Privacy Policy
Last Updated: May 10, 2026
1. Introduction
Purpose of This Privacy Policy. This Privacy Policy describes how Recourse LLC, an Alabama limited liability company (“Recourse,” “we,” “us,” or “our”), collects, uses, discloses, and otherwise processes Personal Data in connection with our provision of software-as-a-service offerings and related websites, applications, and services (collectively, the “Services”). This Privacy Policy is intended to provide transparency regarding our data handling practices and to support the due diligence obligations of our customers, including law firms and other professional services organizations, when selecting and supervising technology vendors.
Scope of This Privacy Policy. This Privacy Policy applies to:
Individuals who access or use the Services on their own behalf or on behalf of an organization (“Users”).
Individuals whose Personal Data may be submitted to the Services by our customers (for example, clients of law firms or other end clients) in the course of using the Services (“Customer End Clients”).
Visitors to our public websites and individuals who otherwise interact with us (for example, by attending events, receiving marketing communications, or communicating with us) (“Site Visitors”).
Controller and Processor Roles. For:
Personal Data we collect directly from Site Visitors and Users for our own business purposes (such as account administration, billing, marketing, and service improvement), Recourse generally acts as an independent “controller” (or equivalent term under applicable law).
Personal Data submitted to the Services by or on behalf of a customer (for example, client matter data uploaded by a law firm customer), Recourse generally acts as a “processor,” “service provider,” or equivalent role, processing such data only on behalf of and in accordance with the instructions of the applicable customer, pursuant to the governing subscription agreement and any applicable data processing addendum (“DPA”). In those cases, the customer is responsible for providing any required privacy notices to and obtaining any required consents from the relevant data subjects.
Relationship to Other Agreements. This Privacy Policy is a standalone public-facing document and is intended to be read together with:
Any master subscription agreement, terms of service, or similar agreement that governs the commercial relationship between Recourse and its customers (the “Subscription Agreement”).
Any applicable DPA between Recourse and its customers that governs our processing of Personal Data as a processor or service provider.
Any acceptable use policy or security policy that may be referenced in the Subscription Agreement.
In the event of any conflict between this Privacy Policy and a DPA or Subscription Agreement, the DPA or Subscription Agreement will govern to the extent of the conflict, solely with respect to the subject matter of such agreement.
Jurisdictional Application. Recourse is organized under the laws of the State of Alabama, United States of America, and operates primarily from the United States. However, our customers and Users may be located in other states and countries. This Privacy Policy is intended to address, to the extent applicable:
United States federal and state privacy and consumer protection laws (including, as applicable, laws modeled on or similar to the California Consumer Privacy Act as amended (“CCPA/CPRA”) and comparable state comprehensive privacy laws).
International data protection laws, including the European Union General Data Protection Regulation (“EU GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), and other analogous regimes, where they apply to our processing activities.
Additional notices and rights that apply only in certain jurisdictions are set out in Section 13 (Jurisdiction-Specific Disclosures).
Professional Responsibility Context. We recognize that many of our customers are law firms or other regulated professional organizations whose use of our Services must comply with strict duties of confidentiality, competence, and supervision under applicable professional rules of conduct. This Privacy Policy describes measures Recourse takes to support those obligations; however, nothing in this Privacy Policy is intended to or shall be construed as relieving any customer or User of its own independent professional responsibilities.
Acceptance. By accessing or using the Services, or by otherwise providing Personal Data to Recourse, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, you should not access or use the Services or otherwise provide Personal Data to us.
2. Definitions
“Account Data.” Information relating to the creation, administration, and management of Service accounts, including but not limited to User names, contact details, login credentials, role or title, organization name, preferences, and associated identifiers.
“Administrative Data.” Information reasonably necessary to administer the commercial relationship between Recourse and its customers, including billing contact information, tax information as required by applicable law, subscription tier details, payment records, and related operational data.
“Authorized User.” Any individual who is authorized by a customer to access and use the Services on the customer’s behalf pursuant to the Subscription Agreement.
“Customer Data.” All data, information, documents, records, files, text, graphics, and other materials submitted to or stored in the Services by or on behalf of a customer or its Authorized Users, including any associated Personal Data. Customer Data may include, without limitation, client names, contact details, matter descriptions, case-related data, and other content that may be subject to attorney-client privilege or confidentiality.
“Output.” Any content, data, information, results, responses, recommendations, analyses, models, calculations, or other material generated, produced, or returned by the Services (including any artificial intelligence–enabled features) based on Customer Data, User inputs, or other data processed by the Services.
“Personal Data.” Any information relating to an identified or identifiable natural person or, where applicable law so provides, a household. Personal Data includes “personal information,” “personally identifiable information,” and similar terms under applicable law.
“Processing.” Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Sensitive Personal Data.” Personal Data afforded heightened protection under applicable law, which may include (depending on the jurisdiction) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, health data, data concerning a natural person’s sex life or sexual orientation, and certain financial account, identification, or geolocation data.
“Subprocessor.” Any third party engaged by Recourse to process Personal Data on Recourse’s behalf in connection with the provision of the Services.
“You.” Depending on the context, a User, a Site Visitor, or any other individual whose Personal Data is processed by Recourse.
3. Categories of Personal Data We Collect
Information You Provide Directly. We may collect the following categories of Personal Data when you or your organization interact with us:
Account Data, including:
Full name, title, and role.
Business contact information (such as email address, telephone number, mailing address).
Login credentials (such as username and password) and security questions where applicable.
Administrative Data, including:
Organization name, billing contact, billing address.
Tax identification numbers where required by law for invoicing or compliance.
Records of subscriptions, plan tiers, usage limits, and related contractual data.
Correspondence and Support Data, including:
Information contained in communications sent to us via email, support tickets, or other channels.
Feedback, survey responses, testimonials, and other information you choose to provide.
Customer Data Submitted to the Services. Customers and Authorized Users may upload, enter, or otherwise submit Customer Data to the Services, which may include Personal Data relating to:
Clients and counterparties of law firms or other customers (names, contact details, case details, financial information relevant to matters, or other matter-specific information).
Employees, contractors, and other personnel of customers (for example, as part of timekeeping, task management, or project records).
Any other individuals whose Personal Data is included in documents, notes, attachments, or other content stored in or transmitted through the Services.
Recourse processes such Customer Data solely for the purpose of providing and improving the Services to the applicable customer, as described in Section 5 (How We Use Personal Data) and in the applicable Subscription Agreement and DPA.
Automatically Collected Information. When you access or use the Services or visit our websites, we may automatically collect certain information about your device and usage, which may include Personal Data or may be considered Personal Data when combined with other information:
Technical identifiers and device information, such as IP address, browser type and version, device type, operating system, language settings, and other technical identifiers.
Usage and interaction data, such as:
Pages and screens viewed, features used, links clicked, and time spent on parts of the Services.
Log files recording access times, authentication events, system events, performance metrics, and error logs.
Approximate location information derived from IP address, subject to applicable law.
Cookies and similar technologies information, such as identifiers stored in cookies, web beacons, pixels, or local storage, used for authentication, session management, security, analytics, and, where permitted, preference or marketing purposes.
Information from Third Parties. We may receive Personal Data about you from:
Your organization, if your access to the Services is provided through your employer or another entity.
Integration partners or other third-party applications that you or your organization connect with the Services, subject to the permissions and settings of those integrations.
Service providers, business partners, and publicly available sources, as permitted by applicable law.
Sensitive Personal Data. We do not intentionally require Sensitive Personal Data for the ordinary operation of the Services. However, customers may submit such data as part of Customer Data in connection with particular matters or use cases. Where we process Sensitive Personal Data as part of Customer Data, we do so only on behalf of and in accordance with the instructions of the applicable customer, and such processing is subject to the security and confidentiality measures described in this Privacy Policy and any applicable DPA.
4. How We Collect Personal Data
Direct Interactions. We collect Personal Data when you:
Register for, access, or use the Services.
Request information, marketing communications, or support.
Participate in surveys, events, training sessions, or other programs.
Communicate with us by email, telephone, or other channels.
Use of the Services and Websites. We collect information automatically through:
Server logs and event logs.
Cookies, pixels, and similar tracking technologies.
Client software and application telemetry, where implemented.
Third-Party Sources. We may receive Personal Data from:
Customers or other users who provide us with your information.
Third-party identity or access management systems that are integrated with our Services.
Payment processors and financial institutions, to the limited extent necessary for reconciliation and anti-fraud purposes.
Publicly available sources and professional networking platforms, in connection with business development and outreach activities, where permitted by applicable law.
Combined Information. To the extent permitted by law, we may combine Personal Data collected from different sources, including directly from you, through your use of the Services, and from third parties, to improve the accuracy and completeness of our records and to provide more tailored Services.
5. How We Use Personal Data
Provision and Operation of the Services. We process Personal Data to:
Create and manage user accounts and profiles.
Authenticate Users and authorize access to the Services.
Provide, maintain, and support the functionality, features, and performance of the Services.
Process and store Customer Data in accordance with customer instructions.
Customer Support and Communications. We use Personal Data to:
Respond to inquiries and requests.
Provide technical, operational, and security support.
Send information about updates, enhancements, scheduled maintenance, incident notifications, and other service-related communications.
Billing, Finance, and Administration. We use Administrative Data to:
Process and administer orders, subscriptions, and payments.
Issue invoices, receipts, and account statements.
Conduct audits, reconciliations, and accounting activities.
Comply with applicable tax, financial reporting, and record retention obligations.
Security, Integrity, and Abuse Prevention. We use Personal Data to:
Monitor, detect, investigate, and prevent security incidents, fraud, abuse, or unauthorized access to or use of the Services.
Protect the rights, property, and safety of Recourse, our customers, Users, and the public.
Enforce our Subscription Agreements, acceptable use policies, and other contractual terms.
Service Improvement and Analytics. We use Personal Data, including aggregated or de-identified data, to:
Analyze how the Services are used to improve usability, performance, and functionality.
Develop new products, features, and offerings.
Conduct internal research, benchmarking, and statistical analysis.
Where feasible and appropriate, we use de-identified or aggregated data for these purposes.
Marketing and Business Development. Where permitted by applicable law, we may use Personal Data to:
Send newsletters, product announcements, event invitations, and other marketing communications.
Personalize marketing content and measure the effectiveness of our marketing campaigns.
You may opt out of receiving marketing communications at any time, as described in Section 12 (Your Choices and Controls). We do not use Customer Data submitted to the Services as a basis for marketing communications to Customer End Clients unless expressly authorized by the relevant customer.
Compliance with Law and Legal Process. We may process Personal Data to:
Comply with applicable laws, regulations, and legal obligations.
Respond to subpoenas, court orders, government requests, or other legal process, consistent with the commitments in Section 9.4 (Government and Legal Process Requests).
Establish, exercise, or defend legal claims.
Other Purposes with Notice and Consent. We may process Personal Data for other purposes that are compatible with the purposes described in this Privacy Policy, where:
We provide specific notice at or prior to the time of collection; and
We obtain any required consent in accordance with applicable law.
6. Legal Bases for Processing (EU/UK and Similar Jurisdictions)
Where the EU GDPR, UK GDPR, or similar laws apply, our processing of Personal Data is based on one or more of the following legal bases:
Performance of a Contract. Processing necessary to enter into or perform our obligations under a contract with you or your organization, such as providing the Services, managing your account, or responding to your support requests.
Legitimate Interests. Processing necessary for our legitimate interests or those of a third party, provided that such interests are not overridden by your interests or fundamental rights and freedoms, such as:
Securing and maintaining the integrity of the Services.
Improving and developing our Services.
Marketing to existing customers or professional contacts, within applicable law.
Ensuring appropriate recordkeeping and business operations.
Compliance with Legal Obligations. Processing necessary to comply with legal obligations to which we are subject, including tax, accounting, regulatory, data protection, and law enforcement requirements.
Consent. Processing based on your freely given, specific, informed, and unambiguous consent, such as for certain marketing activities, certain cookies or tracking technologies, or processing of certain categories of Sensitive Personal Data. You may withdraw your consent at any time as described in Section 12 (Your Choices and Controls), without affecting the lawfulness of processing prior to such withdrawal.
When Recourse acts as a processor or service provider on behalf of a customer, the customer is responsible for determining and communicating the appropriate legal bases for processing Personal Data, and we process such data in accordance with the customer’s instructions.
7. How We Disclose Personal Data
Disclosure to Customers and Authorized Users. Where you access the Services as an Authorized User of a customer, we may disclose:
Usage information, account activity, and support interactions to the customer’s designated administrators, to facilitate account management and oversight.
Customer Data and associated Personal Data in accordance with the customer’s configuration and instructions within the Services.
Subprocessors and Service Providers. We may disclose Personal Data to Subprocessors and other service providers who process data on our behalf to provide, secure, and improve the Services, including:
Cloud hosting and deployment: Vercel, Inc. (application hosting and infrastructure).
Database and authentication: Supabase, Inc. (data storage and user authentication).
Artificial intelligence processing: Anthropic, PBC (AI language model API). Anthropic does not use Customer Data submitted through our API to train or improve its AI models.
Payment processing: Stripe, Inc. (subscription billing and payment processing).
Email and transactional communications: Resend, Inc. (notification and transactional email delivery).
Error monitoring: Sentry (functional software error tracking and diagnostics).
Product analytics: PostHog, Inc. (usage analytics and product telemetry).
Professional advisors such as auditors, legal counsel, and consultants.
We require Subprocessors and service providers to implement appropriate technical and organizational measures to protect Personal Data and to process such data only in accordance with our written instructions and for the purposes specified by us.
Business Transfers. In connection with any actual or contemplated merger, acquisition, financing, reorganization, sale of assets, or similar corporate transaction, we may disclose Personal Data to prospective or actual acquirers or their advisors, subject to appropriate confidentiality obligations. In such cases, we will take reasonable steps to ensure that any successor entity honors the commitments described in this Privacy Policy with respect to Personal Data previously collected.
Government and Legal Process Requests. We may disclose Personal Data:
As required by applicable law, regulation, or legal process.
In response to valid subpoenas, court orders, government requests, or other compulsory legal process.
To protect the rights, property, or safety of Recourse, our customers, Users, or the public, where we believe such disclosure is reasonably necessary.
Where Customer Data is the subject of a legal request and where not legally prohibited, we will:
Treat the request as if it were directed to the applicable customer and not to Recourse, to the maximum extent permitted by law.
Provide prompt notice to the relevant customer before producing any Customer Data, enabling the customer to seek a protective order or other appropriate remedy.
Disclose only the minimum amount of data reasonably required to comply with the legal obligation.
Legal and Professional Advisors. We may disclose Personal Data to our legal, accounting, or other professional advisors to the extent necessary to obtain their services and advice, subject to appropriate confidentiality obligations.
Aggregated and De-Identified Information. We may disclose aggregated, anonymized, or otherwise de-identified data that does not reasonably identify any individual, for purposes such as analytics, research, and Service improvement. Where we create such data from Personal Data, we will take reasonable steps to prevent re-identification where required by applicable law.
Other Disclosures with Consent. We may disclose Personal Data for other purposes with your consent or at your direction, or as otherwise permitted or required by applicable law.
No Sale or Sharing of Customer Matter Data for Advertising. We do not sell Customer Data or use Customer Data for cross-context behavioral advertising or targeted advertising to third parties. Where applicable law defines “sale” or “sharing” broadly, we limit our activities to those permitted for “service providers” or “processors” and do not use Customer Data for our own advertising or marketing to unrelated third parties.
8. International Data Transfers
General. Recourse is based in the United States, and Personal Data we collect may be stored and processed in the United States and in other jurisdictions where we or our Subprocessors maintain facilities. These jurisdictions may have data protection laws that differ from those of your home jurisdiction and, in some cases, may not be considered to provide an adequate level of protection by your local regulators.
Transfers from the European Economic Area, the United Kingdom, and Similar Jurisdictions. Where we transfer Personal Data from the European Economic Area (“EEA”), the United Kingdom (“UK”), or other jurisdictions with similar cross-border data transfer restrictions to countries that are not recognized as providing an adequate level of data protection, we rely on appropriate safeguards, which may include:
Standard contractual clauses approved by the European Commission, the UK Information Commissioner’s Office, or other competent authorities.
International data transfer agreements or addenda.
Other lawful mechanisms permitted by applicable data protection laws.
Additional details regarding applicable transfer mechanisms may be set forth in the relevant DPA with our customers.
Customer Responsibilities. Where a customer uses the Services to transfer Personal Data to Recourse or to third parties via the Services, the customer is responsible for ensuring that any cross-border transfer complies with applicable laws, including by:
Obtaining necessary consents.
Implementing appropriate transfer safeguards.
Providing any required disclosures to data subjects.
Onward Transfers to Subprocessors. We require Subprocessors and service providers that receive Personal Data from Recourse to process such data in accordance with applicable data transfer requirements and to implement measures providing substantially similar protection to that described in this Privacy Policy and any applicable DPA.
9. Data Security and Confidentiality
Security Program. Recourse maintains an information security program designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. While specific measures may evolve over time, our security program includes industry-standard administrative, technical, and physical safeguards.
Technical Measures. Without limitation, and subject to reasonable technical feasibility and proportionality, our safeguards include:
Encryption of data in transit using protocols such as TLS 1.2 or higher.
Encryption of data at rest using industry-standard algorithms (for example, AES-256 or comparable safeguards).
Access controls, including role-based access permissions, unique user identifiers, and authentication mechanisms.
Network security measures, including firewalls, intrusion detection or prevention systems, and security event logging.
Logical segregation of customer environments and data where applicable.
Organizational Measures. We implement policies, training, and procedures to:
Limit access to Personal Data to personnel with a legitimate business need to know.
Require confidentiality undertakings from employees and contractors who may have access to Personal Data.
Address incident response, business continuity, and disaster recovery planning.
Confidentiality of Customer Data. We recognize that Customer Data may include information subject to attorney-client privilege, work-product doctrine, or comparable professional confidentiality obligations. Recourse and its Subprocessors:
Treat Customer Data as confidential and do not access or disclose Customer Data except:
As necessary to provide, maintain, and secure the Services.
As instructed by the applicable customer.
As required by applicable law and subject to Section 7.4 (Government and Legal Process Requests).
Are prohibited from using Customer Data for independent commercial purposes unrelated to the provision of the Services.
Security Certifications and Audits. We may pursue or maintain relevant security certifications or undergo third-party audits as appropriate for the nature and scale of our Services. Upon reasonable request and subject to confidentiality obligations, we may provide customers with a summary of relevant security reports or certifications to support their vendor due diligence obligations.
Incident Detection and Breach Notification. In the event of a Personal Data breach affecting Customer Data, Recourse will:
Take appropriate remediation measures to contain, investigate, and remediate the incident.
Notify affected customers without undue delay and, where reasonably practicable and consistent with applicable law and our contractual obligations, within seventy-two (72) hours after becoming aware of the breach.
Provide customers with information reasonably necessary to enable them to meet their own legal and professional obligations in connection with the breach, including a description of:
The nature of the breach.
The likely consequences.
Measures taken or proposed to address the breach.
Cooperate with customers in any legally required notifications to data subjects or regulators, subject to any legal or regulatory restrictions.
No Absolute Security Guarantee. While we employ reasonable and appropriate security measures, no system or transmission of data over the internet can be guaranteed to be completely secure. You are responsible for selecting strong passwords, maintaining the confidentiality of your credentials, and promptly notifying us of any suspected unauthorized account activity.
10. Data Retention and Deletion
General Retention Principles. We retain Personal Data for as long as reasonably necessary to:
Provide the Services to our customers and Users.
Fulfill the purposes described in this Privacy Policy.
Comply with our legal, regulatory, and contractual obligations.
Resolve disputes, enforce agreements, and protect our legal rights.
Customer Data. Unless otherwise specified in the Subscription Agreement or DPA:
We retain Customer Data for the duration of the customer’s subscription to the Services.
Following termination or expiration of a customer’s subscription, we will:
Provide a limited period during which the customer may access and export Customer Data, consistent with the customer’s professional obligations to maintain client records, in accordance with applicable law and any contractual commitments.
Thereafter, delete or securely de-identify Customer Data in our possession within a commercially reasonable time, subject to any retention required by law or necessary for legitimate business purposes (for example, security logs, financial records, or backup archives).
Account and Administrative Data. We retain Account Data and Administrative Data for periods consistent with:
The duration of the customer relationship.
Applicable statutes of limitations and recordkeeping obligations.
Internal business needs for auditing, fraud prevention, and dispute resolution.
Site Visitor Data and Marketing Information. We retain Site Visitor and marketing-related Personal Data for as long as reasonably necessary to manage our relationship with you, provide requested communications, and comply with applicable laws, or until you object to such processing or withdraw consent, as applicable.
Backups and Archives. Data may persist for a limited time in backup or archival copies that are maintained for business continuity and disaster recovery purposes. Such copies are generally subject to periodic overwriting or destruction according to our backup retention schedules.
Customer Instructions and Legal Requirements. Where Recourse acts as a processor or service provider, we will retain and delete Personal Data in accordance with:
The written instructions of the customer, including instructions in the applicable Subscription Agreement and DPA.
Applicable legal and regulatory requirements that may mandate or restrict certain retention or deletion periods.
11. Cookies and Similar Technologies
Use of Cookies. We may use cookies, web beacons, pixels, and similar technologies (“Cookies”) on our websites and, where applicable, in our Services to:
Authenticate Users and maintain session state.
Remember preferences and settings.
Perform analytics and measure Service performance.
Enhance security and prevent fraudulent activity.
Where permitted, facilitate marketing and personalization.
Types of Cookies. The Cookies we use generally fall into the following categories:
Strictly Necessary Cookies: Essential for enabling core functionality, such as secure log-in and page navigation. These Cookies cannot be disabled via cookie preference tools, though you may be able to disable them in your browser; however, doing so may impair the functionality of the Services.
Functional Cookies: Enable the Services to remember choices you make, such as language or region, and provide enhanced features.
Performance and Analytics Cookies: Collect information about how visitors interact with our websites or Services so we can analyze and improve performance.
Marketing Cookies: Used, where permitted, to deliver relevant advertising or to measure the effectiveness of marketing campaigns.
Your Choices Regarding Cookies. You may:
Adjust your browser settings to refuse or delete Cookies; however, this may affect the functionality of the Services.
Where available, use cookie banners or preference tools we provide to manage non-essential Cookies.
Opt out of certain third-party analytics or marketing tools where such mechanisms are provided by those third parties.
Do Not Track. Our websites and Services may not respond to “Do Not Track” signals or similar mechanisms at this time. You may use other mechanisms described in this Privacy Policy and in your browser settings to manage your privacy preferences.
12. Your Rights and Choices
Account and Profile Information. You may review, update, or correct certain Account Data by logging into your account or by contacting your organization’s administrator. If you need further assistance, you may contact us using the details provided in Section 15 (Contacting Recourse).
Marketing Communications. You may opt out of receiving marketing emails from us by:
Following the unsubscribe or opt-out instructions included in each marketing email.
Contacting us directly with your request.
Even if you opt out of marketing communications, we may continue to send you non-promotional communications related to your account or the Services (for example, service announcements, security notifications, or billing communications).
Rights Under Applicable Privacy Laws. Depending on your jurisdiction, you may have certain rights regarding your Personal Data, which may include:
Right of access: To obtain confirmation as to whether we process your Personal Data and to receive a copy of such data.
Right to rectification: To request correction of inaccurate or incomplete Personal Data.
Right to deletion or erasure: To request deletion of your Personal Data, subject to applicable legal exceptions.
Right to restriction: To request restriction of processing in certain circumstances.
Right to data portability: To receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another controller, where technically feasible.
Right to object: To object to processing based on our legitimate interests, including direct marketing.
Right to withdraw consent: Where processing is based on consent, to withdraw such consent at any time.
Right not to be subject to certain automated decisions: To request human review of certain decisions made solely by automated means that produce legal or similarly significant effects.
Additional rights available to residents of specific jurisdictions are described in Section 13 (Jurisdiction-Specific Disclosures).
Exercising Your Rights. To exercise applicable rights, you may:
Submit a request using the contact information provided in Section 15 (Contacting Recourse).
Identify your jurisdiction, the nature of your request, and sufficient details to allow us to verify your identity and locate your data.
We may request additional information as reasonably necessary to verify your identity or authority and to protect against fraudulent or unauthorized requests. Where we act as a processor or service provider on behalf of a customer, we may redirect your request to the relevant customer or request that you contact them directly, as they are typically the appropriate party to respond to such requests.
Authorized Agents and Representatives. Where permitted by law, you may designate an authorized agent or representative to submit certain privacy rights requests on your behalf, subject to appropriate verification of the agent’s authority and your identity.
Response Times. We will respond to privacy rights requests within the timeframes required by applicable law and will inform you if we require additional time.
No Discrimination. Where required by law, we will not unlawfully discriminate against you for exercising your privacy rights.
13. Jurisdiction-Specific Disclosures
California and Similar U.S. Privacy Laws. For individuals in California and in other U.S. states with comprehensive privacy laws modeled on or analogous to the CCPA/CPRA, the following additional disclosures may apply:
Categories of Personal Data Collected: Over the past twelve (12) months, we may have collected the following categories of Personal Data as defined under applicable state privacy laws:
Identifiers (for example, name, email address, IP address, account identifiers).
Professional or employment-related information (for example, role, employer, professional contact details).
Internet or other electronic network activity information (for example, usage logs, device information, browsing history on our sites).
Commercial information (for example, records of Services purchased or considered).
Inferences drawn from the above categories to create profiles reflecting preferences or use patterns, where applicable.
Sources: The sources of these categories of Personal Data are as described in Sections 3 and 4 of this Privacy Policy.
Purposes: The business and commercial purposes for collecting and using Personal Data are as described in Section 5.
Disclosure for Business Purposes: We may disclose the categories of Personal Data listed above to the types of recipients described in Section 7 for business purposes, including provision of the Services, security, analytics, and compliance with law.
Sales and Sharing: We do not sell Customer Data. We do not “sell” Personal Data or “share” Personal Data for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA, except to the extent that use of certain third-party analytics or marketing tools may be interpreted as such. Where required, we will provide appropriate mechanisms to opt out of such activities.
Service Provider and Contractor Status: In many cases, Recourse acts as a “service provider” or “contractor” to its customers within the meaning of applicable state privacy laws and will not retain, use, or disclose Personal Data for purposes other than the business purposes specified in the governing agreement, except as otherwise permitted by law.
European Economic Area, United Kingdom, and Switzerland. For individuals located in the EEA, UK, or Switzerland, the following additional disclosures apply:
Controller Details: For Site Visitors and Users for whom Recourse acts as an independent controller, Recourse LLC is the controller of your Personal Data.
Data Protection Officer or Representative: If required by applicable law, we may appoint a data protection officer or local representative. Details will be made available upon request.
Complaints to Supervisory Authorities: You have the right to lodge a complaint with a data protection authority in your country of residence, your place of work, or the place of an alleged infringement. Without limiting the foregoing, if you are in the EEA, you may contact your local supervisory authority; if you are in the UK, you may contact the Information Commissioner’s Office.
Other Jurisdictions. To the extent other jurisdictions grant additional or different rights regarding Personal Data, we will comply with those rights where they apply to our processing activities. Please contact us for further information regarding rights available in your jurisdiction.
14. Children’s Privacy
No Directed Services to Children. The Services are not directed to or intended for use by children under the age of majority in their jurisdiction (for example, under 16 or 18), and we do not knowingly collect Personal Data directly from such children as independent Users.
Customer Relationship Context. In certain limited circumstances, Customer Data submitted by our customers may include Personal Data relating to minors (for example, in connection with legal matters involving minors). In such cases, Recourse processes such Personal Data solely on behalf of and under the instructions of the applicable customer and does not control any notices or consents required with respect to such processing.
Parental Inquiries. If you believe that we have inadvertently collected Personal Data directly from a child contrary to this section, please contact us using the details in Section 15 so that we can take appropriate steps to delete such data or otherwise address the issue in accordance with applicable law.
15. Contacting Recourse
General Contact. If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact Recourse at:
Email: privacy@recourse.app
Mail: Recourse LLC, Attn: Privacy, 2 20th St. N, Suite 900, Birmingham, AL 35203
Data Protection Queries. For questions regarding:
Our roles as controller and processor.
International data transfers.
Requests to exercise data subject rights.
You may contact us using the same channels, indicating that your inquiry is a “Data Protection Inquiry.”
Response and Escalation. We will make reasonable efforts to respond to your inquiry within a reasonable time and in accordance with applicable law. If you are not satisfied with our response, you may have the right to escalate the matter to an appropriate data protection authority as described in Section 13.
16. Changes to This Privacy Policy
Right to Modify. We may modify or update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
Notification of Changes. When we make material changes to this Privacy Policy, we will:
Update the “Last Updated” date at the beginning of this document.
Provide additional notice as appropriate under the circumstances, which may include:
Posting a prominent notice on our websites or within the Services.
Sending an email or other communication to account owners or designated contacts.
Continued Use. Your continued use of the Services after the effective date of a revised Privacy Policy constitutes your acknowledgement and, to the extent permitted by law, acceptance of the updated Privacy Policy. If you do not agree with any changes, you should discontinue use of the Services and may request closure or deletion of your account, subject to applicable retention obligations.
This Privacy Policy is intended to be consistent with applicable law and with our obligations under our agreements with our customers. In the event of any inconsistency between this Privacy Policy and applicable law, applicable law will control. In the event of any inconsistency between this Privacy Policy and a Subscription Agreement or DPA with a customer regarding our processing of Customer Data, the Subscription Agreement or DPA will control with respect to the subject matter of such agreement.