Privacy Policy

We collect information you provide directly when you create an account, request access, or use the platform:

• Account information: name, email address, phone number, law firm name, and state
• Case and lead data including client names, contact information, accident details, case notes, and communications
• Protected Health Information (PHI): medical records, treatment notes, and health-related documents uploaded to the platform
• Messages and communications sent through the platform to leads or clients
• Billing information processed by our payment processor — we do not store full payment card numbers

We also collect certain information automatically:

• Log data: IP address, browser type, pages visited, and timestamps
• Device information: device type, operating system, and identifiers
• Usage data: features used, actions taken, and time in the platform
• Cookies and session tokens to maintain authentication and preferences

We use your information solely to operate and improve PIM:

• To provide, maintain, and improve the PIM platform and its features
• To process your account registration and manage your firm's access
• To send alerts, notifications, and account-related communications
• To respond to support requests
• To detect, investigate, and prevent fraud, abuse, and security incidents
• To comply with legal obligations and enforce our Terms of Service

When you connect Google services (Google Local Services Ads, Google Ads) to PIM:

• We access only the Google data necessary to operate the specific integration you enable
• Google data is used only to provide and improve the PIM features you requested — it is not used for any other purpose
• We do not use Google data to serve advertisements
• We do not allow humans to read your Google data unless you explicitly give us permission, it is necessary for security or legal compliance, or it is required to comply with applicable law
• Lead data received through Google LSA is stored only to display and manage leads within your firm's PIM account
• We do not transfer Google user data to third parties except as necessary to provide the service, or as required by law

PIM is designed for personal injury law firms that routinely handle Protected Health Information (PHI) under HIPAA. As a Business Associate under HIPAA:

• All medical records, treatment documentation, and health-related information is treated as PHI
• PHI is encrypted at rest using AES-256 and in transit using TLS 1.2+
• Access to PHI is restricted by role-based access controls
• We maintain audit logs of all access to PHI
• We do not use PHI for any purpose other than providing the PIM service
• We can execute a Business Associate Agreement (BAA) with your firm upon request at no cost

To request a BAA, contact us at support@picasemachine.com.

When you connect Microsoft Outlook or other Microsoft services to PIM:

• We access only the Microsoft data necessary to operate the integration you enable (calendar, email)
• Microsoft data is used only to sync case-related communications and appointments within your PIM account
• We do not store Microsoft email content beyond what is necessary to display it within PIM
• We do not share Microsoft user data with any third party
• You can disconnect your Microsoft account at any time from Settings, which will stop all access to your Microsoft data
• Upon disconnection or account deletion, cached Microsoft data is deleted within 30 days

PIM uses Twilio to send SMS messages to leads and clients on your behalf. By using PIM's messaging features, you agree to the following:

• You are solely responsible for obtaining proper consent from recipients before sending any SMS or automated messages through PIM
• You must comply with the Telephone Consumer Protection Act (TCPA), which requires prior express written consent before sending automated or pre-recorded messages to mobile numbers
• Standard message and data rates may apply to recipients of SMS messages sent through PIM
• PIM provides the messaging infrastructure — you are the sender of record and bear legal responsibility for message content and recipient consent
• You must maintain records of consent for all recipients you message through PIM
• We do not send marketing messages to your leads or clients on our own behalf

For Twilio's privacy policy, see: twilio.com/en-us/legal/privacy

PIM integrates with CallRail for call tracking and recording. When you use this integration:

• Calls routed through CallRail may be recorded depending on your CallRail account settings
• Call recording consent laws vary by state — federal law requires one-party consent, but many states (including California, Florida, and Illinois) require all-party (two-party) consent
• You are solely responsible for complying with applicable call recording consent laws in your jurisdiction and in the jurisdiction of each caller
• PIM recommends disclosing call recording to all callers as best practice regardless of your state's requirements
• Call recordings and transcripts are stored in your CallRail account and accessed by PIM only to display lead information
• We do not retain call recordings independently of CallRail

For CallRail's privacy policy, see: callrail.com/privacy-policy

If and when PIM integrates with Meta platforms (Facebook, Instagram):

• We comply with Meta's Platform Policy and Data Policy
• We access only the data permissions explicitly granted by you
• Meta data is used only for the specific feature you enable (e.g., lead ads integration)
• We do not use Meta data for advertising or to build audience profiles
• You can revoke Meta access at any time through your Facebook app settings

This section will be updated when Meta integrations are released.

We do not sell or rent your information. We share it only in these limited circumstances:

• Service providers: Supabase (database and authentication), Vercel (hosting), Resend (transactional email delivery), and payment processors — all bound by data processing agreements
• Google: when you enable Google integrations, limited data is shared as necessary per Google's policies
• Microsoft: when you enable Outlook integration, as described in Section 5
• Legal requirements: if required by law, court order, or valid government request
• Business transfers: in the event of a merger or acquisition, with advance notice to you
• With your explicit consent for any other purpose

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: request disclosure of the personal information we collect, use, and share
• Right to Delete: request deletion of your personal information, subject to certain exceptions
• Right to Opt-Out: we do not sell personal information, so there is nothing to opt out of
• Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA rights

Note for California users: California requires all-party consent for call recording. PIM's CallRail integration is subject to California Penal Code Section 632. Users operating in California are responsible for obtaining all required consents before recording calls.

• We retain your data for as long as your account is active or as needed to provide the service
• You may request a full export of your firm's data at any time
• Upon account cancellation, personal information is deleted or anonymized within 30 days
• Backup copies may persist for up to 90 days before permanent deletion
• We may retain certain records longer if required by law

• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• Role-based access controls — each user sees only what their role permits
• Firm-level data isolation — your firm's data cannot be accessed by any other firm
• Audit logging of all data access and modifications
• Regular security reviews and vulnerability assessments
• Working toward SOC 2 Type II certification

If you believe your account has been compromised, contact us immediately at support@picasemachine.com.

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate or incomplete personal information
• Request deletion of your personal information
• Request a portable copy of your data in a machine-readable format
• Object to or restrict certain processing of your data
• Withdraw consent where processing is based on consent
• Lodge a complaint with a data protection supervisory authority

To exercise any right, contact us at support@picasemachine.com. We will respond within 30 days.

PIM is operated in the United States. If you are accessing the platform from outside the United States, your information will be transferred to and processed in the United States. By using PIM, you consent to this transfer. We implement appropriate safeguards for international transfers in compliance with applicable law.

• Essential cookies: Required for authentication and core platform functionality — cannot be disabled
• Analytics cookies: Used to understand platform usage and improve features — you may opt out

You can control cookies through your browser settings. Disabling essential cookies will prevent you from logging in to PIM.

We use the following third-party services to operate PIM. Each processes data on our behalf under a data processing agreement:

• Supabase — database and authentication infrastructure: supabase.com/privacy
• Resend — transactional email delivery (form submissions, notifications): resend.com/legal/privacy-policy
• Google — LSA, Ads, and OAuth integrations: policies.google.com/privacy
• Microsoft — Outlook and calendar integrations: privacy.microsoft.com
• Meta — Facebook lead integrations (when released): facebook.com/privacy/policy
• Twilio — SMS and voice messaging: twilio.com/en-us/legal/privacy
• CallRail — call tracking and recording: callrail.com/privacy-policy
• Stripe — payment processing: stripe.com/privacy
• Vercel — hosting and deployment: vercel.com/legal/privacy-policy

PIM is not directed to anyone under 18. We do not knowingly collect personal information from minors. If we learn that a minor has provided personal information, we will delete it promptly. Contact us at support@picasemachine.com if you believe this has occurred.

Some browsers transmit Do Not Track signals. We currently do not respond to Do Not Track signals, but we do not engage in cross-site tracking of users for advertising purposes.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice in the platform at least 7 days before the changes take effect. The effective date at the top of this policy will be updated. Your continued use of PIM after any changes constitutes acceptance of the updated policy.

For privacy questions, data requests, or to report a concern: