1. Introduction
FirmFront.ai ("we," "us," or "our") provides an AI-powered client intake and FAQ chatbot platform for law firms. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our services, visit our website, or interact with our platform in any capacity. We are committed to protecting your privacy and handling your data with transparency.
This policy applies to all users of FirmFront.ai, including law firm administrators, team members, and website visitors who interact with FirmFront-powered chatbots embedded on law firm websites.
2. Information We Collect
We collect information necessary to provide our AI-powered client intake services. The types of information we collect depend on how you interact with our platform.
2.1 Account Information (Law Firm Users)
- Name, email address, and password provided during registration
- Firm name, practice areas, and business details provided during onboarding
- Billing information processed by Stripe (we do not store credit card numbers)
- Calendar integration tokens (Google Calendar, Calendly) for booking features
- Team member information added by firm administrators
2.2 Conversation Data (Website Visitors)
- Messages exchanged with the AI chatbot during intake conversations
- Contact information voluntarily provided (names, email addresses, phone numbers)
- Case descriptions and legal matter details shared during intake
- Consent records for data collection and communication
- Conversation ratings and feedback
2.3 Automatically Collected Information
- IP addresses and browser user agent strings (for security and abuse prevention)
- Pages visited and features used within the dashboard
- System logs and error reports for service reliability
3. How We Use Information
We use collected information for the following purposes:
- Service delivery: Operating the AI chatbot, processing intake conversations, scoring leads, and routing inquiries to the appropriate practice area
- Calendar booking: Checking availability and creating appointments on connected calendars
- Analytics: Providing law firms with conversation metrics, lead quality reports, and intake performance data
- Notifications: Sending email alerts for new leads, appointment reminders, and system notifications
- Service improvement: Analyzing aggregate usage patterns to improve AI accuracy and platform reliability
- Security: Detecting and preventing fraud, abuse, and unauthorized access
We do not sell personal data to third parties. We do not use conversation data to train AI models. Each firm's data is strictly isolated and used solely to provide services to that firm.
4. Data Protection & Encryption
We implement multiple layers of security to protect your data:
- Encryption at rest: Personally identifiable information (PII), including client names, email addresses, and phone numbers, is encrypted using AES-256-GCM with per-field encryption keys
- Encryption in transit: All data transmitted between clients and servers is protected by TLS 1.2 or higher
- Multi-tenant isolation: Every database query is scoped to a specific firm identifier, ensuring complete data separation between firms
- Access controls: Role-based access control (RBAC) with granular permissions for firm owners, administrators, and team members
- Audit logging: All administrative actions and data access events are recorded in an immutable audit log
5. Data Retention
Conversation data is retained according to each firm's configured retention period, which can be set between 30 days and 2 years. Firms can configure their retention period in the dashboard settings.
Upon account deletion, personal data is soft-deleted immediately (removed from active queries) and permanently erased from all systems after 30 days. This grace period allows account recovery if the deletion was accidental.
Aggregate, anonymized analytics data (conversation counts, response times) may be retained indefinitely as it cannot be linked to any individual.
6. Third-Party Services
We use the following third-party services to operate our platform:
- Stripe: Payment processing. Stripe handles all credit card data directly; we never store card numbers. See Stripe's Privacy Policy.
- Google Calendar / Calendly: Calendar integration for appointment booking. Access is granted via OAuth and can be revoked at any time.
- AI language models: We use AI language models to power the chatbot. Conversation data sent to AI providers is not used for model training and is subject to the provider's data processing agreements.
- Email delivery: Transactional emails (notifications, reminders) are sent through our email infrastructure.
7. Cookies & Tracking
FirmFront.ai uses essential cookies only. We use a session cookie to maintain your authentication state when logged into the dashboard. We do not use advertising cookies, tracking pixels, or third-party analytics on our marketing pages.
The embeddable chat widget uses a session identifier stored in the browser to maintain conversation continuity. This identifier is automatically cleared when the browser session ends.
8. Your Rights (GDPR & CCPA)
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right to access: Request a copy of all personal data we hold about you
- Right to rectification: Request correction of inaccurate personal data
- Right to erasure: Request deletion of your personal data ("right to be forgotten")
- Right to data portability: Export your data in a machine-readable format (JSON)
- Right to restrict processing: Request that we limit how we use your data
- Right to object: Object to the processing of your personal data for specific purposes
Law firm administrators can exercise data access, export, and deletion rights directly through the dashboard settings under the GDPR section. Website visitors who interacted with a FirmFront-powered chatbot can request data access or deletion by contacting the law firm directly or by emailing us at privacy@firmfront.ai.
We respond to all data rights requests within 30 days, as required by GDPR. For CCPA requests, we will not discriminate against you for exercising your privacy rights.
9. Children's Privacy
FirmFront.ai is a business-to-business service designed for law firms. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.
11. Contact
For privacy-related inquiries, data access requests, or concerns about how we handle your information, contact us at privacy@firmfront.ai.