Moritz Law, a Professional Corporation

Effective Date: June 15, 2026

Last Updated: June 15, 2026

1. Introduction

Moritz Law, a Professional Corporation (Moritz Law, we, us, or our) is a law firm. This Privacy Policy describes how Moritz Law collects, uses, discloses, retains, and protects personal information through https://www.moritzlegal.com (the Site), our online intake forms, our client portal, and the legal services we provide (collectively, the Services).

This Policy applies to visitors to the Site; prospective clients who contact us about possible representation; clients of Moritz Law; and other individuals whose personal information we receive in the course of providing legal services.

We operate the Services on a software platform (the Platform) licensed to us by Parlai, Inc. (Parlai), which hosts and operates the Platform on our behalf. With respect to information processed through the Platform in connection with our legal services, Moritz Law is the controller and Parlai acts as our processor under written agreements that require Parlai to handle that information consistent with our confidentiality and professional-responsibility obligations. References to “we,” “us,” and “our” mean Moritz Law unless the context refers to Parlai’s role.

By using the Services, you acknowledge the practices described here. If you do not agree, do not use the Services.

2. Relationship to Other Documents

• Terms of Service govern your use of the Site and Platform, available at https://www.moritzlegal.com/terms.

• Engagement Letter. If you become a client, your engagement is governed by a separate written engagement letter. Where this Policy and your engagement letter address the same subject matter, the engagement letter controls with respect to your client matter.

• Cookies are addressed in Section 11 and, where required, in a cookie banner.

3. Two Tracks of Information We Process

We process two categories of information subject to different rules:

3.1 Site, Intake, and Platform Data. Information from Site visitors, intake-form submitters, and Platform users in their capacity as users of our website and Platform. This is governed by applicable data-protection laws, including the California Consumer Privacy Act as amended (CCPA/CPRA), the EU and UK General Data Protection Regulation (GDPR and UK GDPR), the Norwegian Personal Data Act, the Australian Privacy Act 1988 and Australian Privacy Principles (APPs), and other applicable laws.

3.2 Client Matter Content. Information we receive, generate, or hold as legal counsel, including client communications, work product, documents, evidence, and case-related materials. This is subject to applicable rules of professional conduct, including duties of client confidentiality, the attorney-client privilege, the work product doctrine, and our records-retention obligations. These rules generally exceed and, in some respects, limit consumer privacy laws. Where a data-protection right conflicts with our professional-responsibility obligations, the latter controls (see Section 9.8).

4. Information We Collect

4.1 Information you provide: identifiers (name, email, phone, address); intake information about your matter; account credentials; client matter content (documents, messages, files submitted in connection with our representation, which is Client Matter Content); billing and payment information (payment details are processed by our processors and not stored by us in full form); identity-verification and conflict-check information, including government-issued identifiers where applicable; and the contents of your communications with us.

4.2 Information collected automatically: device and usage data (IP address, device and browser type, pages visited, and similar); cookies and similar technologies (Section 11); and Platform telemetry (login records, session metadata, feature-usage data, and audit logs), used for security, fraud prevention, abuse detection, and operating and improving the Services.

4.3 Information from third parties: conflict-check sources (public records, court databases, conflict-check services); information about non-clients (opposing parties, witnesses, third parties referenced in documents), treated as Client Matter Content of the relevant client; information from co-counsel and admitted local counsel; information from service providers (payment processors, identity-verification providers); and publicly available sources.

4.4 Sensitive and special category information. Legal matters can require us to receive information treated as “sensitive personal information” under CCPA/CPRA or “special category data” under GDPR/UK GDPR (Article 9), including data revealing racial or ethnic origin, religious beliefs, health, sex life or sexual orientation, criminal-allegation or conviction data, genetic or biometric data, government identifiers, and financial-account information. We process such information only as necessary to provide legal services, with explicit consent where required, or as otherwise permitted by law (including under GDPR Article 9(2)(f) for the establishment, exercise, or defense of legal claims). Your engagement letter contains the specific consents and limitations applicable to your matter. We do not collect biometric identifiers from Site visitors or use them for identification; any biometric data within client materials is handled solely as Client Matter Content.

5. How We Use Information

We use information to: operate the Site, Platform, intake forms, and client portal; evaluate prospective engagements and run conflict checks; provide legal services to clients; bill and process payments, including managing trust accounts as required by applicable rules of professional conduct; secure the Services and prevent fraud and abuse; comply with applicable rules of professional conduct, court orders, subpoenas, and applicable laws; respond to inquiries and send administrative and (where permitted) marketing communications, which you can opt out of at any time; analyze and improve the Services; and develop and operate AI Tools as described in Section 6.

6. Artificial Intelligence

We use artificial intelligence and machine-learning tools (AI Tools) to operate, secure, and improve the Services and to assist in delivering legal services. We may use Site and intake information to develop, train, test, and improve our AI Tools. If you are not a client and wish to opt out of the use of your information to develop our AI Tools, contact privacy@moritzlegal.com.

For clients, the use of Client Matter Content in connection with AI Tools is governed by your engagement letter, which controls. We handle Client Matter Content consistent with our confidentiality, privilege, and professional-responsibility obligations, and will not use it in any manner intended to waive any applicable privilege or protection. Where information constitutes special category data under GDPR/UK GDPR Article 9, we use it for AI Tool development only with explicit consent (typically obtained through your engagement letter) or where another lawful basis under Article 9 applies.

We do not use AI Tools to make decisions producing legal or similarly significant effects about you without meaningful human review. Final legal advice and decisions about your matter are made by qualified attorneys.

7. How We Disclose Information

We disclose information to: service providers (processors) for hosting, communications, payment processing, identity verification, document management, security, analytics, and AI infrastructure, including Parlai as our principal technology provider, each contractually required to handle information consistent with this Policy and our professional-responsibility obligations; co-counsel, local counsel, and experts engaged in connection with a client matter (where Moritz Law engages a foreign-jurisdiction attorney, that attorney is our subcontractor and is bound by confidentiality obligations consistent with our own); counterparties, courts, and tribunals as reasonably necessary to provide legal services; in response to legal process, asserting applicable privileges on behalf of clients; to protect rights and safety; in a business transfer, subject to our continuing obligations under this Policy and applicable rules of professional conduct, with Client Matter Content transferred only as those rules permit; and with your consent.

We do not sell your personal information (as “sell” is defined in CCPA/CPRA), and we do not “share” it for cross-context behavioral advertising. A current list of categories of our material sub-processors, including AI service providers, is available on request to privacy@moritzlegal.com.

8.International Transfers and Foreign Counsel

Moritz Law is established in the United States. We may transfer, store, and process information in the United States and in other jurisdictions where we, our service providers, or our subcontracted local counsel operate.

Where we transfer personal information from the EEA, the UK, or Switzerland to a country not recognized as providing adequate protection, we rely on appropriate safeguards (such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum) and on derogations permitted under Article 49 GDPR (including Article 49(1)(e) for legal claims). Copies are available on request.

We engage admitted local counsel in the United States, the United Kingdom, EU/EEA member states, and other jurisdictions as required to perform local-law work on client matters. Privilege and professional-secrecy protections vary across jurisdictions. Where this is material to your matter, your engagement letter will address the specific protections that apply.

9. Your Privacy Rights

Depending on your location, you may have rights with respect to your personal information, which we honor as required by law, subject to Section 9.8.

9.1 GDPR/UK GDPR

Subject to applicable conditions and exceptions, you may: access your personal information; rectify inaccurate information; request erasure; restrict processing; object to processing based on legitimate interests or for direct marketing; request data portability; withdraw consent (without affecting prior processing); and lodge a complaint with your supervisory authority (in the UK, the Information Commissioner’s Office; in Norway, the Datatilsynet; elsewhere in the EEA, your local authority).

9.2 Lawful bases (GDPR/UK GDPR)

We rely on: performance of a contract (Art. 6(1)(b)) to provide the Services and perform our engagement-letter obligations; legitimate interests (Art. 6(1)(f)) to operate, secure, and improve the Services, evaluate prospective engagements, and develop our AI Tools, where not overridden by your rights; legal obligations (Art. 6(1)(c)), including applicable rules of professional conduct and court orders; consent (Art. 6(1)(a), and Art. 9(2)(a) where applicable) for cookies requiring consent, special category data, and marketing where required; and establishment, exercise, or defense of legal claims (Arts. 9(2)(f) and 49(1)(e)).

9.3 CCPA/CPRA

If you are a California resident, you may have the right to know what personal information we collect, use, and disclose; to access or obtain a copy; to delete; to correct; to opt out of any “sale” or “sharing” (we do neither as defined); to limit use of sensitive personal information; and to be free from retaliation for exercising your rights.

9.4 California “Shine the Light”

California Civil Code § 1798.83 permits California residents to request information once per year about disclosures of personal information to third parties for those third parties’ own direct marketing. Moritz Law makes no such disclosures. Requests may be sent to privacy@moritzlegal.com.

9.5 Other U.S. state privacy laws

Residents of several U.S. states with comprehensive privacy laws have rights to access, correct, and delete personal information, to opt out of certain processing (including targeted advertising and “sales” as defined under each law), and, in some states, to appeal a denied request. We do not sell personal information or process it for targeted advertising as those terms are defined under these laws. To exercise these rights, contact privacy@moritzlegal.com; if we deny your request, we will provide appeal instructions in our response.

9.6 Australia

If you are in Australia, you have rights under the Privacy Act 1988 and the APPs, including to access and correct personal information and to make a complaint about our handling of it.

9.7 How to exercise your rights

Contact privacy@moritzlegal.com. We will verify your identity before responding and respond within the time periods required by law. We will not discriminate against you for exercising your rights. You may use an authorized agent, subject to proof of authorization.

9.8 Limits — professional responsibility and Client Matter Content

Where you are or were a client (or a person whose information appears in a client matter), our obligations under applicable rules of professional conduct, the attorney-client privilege, the work product doctrine, and records-retention rules may limit our ability to satisfy a request. We are required to retain client files for periods set by professional rules and law and will not delete information we must retain; we may be unable to disclose information subject to privilege, work product, or duties owed to other clients; and where processing is necessary for legal claims, we may continue notwithstanding an objection. Where we cannot fully honor a request for these reasons, we will tell you and explain why.

10. Data Retention

We retain personal information as long as needed for the purposes for which it was collected. Site-visitor data is typically retained up to 24 months unless needed for security or legal-claim purposes. Intake data where no engagement forms is typically retained up to 24 months for conflict-check and recordkeeping purposes, then deleted or anonymized, except that limited identifiers needed for accurate conflict-check records may be kept as long as necessary for that purpose. Client matter files are retained for the period required by applicable rules of professional conduct, bar file-retention guidance, and law (generally at least five years after termination of representation, longer for certain matters), and trust-account records as those rules require. After applicable periods expire, we delete, destroy, or anonymize the information.

11. Cookies and Similar Technologies

We use strictly necessary cookies to enable core Site and Platform functionality (authentication, session management, security) and analytics cookies (including Google Analytics 4) to understand Site usage and improve our content. If you visit from the EEA, the UK, or another jurisdiction requiring prior consent, we display a cookie banner and do not set non-essential cookies until you consent; you can withdraw consent through the Site’s cookie preferences at any time. You can also control cookies through your browser. We do not currently respond to “Do Not Track” signals, as no common standard has been adopted.

12. Security

We maintain technical, administrative, and physical safeguards designed to protect personal information, including encryption in transit and at rest where appropriate, access controls, audit logging, vendor due diligence, and personnel training. The Platform is operated by Parlai under agreements with security commitments consistent with our professional-responsibility obligations. No security measures are perfect, and you are responsible for protecting your own credentials. We support multi-factor authentication for client portal accounts; where authentication codes or security alerts are sent by SMS or call, we send them only to the number you provide for that purpose and not for marketing. If we experience a personal-data breach affecting your information, we will notify you and applicable authorities as required by law (including GDPR Arts. 33-34, the UK GDPR, the Australian Notifiable Data Breaches scheme, and applicable U.S. state laws).

13. Children

The Services are intended for adults aged 18 and older. We do not knowingly collect personal information from children under 18 through the Site or our intake forms. If you believe a child has provided us personal information through the Site, contact privacy@moritzlegal.com and we will take appropriate steps to delete it.

14. Third-Party Links

The Site may link to third-party websites or services. We are not responsible for their privacy practices; please review their notices.

15. Changes to This Policy

We may update this Policy and will revise the “Last Updated” date above. If we make material changes, we will provide additional notice as required by law. Continued use of the Services after the effective date of an updated Policy constitutes acceptance, except that material changes affecting Client Matter Content will be communicated to clients separately and consistent with our professional-responsibility obligations.

16. How to Contact Us

Moritz Law, a Professional Corporation

455 Market St, Ste 1940, PMB 320349

San Francisco, California 94105-2448, United States

Privacy inquiries: privacy@moritzlegal.com

General inquiries: legal@moritzlegal.com

EU / UK Representative (Article 27). We will designate a representative where required under Article 27 GDPR and UK GDPR. In the meantime, direct inquiries to privacy@moritzlegal.com.

Australia. Privacy complaints under the Australian Privacy Act may be directed to privacy@moritzlegal.com; if you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner.

Parlai, Inc. (Platform provider, acting as our processor) — 455 Market St, Ste 1940, PMB 231441, San Francisco, California 94105-2448, United States.