) or where another lawful basis under Article 9 applies. If you do not provide such consent, we will not use your special category data to train or fine-tune AI Tools, and our use of such data will be limited to providing legal services and complying with law.


6.5 Automated Decision-Making

We do not use AI Tools to make decisions producing legal or similarly significant effects about you without meaningful human review. Final legal advice and decisions about your matter are made by qualified attorneys.


7. How We Disclose Information

We disclose information in the following circumstances:

  • Service providers (processors). To vendors that provide services to us, including hosting, communications, payment processing, identity verification, e-discovery, document management, security, analytics, and AI infrastructure. Our service providers are contractually required to handle information consistent with this Policy and our professional-responsibility obligations. Parlai operates the Platform on our behalf and is our principal technology service provider.

  • Co-counsel, local counsel, and experts. In the course of representing a client, we may share information with admitted local counsel in other jurisdictions, co-counsel, expert witnesses, investigators, and similar professionals. Where Moritz Law engages a foreign-jurisdiction attorney to perform local-law work on a client matter, that attorney is engaged as our subcontractor and is bound by confidentiality obligations consistent with our own. The privilege and confidentiality protections that apply to such communications can vary by jurisdiction; we explain this further in Section 8.

  • Counterparties, courts, and tribunals. As reasonably necessary in connection with the provision of legal services, including making filings with courts or tribunals and corresponding with opposing counsel.

  • In response to legal process. To respond to subpoenas, court orders, or other lawful demands. We will assert applicable privileges and protections on behalf of clients to the extent required.

  • To protect rights and safety. Where we believe disclosure is necessary to protect the rights, property, or safety of Moritz Law, our clients, or others, or to investigate, prevent, or respond to suspected illegal activity, fraud, or violations of our Terms of Service.

  • Business transfers. In connection with a merger, sale, financing, or similar corporate transaction, subject to our continuing obligations under this Policy and the CRPC. Client Matter Information will be transferred only as permitted by applicable rules of professional conduct, including appropriate notice to affected clients where required.

  • With your consent. Where you direct us to disclose information or otherwise consent to disclosure.


We do not sell your personal information (as “sell” is defined in CCPA/CPRA), and we do not “share” your personal information for cross-context behavioral advertising.

A current list of categories of our material sub-processors, including AI service providers, is available on request to privacy@moritzlegal.com.


8. International Transfers and Foreign-Counsel Subcontracting

8.1 Where We Operate

Moritz Law is established in California, United States. We may transfer, store, and process information in the United States and in other countries where we, our service providers, or our subcontracted local counsel operate.


8.2 Transfers from the EEA, UK, and Switzerland

Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognized by the relevant authority as providing an adequate level of data protection, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (“SCCs”) and the UK International Data Transfer Addendum, and on derogations permitted under Article 49 GDPR (including, where applicable, Article 49(1)(e) for the establishment, exercise, or defense of legal claims). Copies of the safeguards in place are available on request.


8.3 Foreign-Counsel Subcontracting

Moritz Law engages admitted local counsel in jurisdictions outside California to perform local-law work on client matters. When we do so, the local-jurisdiction attorney is engaged as our subcontractor and is bound by confidentiality obligations consistent with our own. Privilege and professional-secrecy protections vary across jurisdictions. In particular, the rules governing communications among Moritz Law, our subcontracted local counsel, and clients (and the protection of those communications from disclosure) differ across the United States, the United Kingdom, EU member states (including Germany), Norway, Australia, and other jurisdictions. Where this is material to your matter, your engagement letter will address the specific protections that apply.


9. Your Privacy Rights

Depending on where you are located, you may have rights with respect to your personal information. We honor these rights as required by applicable law, subject to the qualifications described in this Section 9.


9.1 Rights Under GDPR/UK GDPR

Subject to applicable conditions and exceptions, you may:

  • Access the personal information we hold about you;

  • Rectify inaccurate or incomplete personal information;

  • Erase personal information in certain circumstances;

  • Restrict our processing in certain circumstances;

  • Object to processing based on legitimate interests or for direct marketing;

  • Data portability for personal information you provided to us, where processing is based on consent or contract and is carried out by automated means;

  • Withdraw consent at any time where processing is based on consent (without affecting prior processing);

  • Lodge a complaint with your supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). In Norway, this is the Datatilsynet. In other EEA jurisdictions, your local data protection authority.


9.2 Lawful Bases (GDPR/UK GDPR)

We rely on the following lawful bases for processing personal information of EEA/UK data subjects:

  • Performance of a contract (Article 6(1)(b)) — to provide the Services and perform our obligations under engagement letters and other agreements.

  • Legitimate interests (Article 6(1)(f)) — to operate, secure, and improve the Services; to evaluate prospective engagements; to manage our business; and to develop our Internal AI Tools, where this is consistent with your reasonable expectations and not overridden by your interests or rights.

  • Compliance with legal obligations (Article 6(1)(c)) — including our obligations under the CRPC, court orders, and applicable laws.

  • Consent (Article 6(1)(a) and, where applicable, Article 9(2)(a)) — for cookies and similar technologies that require consent, for processing of special category data, and for marketing communications where consent is required.

  • Establishment, exercise, or defense of legal claims (Articles 9(2)(f) and 49(1)(e)) — for processing of special category data and for international transfers necessary for legal claims.


9.3 Rights Under CCPA/CPRA

If you are a California resident, you may have the right to:

  • Know what personal information we collect, use, disclose, and (if applicable) sell or share;

  • Request access to or a copy of your personal information;

  • Request deletion of your personal information;

  • Request correction of inaccurate personal information;

  • Opt out of any “sale” or “sharing” of personal information (we do not sell or share personal information as those terms are defined under CCPA/CPRA);

  • Limit use and disclosure of sensitive personal information; and

  • Be free from retaliation for exercising your rights.


9.4 California “Shine the Light” Notice

California Civil Code section 1798.83 permits California residents to request information once per calendar year about the disclosure of their personal information by a business to third parties for the third parties’ own direct marketing purposes. Moritz Law does not disclose personal information to third parties for those third parties’ own direct marketing purposes. If you are a California resident and would like to make a request under section 1798.83, please contact us at privacy@moritzlegal.com.


9.5 Rights Under Other U.S. State Privacy Laws

Residents of certain other U.S. states have rights under their states’ comprehensive privacy laws, including (as of the effective date of this Policy) Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, Nebraska, New Jersey, Maryland, Minnesota, Rhode Island, and Kentucky. These rights generally include the right to access, correct, and delete personal information; to opt out of certain processing (including targeted advertising and “sales” as defined under each state’s law); and, in some states, to appeal a denial of a request. We honor these rights as required by applicable law, subject to the qualifications described in Section 9.8. We do not sell personal information or process it for targeted advertising as those terms are defined under these laws. To exercise rights under these laws, contact privacy@moritzlegal.com. If we deny your request, you may have the right to appeal; we will provide instructions for doing so in our response.


9.6 Rights Under Australian Privacy Principles

If you are in Australia, you have rights under the Privacy Act 1988 and the Australian Privacy Principles, including the right to access and correct personal information we hold about you and to make a complaint about our handling of your personal information.


9.7 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@moritzlegal.com. We will verify your identity before responding and will respond within the time periods required by applicable law. We will not discriminate against you for exercising your rights.

You may use an authorized agent to submit a request. We may require the agent to provide proof of authorization and may require you to verify your identity directly with us.


9.8 Limits on Your Rights — Professional Responsibility and Client Matter Information

Important. Where you are or were a client of Moritz Law (or a person whose information appears in a Moritz Law client matter), our obligations under the CRPC, the attorney-client privilege, the work product doctrine, and applicable records-retention rules may limit our ability to satisfy certain requests. For example:

  • Right to delete. We are required to retain client files and certain matter-related information for periods established by professional rules and applicable law. We will not delete information that we are required to retain. After you cease to be a client, we will retain information for the periods required by professional rules and applicable law.

  • Right to know/access. Where information is subject to attorney-client privilege, work product protection, or duties of confidentiality owed to other clients, we may be unable to disclose it.

  • Right to object/restrict. Where processing is necessary for the establishment, exercise, or defense of legal claims, we may continue processing notwithstanding an objection.

Where we cannot fully honor a request because of these obligations, we will tell you so and explain why.


10. Data Retention

We retain personal information for as long as needed to fulfill the purposes for which it was collected, including:

  • Site visitor data: typically retained for up to 24 months, unless required for security, fraud prevention, or legal-claim purposes.

  • Intake data (no engagement formed): typically retained for up to 24 months for conflict-check and recordkeeping purposes, then deleted or anonymized, except where retention is required by law or applicable rules of professional conduct.

  • Client matter files: retained for the period required by the CRPC, the California State Bar’s file-retention guidance, and applicable law (generally a minimum of five years after termination of representation, longer for certain matter types). Trust-account records are retained for the periods required by CRPC 1.15.

  • Account and security logs: retained for periods reasonably necessary for security, audit, and fraud-prevention purposes.

After applicable retention periods expire, we delete, destroy, or anonymize personal information.


11. Cookies and Similar Technologies

We use cookies and similar technologies (such as pixels, web beacons, and local storage) on the Site to:

  • Strictly necessary — enable core functionality of the Site and Platform (authentication, session management, security).

  • Analytics — understand how visitors use the Site, measure traffic, and improve our content. We use Google Analytics 4 and similar analytics tools.


If you visit the Site from the EEA, the UK, or another jurisdiction that requires prior consent for non-essential cookies, we will display a cookie banner and will not set non-essential cookies until you consent. You can withdraw consent and adjust your preferences at any time through the cookie preference settings on the Site.

You can also control cookies through your browser settings. Disabling cookies may affect the functionality of the Site.


Do Not Track. Some browsers offer a “Do Not Track” signal. We do not currently respond to Do Not Track signals because no industry consensus on their meaning has been adopted.


12. Security

We maintain technical, administrative, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit and at rest where appropriate, access controls, audit logging, vendor due diligence, and personnel training. The Platform is operated by Parlai under written agreements that include security commitments consistent with our professional-responsibility obligations.


No security measures are perfect. You are responsible for protecting your own credentials and for keeping the devices you use secure.


Account authentication. We support multi-factor authentication for client portal accounts. Where authentication codes or security alerts are sent by SMS or telephone call, we send them solely to the number you provide for that purpose, only as needed to authenticate or secure your account, and not for marketing. Standard message and data rates from your carrier may apply.


Breach notification. If we experience a personal-data breach affecting your personal information, we will notify you and applicable authorities as required by law (including under GDPR Articles 33 and 34, the UK GDPR, the Australian Notifiable Data Breaches scheme, and applicable U.S. state laws).


13. Children

The Site and the Services are intended for adults aged 18 and older. We do not knowingly collect personal information from children under 18 through the Site or our intake forms. If you believe a child has provided personal information to us through the Site, please contact us at privacy@moritzlegal.com and we will take appropriate steps to delete the information.


14. Third-Party Links and Services

The Site may contain links to third-party websites, products, or services. We are not responsible for the privacy practices of those third parties. Please review the privacy notices of any third-party websites you visit.


15. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this Policy. If we make material changes, we will provide additional notice as required by law (for example, by email or through a banner on the Site). Your continued use of the Services after the effective date of an updated Policy constitutes your acceptance of the updated Policy, except that material changes affecting client matter information will be communicated to clients separately and consistent with our professional-responsibility obligations.


16. How to Contact Us


Moritz Law, APC

455 Market St, Ste 1940, PMB 320349

San Francisco, California 94105-2448, United States

Privacy inquiries: privacy@moritzlegal.com

General inquiries: legal@moritzlegal.com


Data Protection Officer / Privacy Lead. Privacy inquiries are handled by Daniel Dalla Vedova (CA Bar No. 348589), reachable at privacy@moritzlegal.com.


Australia. Privacy complaints under the Australian Privacy Act may be directed to privacy@moritzlegal.com. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC).


Parlai, Inc. (Platform provider acting as our processor) — 455 Market St, Ste 1940, PMB 231441, San Francisco, California 94105-2448, United States.

Moritz is a law firm incorporated in California, and use of Moritz's products and services is subject to our engagement letter, terms of use and privacy policy.

Your legal work,

finished today.

No retainer. No hourly billing. Just send your first matter.

© 2026 Moritz. All rights reserved
