// Legal / Privacy Policy

Privacy Policy

Last updated: April 24, 2026

SquareLog is built for people navigating family court. The information you log may include sensitive details about your children, finances, and custody disputes. We take that seriously. This policy explains exactly what we collect, how we use it, and who can see it.

1. Information We Collect

Information you provide directly

  • Account data: email address, first name, last name, jurisdiction (collected at registration).
  • SitRep entries: the events, communications, photos, documents, and observations you log — including dates, descriptions, parties involved, emotional tone, stability metrics, and financial records.
  • Notebook drafts: draft text you write using the Notebook feature.
  • Uploaded files: documents, photos, and other files you attach to SitRep entries or Declarations.
  • Support communications: email or in-app messages you send us.

Information collected automatically

  • Authentication metadata: login timestamps, session tokens, and refresh token activity (managed by Supabase Auth — see Sub-processors).
  • Security logs: IP addresses, user-agent strings, and failed authentication attempts, retained for security purposes for 90 days.
  • Application logs: non-personal operational logs (request latency, error types, feature usage counts) retained for 30 days. These logs do not include the content of your SitRep entries.
We do not use advertising trackers, third-party analytics SDKs, or social media pixels. We do not track you across other websites.

2. How We Use Your Information

  • Providing the service: storing, retrieving, and displaying your SitRep entries, drafts, and documents.
  • AI features: when you query the Intelligence feature, your query text is sent to an AI embedding service to find relevant sections of the Connecticut legal corpus (see Sub-processors). Your SitRep entries are not sent to third-party AI services unless you explicitly use a feature that does so (e.g., Declaration drafting).
  • Security and fraud prevention: monitoring for unauthorized access and abuse.
  • Service communications: account confirmations, password reset emails, and material changes to this policy.
  • Legal compliance: responding to valid legal process.

We do not use your data to train AI models. We do not sell your data. We do not use your data for advertising.

3. How We Store and Protect Your Information

Your data is stored in a PostgreSQL database hosted by Supabase (see Sub-processors), located in the US East region (AWS us-east-1). We apply the following protections:

  • Encryption at rest: Supabase encrypts the database at the storage layer using AES-256. Sensitive fields (e.g., entry content) receive additional application-level encryption.
  • Encryption in transit: all connections use TLS 1.2 or higher.
  • Row-level security: database-enforced policies ensure your data is only accessible to your account. No other SquareLog user can access your records, even if they know your account identifiers.
  • Uploaded files: documents and media are stored in Cloudflare R2 (S3-compatible object storage) with private ACLs. Access is granted via short-lived presigned URLs generated by our API.

A full description of our security practices is in our Security Policy.

4. Who We Share Your Information With

We do not sell, rent, or trade your personal information. We share your data only in these circumstances:

  • Sub-processors: the infrastructure and AI providers listed in §8 below, solely to provide the service to you.
  • Legal process: if we receive a valid subpoena, court order, or law enforcement request, we may be required to disclose your data. Where legally permitted, we will notify you before complying.
  • Safety: if we believe disclosure is necessary to prevent imminent harm to a child or another person, we may share relevant information with appropriate authorities.
  • Business transfer: if SquareLog is acquired or merges with another entity, your data may be transferred as part of that transaction. We will notify you by email and provide 30 days to export or delete your data before any such transfer completes.

5. Data Retention

We retain your account data and SitRep entries for as long as your account is active. If you delete your account:

  • Your account and personal data are marked for deletion immediately.
  • Content (SitRep entries, notebooks, declarations, files) is purged within 30 days.
  • Security logs (IP addresses, authentication events) are retained for 90 days after account deletion for fraud prevention and legal compliance, then deleted.
  • Backups containing your data are rotated out within 90 days of account deletion.

You may also delete individual SitRep entries or documents at any time without closing your account.

6. Your Rights

You have the right to:

  • Access: request a copy of all personal data we hold about you.
  • Correct: update inaccurate information in your account settings or by contacting us.
  • Export: receive your data in a structured, machine-readable format (JSON and/or PDF) within 30 days of request.
  • Delete: close your account and have your data deleted per the schedule in §5, or delete individual records at any time.
  • Restrict: object to specific processing activities by contacting us, subject to our legal obligations.

To exercise any of these rights, email [email protected]. We will respond within 30 days of a verified request.

7. Connecticut Privacy Rights

Connecticut residents have additional rights under the Connecticut Data Privacy Act (CTDPA), effective July 1, 2023, including the right to opt out of the sale of personal data (we do not sell personal data) and the right to appeal our decisions regarding your rights requests. If you wish to appeal a decision, email [email protected] with the subject line "Privacy Rights Appeal."

8. Sub-Processors

The following third parties process data on our behalf as part of providing the service:

  • Supabase, Inc. — authentication, database hosting, and realtime infrastructure. Data stored in AWS us-east-1. Supabase is SOC 2 Type II certified. Privacy Policy
  • Cloudflare, Inc. — CDN, DNS, object storage (R2) for uploaded files. Privacy Policy
  • Amazon Web Services (AWS) — underlying compute and storage for our application backend, via EC2. Privacy Policy
  • OpenAI / OpenRouter — AI embeddings for the Intelligence feature (your query text is sent to generate vector embeddings to search the legal corpus). Declaration drafting also sends relevant SitRep entry content to generate draft text. We do not send your data for model training; we use API access only. OpenAI Privacy Policy

9. Children's Privacy

SquareLog is not intended for use by anyone under 18. We do not knowingly collect personal information from children. If you believe a child has created an account, contact us at [email protected] and we will delete it promptly.

We recognize that your SitRep entries may include information about your children. This information is treated as yours, subject to all protections in this policy. We do not use it to build profiles of minors.

10. Changes to This Policy

We will post any changes to this policy on this page and update the "Last updated" date. For material changes, we will email registered users at least 14 days before the change takes effect.

11. Contact

Privacy requests and questions: [email protected]
General inquiries: [email protected]