Privacy Policy

1. Who We Are

Auris, Inc. ("Auris," "we," "us," or "our") is a legal technology company incorporated in the United States. Our principal place of business is New York, New York. We operate the Auris AI-powered discovery review platform, accessible at oneauris.com and associated subdomains (the "Service").

Questions regarding this Privacy Policy may be directed to: team@oneauris.com

2. Scope of This Policy

This Privacy Policy governs the collection, use, storage, and disclosure of information by Auris in connection with: (a) visitors to our public website at oneauris.com; (b) clients and authorized users of the Auris platform; and (c) individuals who submit information through our contact or demo request forms.

This Policy does not apply to third-party websites linked from our Service. We are not responsible for the privacy practices of those third parties.

3. Information We Collect

3.1 Information You Provide Directly

• Contact and demo request submissions: Name, email address, firm name, firm size, and any message content you provide through our forms.
• Account registration: Name, email address, law firm affiliation, bar state, and account credentials.
• Billing information: We do not store full payment card numbers. Payment processing is handled by third-party providers (currently Stripe) who maintain their own PCI-compliant infrastructure. We retain billing records including payment confirmations, amounts, and dates.
• Client-uploaded documents: Legal documents, emails, and associated materials uploaded to the platform for discovery review. These are referred to as "Client Data" throughout this Policy.
• Communications with us: Records of correspondence, support requests, and service-related communications.

3.2 Information Collected Automatically

• Log data: IP address, browser type, operating system, referring URLs, pages viewed, and time and date of access.
• Usage data: Feature interactions, document processing activity, classification overrides, and export events within the platform.
• Cookies and similar technologies: We use strictly necessary session cookies required for platform operation, and optional analytics cookies with your consent. We do not serve advertising cookies. See Section 9 for full cookie details.

3.3 Information We Do Not Collect

We do not collect: biometric data, protected health information under HIPAA (unless you separately engage us for a HIPAA-covered service), social security numbers, government-issued identification numbers, or minors' personal information. The Service is intended solely for legal professionals and is not directed to individuals under 18.

4. How We Use Your Information

4.1 To Provide the Service

• Authenticating your identity and authorizing access to your account and matter files
• Processing and classifying Client Data for relevance and privilege as instructed by you
• Generating and delivering review outputs and export files
• Maintaining audit trails required for defensible discovery review
• Responding to support requests and troubleshooting technical issues

4.2 To Operate and Improve the Service

• Monitoring system performance, uptime, and security
• Analyzing aggregate and anonymized usage patterns to improve product features
• Billing and payment processing
• Communicating service updates, maintenance windows, and security notices

4.3 What We Will Never Do With Your Data

• We will never sell your personal information or Client Data to any third party.
• We will never use your Client Data (uploaded documents) to train, fine-tune, or improve any AI or machine learning model, including our own classification systems.
• We will never share Client Data with other Auris clients.
• We will never use your Client Data for any purpose other than providing the discovery review Service you have contracted for.

5. Legal Basis for Processing (Where Applicable)

For clients and users in jurisdictions that require a stated legal basis for processing personal data, we rely on the following bases:

• Contract performance: Processing necessary to provide the Service pursuant to our Terms of Service.
• Legitimate interests: Security monitoring, fraud prevention, system improvement using aggregated data, and business communications.
• Consent: Optional analytics cookies and non-essential marketing communications, with the ability to withdraw consent at any time.
• Legal obligation: Compliance with applicable law, court order, or regulatory requirement.

6. Client Data and Attorney-Client Privilege

Auris understands that Client Data may include materials protected by attorney-client privilege, the work product doctrine, or other applicable privileges. We treat all Client Data as presumptively confidential regardless of its ultimate classification within our system.

Auris does not review Client Data for any purpose other than performing the classification services you have requested. Access to Client Data by Auris personnel is limited to technical support scenarios and only with your express authorization or when required to diagnose a system error affecting your account.

You retain all ownership rights to Client Data at all times. Auris claims no intellectual property rights over Client Data. Our access to Client Data constitutes a limited, revocable license solely to operate the Service.

7. Data Sharing and Third-Party Processors

We do not sell, rent, or trade personal information or Client Data. We share information only as follows:

• Service providers (sub-processors): We engage select third parties to help operate the Service. These sub-processors are contractually prohibited from using your data for any purpose other than providing services to Auris. Current sub-processors include cloud infrastructure providers (US-based), payment processors, and AI model providers used solely for classification inference on your documents.
• Legal compliance: We may disclose information if required by applicable law, subpoena, court order, or other legal process, subject to our obligations to notify you to the extent permitted by law.
• Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will provide notice and, where required, obtain your consent prior to any such transfer.
• With your consent: For any other disclosure with your prior written authorization.

8. Data Retention and Deletion

We retain Client Data for the duration of your active subscription plus 30 days, after which it is permanently deleted from our systems and sub-processors unless you request earlier deletion or extended retention in writing.

Account information and billing records are retained for seven years following termination to comply with applicable tax and financial record-keeping obligations.

Anonymized and aggregated usage data (which cannot be used to identify you or your clients) may be retained indefinitely for service improvement purposes.

You may request deletion of your personal information and Client Data at any time by emailing team@oneauris.com. We will confirm deletion within 30 days.

9. Cookies and Tracking Technologies

We use the following categories of cookies:

• Strictly necessary cookies: Required for platform authentication and session management. Cannot be disabled without breaking the Service.
• Analytics cookies (optional, consent-based): We may use privacy-respecting analytics to understand aggregate usage patterns. You can opt out at any time through your account settings or by contacting us.

We do not use advertising, retargeting, or third-party tracking cookies on any page that requires authentication.

10. Data Security

We implement and maintain commercially reasonable technical and organizational security measures, including:

• Encryption of Client Data in transit (TLS 1.2 or higher) and at rest (AES-256)
• Per-client data isolation at the storage layer
• US-only data residency for all Client Data
• Role-based access controls limiting internal access to Client Data
• Audit logging of all access events within the platform
• Regular security reviews and a SOC 2-aligned security framework

No method of transmission or storage is 100% secure. In the event of a data breach affecting your personal information or Client Data, we will notify you in accordance with applicable law and as promptly as practicable, and in any event within 72 hours of discovering a breach involving personal data where required by law.

11. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

• Access: Request a copy of personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to legal retention obligations.
• Portability: Request your personal information in a structured, machine-readable format.
• Objection and restriction: Object to or request restriction of processing in certain circumstances.
• Opt-out of marketing: Unsubscribe from marketing communications at any time using the link in any marketing email or by contacting us directly.

To exercise any of these rights, contact us at team@oneauris.com. We will respond within 30 days. We do not charge fees for reasonable requests.

12. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act. Auris does not sell or share (as defined by CCPA/CPRA) personal information. California residents may submit rights requests as described in Section 11 and may not be discriminated against for exercising their privacy rights.

13. International Transfers

Auris processes and stores all Client Data exclusively within the United States. Personal information of visitors and users located outside the United States is transferred to and processed in the United States. By using the Service, users outside the United States acknowledge that their information will be processed in a jurisdiction with potentially different data protection standards than their home jurisdiction.

14. Children's Privacy

The Service is intended exclusively for legal professionals and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected personal information from a minor, we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email at least 14 days before taking effect. The date of the most recent revision is indicated at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16. Contact

For questions, concerns, or rights requests related to this Privacy Policy:

Auris, Inc.
New York, NY
Email: team@oneauris.com