Privacy Policy
Last updated: June 10, 2026
Daubert AI, Inc. (“Daubert,” “we,” or “us”) provides a workspace for technical legal cases. This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to our marketing site (dauberts.ai), the application (app.dauberts.ai), and related services (collectively, the “Service”).
Daubert is a B2B service. We act as a processor of personal information that your organization or its customers put into the Service in the course of their work, and as a controller of account and usage information we collect to operate the Service.
1. Information We Collect
1.1 Account information
When you create an account or accept an invitation, we collect your email address, name, organization name, role, profile photo (if your sign-in provider supplies one), and any optional name or note set by the inviter or by you. We use a third-party identity provider (Firebase Authentication) to verify your sign-in.
1.2 Sign-in metadata
We record the method you used to sign in (Google, Microsoft work account, or email code), the time of sign-in, and a unique identifier provided by the identity provider. We do not store your password or any credential from your identity provider.
1.3 Customer Data
When you use the Service, you can upload, link, generate, or otherwise input case information, documents, blockchain addresses, investigation notes, AI prompts, and related content (collectively, “Customer Data”). Customer Data may include personal information about third parties (counterparties, witnesses, subjects of investigation). Your organization is the controller of Customer Data; we process it on your behalf under our Terms of Service.
1.4 Usage and device information
We collect technical information about how you use the Service: pages visited, features used, actions taken (create case, run trace, etc.), IP address, browser type and version, operating system, and approximate location derived from IP. We use this to operate, secure, and improve the Service.
1.5 Communications
When you email us, request a demo, or sign up for updates on our marketing site, we collect your message, your email address, and any information you choose to provide. We use this to respond to you and to follow up about the Service.
1.6 Cookies and similar technologies
We use a small number of cookies and similar local-storage mechanisms to keep you signed in, remember your preferences (such as your active organization), and measure aggregate usage. We do not use cross-site advertising cookies, and we do not sell personal information.
1.7 Wallet and entity labels
Within the Service, you can apply labels and annotations to public blockchain addresses to identify the businesses, protocols, exchanges, or categories they belong to. These labels are paired with the (public) addresses they describe. Daubert may use wallet and entity labels — in aggregate, and excluding labels that on their face contain case-specific personal information — to enrich and improve entity-identification and auto-labeling features across the Service for you and other customers. See Section 4.4 of our Terms of Service for the scope of that use.
1.8 Data room files
Each case includes a data room where members can store case files. Files you upload — or import from Google Drive (see Section 1.9) — are copied into and stored by the Service as Customer Data. For each file we retain its name, content type, size, the member who added it, and the time it was added. We also keep an access log of file uploads, downloads, and deletions (recording the member, the action, and the time) so that case teams can audit who handled case documents.
1.9 Google Drive import
If you choose to import files from Google Drive, we request access under Google’s drive.file scope. This is a per-file scope: it lets the Service access only the specific files you select through Google’s file picker, not your entire Drive. When you confirm a selection, we use a short-lived access token to download those files and copy them into your case data room. We do not store your Google credentials, we do not retain the access token after the import completes, and we do not request ongoing or background access to your Drive. Google Workspace documents (Docs, Sheets, Slides) are exported to standard Office formats (.docx, .xlsx, .pptx) as part of the import; the imported copy is independent of the original in Drive.
Daubert’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We use Google Drive data only to provide the data room import feature you request; we do not use it for advertising, we do not allow humans to read it except as needed to provide or secure the feature or as required by law, and we do not sell it or transfer it to others except as needed to provide the Service.
2. How We Use Information
- Provide and operate the Service: authenticate you, fulfill your requests, sync your data across devices, send transactional messages (sign-in codes, invitation deliveries you trigger, security notices).
- Improve the Service: understand which features are used, identify bugs and performance issues, and prioritize roadmap decisions based on aggregate behavior. We do not use Customer Data to train foundation models.
- Enrich entity labeling: use wallet and entity labels you apply to public blockchain addresses — in aggregate and excluding labels containing case-specific personal information — to improve entity-identification and auto-labeling for you and other customers. See Section 1.7 above and Section 4.4 of our Terms of Service.
- Secure the Service: detect and prevent fraud, abuse, unauthorized access, and other harmful activity. Rate-limit certain endpoints to deter automated abuse.
- Communicate: respond to your support requests, send notices about the Service, and (with your consent or where legally permitted) send periodic product updates. You can opt out of non-essential communications at any time.
- Comply with law: meet our legal, regulatory, and contractual obligations, and respond to lawful requests from authorities.
3. Legal Bases (EEA, UK, and Switzerland)
If the GDPR or a comparable framework applies to you, we rely on the following legal bases:
- Contract — to provide the Service you or your organization requested.
- Legitimate interests — to operate, secure, and improve the Service in ways that do not override your rights.
- Legal obligation — when we are required to retain or disclose information under applicable law.
- Consent — where we ask for it and you choose to give it (for example, certain marketing communications).
4. How We Share Information
We do not sell personal information. We share it only with the following categories of recipients, and only as needed to operate the Service:
4.1 Service providers (sub-processors)
We rely on the following third parties to deliver the Service:
- Google Cloud and Firebase — hosting, database storage, file storage for data room documents, authentication, identity management.
- Microsoft Azure / Entra ID — identity verification when you sign in with a Microsoft account.
- Resend — transactional email delivery (sign-in codes, account notices). Resend processes the recipient email address and message content only to deliver the message.
- Anthropic — AI model inference for features that use generative AI. Customer Data sent to Anthropic is processed under terms that prohibit use of your data to train their foundation models.
- Etherscan and equivalent blockchain explorers — public blockchain data lookups. We send the blockchain address you query; we do not share any other Customer Data.
We require each sub-processor to handle information consistently with this Policy and applicable law, including signing data-processing agreements where required.
4.2 Members of your organization
Within the Service, information you contribute is visible to other members of your organization or case according to their assigned role. Organization administrators can see organization-level membership and invitation history. Case owners and editors can see case-level Customer Data they have been granted access to.
4.3 Legal and safety
We may disclose information when we believe in good faith that disclosure is necessary to comply with a valid legal request, enforce our Terms of Service, protect the rights or safety of Daubert or our users, or investigate suspected fraud or abuse. Where permitted, we will notify the affected customer before disclosing Customer Data in response to a legal request.
4.4 Business transfers
If Daubert is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to standard confidentiality protections and notice obligations.
5. Data Retention
We retain account information for as long as your account is active and for a reasonable period afterward to support business, legal, and audit purposes. Customer Data is retained for as long as your organization’s subscription is active. After termination, your administrator may export Customer Data within a reasonable window; after that, we delete or de-identify it unless legally required to retain it.
One-time sign-in codes expire within five minutes of issuance and are deleted shortly after verification or expiration.
6. Security
We use industry-standard technical and organizational measures to protect information, including encryption in transit (TLS 1.2+), encryption at rest for hosted data, access controls based on the principle of least privilege, audit logging of administrative actions, and ongoing review of our infrastructure providers. No system is perfectly secure; if we become aware of a breach affecting your information, we will notify affected customers without undue delay and as required by law.
7. International Transfers
We are headquartered in the United States and use service providers in the United States and other countries. When personal information is transferred from the EEA, UK, or Switzerland to a country that has not been deemed adequate, we rely on appropriate safeguards (such as Standard Contractual Clauses) and supplementary measures to protect that information.
8. Your Rights and Choices
Depending on your jurisdiction, you may have rights to access, correct, delete, or object to certain processing of personal information about you, to receive a portable copy of your information, or to withdraw consent. You can exercise most of these rights directly from your account settings (updating your name, leaving an organization, signing out). For other requests, email us at hello@dauberts.ai. If we hold information about you as a processor on behalf of your organization, we will refer your request to that organization, which is responsible for responding.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take prompt steps to delete it.
10. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you through the Service or by email to your administrator and update the “Last updated” date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
11. Contact
Questions about this Privacy Policy or our handling of your information? Email us at hello@dauberts.ai.