Last updated: January 15, 2026. This policy applies to Citelock, Inc. and its legal hold platform.
Citelock, Inc. ("Citelock," "we," "our," or "us") operates a legal hold management platform used by legal teams, in-house counsel, and compliance organizations. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our platform, website, and related services (collectively, the "Services").
By using our Services, you agree to the practices described in this policy. If you are accessing Citelock on behalf of an organization, you represent that you have the authority to bind that organization to these terms.
Account and Identity Information. When you register for an account, we collect your name, email address, job title, organization name, and password hash. Enterprise customers may provision user accounts through single sign-on (SSO) integrations, in which case your identity provider supplies the relevant claims.
Legal Hold and Matter Data. The core function of Citelock involves processing legal hold notices, custodian records, matter details, acknowledgment responses, and associated documents. This data is provided directly by your organization and is considered Customer Data. We process it on your behalf as a data processor under your instructions.
Usage and Log Data. We collect standard log data including IP addresses, browser type, operating system, referral URLs, pages viewed, timestamps, and session identifiers. This data supports security monitoring, performance optimization, and debugging.
Communication Data. If you contact us for support, request a demo, or correspond with our team, we retain those communications and any information you provide within them.
Payment Information. Billing is processed through our third-party payment processor. We do not store full card numbers. We retain transaction records, plan tier, and billing contact information.
We use collected information to:
We do not use Customer Data — meaning your legal hold records, matter data, or custodian information — for any purpose other than providing and improving the Services. We do not sell, rent, or use Customer Data for advertising.
We do not sell your personal information. We share information only in the following circumstances:
Service Providers. We engage third-party vendors to support hosting, email delivery, payment processing, error monitoring, and security scanning. These vendors process data on our behalf under written data processing agreements and are prohibited from using your data for their own purposes.
Legal Requirements. We may disclose information when required by law, court order, or government authority, or when we believe disclosure is necessary to protect our legal rights, prevent imminent harm, or enforce our agreements.
Business Transfers. If Citelock is acquired by or merged with another company, Customer Data may be transferred as part of that transaction. We will notify affected customers before Customer Data becomes subject to a materially different privacy policy.
With Your Consent. We share information in other contexts only with your explicit prior consent.
Citelock is SOC 2 Type II certified. Our security program includes:
No security program eliminates all risk. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law and our Data Processing Agreement.
We retain account information for the duration of your subscription plus 90 days, after which it is deleted from production systems. Backups are purged within 30 days of the deletion date. Customer Data is retained according to your organization's configuration and any applicable legal hold obligations your organization has placed on the data within our platform.
Audit logs are retained for a minimum of seven years to support legal and regulatory compliance requirements. You may request deletion of personal information subject to our legal retention obligations and your contractual terms.
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation or applicable national law:
To exercise these rights, contact us at [email protected]. We respond to verified requests within 30 days. Citelock acts as a data processor with respect to Customer Data. Rights requests related to Customer Data processed on behalf of your organization should be directed to your organization as the data controller.
Our legal bases for processing include: performance of a contract (account provision and service delivery), legitimate interests (security, fraud prevention, service improvement), compliance with legal obligations, and consent where specifically indicated.
California residents have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. You have the right to know what personal information we collect, the right to delete personal information we hold, the right to correct inaccurate information, the right to opt out of any sale or sharing of personal information, and the right to non-discrimination for exercising these rights.
We do not sell personal information as defined by the CCPA, and we do not use it for cross-context behavioral advertising. To exercise your rights, contact us at [email protected] or submit a request through your account settings. We will verify your identity before processing the request.
Our marketing website uses cookies to support analytics and remember user preferences such as theme selection. Our application does not use third-party advertising cookies. Specifically, we use:
You can disable non-essential cookies through your browser settings. Our application functions without analytics cookies.
Questions, requests, or complaints regarding this Privacy Policy should be directed to:
If you are in the EEA and believe we have not handled your request appropriately, you have the right to lodge a complaint with your local data protection authority.