Good Standing AI Privacy Policy
Last Updated: June 28, 2025
Introduction
Good Standing AI ("we", "us" or "our") is a legal-tech company providing an AI-powered, cloud-based platform that automates corporate records management for law firms. Our software helps law firms manage minute books, streamline compliance workflows, automate document generation, and maintain a single source of truth for corporate records. In serving our clients, we handle highly sensitive corporate data, and we understand that security, confidentiality, and privacy are of paramount importance. This Privacy Policy describes how Good Standing AI collects, uses, discloses, and protects information, including personal data, in connection with our services. It is tailored to the needs and risks of legal services, where data privacy and confidentiality are critical expectations.
This Privacy Policy is intended for our customers (currently primarily in Canada) and their users, including law firms and their employees or clients who use the Good Standing AI platform. We are committed to complying with applicable data protection laws, including Canada's privacy laws and, to the extent applicable, the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We apply industry best practices and standards to protect your information and minimize legal and operational risks for both our customers and our company. By using our services, you agree to the practices described in this Privacy Policy.
Information We Collect
We collect various types of information to provide and improve our services. This includes information you provide to us directly, information that is uploaded or generated as part of using our platform, and information collected automatically about your use of the service. The categories of data we collect include, but are not limited to, the following:
- Account and Contact Information: When a law firm or user creates an account, we collect personal identifiers and contact details such as the user's name, business email address, phone number, job title, firm name, and mailing address. This information is necessary to register and administer accounts, authenticate users, and communicate with you. We may also collect billing or payment information if you subscribe to a paid service (e.g. billing name, address, and payment method details), though payment processing may be handled by third-party processors (in which case we only receive confirmation of payment and limited details).
- Minute Book and Client Data: Our platform is designed to store and manage corporate minute books and related records that you or your firm upload. This means we will collect and store all information contained in those minute books and documents, which often include personal and corporate data. For example, minute books typically contain corporate governance documents and filings (articles, bylaws, resolutions, meeting minutes), as well as personal information about individuals such as directors, officers, shareholders, and other stakeholders (names, business or home addresses, contact information, titles/roles, dates of birth or appointment, share ownership details, signatures, etc.). Any content you upload to Good Standing AI—up to and including entire digital minute book documents—is collected and stored on our systems. We use this data to provide the service features, such as indexing the documents, enabling search and retrieval, and generating compliance insights. Good Standing AI may also process the data within these documents using AI-assisted features for your benefit (for example, to support search, summaries, and compliance insights). Your data stays private and is never repurposed for AI model training. Please note: if you upload personal data about third parties (for example, information about your clients or business associates), you are responsible for having a legal basis to do so and (if required) obtaining consent from those individuals. We rely on you as the customer to ensure you have the authority to disclose that personal data to our service.
- Publicly Available Corporate Data: To streamline onboarding and keep records up-to-date, we may collect certain corporate information from public sources or third parties at your direction. For example, our Instant Onboarding feature can pull basic corporate information from official records to create an initial corporate record in the platform. Such data, once imported into our platform, will be treated under this Privacy Policy.
- Usage Data and Log Information: Like most online services, we automatically collect certain technical information about how you use our platform. This includes log data such as your device or browser type, operating system, IP address, device identifiers, and timestamps of access. We record user activities on the platform (e.g. login times, features used, clicks, and actions taken on documents) to maintain audit trails and for security monitoring. For example, our system may log when a user views or edits a document, or when an administrator adds a new corporate entry, to provide accountability and compliance tracking. These logs help us troubleshoot issues, provide audit reports to our customers, and ensure the integrity of the records.
- Cookies and Similar Technologies: We use cookies and similar tracking technologies on our website and platform to provide and improve the user experience. For instance, when you log into the Good Standing AI web portal, our system will set a secure cookie to keep you logged in and remember your preferences. These cookies are typically essential for site functionality (e.g. session cookies). We may also use cookies or third-party analytics tools to collect information about how users navigate our site or to measure the effectiveness of certain features. Any non-essential cookies or analytics are used only in accordance with applicable law, and where required, we will obtain your consent. You have the option to disable or block cookies via your browser settings, but note that doing so might affect your ability to use some features of our service (for example, you may be unable to stay logged in if cookies are disabled).
- Communications: If you contact us with an inquiry, support request, or through customer support channels, we will collect the information you provide in that communication. This may include your contact information (like email or phone number) and the content of your correspondence. We will use this information to respond to you and resolve any issues. We may also keep records of these communications for training and quality assurance purposes.
- Client Portal Access: In some cases, our law firm customers may use Good Standing AI's features to grant their own clients (e.g. the corporations or individuals whom the law firm represents) access to certain documents or information through our platform. If you are an end-client being given access to our system by a law firm, we will collect your contact information (such as name and email) to create a secure login for you, as well as any usage data as you interact with the platform. Any personal data about you contained in the documents you view (for example, if you are an officer or shareholder mentioned in a minute book) will be processed as part of the stored minute book data. In these situations, the law firm is usually the entity that controls your data, and we simply process it on their behalf. We treat such data as highly confidential and use it only as needed to provide the services to the law firm. Clients of our customers who have questions about their personal information in our system should direct inquiries to the law firm, but you can also contact us and we will assist in accordance with the Your Rights section below.
Note: Good Standing AI does not knowingly collect personal information from anyone under the age of 13, and our services are not directed to minors. Given the nature of our business (serving professional law firms), it is highly unlikely that children's data would be provided to us. If we do discover that we have inadvertently collected personal information from a child under 13 (or under the applicable age of consent in certain jurisdictions), we will delete it promptly as required by law.
How We Use Information
We use the collected information for the following purposes, all in line with providing a secure and effective legal-tech service to our customers:
- Providing and Improving the Service: We use your information to operate the Good Standing AI platform and deliver its functionality. This includes using personal account data to authenticate users and personalize their experience, and using the uploaded minute book data to allow you to manage corporate records, search documents, generate reports, and maintain compliance. For example, our system will parse and index your uploaded documents so that you can quickly search for a resolution or retrieve a corporate filing when needed. We also use data (including usage and log data) to monitor the performance of our service, fix bugs, and improve features. This continuous improvement may involve analyzing how users interact with the platform to identify usability issues or opportunities to optimize workflows (using aggregated information). We do not use the content of your minute books for any purpose except to provide and enhance the services you have signed up for, and we never sell that content or use it to profile you or your clients for marketing.
- Automation and AI Assistance (User-Opt-In): Good Standing AI offers optional AI-powered features to help users work more efficiently with their corporate records. For instance, our AI Assistance feature can answer questions about the contents of a minute book or help draft routine corporate documents by analyzing your stored data. If you choose to use these features (which may require an explicit opt-in or action on your part within the platform), we will process relevant portions of your data through our AI algorithms and third-party AI service providers to generate the responses or outputs you request. Specifically, we integrate with OpenAI's language model API to power some of these features. This means that some of your data may be sent to and processed by OpenAI's servers in the United States when you invoke an AI function (see International Data Transfers below for details). We only send the minimum necessary information to the AI service (for example, the text of a specific corporate document or query context) and the data is used solely to return the requested result. OpenAI does not use data submitted through its API to train its general models by default, so your content remains confidential; it is not stored by OpenAI beyond the temporary processing needed to generate the AI answer. Good Standing AI will use the AI-provided output to assist you (e.g. provide an answer or draft document) and may store that output in our system if you choose to save it. Use of the AI features is completely optional – if you prefer that your data never leave Canadian servers, you can choose not to use these features, in which case no data will be sent to the external AI service.
- Third-Party Integrations: As part of delivering a seamless legal service platform, we use and may share data with certain third-party services that integrate with our system, strictly to the extent needed for functionality. For example, Good Standing AI is hosted on Amazon Web Services (AWS) cloud infrastructure, so any data you store in our platform will be stored in AWS data centers (in our case, in Canada-based servers) for reliable cloud storage and backup. We also plan to integrate an electronic signature solution (such as DocuSign) into our document workflow. If you choose to utilize e-signature functionality through our platform, the documents and relevant signer information necessary for signing will be transmitted to the e-signature provider to facilitate that process. Similarly, if we integrate with email or calendar services to send filing reminders or schedule meetings, the necessary data (like email addresses and event details) will be used for that purpose. All such integrations are solely to fulfill the services you've requested (e.g., getting documents signed, pulling official records, etc.), and we do not permit our providers to use your data for their own purposes. More details on third-party service providers are provided in Disclosure of Information below.
- Communications and Customer Support: We will use contact information (such as your email address or phone number) to send you service-related communications. These include administrative emails (e.g. confirmations of account creation, billing invoices, and important system alerts like planned downtime notices or security updates) as well as legal/contractual notices (such as updates to this Privacy Policy or our Terms of Service). We may also send customer service communications to help you use the platform – for example, if you haven't completed setup, we might send a reminder, or if you ask a question, we will reply at the contact you provided. If you subscribe to any marketing communications (such as a newsletter with legal tech tips or product updates), we will use your contact info to deliver those; however, such communications are optional and you can opt-out at any time. We will not spam you or your end-clients – communications will be reasonable in frequency and mostly focused on service utility. We may also use feedback you provide to improve our services; for instance, if you report a bug or request a feature, we may reach out for more information and will use that input to enhance the platform.
- Security and Compliance: We use information (particularly usage data, system logs, and account data) to maintain the security of our platform, our users, and their data. This includes monitoring for suspicious or unauthorized activities, detecting fraud or misuse, verifying account credentials, and enforcing our terms of service. For example, we might use IP address logs and other indicators to identify a possible breach attempt and can alert the user or take action (such as locking an account temporarily) if we suspect malicious activity. We also may use personal data as necessary to meet legal requirements – for instance, keeping records required by financial or corporate regulations, or responding to lawful requests by authorities (see below). When necessary, we will use and disclose personal information to investigate and address violations of law or contract, to collect owed fees, or to handle legal claims and disputes.
- Aggregate and Anonymized Data: We may aggregate or de-identify personal data to generate statistical insights that help us understand how our services are used or to guide product development. For example, we might measure the average number of corporate entities managed per account, or the frequency of use of a new feature, in order to gauge its popularity and reliability. These insights do not identify any individual or specific company. We may use such aggregated data internally to improve our service and, in some cases, to publish industry insights (e.g., trends in corporate compliance) or marketing materials. Any publication of aggregate information will contain no personally identifiable data or any confidential details of our customers.
Legal Bases for Processing (GDPR)
If you are located in a jurisdiction that requires a legal justification for processing personal data (such as the European Economic Area under the GDPR), Good Standing AI processes your information under the following legal bases:
- Performance of a Contract: Most of our data processing is justified by the fact that it is necessary to provide you with the services you have requested under our contract with you. When you sign up for and use Good Standing AI, we process your personal data and your minute book content to perform our obligations and deliver the functionality promised (e.g. storing your documents, enabling searches, providing compliance tools). Without this data, we cannot provide the core services.
- Legitimate Interests: In some cases, we process data to further our legitimate business interests, in a manner that does not outweigh your privacy rights. For example, it is in our legitimate interest to secure our platform and prevent fraud, to improve and innovate our product, and to communicate with our customers to support and grow our business. When we rely on this basis, we ensure that the processing is not intrusive and is expected by users. We only rely on legitimate interests after considering any potential impacts on individuals' rights, and we will not use personal data for activities where our interests are overridden by the harm to your privacy.
- Consent: We rely on consent in situations where it is legally required or appropriate. For instance, if we ever want to use your personal data for a new, unrelated purpose, we would first obtain your consent. Also, for optional features like AI analysis of your data that involve transferring data to a third country (USA) or any non-essential cookies/analytics, we will ask for your consent. If consent is our legal basis, you have the right to withdraw that consent at any time (for example, you can choose to stop using the AI features, or unsubscribe from marketing emails), which will not affect the lawfulness of processing before withdrawal.
- Legal Obligation: Where we are subject to a legal obligation that requires processing of personal data, we will process on that basis. For example, applicable law might require us to retain certain transaction records for tax, audit, or regulatory purposes, or to comply with a subpoena or court order. In such cases, we process the data as necessary to fulfill our legal responsibilities.
We will gladly clarify the specific legal basis applicable to any particular processing of your personal data upon request.
Disclosure of Information
Good Standing AI is committed to protecting the confidentiality of your data. We do not sell or rent your personal information to third parties. We only share your information in the following circumstances, and always under appropriate safeguards and only to the extent necessary:
- Service Providers (Processors): We use trusted third-party companies to facilitate our services and operate our business. These providers act under our direction and perform functions such as cloud infrastructure hosting, data storage, analytics, email delivery, customer support tools, and similar services. We ensure any service provider we use is bound by strict confidentiality and data protection obligations (via contracts or Data Processing Agreements) and can only use your data for the specific purpose of providing services to Good Standing AI. Key service providers include:
  - Cloud Hosting: As noted, we rely on Amazon Web Services (AWS) to host the Good Standing AI platform and databases. Our servers (including backups and disaster recovery) are located in Canada for primary storage of customer data. AWS, as our processor, does not access the content of your minute books unless needed for troubleshooting at our request, and AWS maintains high security standards (including compliance with ISO 27001, SOC 2, etc.) to protect the infrastructure.
  - Artificial Intelligence Provider: For AI-driven features, we integrate with the OpenAI API (currently located in the United States). When you opt to use an AI feature, certain data is securely transmitted to OpenAI's system to generate the response, as described earlier. OpenAI is contractually forbidden from using our customers' data for any purpose other than providing the AI service to us, and they implement security and privacy controls around the processing. We only share data with OpenAI when necessary for an AI query you initiate.
  - Electronic Signature Provider: When we introduce our e-signature integration (e.g., DocuSign or a similar service) to allow documents to be signed through our platform, we will share the necessary document content and signer information with that provider when you send out a document for signature. The e-signature provider will process that data to obtain signatures and will have its own legal obligations to protect it. We will ensure any such provider is reputable and compliant with privacy laws (DocuSign, for instance, adheres to stringent security certifications).
  - Email and Communication Tools: We may use third-party services to send transactional emails (for example, using an email delivery service to send invitations or notifications) or to provide in-app chat support. These providers would process your contact info or chat content solely to send the messages or facilitate support, and we require them to secure that data.
  - Analytics and Error Monitoring: To improve our product, we might use tools to collect crash reports or aggregate analytics (for instance, a service like Sentry for error logging, or a usage analytics tool). If used, these tools might receive some technical data about your device or actions. We would configure such tools to avoid collecting any content from your documents, focusing only on metadata needed to diagnose issues or trends.
In all cases, our service providers are "data processors" acting on our behalf. We remain responsible for their handling of your data and ensure they only process it under our instructions and in compliance with this Privacy Policy and applicable laws.
- Within Our Corporate Group and Personnel: If Good Standing AI in the future has affiliates or subsidiaries, your data may be shared within our controlled group of companies for the purposes described (for example, if we establish a subsidiary in another region to assist in providing support or development). Any such entity will uphold the same privacy protections. Additionally, your information may be accessed by our limited authorized personnel (employees or contractors) who have a legitimate need to access it to perform their duties (such as technical support, data migration assistance, or system administration). All Good Standing AI personnel with access to personal or sensitive data are bound by strict confidentiality obligations (including NDAs and internal policies), undergo training on data protection, and are subject to discipline (including termination and legal consequences) if they misuse data. We follow the principle of least privilege, meaning staff can only access the minimum data necessary for their task, and any access to customer content (like viewing a document you uploaded) would only occur with your authorization (for example, if you ask our support team to help troubleshoot an issue in a specific document, and even then, we limit what is viewed and log such access).
- Business Transfers: If Good Standing AI undergoes a business transaction such as a merger, acquisition by another company, or sale of all or a portion of its assets, your data (including personal and corporate information stored in our platform) may be transferred to the successor or acquiring entity as part of that transaction. We would ensure that any such entity is bound by confidentiality and privacy obligations with respect to your data. In the event of a merger or acquisition, we will provide notice on our website and/or directly to customers, and your information would remain protected by the promises in this Privacy Policy (unless you are notified of changes and given a chance to opt out).
- Legal Compliance and Protection: We may disclose personal information to third parties (such as courts, law enforcement or government agencies, or opposing counsel) if we determine that such disclosure is reasonably necessary to:
  - Comply with any applicable law, regulation, legal process, or enforceable governmental request (e.g., a court order or subpoena). If we receive a demand for your data, we will attempt to redirect the request to you or notify you of it (for example, if a law enforcement agency requests data belonging to one of our law firm customers, we will, unless legally prohibited, let the customer know so they can seek to quash or limit the disclosure). We will only release the data to the extent required by law.
  - Enforce our Terms of Service or other agreements, or investigate potential violations thereof. For example, if required to investigate fraudulent billing or abuse of our platform, we might share relevant information with investigators or attorneys.
  - Protect the rights, property, or safety of Good Standing AI, our users, or the public, as required or permitted by law. This could include sharing information with relevant parties to prevent harm or in response to a security incident (e.g., sharing attack information with cybersecurity centers).
We will always evaluate such requests carefully and only disclose the minimum data necessary. Our general approach is to preserve the confidentiality of client data to the maximum extent possible, especially given the sensitivity of legal records.
- With Your Consent: In situations other than those above, if we ever need to share your information for some other purpose, we will ask for your consent. For instance, if a partner company wanted to offer you a special integrated service and we needed to transfer contact information for that purpose, we would not do so without your agreement. Similarly, if you request or authorize us to share data with a third party (e.g., if you are using a feature to export data to another system or you invite a consultant onto your account), we will do so at your direction.
No Selling of Personal Data: We want to reiterate that we do not sell personal data. In the context of CCPA, we also do not "share" personal information for cross-context behavioral advertising. All data sharing is solely for legitimate business purposes as outlined above. If this ever changes, we will update this policy and provide any required opt-out or consent mechanisms.
International Data Transfers
Good Standing AI is based in Canada, and we primarily store and process customer data in Canada. If you are a customer in Canada, this means your data is kept within Canadian jurisdiction (which has robust privacy protections). Our policy is to store all primary customer data on servers located in Canada to comply with Canadian data residency preferences and to mitigate international transfer risks.
However, as part of providing our services, certain data may be transferred across international borders in specific scenarios:
- Data Transfers to the United States (OpenAI and Other Services): As noted, if you utilize our AI features which leverage the OpenAI API, the relevant data needed for that feature will be sent to servers in the United States where OpenAI operates. This constitutes an international transfer of personal data (potentially including personal information from your minute books or from user queries) from Canada (or from whatever country you are in) to the U.S. Similarly, if we use other service providers or integrations that operate out of the U.S. (for example, an email delivery service or, in the future, DocuSign's infrastructure for e-signatures), some data may be processed or stored on U.S. servers. The U.S. may not be deemed to have the same level of data protection as your home jurisdiction (for instance, the EU has not recognized the U.S. as providing adequate protection under GDPR). Nonetheless, we take measures to protect personal data in these transfers.
- Safeguards for International Transfers: Whenever we transfer personal data out of its country of origin, we will ensure appropriate safeguards are in place as required by applicable law. For transfers from the European Economic Area (EEA) or UK to a country not deemed adequate (like the U.S.), we would rely on mechanisms such as the European Commission's Standard Contractual Clauses (SCCs) or an equivalent legal transfer mechanism, supplemented by additional technical and organizational measures as needed. In the case of our integration with OpenAI or other U.S.-based processors, we have agreements in place that include standard data protection clauses obligating them to protect the data. We also only transfer the minimum data necessary and, where feasible, apply encryption and other protections during transit and processing. Additionally, by opting to use certain features that involve U.S. processing, you (as the data controller in many cases) may be deemed to be consenting to that transfer – we present clear notices when you activate such features so you can make an informed choice.
- Other International Users: If you are using our services from outside of Canada, please be aware that your data will be transferred to and stored in Canada (and possibly to the U.S. or other countries as described). Depending on your location, this might mean your data is subject to foreign laws and jurisdictions which may have different privacy rules. Rest assured, no matter where your data is processed, Good Standing AI will apply the same level of data protection as stated in this policy. We implement global privacy practices that meet or exceed the requirements in Canada, which are generally high standards. If local law in your country imposes additional requirements, we will comply with those as applicable (for example, honoring GDPR rights for EU users, or CCPA rights for California users, as described below).
If you have questions about our international data handling or need more specifics about cross-border safeguards (such as wanting a copy of the Standard Contractual Clauses we use), you can contact us at the information in the Contact Us section and we will be happy to provide more detail.
Data Security and Confidentiality
We recognize that the data you entrust to Good Standing AI, including sensitive corporate records and personal information of clients, is highly confidential. We are committed to protecting it using strong security measures and best practices, to prevent unauthorized access, disclosure, or loss of data. Our approach to security includes:
- Encryption: All data in transit between your device and our platform is encrypted using industry-standard protocols (such as HTTPS/TLS). This means that when you upload or download documents, or use our web application, the information is protected from eavesdropping. We also employ encryption at rest for stored data – the databases and storage volumes holding your documents and personal information are encrypted using strong, industry-standard methods on the server side. This adds a layer of protection for your data in case of physical theft of drives or unauthorized access to the storage infrastructure.
- Access Controls: We implement strict access controls both at the infrastructure level and within our organization. Within our platform, each user's access to data is governed by authentication and authorization checks – you can only access the minute books and information associated with your account/firms. We support secure authentication practices (our system requires strong passwords, and we plan to support multi-factor authentication for accounts for added security). Within our company, only a small, vetted team of administrators can access the production systems, and even then, any access to customer data is tightly limited and logged. We require administrative passwords and keys to be strong and rotated regularly, and use role-based access such that, for example, a support engineer can only see what they absolutely need. All employees and any contractors are bound by confidentiality agreements and undergo background checks as permitted. Law firms care deeply about security and data privacy, and we have made it a core value to uphold their trust through robust security measures and reliability.
- Monitoring and Auditing: We continuously monitor our systems for any anomalies or potential security events. We use firewalling, intrusion detection systems, and automated alerts to flag unusual activities. Our audit trail feature not only helps our customers see user actions, but it also allows us to internally trace who did what in the system, providing accountability. We conduct periodic audits of access logs to ensure no unauthorized access has occurred. If we or our monitoring tools detect any potential security incident or suspicious activity, our team is alerted immediately to investigate and respond.
- Secure Development Practices: We follow secure coding guidelines and best practices in our software development lifecycle. This includes regular code reviews for security issues, using up-to-date frameworks and libraries, and performing testing (including security testing) before releasing new features. We are adopting a "clean-room methodology with AI assistance" in development, while ensuring that we allocate ample time for Quality Assurance and security testing, as we know legal clients expect a highly secure product even in early versions. Our architecture is designed with separation of environments (e.g., testing vs production data), the principle of least privilege in how services interact, and use of secure defaults.
- Third-Party Security and Certifications: We select our third-party service providers carefully, reviewing their security certifications and compliance. For instance, AWS (our host) is certified under numerous standards (SOC 2, ISO 27001, etc.), and we configure our cloud environment following AWS best practices (use of VPC isolation, security groups, encryption key management, etc.). While Good Standing AI is a new startup and has not yet attained its own certifications, we aspire to meet industry standards such as ISO 27001 and SOC 2 Type II as we scale. We understand that such certifications demonstrate a commitment to security for legal clients. Achieving these certifications is part of our roadmap to further cement trust. In the interim, we regularly review our security posture against these standards and perform risk assessments.
- Confidentiality and Training: All Good Standing AI team members are trained on the importance of data confidentiality. We treat all customer data as confidential business records. Internally, we operate on a need-to-know basis: for example, our support team may have tools to see metadata (like user account info or system status) but not the content of documents, unless you explicitly grant temporary access for troubleshooting. We also ensure that any printed or downloaded materials (though we rarely, if ever, need to export customer data outside the system) are handled with care and destroyed when not needed. Our offices (if any physical records existed) maintain physical security controls as well.
- Testing and Improvement: We will periodically conduct security testing such as vulnerability scans and potentially third-party penetration testing of our application to uncover and fix vulnerabilities. We also maintain a security incident response plan – if an issue arises, we know how to contain and remediate it quickly. We keep our software dependencies updated to patch security issues, and follow developments in cyber threats to adapt accordingly. Additionally, we encourage responsible disclosure of security vulnerabilities. We have a published security contact (for instance, security@goodstandingai.com) and will act promptly on any reports.
Despite all these measures, it is important to acknowledge that no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. However, in the unlikely event of a data breach or security incident affecting your data, we will notify you and the appropriate authorities as required by law, and will transparently inform you of the scope of the incident and the steps we are taking to address it.
By using Good Standing AI, you acknowledge that you understand the inherent risks of data storage and transmission in the cloud. We work hard to mitigate these risks and provide a secure environment, and your use of the service is an indication of trust that we take extremely seriously.
Data Retention
We retain personal data and corporate records for as long as necessary to fulfill the purposes for which it was collected, including to provide our services, comply with legal or accounting requirements, and to maintain accurate business and financial records.
Given the nature of our product – serving as a long-term repository for corporate minute books and compliance records – our default practice is to retain your data on an ongoing basis until you actively request deletion or until your account is terminated, subject to any legal obligations to retain data. In practice, this means:
- Active Accounts: If you are an active customer, we will keep your minute book data, account information, and related records indefinitely, as part of providing the service. We understand that corporate records may need to be kept for the lifetime of the company plus additional years for regulatory compliance, so we do not impose arbitrary deletion deadlines on data in active use. All your information will persist in our system to give you continuous access and historical reference, unless you remove it or ask us to remove it.
- Deletions at User Request: You have the ability to delete certain data through the interface (for example, deleting a document or an entire entity's records). Deleting data within the product will typically move it to a trash or archive for a short period (in case it was an accident) and then permanently remove it from our active databases. If you need data to be fully deleted, you can also contact us with a deletion request (see Your Rights below). When you request deletion of specific data or your entire account, we will delete the requested information from our active systems, unless we are required to keep it for legal reasons. We will also instruct our processors to do the same. Note that due to the nature of backups and caching, copies of your data might persist in our backups or disaster-recovery systems for a limited period (typically these are rotated and overwritten after some time). All such backups are stored securely. We will not restore deleted data except if required for legal reasons or if it was deleted in error and you request restoration (if available).
- Account Closure: If you terminate your subscription or your account becomes inactive (for example, your trial ended and you chose not to continue), we will generally retain your data for a period of time in case you reactivate or need to export information. By default, we plan to retain data from closed accounts for a reasonable retention period (e.g., 90 days) before deletion, to give you a chance to retrieve any needed files. We will notify account owners prior to permanent deletion after closure. You may also request immediate deletion upon closure. After the retention period, we will securely delete or anonymize your personal data and documents.
- Legal Requirements: We may retain certain pieces of data for longer if necessary to comply with law or enforce agreements. For instance, we might keep invoice records, tax records, or communications with you for the legally required duration. If a legal hold or litigation is anticipated, we may retain relevant information until that matter is resolved. We strive to minimize retention of data that is not needed.
In summary, our policy is to keep your data for as long as you are a customer, and to delete it upon request or within a set time after you stop using Good Standing AI, except for any data we must keep longer by law. We do not impose a data expiration on minute book content because doing so could jeopardize your compliance obligations; instead, you control how long that information should stay. If you have specific retention requirements or requests, please let us know and we will work with you to accommodate them.
Your Rights and Choices
We respect your rights to your personal data. Depending on your jurisdiction and role (e.g., whether you are our direct customer or an individual whose data is managed by one of our customers), you may have some or all of the following rights regarding personal information we hold about you:
- Access and Portability: You have the right to request a copy of the personal data we hold about you and to obtain information about how it is processed. For data in your Good Standing AI account, you can typically access and download much of your information directly through our platform (for example, you can view your profile information, and export documents and records). If you require a comprehensive export of personal data, or if you are an individual whose data is contained in a customer's minute book and you want to know what information of yours we store, you can contact us. We will provide you with a copy of your data in a common format. If you need the data in a machine-readable format for portability (and this right is applicable to you, such as under GDPR), we will accommodate that as well (for instance, providing CSV or JSON exports of structured data).
- Correction (Rectification): We strive to keep your information accurate and up-to-date. If you discover that any personal information we have about you is incorrect or incomplete, you have the right to request that we correct it. For our direct users, you can correct many things on your own (e.g., update your contact details in your account settings). For other data (like content in documents), typically the law firm user controls that content and can edit it; if you as an individual client notice an error in data about you within the system, you may contact the law firm or us to facilitate correction. We will promptly make the corrections you request, provided we have sufficient information to verify the accurate information.
- Deletion (Right to be Forgotten): You have the right to request deletion of your personal data. As described in Data Retention, you can delete certain data through the app, and you can ask us to delete personal data we hold. If you are a direct customer and wish to delete your account and all associated data, you can contact support and we will guide you through that process (which may involve verification steps for security). If you are an individual whose information is in a customer's minute book (for example, you are a director in a corporation that our customer manages through Good Standing AI) and you want your personal data removed, you will likely need to request the law firm to remove or update your information in their records, as they are the controller of that data. However, if such a request is communicated to us (either by you or by our customer), we will assist in deleting or anonymizing your data in our system as appropriate. Please note that certain data cannot be deleted if we are required to keep it by law or if it is essential to continuing to provide the service you still want (for instance, we cannot delete your login credentials while your account remains active, and a law firm cannot ask us to delete all data about a client's company while still expecting to maintain that company's records on the platform – they would need to remove the company entirely). We will explain any exceptions if they apply. There is no charge for deletion requests, and we do not discriminate in providing our service based on exercising these rights (see CCPA Non-Discrimination below).
- Restriction of Processing: In certain circumstances, you may have the right to ask us to limit the processing of your personal data. For example, if you contest the accuracy of data, you can request we refrain from processing it (other than simply storing it) until we have verified the accuracy and updated it. Or if you object to a specific processing activity (see below), you might ask us to pause processing while the objection is resolved. Where applicable, we will comply by putting the data "on hold" – e.g., not deleting it (to preserve it) but also not using it in the interim. We'll inform you once the restriction is lifted.
- Objection to Processing: If we are processing your data based on legitimate interests, you have the right to object to that processing in certain cases. You also have a right to object to processing for direct marketing. Good Standing AI does not use personal data for much marketing (and any we do is based on consent or our own business contact relationship), but if you ever receive marketing emails from us, you may opt out at any time by using the unsubscribe link or contacting us. For other processing, if you feel our legitimate interest is not sufficient, let us know your specific objection. For example, an EU user might object to us using some data for analytics – we would then consider if we can accommodate that (perhaps by opting you out of analytics, or by demonstrating our compelling need). We will either comply with your objection or provide a compelling legitimate ground for continuing (per legal requirements).
- Data Portability: As a complement to access rights, data portability is the right to receive certain data in a format that can be transferred to another provider. For our direct customers, we support portability by allowing export of data (for instance, you can download all documents, or export lists of entities and records). If you require assistance to port your data elsewhere, we will provide the data in a commonly used machine-readable format. For instance, if a customer decided to move to another service, we would cooperate by providing database exports or other formats of their records, upon a verified request by an authorized person.
- Automated Decision-Making: Good Standing AI does not make any decisions about individuals that have legal or similarly significant effects based solely on automated processes. The AI features we provide are user-initiated and for assistive purposes (e.g. summarizing text) and do not make binding decisions about you. If in the future we introduce any automated processing that could significantly affect someone, we will ensure it complies with legal requirements and that you have the right to request human intervention or to contest the decision.
- Withdraw Consent: Where we rely on your consent to process data, you have the right to withdraw that consent at any time. For example, if you consented to share data for an integrated third-party service, you can withdraw by disabling that integration. If you consented to receive a newsletter, you can unsubscribe. Withdrawing consent will not affect the legality of what we did prior, but will stop that particular processing going forward.
- California Privacy Rights (CCPA/CPRA): If you are a California resident, in addition to many of the rights above (which CCPA grants, like access and deletion), you have the right to know what categories of personal information we collect, for what purposes, and the categories of sources and third parties with whom we share it – this Privacy Policy is intended to provide exactly that information. You also have the right to opt out of the "sale" of your personal information. As noted, we do not sell personal information. If we change our practices, we will provide a "Do Not Sell or Share" link. You have a right not to receive discriminatory treatment for exercising your privacy rights – Good Standing AI will never deny you services or provide different quality of service just because you exercised your rights. California law also allows you to request certain information about third parties that have received your personal information for their direct marketing, but as we do not disclose personal data to third parties for direct marketing without consent, this is generally not applicable.
- Canadian Privacy Rights: If you are in Canada, you similarly have rights to access and correct your information under the Personal Information Protection and Electronic Documents Act (PIPEDA) or equivalent provincial laws. We will respond to access requests within the timeframe required by law (generally 30 days in Canada) and make reasonable efforts to assist. You also have the right to make complaints to Privacy Commissioners. We follow the 10 Fair Information Principles under PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. This Privacy Policy and our practices are designed to uphold those principles.
How to Exercise Your Rights: To exercise any of your rights or make inquiries about your personal data, you can contact us using the information in the Contact Us section. Please specify your request clearly, and provide relevant details to help us verify your identity (we need to ensure we're modifying or releasing data to the right person) and locate the information. For example, if you are an individual related to a corporate record in our system, we might need the name of the law firm or company so we can find the data. For access, we will provide the information in a commonly used electronic form (unless you request otherwise). For deletion or correction, we will confirm once it's done. If we cannot fulfill your request (due to a legal exception or insufficient verification), we will explain the reasons.
Please note that if you are an end-user of one of our law firm customers (meaning the law firm entered your data into our system), we may refer your request to that customer (the data controller) and assist them in responding, since they are typically responsible for deciding how your data is used. We will, however, do our best to facilitate your rights in any case.
If you have concerns about how we handle your request or your data, you also have the right to lodge a complaint with a supervisory authority (such as the Data Protection Authority in your EU country, or the Privacy Commissioner in Canada, or the FTC/State Attorney General in the US). We encourage you to contact us first so we can address your concerns directly.
Third-Party Links and Services
Our platform or website may contain links to external websites or services that are not operated by Good Standing AI. For example, our informational website might link to third-party resources or we might offer a link to a government registry site for convenience. Additionally, as mentioned, we integrate with certain third-party services (like e-signature or AI API). This Privacy Policy does not cover third-party websites or services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party site or service that you visit or utilize.
When you leave our site or platform (for instance, by clicking a documentation link to an external page), any information you provide to those external sites is governed by their policies. However, if a third-party service is integrated into our platform in a way that we send your data to them (like the AI or e-signature providers), then our contracts with those providers restrict how they can use your data, as described earlier. Still, you may also be subject to the third party's terms (for example, using DocuSign via our platform might also bind you to DocuSign's terms of service or privacy policy, though your data handling is primarily covered by our agreement with them).
We strive to only partner with or link to reputable and trustworthy third parties, but we cannot control them. If you have any issue or question about how a third-party handles your personal data, we recommend contacting them directly.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make material changes to how we handle your personal information, we will provide you with notice in accordance with the law. For example, we may post a prominent notice on our website or within the application, and/or email account owners to alert you to the update. The "Last Updated" date at the top of this policy will always indicate the date of the latest revisions.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Continued use of Good Standing AI after any update to the Privacy Policy constitutes your acceptance of the changes, to the extent permitted by law. If you do not agree with any changes, you should stop using the service and can request that your data be deleted.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle personal data, please do not hesitate to contact us. We are here to address your inquiries and support your privacy needs.
You can reach our privacy team at:
GoodStanding AI Inc. (Privacy Officer)
Email: privacy@goodstandingai.com
Mailing Address: [Available upon request] (Attn: Privacy Officer)
Or via our support page on our website.
For security-related concerns (such as reporting a vulnerability), you can contact our security team at security@goodstandingai.com. For general support, contact support@goodstandingai.com.
We will respond to your inquiry as soon as possible, generally within 30 days or sooner if required by law.
Thank you for trusting Good Standing AI with your firm's corporate records. We are dedicated to keeping that trust through strong privacy and security practices. Your confidence and peace of mind in our handling of data is our highest priority.