How Vinny Protects Your Legal Documents and Data

Vinny Security Team

At Vinny, we understand that legal documents contain some of your most sensitive information. Whether you're reviewing contracts, drafting agreements, or managing your document repository, you need absolute confidence that your data is secure.

We've built Vinny from the ground up with security and privacy as core principles, not afterthoughts. This post explains exactly how we protect your information and what measures we've put in place to earn your trust.

Our Security Commitment

Your data is yours. We don't sell it, we don't share it without your permission, and we protect it like it's our own (in fact, we treat it even better than that).

How We Secure Your Data

1. Bank-Level Encryption

Encryption in Transit: Every single interaction with Vinny uses industry-standard HTTPS/TLS encryption. This means:

  • Your documents are encrypted when traveling between your device and our servers
  • Your conversations with the AI are encrypted
  • No one who intercepts your traffic can read your data in transit

Encryption at Rest: All your documents are stored using Google Cloud's enterprise-grade encryption:

  • AES-256 encryption standard (the same used by banks)
  • Your data is encrypted before it touches the disk
  • Encryption keys are managed by Google Cloud's secure key management system

2. Strong Authentication

We use Firebase Authentication, a trusted Google service used by millions of applications:

Sign-in Options:

  • Google Sign-In (OAuth 2.0)
  • Email and password with secure hashing
  • Automatic session management with short-lived tokens
  • No passwords stored in plain text (ever)

What This Means for You:

  • Your account can't be accessed without your credentials
  • Sessions automatically expire for security
  • Two-factor authentication available through your Google account

3. Strict Data Isolation

Your data is completely isolated from other users:

How It Works:

  • Every user gets their own secure data compartment
  • Your documents, chats, and projects are tied exclusively to your user ID
  • Our database security rules prevent any user from accessing another user's data
  • Even our administrators can't accidentally access your data without proper authorization

Repository & Projects:

Your Data Structure:
└── Your User Account
    ├── Your Projects
    ├── Your Documents
    ├── Your Chats
    └── Your Attachments

Each folder is locked to your account only.

4. Secure Document Processing

Upload Security:

  • Only specific file types accepted (PDF, DOCX, TXT)
  • File validation before processing
  • Virus and malware scanning (planned)
  • No executable files allowed

Storage Security:

  • Documents stored in Google Cloud Storage with robust security
  • Each document gets a unique, unguessable identifier (UUID)
  • Access controls prevent unauthorized downloads
  • Optional signed URLs with expiration for sensitive documents

5. AI Integration Done Right

How We Work with OpenAI: We use OpenAI's GPT models to power Vinny's legal research capabilities. Here's what happens with your data:

What We Send:

  • Your questions and prompts
  • Document content you choose to attach
  • Context from your chat history

What We DON'T Send:

  • Your email address or personal information
  • Documents you haven't explicitly attached
  • Data from other users

OpenAI's Commitments:

  • OpenAI doesn't use API data to train models (per their policy)
  • Data is processed and not stored long-term
  • Industry-standard security and encryption

Your Control:

  • You choose what to share in each conversation
  • You can clear your chat history anytime
  • Attachments are only included when you explicitly add them

6. Document Signing with Complete Audit Trails

Our electronic signature feature includes enterprise-grade audit logging:

Every Signature Includes:

  • Cryptographically random signature ID
  • Timestamp of signing action
  • Signer's email address
  • IP address and browser information
  • Full audit trail of document views

Audit Trail Events:

  • When signing request was sent
  • When recipient viewed the document
  • When document was signed or declined
  • If the signing link expired

Security Features:

  • Signing links expire after a set time
  • One-time use tokens (can't be reused)
  • Documents are cryptographically sealed when signed
  • Tamper-evident signatures

šŸ›”ļø What We Do With Your Data

We Use Your Data To:

✅ Provide legal research assistance
✅ Process and store your documents
✅ Generate embeddings for document search
✅ Improve your experience with Vinny
✅ Send transactional emails (e.g., signing notifications)

We Do NOT:

āŒ Sell your data to third parties
āŒ Use your documents to train AI models
āŒ Share your data with advertisers
āŒ Read your documents (except when processing them for you)
āŒ Keep your data longer than necessary

📊 Privacy-First Analytics

We collect minimal analytics to improve Vinny:

What We Track:

  • Feature usage (which parts of Vinny you use)
  • Error rates (to fix bugs)
  • Performance metrics
  • Email domain (e.g., "@company.com") for business insights

What We DON'T Track:

  • Full email addresses in analytics
  • Document content
  • Specific legal questions
  • Personal conversations

Your Analytics Data:

  • Anonymous by default
  • Used only for product improvement
  • Never sold or shared
  • Aggregated for reporting

šŸŒ Compliance & Standards

GDPR Compliance (EU Users)

We respect your rights under GDPR:

Your Rights:

  • Right to Access: See what data we have about you
  • Right to Rectification: Correct any inaccurate data
  • Right to Erasure: Request deletion of your data
  • Right to Portability: Export your data
  • Right to Object: Opt out of certain processing

How to Exercise Your Rights: Contact us at contact@vinnypro.ai with your request. We'll respond within 30 days.

CCPA Compliance (California Users)

California users have additional rights:

  • Right to know what data we collect
  • Right to delete your data
  • Right to opt out of data "sales" (we don't sell data anyway)
  • Right to non-discrimination

Security Standards

Our infrastructure aligns with:

  • SOC 2 principles (through Google Cloud/Firebase)
  • ISO 27001 (Google Cloud certified)
  • Industry best practices for SaaS security

🔒 Access Controls

Who Can Access Your Data?

You:

  • Full access to all your data
  • Can export and delete anytime
  • Control over sharing and collaboration

Authorized Support Staff:

  • Access only with your explicit permission
  • Limited to troubleshooting specific issues
  • All access logged and audited

System Operations:

  • Automated backups (encrypted)
  • Automated security monitoring
  • No human access without authorization

Third Parties:

  • OpenAI: Only prompts you send and documents you attach
  • Google Cloud: Infrastructure provider (encrypted data only)
  • No one else

Admin Access

Some Vinny team members (@system1.com) have admin access for:

  • System monitoring and maintenance
  • Aggregate analytics (no individual user data)
  • Security incident response

Admin Restrictions:

  • Cannot access individual user documents
  • Cannot view chat histories
  • All admin actions are logged
  • Least-privilege access principle

🚨 Security Incident Response

If We Detect a Breach:

  1. Immediate containment and investigation
  2. Notification to affected users within 72 hours
  3. Detailed incident report
  4. Steps taken to prevent recurrence
  5. Assistance with protective measures

We Monitor For:

  • Unauthorized access attempts
  • Unusual data access patterns
  • Security vulnerabilities
  • System anomalies

šŸ” Best Practices for You

While we secure our systems, here's how you can stay safe:

1. Protect Your Account

  • Use a strong, unique password
  • Enable two-factor authentication (via Google)
  • Never share your login credentials
  • Log out on shared devices

2. Handle Documents Carefully

  • Only upload documents you're authorized to share
  • Review documents before attaching to chat
  • Use the signing feature for sensitive agreements
  • Delete documents when no longer needed

3. Be Cautious with Sharing

  • Don't include sensitive personal information in chat unless necessary
  • Remember that AI responses are generated, not legal advice
  • Verify important information with a qualified attorney

4. Keep Software Updated

  • Use the latest browser version
  • Keep your operating system updated
  • Install security patches promptly

šŸ¤ What Vinny Does NOT Do

Let's be crystal clear about what we don't do:

We Are NOT a Law Firm

  • We don't provide legal advice
  • We don't create attorney-client relationships
  • We're a research tool, not a lawyer

We Do NOT:

  • Train AI models on your documents
  • Share your data with other AI companies
  • Read your documents for purposes other than serving you
  • Sell your data to anyone
  • Store payment information (handled by payment processors)

📞 Security Questions or Concerns?

We take security seriously and want to hear from you:

Report a Security Issue: Email: contact@vinnypro.ai
Response time: Within 24 hours for security issues

General Privacy Questions: Email: contact@vinnypro.ai
Response time: Within 3 business days

Data Requests (GDPR, CCPA): Email: contact@vinnypro.ai with "Data Request" in subject
Response time: Within 30 days

šŸ” Transparency & Trust

Regular Security Audits

  • Internal security reviews every quarter
  • External penetration testing annually
  • Continuous vulnerability scanning
  • Immediate patching of critical issues

Open Communication

  • This blog post will be updated as we improve security
  • We'll notify users of major security enhancements
  • Transparency in how we handle your data

Bug Bounty Program

Coming soon! We'll reward security researchers who help us identify vulnerabilities responsibly.

📚 Additional Resources

Security Policies:

  • Privacy Policy (link to be added)
  • Terms of Service (link to be added)
  • Data Processing Agreement (available on request)

🚀 Our Commitment Moving Forward

Security and privacy aren't one-time achievements, they're ongoing commitments. As Vinny grows, we will:

Short-term (Next 30 Days):

  • Implement API rate limiting
  • Add enhanced file validation
  • Set up advanced monitoring and alerting

Medium-term (Next 90 Days):

  • Add data export functionality for users
  • Implement user-initiated data deletion
  • Enhanced encryption options for sensitive documents

Long-term (Next 6 Months):

  • Pursue formal SOC 2 Type II certification
  • Regular third-party security audits
  • Continuous security enhancements based on industry best practices

💙 Thank You for Your Trust

Choosing to use Vinny with your legal documents is a significant trust decision. We don't take that lightly. Every day, we work to earn and maintain that trust through:

  • Transparent security practices
  • Industry-leading encryption and access controls
  • Respect for your privacy and data rights
  • Continuous improvement and monitoring
  • Responsive support for security concerns

Your legal documents deserve the best protection, and we're committed to providing it.


Last Updated: November 20, 2025
Version: 1.0


Vinny AI - Your Trusted Legal Research Assistant

Disclaimer

This content is for informational purposes only and does not constitute legal advice. Vinny AI is not a law firm and does not provide legal services. For specific legal questions, please consult with a licensed attorney.
