Privacy Policy
Effective Date: April 19, 2026
Last Updated: April 19, 2026
Version: 2.0
MTG Softworks ("we," "our," or "us") operates the LegalEase AI mobile application (the "Service"). This Privacy Policy explains in detail what information we collect, how we use it, who we share it with, and what rights you have. By using our Service, you consent to the data practices described in this policy.
Our Core Principle: We follow a "Privacy by Design" and "Privacy by Default" approach as mandated by GDPR Article 25 and the EU AI Act (Regulation 2024/1689). We minimize data collection, we do NOT permanently store your generated documents on our servers, and we do NOT sell your personal data to any third party.
🤖 AI Transparency Disclosure (EU AI Act Article 50): This application uses Generative Artificial Intelligence (Google Gemini API) to produce text content. All outputs are machine-generated and should be clearly identified as such. You are informed that the content you receive is AI-generated and not authored by a human legal professional. This disclosure is provided in compliance with the EU AI Act (Regulation 2024/1689), the Colorado AI Act (SB 24-205), and Google Play's AI-generated content policies (effective 2025).
1. Information We Collect
1.1 Information You Provide Directly
- Document Generation Inputs: Data you type into the document forms (e.g., party names, business names, state/jurisdiction selections, contract terms). This data is transmitted to the Google Gemini API solely for the purpose of generating your requested document. We do not store this input data on any MTG Softworks server.
- Camera Data: If you use the optional camera feature (e.g., to scan a document), the captured images are processed locally on your device. Images are NOT uploaded to our servers or shared with third parties unless you explicitly choose to do so.
- Support Communications: If you contact us via email (support@mtgsoftworks.com), we retain the correspondence and any personal data you voluntarily provide (name, email address) solely for the purpose of resolving your inquiry.
1.2 Information Collected Automatically
- Device Information: Device model, operating system version, unique device identifiers, screen resolution, and language settings.
- Usage Analytics: App open/close events, feature usage frequency, screen views, session duration, crash reports, and performance metrics. Collected via Firebase Analytics (Google Analytics for Firebase SDK).
- Advertising Identifier (GAID): Google Advertising ID is collected by Google AdMob for the purpose of serving ads. Following Google's deprecation of third-party cookies and Android's Privacy Sandbox initiative, we rely on the Google Advertising ID subject to user opt-out controls. You can reset or opt out of your advertising ID in your device's Settings → Privacy → Ads menu.
- Purchase Data: Transaction records processed through Google Play Billing (transaction ID, product purchased, timestamp). Payment processing is handled entirely by Google; we never receive or store your credit card, bank account, or other financial payment details.
- IP Address: Collected transiently by third-party services (Firebase, AdMob, Gemini API) as part of standard internet communication. We do not independently log or store IP addresses. IP addresses may be used for approximate geo-location (country/region level only) to comply with regional advertising regulations.
1.3 Information We Do NOT Collect
- We do NOT collect your real name, email address, phone number, or physical address unless you voluntarily provide it (e.g., by contacting support).
- We do NOT require account registration or login.
- We do NOT collect precise location data (GPS).
- We do NOT collect contacts, call logs, SMS data, or biometric data.
- We do NOT engage in profiling as defined by GDPR Article 22 or automated decision-making that produces legal or similarly significant effects on you.
2. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
| --- | --- | --- |
| Generate legal documents via AI | Form inputs → Gemini API | Art. 6(1)(b) — Contract performance |
| Process in-app purchases | Transaction records via Google Play | Art. 6(1)(b) — Contract performance |
| Display rewarded video ads | GAID, device info via AdMob | Art. 6(1)(a) — Consent (EEA/UK); Art. 6(1)(f) — Legitimate interest (other regions) |
| Monitor app performance & crashes | Usage analytics, crash logs via Firebase | Art. 6(1)(f) — Legitimate interest |
| Improve the Service | Aggregated, anonymized usage patterns | Art. 6(1)(f) — Legitimate interest |
| EU AI Act compliance and recordkeeping | AI interaction logs (anonymized) | Art. 6(1)(c) — Legal obligation |
| Comply with legal obligations | As required by law | Art. 6(1)(c) — Legal obligation |
3. AI-Specific Data Processing (EU AI Act Compliance)
Transparency Notice per EU AI Act (Regulation 2024/1689), Articles 50 and 52:
In compliance with the EU AI Act and the Colorado AI Act (SB 24-205, effective February 1, 2026), we provide the following transparency information about our AI system:
| Item | Details |
| --- | --- |
| AI System Provider | Google LLC (Gemini API) |
| AI System Type | General-Purpose AI (GPAI) — Large Language Model for text generation |
| Risk Classification | Not classified as "high-risk" under Annex III of the EU AI Act. Used for informational text generation only. |
| Input Data Processing | User-provided prompts are sent to the Gemini API via HTTPS. Prompts are processed in real-time and are not used by MTG Softworks for model training. |
| Output Nature | All outputs are AI-generated text. Outputs are clearly identified as machine-generated content. |
| Human Oversight | No human review of individual outputs. User is responsible for all review and verification. |
| Data used for training | MTG Softworks does NOT train or fine-tune AI models. Google's training practices are governed by Google AI Principles. |
| Automated Decision-Making | The Service does NOT make automated decisions that produce legal effects on users (GDPR Art. 22 compliant). |
4. Third-Party Services & Data Sharing
We do NOT sell, rent, trade, or "share" (as defined by the CPRA, Cal. Civ. Code § 1798.140(ah)) your personal data. We disclose data only to the following categories of service providers, strictly for the purposes described:
| Provider | Purpose | Data Shared | Privacy Policy |
| --- | --- | --- | --- |
| Google Gemini API | AI-powered document generation | User-provided form inputs (prompts) | Google Privacy |
| Google Firebase Analytics | App usage analytics & crash reporting | Device info, usage events, crash data | Firebase Privacy |
| Google AdMob | Rewarded video advertisements | GAID, device info, ad interaction data | Google Ads Privacy |
| Google Play Billing | In-app purchase processing | Transaction data (no payment card info) | Google Privacy |
Sub-processor Disclosure: All third-party providers listed above act as data processors (GDPR Art. 28) or sub-processors on our behalf. Google LLC is our primary sub-processor. Google's data processing terms are available at Google Data Processing Terms.
5. International Data Transfers
Your data may be processed outside of your country of residence, including in the United States, where Google's servers are located. We ensure lawful transfers through the following mechanisms:
- EU-US Data Privacy Framework (DPF): Google LLC is certified under the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework, providing adequate protection under GDPR Article 45.
- Standard Contractual Clauses (SCCs): Where the DPF does not apply, we rely on the European Commission's Standard Contractual Clauses (2021/914) as a supplementary transfer mechanism per GDPR Article 46(2)(c).
- Turkey (KVKK): Cross-border transfers comply with the KVKK Board's Decision No. 2024/839 on international data transfers, and are carried out pursuant to Article 9 of Law No. 6698. Transfers to countries without adequate protection are conducted under explicit consent or contractual necessity exceptions.
- UK GDPR: Transfers from the UK rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office (ICO).
6. Data Retention
| Data Type | Retention Period | Legal Basis |
| --- | --- | --- |
| Document generation inputs | Not stored — transmitted to API and discarded immediately | Data minimization (GDPR Art. 5(1)(c)) |
| Generated documents | Stored locally on your device only; deleted when you uninstall the app or manually delete | User control |
| Analytics data (Firebase) | Up to 14 months (Firebase default), then automatically deleted | Legitimate interest |
| Purchase records | Retained by Google Play per Google's retention policy; we retain transaction IDs for up to 3 years for tax/accounting compliance | Legal obligation |
| Crash reports | 90 days, then automatically purged | Legitimate interest |
| AdMob data | Per Google AdMob's data retention policy | Consent / Legitimate interest |
| Support correspondence | Up to 2 years after last communication, then deleted | Legitimate interest |
7. Your Rights
7.1 Rights Under GDPR (EEA/UK Users)
Under the General Data Protection Regulation (Regulation 2016/679) and UK GDPR (UK Data Protection Act 2018), you have the following rights:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data.
- Right to Erasure (Art. 17, "Right to be Forgotten"): Request deletion of your personal data.
- Right to Restriction (Art. 18): Request restriction of processing of your data.
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
- Right to Withdraw Consent (Art. 7(3)): Withdraw previously given consent at any time without affecting the lawfulness of prior processing.
- Right Regarding Automated Decision-Making (Art. 22): Right not to be subject to decisions based solely on automated processing. Note: We do not engage in automated decision-making that produces legal effects.
- Right to Lodge a Complaint: You may file a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu.
7.2 Rights Under CPRA/CCPA (California Users)
Under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act (CPRA, effective January 1, 2023), California residents have the following rights:
- Right to Know (§ 1798.100): Request disclosure of categories and specific pieces of personal information collected, sold, or disclosed in the preceding 12 months.
- Right to Delete (§ 1798.105): Request deletion of personal information.
- Right to Correct (§ 1798.106): Request correction of inaccurate personal information (CPRA addition).
- Right to Opt-Out of Sale/Sharing (§ 1798.120): We do NOT sell or "share" personal information as defined by the CPRA.
- Right to Limit Use of Sensitive Personal Information (§ 1798.121): We do not collect sensitive personal information as defined by the CPRA.
- Right to Non-Discrimination (§ 1798.125): We will not discriminate against you for exercising your privacy rights.
Authorized Agents: You may designate an authorized agent to make requests on your behalf, subject to verification.
7.3 Rights Under Other U.S. State Privacy Laws
The following U.S. state privacy laws are currently in effect and may apply to you depending on your state of residence:
| State | Law | Effective Date | Key Rights |
| --- | --- | --- | --- |
| Virginia | VCDPA | Jan 1, 2023 | Access, correction, deletion, portability, opt-out of targeted advertising |
| Colorado | CPA | Jul 1, 2023 | Access, correction, deletion, portability, opt-out of targeted advertising & profiling |
| Connecticut | CTDPA | Jul 1, 2023 | Access, correction, deletion, portability, opt-out |
| Utah | UCPA | Dec 31, 2023 | Access, deletion, portability, opt-out of targeted advertising |
| Texas | TDPSA | Jul 1, 2024 | Access, correction, deletion, portability, opt-out of targeted ads, profiling & sale |
| Oregon | OCPA | Jul 1, 2024 | Access, correction, deletion, portability, opt-out, right to list of third parties |
| Montana | MCDPA | Oct 1, 2024 | Access, correction, deletion, portability, opt-out |
| Delaware | DPDPA | Jan 1, 2025 | Access, correction, deletion, portability, opt-out |
| Iowa | ICDPA | Jan 1, 2025 | Access, deletion, portability, opt-out of targeted advertising & sale |
| New Jersey | NJDPA | Jan 15, 2025 | Access, correction, deletion, portability, opt-out |
| Nebraska | NDPA | Jan 1, 2025 | Access, correction, deletion, portability, opt-out |
| New Hampshire | NHPA | Jan 1, 2025 | Access, correction, deletion, portability, opt-out |
| Minnesota | MCDPA | Jul 31, 2025 | Access, correction, deletion, portability, opt-out, AI profiling disclosure |
| Maryland | MODPA | Oct 1, 2025 | Access, correction, deletion, portability, opt-out, data minimization |
If you reside in any of the above states, you may exercise your applicable rights by contacting us at support@mtgsoftworks.com. We will process your request within the timeframe required by your state's law (typically 45 days).
7.4 Rights Under KVKK (Turkish Users)
Under Turkey's Kişisel Verilerin Korunması Kanunu (Law No. 6698), you have the following rights pursuant to Article 11:
- Right to learn whether your personal data has been processed (Art. 11(1)(a)).
- Right to request information about processing activities (Art. 11(1)(b)).
- Right to learn the purpose of data processing and whether it is used in accordance with its purpose (Art. 11(1)(c)).
- Right to know the third parties to whom personal data is transferred domestically or abroad (Art. 11(1)(ç)).
- Right to request correction if personal data is incomplete or inaccurate (Art. 11(1)(d)).
- Right to request deletion or destruction of personal data under Article 7 conditions (Art. 11(1)(e)).
- Right to request notification of corrections/deletions to third parties (Art. 11(1)(f)).
- Right to object to any adverse result arising from analysis of data exclusively through automated systems (Art. 11(1)(g)).
- Right to claim compensation for damages arising from unlawful processing (Art. 11(1)(ğ)).
Cross-Border Transfers: In accordance with the KVKK Board's updated Decision No. 2024/839 and the Regulation on Cross-Border Transfer of Personal Data (published in the Official Gazette No. 32552, June 10, 2024), data transfers to countries without adequate protection are conducted under binding corporate rules, standard contractual clauses approved by the KVKK Board, or with explicit consent of the data subject.
To exercise your rights, you can submit your request to support@mtgsoftworks.com. You may also file a complaint directly with the Kişisel Verileri Koruma Kurumu (KVKK) at www.kvkk.gov.tr.
7.5 Rights Under Brazil LGPD
Under Brazil's Lei Geral de Proteção de Dados (Law No. 13.709/2018), Brazilian residents have the right to: confirmation of processing, access, correction, anonymization/blocking/deletion of unnecessary data, data portability, information about sharing, and revocation of consent. Contact us at support@mtgsoftworks.com to exercise these rights.
Response Time: We will respond to all data subject requests within 30 days (or sooner as required by applicable law: 15 days for KVKK, 45 days for CCPA/CPRA).
8. Advertising & Ad Personalization
We use Google AdMob to display rewarded video advertisements within the app. AdMob may collect and use the following:
- Google Advertising ID (GAID)
- Device make, model, and OS version
- IP address (for geo-targeting at country level)
- Ad interaction data (impressions, clicks, completions)
EEA/UK Users: In compliance with GDPR and the ePrivacy Directive (2002/58/EC), we obtain consent via a Consent Management Platform (CMP) before serving personalized ads to users in the European Economic Area and United Kingdom. Non-personalized ads may be served without consent but still require disclosure under the Transparency and Consent Framework (TCF v2.2).
All Users: You can control ad personalization through your device's Settings → Privacy → Ads menu. You may also reset your Advertising ID or opt out of personalized advertising entirely. On Android 13+, you can additionally manage permissions via Settings → Security & Privacy → Ads.
9. Data Security
We implement industry-standard security measures in accordance with GDPR Article 32 and the EU Data Act (Regulation 2023/2854) to protect your data:
- Encryption in Transit: All data transmitted between your device and third-party APIs uses TLS 1.3 encryption (HTTPS).
- Encryption at Rest: Generated documents stored locally on your device are protected by Android's native file-based encryption (FBE).
- Local Storage Security: Generated documents are stored in your device's application sandbox, accessible only by the LegalEase AI app.
- No Server-Side Storage: We do not maintain any database of user-generated documents, minimizing attack surface.
- API Key Security: API credentials are managed through secure native bridges (Android Keystore), not embedded in client-side code.
- Access Controls: Internal access to any analytics data is restricted to authorized personnel on a need-to-know basis.
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
10. Data Breach Notification
In the unlikely event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33;
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34);
- Notify the California Attorney General if the breach affects more than 500 California residents (Cal. Civ. Code § 1798.82);
- Comply with the KVKK Board's breach notification requirements (notification within 72 hours to the Board and "as soon as possible" to affected individuals);
- Provide a clear description of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.
11. Children's Privacy
Our Service is NOT intended for children. We comply with the following age restrictions:
- United States: Under 13 (COPPA, 15 U.S.C. §§ 6501-6506)
- EEA/UK: Under 16 (or lower age set by individual Member States per GDPR Article 8, minimum 13)
- Turkey: Under 18 (KVKK does not define a specific age for digital consent; parental consent required for minors)
- Brazil: Under 18 (LGPD Article 14 requires parental/guardian consent)
We do not knowingly collect personal data from children. If we become aware that a child under the applicable age limit has provided us with personal data, we will take immediate steps to delete such information within 30 days. If you believe a child has provided us data, please contact us at support@mtgsoftworks.com.
12. Do Not Track & Global Privacy Control
We honor Global Privacy Control (GPC) signals as a valid opt-out of sale/sharing request under the CPRA and the Colorado Privacy Act. If your browser or device sends a GPC signal, we will treat it as a request to opt out of any data "sale" or "sharing" as defined by applicable law.
We do not currently respond to "Do Not Track" (DNT) browser signals, as there is no uniform industry standard for DNT compliance.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy within the app;
- Updating the "Last Updated" date and version number at the top of this page;
- For significant changes, displaying an in-app notification at least 30 days before the effective date.
Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the revised terms. If you disagree with any changes, you must discontinue use of the Service.
14. Contact & Data Protection
For any privacy-related questions, data subject access requests (DSARs), or concerns, please contact:
MTG Softworks — Data Protection
Email: support@mtgsoftworks.com
Response time: Within 30 days (15 days for KVKK requests)
Supervisory Authorities:
- EU/EEA: Lodge a complaint with your local Data Protection Authority — EDPB Member List
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- Turkey: Kişisel Verileri Koruma Kurumu — kvkk.gov.tr
- California: California Privacy Protection Agency (CPPA) — cppa.ca.gov
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd