
Privacy Policy

Last updated: June 4, 2026

PocketPart (“PocketPart,” “we,” “us”) is a hosted Model Context Protocol (MCP) server that gives legal practitioners access to legal-research tooling from inside their AI client. PocketPart is operated by 76 Analytics, Inc. This policy explains what personal data we collect, why, the legal bases we rely on, who we share it with, how long we keep it, and the rights you have. Questions: support@pocketpart.io.

1. Scope

This policy covers the PocketPart service at pocketpart.io and its subdomains (including the MCP endpoint at mcp.pocketpart.io, the customer dashboard, and the marketing and documentation site). It does not cover third-party services you connect to PocketPart, or the upstream legal-data providers whose data you query through the service (each has its own privacy practices — see Section 5). 76 Analytics is the controller for account, billing, security, and operational data, and a processor acting on your organization’s instructions for the content and usage your organization puts into the service (see our Data Handling & DPA page for the breakdown).

2. The data we collect

We collect only what we need to run the service. We do not sell personal data, and we do not use your legal-research activity to train AI models.

  • Account information. Your email and authentication credentials (a password stored only as a salted hash by our auth provider, or a magic-link/OAuth identity). If you sign in through an identity provider, we receive the basic profile it returns.
  • Organization & membership data. Your organization’s name and billing email, your role (owner, admin, or member), invitations, and any per-member pack restrictions or tool preferences.
  • API keys & connection metadata. We store a one-way HMAC-SHA256 hash of each API key plus a short redacted prefix and label — never the full key, which is shown once at creation. For OAuth connections (e.g. Claude.ai) we store hashed tokens, the connected app, and a last-used timestamp.
  • Usage & request metadata. For each tool call we record metadata only — tool name, outcome, duration, the calling key’s identifier, and timestamps. We do not store the substance of your queries (search terms, party names, docket numbers, prompts) or the content the tools return.
  • Bring-your-own credentials (PACER). If you use PACER-backed tools, an owner can store the organization’s PACER login. It is encrypted at rest with AES-256-GCM and decrypted only in the server-side request path at the moment a fetch runs — never returned to the client, never logged.
  • Billing information. Paid plans are processed by Stripe, which stores your card and billing details directly; we store only the non-sensitive state Stripe reports back (customer ID, plan, seat count, subscription status, billing email).
  • Support correspondence and technical/diagnostic data (IP, timestamps, user-agent, error context) processed by our hosting and monitoring providers to operate, secure, and debug the service.

3. How we use your data

  • Create and administer your account and authenticate requests.
  • Provide the MCP tooling — routing tool calls to the right upstream sources and returning results.
  • Enforce plan entitlements, request limits, and access controls.
  • Process payments and manage subscriptions and seats (via Stripe).
  • Show usage analytics and produce billing/metering signals.
  • Maintain security, detect and investigate abuse, and keep an audit trail of account, membership, plan, and billing changes.
  • Respond to support requests and send essential service notices.
  • Comply with legal obligations and enforce our Terms and AUP.

We do not use your data for advertising, and we do not use your queries or results to train machine-learning models.

4. Legal bases (EEA/UK)

Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the service), legitimate interests (security, abuse and fraud prevention, audit logs, error monitoring, privacy-protective analytics), legal obligation (tax, accounting), and consent where we ask for it (withdrawable at any time).

5. Sharing and sub-processors

We share personal data with service providers that help us run PocketPart and with upstream legal-data providers that fulfill your queries. We do not sell personal data or share it for cross-context behavioral advertising. Infrastructure sub-processors: Supabase (database + authentication), Stripe (payments), Vercel (hosting + cookieless analytics), Sentry (error monitoring), and Resend (transactional & auth email). When you invoke a tool, your query is transmitted to the relevant upstream provider to fulfill it: CourtListener/RECAP, USPTO, EPO, WIPO (Madrid Monitor), Cornell LII, govinfo, the Federal Register, the eCFR, SEC EDGAR, FINRA BrokerCheck, the Delaware Division of Corporations (icis.corp.delaware.gov), the Consolidated Screening List (trade.gov), the CFPB (consumerfinance.gov), SAM.gov (GSA), USAspending.gov (Treasury), UK Companies House, NCBI (PubMed/PMC), OpenAlex (OurResearch), Semantic Scholar (Allen Institute for AI), arXiv (Cornell University), bioRxiv / medRxiv (Cold Spring Harbor Laboratory), ChemRxiv (American Chemical Society / Cambridge Open Engage), ClinicalTrials.gov (NIH/NLM), SerpApi (Google Patents, with your own key), U.S. state business registries (California Secretary of State, New York Department of State via data.ny.gov, and the Texas Comptroller of Public Accounts), Exa, and PACER (with your own credentials). Some tools rely on additional processors to function: semantic-search tools send your search query to OpenAI to generate embeddings, and document-reading tools send the requested PDF to Mistral for OCR. A full list with purposes and locations is in our Data Handling & DPA page. We may also disclose data when required by law or in connection with a merger or acquisition (with notice where required).

6. Data retention

  • Account, org, and membership data — for the life of your account, deleted within 30–90 days of deletion.
  • API key & OAuth records — until revoked or your account is deleted; OAuth refresh tokens expire on a 90-day sliding window.
  • Encrypted PACER credentials — until an owner clears them or the org is deleted.
  • Usage/request metadata — rolling 13-month window.
  • Audit logs — up to 24 months.
  • Billing records — as required for tax/accounting (commonly up to 7 years).
  • Support correspondence — up to 24 months.

7. Your rights

Depending on where you live (e.g. under the GDPR/UK GDPR or CCPA/CPRA), you may have rights to access, export, correct, and delete your data, to object to or restrict certain processing, to withdraw consent, and not to be discriminated against for exercising your rights. Much of this is self-service in the dashboard (editing org/member data, revoking keys, exporting usage, deleting your account). For anything else, email support@pocketpart.io; we verify identity and respond within the time required by law. You may also lodge a complaint with your local data protection authority.

8. Security

We protect data with TLS in transit; one-way HMAC-SHA256 hashing of API keys, OAuth secrets, and invite tokens; AES-256-GCM encryption at rest for bring-your-own PACER credentials; database Row-Level Security so each organization’s data is isolated; role-based access controls; least-privilege service access; audit logging; and error monitoring. No system is perfectly secure, but we work to detect and respond to incidents promptly (see the DPA for our breach-notification commitment).

9. Children’s data

PocketPart is a professional tool for practicing lawyers and other authorized professionals. It is not directed to children, and we do not knowingly collect data from anyone under 18. If you believe a minor has provided us data, contact support and we will delete it.

10. International transfers

We are based in the United States, and our sub-processors may process data in the U.S. and other countries. Where we transfer data out of the EEA, UK, or other restricted regions, we rely on appropriate safeguards such as the Standard Contractual Clauses (and the UK Addendum) or other lawful mechanisms.

11. Changes & contact

We may update this policy as the service evolves; for material changes we will update the date above and, where appropriate, notify you. Contact: 76 Analytics, Inc. — PocketPart · support@pocketpart.io · pocketpart.io · Mailing/notice address: 30 N Gould St, Ste N, Sheridan, WY 82801, USA.

© 2026 76 Analytics, Inc. — All rights reserved.