Effective Apr 10, 2026 · Last updated Apr 12, 2026
Our fundamental promise
Privacy is a technical guarantee, not a legal promise. BarZero is built on a “Zero Knowledge, Zero Retention” architecture. We don’t store, log, or analyze your contract data on our servers. Your data exists on our infrastructure only in volatile memory for the milliseconds required to process your request, then it’s cryptographically destroyed.
1. Information We DO NOT Collect
To fulfill our promise of Zero Knowledge and Zero Retention, we specifically architect our systems to avoid collecting the following:
Client Documents: Uploaded contracts are parsed client-side (.docx text extraction happens in your browser) and encrypted at rest locally. Our servers never hold your decryption keys and never write your documents to persistent storage.
Prompts and Chat Messages: Prompts submitted to our AI endpoints are relayed directly to Anthropic in Zero Data Retention mode — always on, single code path. They are never written to our databases.
Session History: All chat histories and analyses are stored locally on your device via IndexedDB. If you utilize our End-to-End Encrypted (E2EE) Sync feature, the data is encrypted via AES-GCM on your device before it touches our servers. We cannot decrypt it.
2. Information We DO Collect
We collect only the minimum data necessary to maintain your account, process billing, and ensure the security of the platform.
Account Metadata: Email address, firm name, and payment information, which is handled securely via our payment processor (Stripe).
Authentication Data: Cryptographic signatures for WebAuthn/FIDO2 authentication.
Usage Metrics: Anonymous telemetry on API request volumes (to manage rate limits and billing), with no information about the content of any request.
3. Third-Party Subprocessors (The AI Pipeline)
BarZero utilizes Anthropic's Claude API for AI reasoning. We have established a strict Zero Data Retention agreement with Anthropic. When your encrypted payload reaches our ephemeral container, it is decrypted in memory and pushed to the Anthropic API with flags ensuring that Anthropic does not log, store, or use your prompts or documents to train their models.
4. Batch and Folder Review
BarZero's batch review lets you point the product at a folder of contracts (on your local disk) and review every contract with one playbook position. The architecture preserves Zero Data Retention end to end:
Folder access stays on your device. We use the browser's File System Access API to read the folder you pick. The directory handle is stored only in your browser's IndexedDB and never transmitted to our servers. On Firefox and Safari — which don't expose that API — the fallback upload flow reads files into browser memory for the duration of the batch only.
Document bytes never touch our servers. Each contract is read by your browser, extracted to text on-device, and the resulting text is sent to our inference path the same way a single-contract review works. The raw file bytes are not uploaded.
Shared batch identifier. Items in a batch are linked by a shared batchId so you can audit the batch as a whole.
No server-side batch state in tab-open mode. Tab-open batches (the only mode shipping in this release) are driven from your browser and persisted in your local IndexedDB. We do not mirror the batch on our servers.
Background mode (opt-in) lets a batch continue while your tab is closed. The trust-model difference is narrow but worth stating explicitly:
Document bytes transit BarZero server memory. A queued worker fetches each file from the source you configured (cloud drive via OAuth, CLI-staged upload, etc.), sends it to Anthropic under ZDR, and discards the bytes after the response. No file is written to disk, logged, or persisted at any point on BarZero infrastructure — Postgres still has no contract table.
Consent is recorded. Before your first background batch, a one-time dialog explains this difference and records your acknowledgement in your organization's audit log with a timestamp. You can use tab-open mode instead at any time to keep bytes on your device.
Cloud-drive refresh tokens are encrypted at rest. Where background mode pulls from Google Drive or Microsoft 365, the OAuth refresh token is stored in BarZero's Postgres, wrapped by a server-side secret. Disconnecting the drive from settings revokes the token at the provider and deletes it from our side.
5. Client-Side Telemetry & Cookies
We use strictly necessary cookies to maintain your authenticated session. We do not use third-party tracking pixels, Google Analytics, or any cross-site tracking mechanisms inside the authenticated application (`/app` routes).
6. ABA Confidentiality Guidelines
Our architecture is designed to align with the confidentiality requirements of ABA Model Rule 1.6(c) and ABA Formal Opinion 512. Zero Data Retention on every inference request and zero server-side persistence of document content are intended to support your professional-responsibility obligations regarding client confidences.
7. Changes to this Policy
If we make material changes to how we handle your data—specifically any changes that alter our Zero Retention guarantees—we will notify you at least 30 days prior to those changes taking effect via the email associated with your account.