Privacy Policy

How we handle information about clients, respondents, and visitors.

Effective date: May 28, 2026
Last updated: May 28, 2026

LawTru Consulting ("LawTru," "we," "us," or "our") is a consulting practice serving law firms and in-house legal departments. This Privacy Policy explains what information we collect through our website at lawtruconsulting.com and the supporting diagnostic platform, how we use it, who we share it with, how long we keep it, and the choices and rights you have.

This policy covers our website visitors, the administrators who set up an engagement, and the leaders and professionals ("respondents") who complete our diagnostic instruments. It does not cover any third-party website we link to.

Our role: controller and processor

We act in two capacities, and your rights run differently depending on which applies:

  • As a controller — for our own website analytics, marketing inquiries, whitepaper downloads, and the account records we need to operate the platform, we decide why and how the information is processed.
  • As a processor (service provider) — for the survey responses, scored results, and reports generated during a client engagement, we process that information on behalf of the client organization that retained us. The client organization is the controller of that engagement data. If you are a respondent and you want to access, correct, or delete your engagement responses, we will help, but we may need to direct your request to, or confirm it with, your organization.

Information we collect

Account and authentication data. When an account is created — at signup, by accepting an invitation, or when we set one up — we collect a name, work email address, a password (stored in hashed form by our authentication provider), and your role within the engagement. We may also collect a title, practice area, and experience level where provided.

Organizational profile. During intake, an administrator provides information describing the organization: type (law firm, in-house department, and similar), size band, self-described priorities and focus areas, and other context used to tailor the diagnostic.

Survey and instrument responses. Respondents answer the diagnostic instruments. We store responses at the item level (not only the aggregate score) so the instruments can be validated and improved over time. Some items are free-text. Please do not enter privileged, client-confidential, or personally sensitive information into free-text fields (see our Terms of Service).

Scores and computed results. From responses we compute dimension scores, aggregate scores, and pattern detection results.

Reports and deliverables. We generate narrative reports and, where the engagement includes it, an integrated findings package. Reports are stored as records and as PDF files in private storage.

Engagement records and consultant notes. We keep records about each engagement (dates, scope, status). As part of delivering the engagement, our consulting personnel also record qualitative working notes — impressions of organizational dynamics, leadership context, strategic considerations, and identified risks. These notes are visible only to LawTru consulting personnel, inform the diagnostic work, and are not reproduced verbatim in client-facing deliverables.

Communications. If you contact us, request our whitepaper, or receive a transactional email, we process the contents of that communication. Whitepaper download requests also record the visitor's IP address.

Cookies and usage data. We use a small number of cookies needed to keep you signed in, and — on our public marketing pages only — privacy-respecting analytics (see "Cookies and analytics").

Logs. Our hosting and application platforms generate operational logs that may incidentally contain identifiers such as an email address or account ID in an error trace.

We do not collect payment card data, government IDs, biometric data, location data, or any special-category data by design, and we do not accept file uploads from clients.

How we use information

We use the information above to: operate and secure your account; deliver the diagnostic engagement and generate its reports; communicate with you about your engagement, inquiry, or download; validate and improve our instruments; respond to your requests and legal obligations; and understand, at an aggregate level, how our public pages are used.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

Confidentiality of individual responses

Protecting respondent candor is central to how the platform is built. As a matter of design:

  • An organization's administrators cannot retrieve any individual respondent's report. Administrators receive aggregate and role-group results only.
  • Culture-survey results are reported only for role groups of five or more respondents; this minimum cannot be lowered.
  • Each respondent can see only their own personal results.

Two limits to this you should understand:

  • LawTru consulting personnel access individual responses to deliver the service. Our consultant can view item-level responses and individual results across engagements as needed to produce the diagnostic. This access is internal to LawTru.
  • Small groups can be inferable. When an organizational instrument has only a few respondents, individual answers are not disclosed in any report, but in a very small group it may still be possible for others to infer who responded how. We cannot guarantee inferential anonymity at small group sizes.
  • Consultant-directed access. At the close of an engagement, the client organization may direct us to grant specific named individuals access to specific findings. We record who was granted access to what, by whom, and when. Such grants never override the engagement's release controls and can be revoked.

How we use AI

We use the Anthropic Claude API to help generate the narrative portions of reports. When we do, we send the relevant organizational context and scored data (and, where present, our internal consultant notes for that engagement). We do not send item-level survey responses, respondent names, respondent email addresses, authentication credentials, or any other engagement's data. Under Anthropic's commercial terms in force, prompts and outputs sent through the API are not used to train their models.

Sub-processors

We rely on a small set of vetted service providers ("sub-processors") to operate the platform — for hosting, database and storage, authentication, AI narrative generation, PDF rendering, transactional email, and marketing-page analytics. Our current sub-processors, their purpose, and their hosting regions are listed on our Sub-processors page. We maintain that list, date it, and provide advance notice of additions as described there.

Cookies and analytics

We use cookies that are strictly necessary to keep you authenticated. On our public marketing pages only, we use Google Analytics 4 to understand page usage. We honor your browser's "Do Not Track" signal — when it is set, our analytics script does not load and no analytics requests are sent. We use no advertising or retargeting pixels, no session-replay tools, and no cross-site tracking.

How long we keep information

We keep information only as long as needed for the purposes above. Our current schedule:

Information | Retention
Account and organizational profile | For the life of the account; deleted within 30 days of an account-deletion request (after a 7-day grace period to undo)
Survey responses, scores, and reports | Duration of the engagement plus 24 months after it closes; thereafter retained only in de-identified form for instrument validation
Consultant engagement notes | Life of the engagement plus 12 months, then deleted
Contact-form submissions | 24 months
Whitepaper download records (incl. IP) | 24 months
Invitations | Accepted: 90 days after acceptance. Expired: 30 days after expiry
Report-access grants | Deleted with the engagement they belong to
Resource-access logs | 12 months
Operational/server logs | Per our hosting providers' retention settings

When an organization or account is deleted, the associated engagement data is removed from our database. Some report files in backup or storage may persist briefly until routine purges complete; once the underlying records are gone, those files are no longer accessible.

Your rights and choices

Depending on where you live (including under the EU/UK GDPR and the California CCPA/CPRA), you may have the right to access, correct, delete, or receive a portable copy of your personal information, to object to or restrict certain processing, to withdraw consent, and not to be discriminated against for exercising these rights.

  • In-product: account holders can export their data as a downloadable file and request account deletion from their settings.
  • By request: email privacy@lawtruconsulting.com. We will respond within 30 days (sooner where practical). For requests about engagement responses we process on behalf of a client organization, we may need to direct or confirm the request with that organization.

Security

We protect information with measures including: encryption in transit (HTTPS/TLS); private file storage accessible only through short-lived, signed URLs; role-based access controls enforced in the application on every request; and database row-level security as defense-in-depth. Authentication is email and password; multi-factor authentication is not currently required but can be enabled on request. Our application keeps an access log for resource downloads and a record of report-access grants; beyond that, detailed application-level audit logging is limited and platform logs are retained by our hosting provider. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

International users and data transfers

We process and store information in the United States. If you access the service from the European Economic Area, the United Kingdom, or another region, your information will be transferred to and processed in the United States. Where required, cross-border transfers to our sub-processors rely on Standard Contractual Clauses or equivalent safeguards incorporated in each sub-processor's data processing agreement. To request more information about these safeguards, contact privacy@lawtruconsulting.com.

Children

The service is intended for adults using it in a professional capacity. It is not directed to children, and we do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us information, contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. When we do, we will revise the "last updated" date and, for material changes, provide a more prominent notice. Your continued use after an update means you accept the revised policy.

Contact

Questions, concerns, or requests: privacy@lawtruconsulting.com

LawTru Consulting — lawtruconsulting.com