Privacy Policy
This Privacy Policy explains what information Suture AI LLC collects, how we use it, who we share it with, and the rights the Customer and its users have over it. It is written for our customer base of U.S. professional services firms and is grounded in the actual data flows of the Suture platform.
1. Introduction
Suture AI LLC (“Suture,” “we,” or “us”) is a multi-tenant software platform that serves U.S. businesses and professional services firms. This Privacy Policy describes our practices for the information we collect from and on behalf of those customers (each, a “Customer”) and the personnel of those Customers (each, a “User”).
Suture is not directed to consumers. Most of the data we process belongs to a Customer and relates to that Customer’s own clients. As to that data, Suture acts as a service provider and data processor on the Customer’s behalf. The Customer’s own privacy practices govern how that data is collected from, and disclosed to, the underlying individuals.
The terms of the Data Processing Addendumfurther define the parties’ obligations with respect to data processed on the Customer’s behalf.
2. Information We Collect
We collect information in three categories.
2.1 Account Information
When a User signs in to the Service via our authentication provider (Clerk), we receive the User’s name, email address, and the Customer with which the User is associated. If a User authenticates via Google or Microsoft OAuth, we receive only the profile fields the User authorizes during the OAuth flow (typically email, display name, and profile picture). We do not store passwords; password hygiene is handled entirely by Clerk.
2.2 Service Data Submitted by the Customer
Customers upload or transmit content to the Service so that the enabled Tools can act on it. Depending on the Tools the Customer has enabled, this content may include:
- email messages and metadata accessed via authorized inbox integrations (e.g., Gmail OAuth);
- PDF documents and other files uploaded for processing, including redaction or analysis;
- records, contacts, and notes accessed via case-management or other third-party software the Customer has authorized;
- audio and video files uploaded for transcription;
- transcripts and other text content uploaded or pasted for structuring; and
- Customer-uploaded templates, exhibits, and supporting materials used by the Tools enabled in the Customer’s Firm Portal.
This content may contain personal information of the Customer’s own clients, opposing parties, witnesses, and other identified individuals. Suture processes that content only as a service provider on the Customer’s instructions and does not use it for any other purpose.
2.3 Usage Metadata
We collect structural metadata about User activity in the Service: which Tools were opened, which actions were taken (e.g., draft generated, document redacted, package built), the duration of operations, AI model identifiers, input and output token counts, the estimated cost of each AI call, and the User and Customer involved. This metadata is stored in our AiCall and UsageEvent tables and is used to operate, secure, and improve the Service, including invoicing.
What we do NOT collect or store: the text of prompts sent to AI models or the text of AI responses. Our database schema deliberately omits any column that would hold prompt or response content; this is enforced both contractually with our AI providers and structurally in our own code.
3. How We Use Information
We use the information described in Section 2 to:
- provide and operate the Service and the individual Tools;
- authenticate Users and enforce per-firm access control;
- process payments and invoicing through Stripe;
- maintain audit logs of administrative actions for security and incident response;
- diagnose bugs, performance issues, and AI quality regressions; and
- communicate with Customers about their account, billing, and material changes to the Service.
We do not use personal information for advertising, sell personal information, train AI models on Customer content, or share data with parties other than the subprocessors disclosed in Section 4.
4. Sharing With Third Parties
We share information only with the subprocessors necessary to operate the Service. The current list of subprocessors — including each vendor’s purpose, the category of data it processes, the location of that processing, and its BAA/DPA status — is maintained at /legal/subprocessors and is part of this Privacy Policy by reference.
We do not sell personal information. We do not share personal information with advertisers, data brokers, or social networks. We may disclose personal information in response to a subpoena, court order, or other valid legal process; in such cases we will give the affected Customer prompt written notice where legally permitted so that the Customer may seek a protective order or other appropriate remedy.
We will provide at least thirty (30) days’ prior notice to Customers before adding a new subprocessor that processes Customer content, giving the Customer the opportunity to object and, if objection cannot be resolved, terminate the affected Service.
5. AI Training Posture
Suture’s contractual posture with its AI providers is zero data retention: prompts and responses are not retained beyond the minimum required for request completion, and provider organizations do not use Customer content to train their underlying models.
- AWS Bedrock (the runtime for Anthropic Claude models we use): zero data retention is the contractual default; Anthropic does not see request content via Bedrock.
- Google Cloud Vertex AI (Gemini models): customer data is not used to train Google models by default under the Vertex AI data processing terms we have accepted.
- AssemblyAI (audio transcription): processing under HIPAA-eligible terms with deletion of audio after processing. A Business Associate Agreement with AssemblyAI is on file (signed May 1, 2026).
Suture itself does not train AI models on Customer content. We may analyze aggregate, non-identifying usage patterns (e.g., the average duration of a redaction job) to improve performance — never the substance of any Customer’s clients or matters.
6. Data Security
Suture implements technical and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. These measures are described in detail in Annex A of the Data Processing Addendum and include:
- encryption of OAuth refresh tokens at rest using AWS KMS-wrapped Data Encryption Keys (AES-256-GCM) with per-row encryption context that prevents cross-tenant decryption;
- TLS 1.2 or higher for all data in transit;
- per-firm row-level isolation enforced at the Prisma query layer and verified by an ESLint rule that flags unscoped queries;
- a 404-not-403 response pattern on administrative routes to prevent enumeration of internal endpoints by external parties;
- append-only audit logging of platform-administrator actions with allowlisted metadata;
- signature verification on every inbound webhook (Stripe HMAC, Clerk Svix, AssemblyAI per-job secret, AWS SNS for Textract);
- two-phase webhook deduplication so handler failures stay re-attemptable on retry without lost events; and
- 24-hour notification to affected Customers in the event of a personal-data breach affecting their data.
No system can be made perfectly secure. We commit to commercially reasonable measures appropriate for the sensitivity of the data the Service handles, including litigation case data subject to protective orders and other professional services records subject to confidentiality obligations.
7. Data Retention
| Category | Retention |
|---|---|
Audit log of administrative actions (AuditEvent) | 18 months (configurable) |
Usage metadata (UsageEvent, AiCall) | 18 months |
| Customer Data uploaded to the Service | For the duration of the engagement; deleted within 30 days after termination unless legal hold applies |
| Signed contracts (MSAs, SOWs) | 7 years (legal hold; not purged by retention sweeps) |
| S3 staging buffers for OCR jobs | 24 hours via bucket lifecycle rule |
| AssemblyAI audio files | Deleted after processing, per the AssemblyAI ZDR contract |
A Customer may request earlier deletion of its Customer Data by emailing the contacts in Section 13, except where retention is required by applicable law or to enforce our agreements.
8. Your Rights Under the California Consumer Privacy Act
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”):
- Right to know: request the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete: request deletion of personal information we have collected from you, subject to certain exceptions (e.g., where we need to retain information to complete a transaction or comply with a legal obligation).
- Right to correct: request correction of inaccurate personal information.
- Right to non-discrimination: we will not deny service, charge a different price, or provide a different level of quality because you exercised any of these rights.
- Right to limit use of sensitive personal information: Suture does not use sensitive personal information beyond what is necessary to provide the Service, so this right does not change anything in practice — but it is yours to exercise.
- Right to opt out of sale or sharing for cross-context behavioral advertising: Suture does not sell personal information and does not share personal information for cross-context behavioral advertising; this right is moot in our context but disclosed for completeness.
To exercise any of these rights, email nkarhan0403@sdsu.edu and eweiss5244@sdsu.edu. We will respond within forty-five (45) days, extendable by another forty-five (45) days where reasonably necessary, and will confirm receipt within ten (10) business days.
If you make a request on behalf of a Customer whose data we process as a service provider, we will direct the request to that Customer, which acts as the “business” under CCPA. We will assist the Customer in responding to the request as required by our Data Processing Addendum.
9. Children
The Service is not directed to children under sixteen (16), and we do not knowingly collect personal information from children. If you believe a child has provided personal information to the Service, please contact us at the addresses in Section 13 and we will delete it.
10. Cookies & Tracking
Suture uses only the cookies strictly necessary to operate the Service:
- Clerk session cookies: required to keep Users signed in across page loads.
- Stripe cookies: set by Stripe on its hosted checkout page for fraud prevention and session management; governed by Stripe’s own privacy practices.
- Suture impersonation cookie: set only when a Suture platform administrator is acting on a Customer’s behalf with that firm’s knowledge.
We do not use advertising cookies, social-media tracking pixels, or third-party analytics that profile individual Users. We do not honor or deny “Do Not Track” signals because we do not engage in the kind of tracking those signals were designed to address.
11. International Users & Jurisdiction
The Service is operated from, and intended for, the United States. Personal information that we collect is processed and stored in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, and processed in, the United States, which may have data protection laws different from those of your home country.
This Privacy Policy is governed by the laws of the State of California for Customers based in California or any state west of the Mississippi River, and by the laws of the State of Florida for Customers based in Florida or any state east of the Mississippi River, consistent with the governing-law provisions of the Terms of Service and the Data Processing Addendum. Where applicable data protection law provides mandatory protections in addition to those described here, those mandatory protections apply.
12. Changes
We may update this Privacy Policy from time to time. Material changes will be communicated to Customers by email and an in-portal banner at least thirty (30) days before the change takes effect. Each version is identified by version number and date at the top of this page. Continued use of the Service after the effective date of a change constitutes acceptance of the updated Privacy Policy.
13. Contact
For privacy questions, data-subject requests, or breach reports:
- Nick Karhan — nkarhan0403@sdsu.edu
- Enzo Weiss — eweiss5244@sdsu.edu
Suture AI LLC — San Diego, California.