Data Handling & Data Processing Addendum
Last updated: June 4, 2026
This page explains plainly what PocketPart does and does not do with your data, and sets out DPA-style processing terms. It supplements the Terms of Service and forms part of the agreement between 76 Analytics, Inc. (“Processor,” “we”) and the customer Organization (“Controller,” “you”). Where it conflicts with a signed agreement between your Organization and 76 Analytics, the signed agreement controls.
1. Roles
For most data you put into PocketPart, you are the controller and we are the processor, processing personal data only on your documented instructions (your configuration and use of the Service). For our own account administration, security, billing, and analytics, we act as a controller for the limited data described in our Privacy Policy. Upstream Sources you query are independent providers of their own data.
2. Sub-processors
We will give notice of new or replacement sub-processors and a reasonable opportunity to object before they begin processing your personal data.
| Name | Purpose | Data | Location |
|---|---|---|---|
| Supabase | Postgres database + authentication | Account, org, membership, API-key/OAuth hashes, usage metadata, audit log, encrypted PACER credentials | United States |
| Stripe | Payments & subscription billing | Payment/billing details, customer & subscription state | United States / global |
| Vercel | Hosting + Analytics + Speed Insights | Request/technical data; aggregate, cookieless usage analytics | United States / global edge |
| Sentry | Error & performance monitoring | Diagnostic/error context (may include org/user identifiers) | United States |
| Resend | Transactional & authentication email | Recipient email address + email content | United States |
| Vercel KV (Upstash) | Ephemeral transport/session state for the SSE connection | Transient connection/session data | United States / global edge |
| OpenAI | Text embeddings for semantic-search tools (U.S. Code, MPEP, federal rules, templates) | Your natural-language search query for those tools | United States |
| Mistral AI | OCR text extraction for requested patent/court PDFs (USPTO & EPO read-document tools) | The document you ask us to read | European Union |
| CourtListener / RECAP | Case law, dockets, documents | Your query content for those tools | United States |
| USPTO Open Data Portal | U.S. patent data | Your query content for those tools | United States |
| EPO Open Patent Services | European patent/register data | Your query content for those tools | European Union |
| WIPO (World Intellectual Property Organization) | International trademark register (Madrid Monitor) | Your query content for those tools (search terms, mark text, holder names, registration numbers) | Switzerland |
| Cornell LII | Federal rules | Your query content for those tools | United States |
| govinfo & eCFR (U.S. GPO / OFR) | U.S. Code, MPEP, Code of Federal Regulations | Your query content for those tools | United States |
| SEC EDGAR (sec.gov) | Public company filings, registrant profiles, full-text filing search | Your query content for those tools (company names, tickers, search terms) | United States |
| FINRA BrokerCheck (brokercheck.finra.org) | Broker & brokerage-firm registration, licensing, and disclosure records | Your query content for those tools (broker/firm names, CRD numbers) | United States |
| Delaware Division of Corporations (icis.corp.delaware.gov) | Delaware business-entity registry lookup (name search + entity record) | Your query content for those tools (entity names, Delaware file numbers) | United States |
| Consolidated Screening List (trade.gov / ITA) | Sanctions & restricted-party screening (OFAC SDN + 12 other federal lists) | Screened party names and optional address/country filters (never persisted by us) | United States |
| SAM.gov (U.S. General Services Administration) | Federal contractor registrations, exclusions/debarment screening & contract opportunities | Your query content for those tools (entity names, UEI/CAGE codes, screened party names — never persisted by us) | United States |
| USAspending.gov (U.S. Department of the Treasury) | Historical federal award & spending data (contracts, grants, loans) | Your query content for those tools (recipient names, identifiers, agency/NAICS filters) | United States |
| Federal Register (federalregister.gov) | Federal rulemakings, notices & agency documents | Your query content for those tools | United States |
| CFPB (consumerfinance.gov) | CFPB enforcement actions & the Consumer Complaint Database | Your query content for those tools (company names, search terms, filters) | United States |
| UK Companies House | UK corporate register: company profiles, officers, filing history, beneficial ownership (PSC), charges | Your query content for those tools (company names, company numbers) | United Kingdom |
| NCBI (PubMed / PMC, U.S. National Library of Medicine) | Biomedical literature search & full-text retrieval (prior-art tools) | Your query content for those tools (search terms, PMIDs, PMC IDs) | United States |
| OpenAlex (OurResearch) | Scholarly literature search & citation graph (academic prior-art tools) | Your query content for those tools (search terms, paper ids, DOIs) | United States |
| Semantic Scholar (Allen Institute for AI) | Scholarly literature search & citation graph (academic prior-art tools) | Your query content for those tools (search terms, paper ids, DOIs) | United States |
| arXiv (Cornell University) | Preprint search & retrieval (prior-art tools) | Your query content for those tools (search terms, arXiv ids) | United States |
| bioRxiv / medRxiv (Cold Spring Harbor Laboratory) | Biology & health-sciences preprint search & retrieval (prior-art tools) | Your query content for those tools (search terms, DOIs) | United States |
| ChemRxiv (American Chemical Society / Cambridge Open Engage) | Chemistry preprint search & retrieval (prior-art tools) | Your query content for those tools (search terms, item ids, DOIs) | United States / global |
| ClinicalTrials.gov (U.S. National Library of Medicine, NIH) | Clinical-trial registry search & retrieval (prior-art tools) | Your query content for those tools (condition/drug/sponsor terms, NCT numbers) | United States |
| SerpApi, LLC | Google Patents search/retrieval proxy (google_patents_* tools; bring-your-own key) | Patent search queries and publication identifiers, plus your own SerpAPI key in transit (never logged) | United States |
| U.S. state business registries (California SOS, New York DOS via data.ny.gov, Texas Comptroller of Public Accounts) | State business-entity / Secretary of State records (state_sos_* tools) | Your query content for those tools (entity names, state file numbers, taxpayer numbers) | United States |
| Exa | Web search | Your search query | United States |
| PACER | U.S. federal court records (BYO credentials) | Your query + your PACER login | United States |
3. What we store vs. what we do NOT store
We store: account, organization, and membership records; one-way hashes of API keys, OAuth tokens, and invite tokens (never the plaintext secret); encrypted BYO PACER credentials; usage metadata for each tool call (tool name, outcome, duration, calling-key identifier, timestamps); billing state from Stripe; and an append-only audit log of account, membership, plan, and billing changes.
We do NOT store: the substance of your legal queries — search terms, party names, docket numbers, claim text, prompts, or the content the tools return (query content is transmitted to the relevant Upstream Source to fulfill the request and is not retained in our usage records); full API keys or OAuth secrets (only hashes); plaintext PACER credentials at rest (only AES-256-GCM ciphertext); payment card numbers (held by Stripe); or any data used to train AI models — we do not do this.
4. Retention
- Account/org/membership: retained for the life of the account, then deleted within 30–90 days after the account is deleted.
- Usage metadata: rolling 13-month window.
- Audit logs: up to 24 months.
- Encrypted PACER credentials: until cleared by an owner or the org is deleted.
- Billing records: as required for tax/accounting (commonly up to 7 years, partly via Stripe).
- Backups: retained for a limited additional period beyond the schedules above before they rotate out.
5. Security & encryption
- TLS for all data in transit.
- HMAC-SHA256 one-way hashing of API keys, OAuth secrets, and invite tokens, using server-side peppers.
- AES-256-GCM reversible encryption for BYO PACER credentials, keyed independently from the hashing peppers (separate blast radii); a tampered ciphertext fails to decrypt rather than returning garbage.
- Row-Level Security isolates each Organization’s data; role-based access (owner/admin/member) governs what each member can see and do.
- Least-privilege service access, audit logging, and error monitoring.
6. Data subject requests
We will assist you, taking into account the nature of processing, in responding to data-subject requests (access, correction, deletion, portability, objection). Much of this is self-service in the dashboard (editing org/member data, revoking keys, exporting usage, deleting an account). For anything else, contact support@pocketpart.io.
7. BYO PACER credential handling
Because PACER requires us to authenticate as you to fetch records, your PACER username and password cannot be one-way hashed — they must be recoverable. Therefore they are stored encrypted with AES-256-GCM, per-field with a fresh random IV, on your Organization record; decrypted only in the server-side request path at the instant a PACER fetch runs (or in an owner-only dashboard action), never returned to the client and never logged; settable only by an organization owner on a plan with BYO enabled (Solo or Firm); and clearable at any time. The dashboard shows only “configured / last updated,” never the values. PACER bills your account directly; PocketPart adds no markup.
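As an added illustration of the two controls described in sections 5 and 7 (one-way HMAC-SHA256 hashing of API keys under a server-side pepper, and per-field AES-256-GCM encryption of BYO PACER credentials with a fresh random nonce and tamper rejection), here is example code in Go. It is not PocketPart's own implementation; the function names, the in-memory key material and the sample secrets are all constructed for the example. It assumes the hashing pepper and the encryption key are two independent 32-byte secrets held only on the server, never in the database row they protect.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// hmacDigest is the raw HMAC-SHA256 of secret under the server-side pepper.
func hmacDigest(pepper, secret []byte) []byte {
	mac := hmac.New(sha256.New, pepper)
	mac.Write(secret)
	return mac.Sum(nil)
}

// HashSecret returns the hex digest stored in place of an API key, OAuth
// token or invite token. Without the pepper a leaked row cannot be
// brute-forced offline, and the plaintext secret is never written anywhere.
func HashSecret(pepper, secret []byte) string {
	return hex.EncodeToString(hmacDigest(pepper, secret))
}

// VerifySecret recomputes the digest for a presented secret and compares it
// to the stored digest in constant time.
func VerifySecret(pepper, presented []byte, storedHex string) bool {
	stored, err := hex.DecodeString(storedHex)
	if err != nil {
		return false
	}
	return hmac.Equal(stored, hmacDigest(pepper, presented))
}

// newGCM builds an AES-256-GCM AEAD; any key length other than 32 bytes is
// rejected so a misconfigured key cannot silently downgrade to AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("encryption key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one credential field (username or password separately)
// under a fresh random 96-bit nonce. Output is nonce || ciphertext || tag, so
// each stored field carries its own nonce and nonces are never reused.
func EncryptField(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptField reverses EncryptField. GCM authenticates the ciphertext, so a
// modified or truncated blob yields an error, never garbage plaintext.
func DecryptField(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed secrets: in a deployment these come from the server
	// environment, are generated independently, and are never stored together.
	pepper := make([]byte, 32)
	encKey := make([]byte, 32)
	rand.Read(pepper)
	rand.Read(encKey)

	// API key: only the peppered hash is persisted.
	apiKey := []byte("pp_live_constructed_example_key")
	stored := HashSecret(pepper, apiKey)
	fmt.Println("stored hash:", stored, "verify:", VerifySecret(pepper, apiKey, stored))

	// BYO PACER credentials: each field sealed on its own with its own nonce.
	encUser, _ := EncryptField(encKey, []byte("pacer_demo_user"))
	encPass, _ := EncryptField(encKey, []byte("constructed-password"))
	user, _ := DecryptField(encKey, encUser)
	fmt.Println("decrypted username:", string(user), "password bytes stored:", len(encPass))

	// Tampering: flip one bit of the stored password ciphertext.
	encPass[len(encPass)-1] ^= 0x01
	if _, err := DecryptField(encKey, encPass); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}
}
```

The dashboard-facing record would hold only the two ciphertext blobs plus a "last updated" timestamp; a hashing pepper leak does not expose the PACER credentials, and an encryption-key leak does not expose API keys, which is the separation of blast radii section 5 describes.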
8. Breach notification
If we become aware of a personal-data breach affecting your data, we will notify you without undue delay (and, where applicable, within 72 hours of becoming aware), with the information you reasonably need to meet your own notification obligations, and we will cooperate on investigation and remediation.
9. Deletion on termination
On termination, or on your request, we will delete or return your personal data within a commercially reasonable period (targeting 30–90 days), except data we must retain by law (e.g. billing/tax records) or that persists transiently in rotating backups. Account deletion is self-service, subject to the safeguard that a sole owner of an organization with other members or active billing must first transfer ownership or cancel billing.
10. Compliance posture (SOC 2)
PocketPart is not yet SOC 2 certified. We operate with controls aligned to recognized security practices — encryption in transit and at rest, RLS-based tenant isolation, least-privilege access, audit logging, and monitoring — and intend to pursue formal attestation as the product matures. We will update this section when our status changes.