PROVEAiBLE Privacy Policy

This Privacy Policy explains how Eight LLC ("we", "us", "our"), operator of PROVEAiBLE, collects, uses, stores, and protects personal data when you use our Products. It applies to both PROVEAiBLE Intake (our AI client intake widget for legal organisations) and PROVEAiBLE Desktop (our case-preparation software for individuals and small businesses).

We are committed to complying with the EU General Data Protection Regulation (GDPR) and equivalent applicable privacy laws. Contact us at support@proveaible.com with any questions.

Data Controller

The data controller for personal data processed through PROVEAiBLE is: Eight LLC, Kosovo — support@proveaible.com. Eight LLC is established outside the EEA. We are evaluating the appointment of an EU representative under GDPR Art. 27 and will update this policy when one is designated.

Our Two Products and Their Different Data Models

PROVEAiBLE operates two products with materially different data architectures.

2.1 PROVEAiBLE Desktop — Local-First Architecture. PROVEAiBLE Desktop is installed on your computer. Case files, documents, evidence, and case notes are stored locally on your machine. We do not upload or retain your case files on our servers. When you use AI analysis features, personal identifying information (names, addresses, dates of birth, document IDs) is redacted on your device before any data is transmitted to an AI provider (Anthropic, OpenAI, or Google, per your BYOK configuration). The AI model receives anonymised text only. PROVEAiBLE does not retain a copy of text sent to the AI provider beyond the duration of the API call.

2.2 PROVEAiBLE Intake — SaaS Architecture. PROVEAiBLE Intake is a widget embedded on a legal organisation's website. When a prospective client uses the intake widget:

• Personal identifiers (names, addresses, document IDs) are redacted on our server before any data reaches an AI model. The model only ever processes the redacted version — it never receives the client's identifying details.
• Client intake data is processed transiently and permanently deleted the moment the matter file is delivered to the subscribing organisation. We do not retain matter files, and no client PII is stored in our database.
• The organisation runs the intake on its own AI account (BYOK) and is the data controller for the matter files it receives; for the transient intake step we act only as a processor.
• The only data we store is the organisation's configuration (widget settings, branding, delivery address), for the duration of the subscription — never the substance of a client's matter.

Personal Data We Collect

3.1 Account and Billing Data. When you purchase a subscription, Whop Inc. (our Merchant of Record) collects and processes payment information. We receive: your name, email address, subscription tier, and transaction ID. We do not receive or store full payment card details.

3.2 Usage Data. We collect technical usage data including: session identifiers (with the last octet of IP addresses removed), browser type, operating system, and feature usage events. This data is used to operate, maintain, and improve the Products.

3.3 Support Communications. When you contact us at support@proveaible.com, we retain the communication for the purpose of providing support and resolving disputes.

3.4 Data Submitted for Processing. Under Desktop, documents submitted for AI analysis are processed as described in Section 2.1 — PII is redacted on-device and we do not retain copies. Under Intake, intake submissions are processed as described in Section 2.2 — we do not retain matter files after delivery.

Legal Bases for Processing (GDPR)

• Contract performance — to deliver the Products you have subscribed to.
• Legitimate interests — to operate, maintain, and improve the Products and ensure security.
• Legal obligation — to comply with applicable laws.
• Consent — where we rely on consent (e.g. marketing communications), you may withdraw at any time.

Sub-Processors and Third Parties

We engage the following sub-processors, each bound by appropriate data processing agreements. Note: Whop Inc. also acts as an independent data controller for its own payment and fraud prevention purposes; their privacy policy governs data they collect in that capacity.

• Anthropic (Claude API) — AI text analysis (BYOK) — USA
• OpenAI (GPT API) — AI text analysis (BYOK) — USA
• Google (Gemini API) — AI text analysis (BYOK) — USA
• Google Cloud Vision — OCR for uploaded document images — USA / EU
• Supabase — Firm config + admin dashboard data (Intake) — USA / EU
• Resend — Transactional email (matter file delivery, receipts) — USA
• Render — Headless worker hosting (Intake) — USA
• Whop Inc. — Payment processing, MoR, VAT collection — USA

For transfers to sub-processors in the USA, we rely on Standard Contractual Clauses (SCCs) or applicable transfer mechanisms under GDPR Chapter V.

Data Retention

• Account and billing data: retained for the duration of subscription plus 7 years for tax and accounting compliance.
• Desktop case files: stored locally on your machine only. We hold no copies.
• Intake matter files: delivered to firm inbox and not retained on PROVEAiBLE servers.
• Firm configuration data (Intake): retained for the duration of subscription plus 90 days, then deleted.
• Support communications: retained for 3 years.
• Usage logs: retained for 90 days then aggregated or deleted.

Your Rights Under GDPR

If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights:

• Right of access — to obtain a copy of the personal data we hold about you.
• Right to rectification — to have inaccurate data corrected.
• Right to erasure — to request deletion of your personal data, subject to legal retention obligations.
• Right to restriction — to request restriction of processing.
• Right to data portability — to receive your data in a structured, machine-readable format.
• Right to object — to object to processing based on legitimate interests.
• Right to withdraw consent — where processing is consent-based, to withdraw at any time.

To exercise these rights, email support@proveaible.com. We respond within 30 days. You may also lodge a complaint with your local supervisory authority.

Cookies and Tracking

proveaible.com uses minimal cookies. We do not use third-party tracking pixels, advertising cookies, or cross-site tracking tools. The intake widget keeps only the transient session state needed to run an active intake; it sets no tracking cookies, and the client can clear the session at any time.

Security

We implement appropriate technical and organisational measures to protect personal data, including: encryption in transit (TLS), PII redaction before any AI model call (server-side for Intake, on-device for Desktop), and access controls on our infrastructure. In the event of a personal data breach, we will notify affected individuals and relevant authorities as required by applicable law.

No Sale of Data and No Training on Customer Data

We do not sell, rent, or trade your personal data to third parties for commercial purposes. PROVEAiBLE does not use your documents, case data, or intake submissions to train AI models. We do not retain document content for any purpose beyond delivering the service.

Children's Privacy

PROVEAiBLE is not directed at children under 16. If you believe a child has provided us with personal data, contact us at support@proveaible.com and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email 14 days before taking effect. The current version is always published at proveaible.com.

Contact

Data protection enquiries: support@proveaible.com — Eight LLC, Kosovo.