Privacy Policy

This Privacy Policy applies to Personal Data that Wesley gathers when you visit our website at askwesley.com(our “Website”), when you interact with our Services, or when you otherwise engage with us through correspondence, events, or support channels.

Wesley's platform is built for professional use by law firms, corporate legal departments, and other organizational clients (collectively, our “Customers”). Our relationship with each Customer is governed by a dedicated agreement—which may take the form of a platform license, pilot program agreement, evaluation terms, subscription terms of service, or a data processing addendum—referred to herein as the “Customer Agreement.”

Please note:Queries, prompts, documents, and other materials submitted to or generated by our platform fall outside the scope of this Privacy Policy. We refer to these materials as “Customer Data” and “Content.” Wesley handles Customer Data and Content strictly as a data processor acting on our Customers' instructions, and such processing is governed exclusively by the applicable Customer Agreement. If you have questions about how your organization handles data within our platform, please direct those inquiries to your employer or the relevant Customer, who serves as the data controller.

This Privacy Policy addresses only those circumstances in which Wesley acts as a data controller with respect to your Personal Data.

Through the normal course of operating our platform and running our business, we gather Personal Data from several sources and through various channels. The categories of data we handle are described below.

2.1 Data You Provide to Us Directly

Whenever you create an account, Request Free Trial, or otherwise communicate with us, you share certain information with us voluntarily. This includes:

• Account Data: To set up and maintain your Wesley account, we collect identifiers such as your full name, work email address, job title, employing organization, preferred language, login credentials, and—where applicable—billing details and payment transaction records associated with your subscription.
• Correspondence Data: When you reach out to us for support, submit feedback, respond to a survey, or otherwise get in touch, we retain your name, contact information, the substance of your inquiry, and metadata about how you engage with our messages and platform interfaces.
• Demo Request Data: If you request a product demonstration via our Website, we collect your name, professional email, company, role, and any additional context you include in your submission. We use this information solely to schedule and conduct the requested demo.
• Social Media Data: Wesley has a presence on platforms such as LinkedIn and X (formerly Twitter). If you interact with our social profiles, comment on posts, or send us messages through these channels, we may collect the information you choose to share, along with any aggregated engagement metrics provided to us by the platform operators.
• Survey & Feedback Data: From time to time, we invite users to complete satisfaction surveys or share product feedback. If you choose to participate, we may collect your name, contact details, professional background, and your individual responses. Participation is always optional.

2.2 Data Collected Through Automated Means

When you access our Website or use our Services, certain technical data is captured automatically by our systems:

• Server Logs: Our servers record information sent by your browser or device, including your IP address, browser type and version, operating system, timestamps, referring URLs, exit pages, and interaction patterns across our platform.
• Platform Engagement Data: As you use the Services, we generate metadata that describes how you interact with the platform—for example, which features you access, the frequency and duration of your sessions, the volume of queries submitted, the types of tasks performed, and performance metrics related to those interactions.
• Device Attributes: We collect hardware and connection details such as device name, operating system version, unique device identifiers, screen resolution, and browser configuration. The specific attributes captured depend on your device type and its privacy settings.
• Cookies & Tracking Technologies: We deploy cookies, web beacons, and comparable technologies to operate our Services and to understand how users interact with our Website. For a detailed breakdown, please see Section 11 below.

2.3 Data Received from Third-Party Sources

We supplement the data we collect directly with information received from trusted external sources, including:

• Cybersecurity vendors who alert us to compromised credentials or emerging threat indicators relevant to our user base.
• Web analytics services that provide aggregated traffic statistics and audience demographic insights for our Website.
• Business development partners who furnish prospective client contact details—such as names, professional emails, and organizational affiliations—to help us identify and reach potential Customers.
• Organizers of legal technology conferences, continuing education seminars, and industry events, who may share attendee contact information and professional profiles with us.

The Personal Data described above is used for the following business and operational purposes:

• Service Delivery & Account Administration: Creating your Wesley account, authenticating your identity, provisioning access to our AI-powered legal tools, executing your requests, and rendering technical support.
• Billing & Financial Operations: Processing subscription payments, generating invoices, managing renewals, and retaining financial records in accordance with applicable accounting and tax regulations.
• Product Development & Enhancement: Studying aggregate usage trends, conducting internal research, and iterating on our platform's features, accuracy, and usability to better serve the needs of legal professionals.
• Customer Support & Issue Resolution: Diagnosing and resolving technical issues, answering your questions, and providing onboarding guidance and training resources.
• Operational Communications: Delivering service announcements, notifying you of policy changes, issuing security advisories, and sending other transactional or administrative messages necessary for our relationship.
• Personalization: Adapting the Services to your practice area, professional role, and interaction patterns so that the platform experience is relevant and efficient.
• Research & Analytics: Measuring service effectiveness, gauging user satisfaction through surveys, and analyzing behavioral data to understand how our tools are adopted and where improvements are needed.
• Marketing & Outreach: Where permitted by law (and, where required, with your prior opt-in consent), informing you about new features, upcoming webinars, legal-industry events, and other offerings that may be of interest. You can unsubscribe from marketing emails at any time using the link provided in each message.
• Security & Fraud Prevention: Monitoring for and defending against unauthorized access, abuse, fraud, Terms violations, and other malicious or unlawful activity directed at our platform and its users.
• Legal & Regulatory Compliance: Fulfilling obligations imposed by law, responding to court orders and regulatory inquiries, and safeguarding the rights, property, and safety of our users, our company, and third parties.

We may also derive aggregated or de-identified datasets from Personal Data—removing all information that could reasonably be used to identify you—and use these datasets for analytics, benchmarking, and service improvement. We do not attempt to reverse-engineer or re-identify such data.

Under applicable data protection frameworks, our processing of your Personal Data rests on one or more of the following lawful grounds:

a) Performance of a Contract

Processing that is essential to fulfilling our contractual commitments to you or your employing organization. For instance, we must process certain identifiers and account details to provision your platform access and deliver the Services.

b) Compliance with a Legal Obligation

Processing required to meet a binding legal duty. Examples include retaining billing records for tax and accounting purposes, or disclosing data in response to a validated request from a regulator or law enforcement authority.

c) Your Consent

In specific situations, we seek your affirmative consent before collecting, using, or sharing your Personal Data. You may revoke your consent at any time by contacting us or using the mechanism described in the relevant communication. Please note that withdrawal does not retroactively affect the lawfulness of processing performed while consent was in effect.

d) Legitimate Interests

Processing carried out in pursuit of interests that are genuinely important to our business, provided those interests do not unreasonably override your individual privacy rights. We rely on the following legitimate interests:

• Sustaining and enhancing the quality, reliability, and feature set of our platform.
• Strengthening our support capabilities and refining internal business processes.
• Growing awareness of our Services through responsible marketing and outreach.
• Tailoring the user experience to each professional's practice area and workflow.
• Identifying and mitigating fraud, platform abuse, and violations of our terms of use.
• Safeguarding the integrity and availability of our IT infrastructure.
• Obtaining legal counsel and asserting or defending legal claims.

Processing Activities Table

The table below maps each processing activity to the categories of Personal Data involved, the lawful basis under the GDPR, and the applicable retention period:

We may disclose your Personal Data to the following categories of recipients, in each case only to the extent necessary for the stated purpose:

• Corporate Group Entities:Personal Data may be shared within our corporate group—including any parent company, subsidiaries, or affiliated entities—to support coordinated business functions such as fraud prevention, payment processing, customer success, business development, and shared IT infrastructure.
• Trusted Vendors & Service Partners: We engage carefully selected third-party organizations to assist with hosting, email infrastructure (such as Resend for transactional email), web analytics, marketing automation, customer relationship management, and data processing. Each vendor operates under binding contractual obligations that restrict their access to your data and prohibit them from using it beyond the scope of the services they provide to us.
• Third-Party Software Integrations:If you opt to connect your Wesley account to an external application or service, the operator of that integration may receive certain information about you. Your use of any third-party integration is subject to that provider's own privacy terms, which we encourage you to review.
• Professional Advisors: From time to time, we share data with our external counsel, auditors, tax advisors, consultants, and insurers to the extent required for the professional services they perform on our behalf.
• Government Bodies & Law Enforcement:We may disclose Personal Data where we are compelled to do so by a valid legal instrument—such as a court order, subpoena, or binding regulatory request—or where we reasonably believe disclosure is necessary to detect or prevent fraud, address violations of our Terms of Service, or protect the safety and rights of our users or the public.
• Corporate Transactions: In the context of a merger, acquisition, asset sale, financing round, corporate restructuring, or insolvency proceeding, your Personal Data may be evaluated during due diligence and transferred to a successor entity. We will provide you with notice if such a transfer occurs.

Wesley does not monetize your Personal Data by selling it to third parties. We do not use Customer Data or Content for the purposes of training our AI models, nor do we make it available to other customers.

Protecting the data entrusted to us is a core operational priority. We employ a layered defense strategy combining technical controls, organizational policies, and ongoing monitoring to minimize the risk of unauthorized access, loss, alteration, or disclosure. Key elements of our security program include:

• Encryption Standards: All data at rest is protected using AES-256 encryption, and all data transmitted between your device and our servers is secured via TLS 1.3, ensuring end-to-end protection throughout the data lifecycle.
• Access Governance: We enforce strict role-based access controls (RBAC) with mandatory multi-factor authentication (MFA) across all internal systems. Access privileges follow the principle of least privilege, and every interaction with production infrastructure is logged and subject to periodic audit review.
• Infrastructure Hardening: Our platform runs on enterprise-grade cloud environments with round-the-clock monitoring, automated intrusion detection and prevention (IDS/IPS), and robust DDoS mitigation capabilities.
• Proactive Vulnerability Management: Independent security firms conduct scheduled penetration tests and vulnerability scans against our systems. Identified weaknesses are triaged by severity and addressed within defined remediation windows.
• Incident Preparedness: We maintain a documented incident response plan covering detection, triage, containment, and notification procedures. Should a data breach affect your Personal Data, we will inform you and the appropriate supervisory authority within the timeframes mandated by law.
• Personnel Security: Every Wesley team member and contractor completes mandatory data-handling and security awareness training before gaining access to any production system. Ongoing refreshers are conducted annually.
• Zero-Training Guarantee: Customer Data and Content are never fed into our model training pipelines. Your data remains compartmentalized within your organization's tenant and is never made visible to, or shared with, any other customer or external party.

While these measures are designed to provide robust protection commensurate with the sensitivity of the data we handle, no system connected to the internet can be guaranteed 100% immune to attack. We continuously refine our defenses in response to the evolving threat landscape.

Because we serve Customers worldwide, your Personal Data may be processed in a country other than the one in which you reside. Data protection standards vary across jurisdictions, and we take deliberate steps to ensure that cross-border transfers do not diminish the level of protection your data receives.

When you access our Website or use our Services, your Personal Data may be routed to and stored on infrastructure located in India, the United States, or other regions. Where the law requires additional safeguards for international transfers, we rely on one or more of the following mechanisms:

• Adequacy Determinations: Transfers to countries that have been formally recognized by an authoritative body (such as the European Commission under Article 45 GDPR) as providing an adequate level of data protection.
• Standard Contractual Clauses (SCCs): For transfers to jurisdictions not covered by an adequacy determination, we execute SCCs—pre-approved contractual terms issued by relevant regulatory authorities—with our group entities and third-party service partners.
• Statutory Derogations: In narrowly defined circumstances, we may rely on an applicable exception—such as your explicit, informed consent, contractual necessity, or the establishment or defense of legal claims—to lawfully transfer your data.

Data Residency Controls:We offer configurable data residency options that allow Customers to specify that their data be processed and stored exclusively within a designated geographic region—such as the United States, the European Union, or Australia—to satisfy local sovereignty and regulatory requirements.

We keep your Personal Data only for as long as there is a clear business or legal reason to do so. Where a Customer Agreement is in place, data deletion follows the terms and timelines set out in that agreement.

The factors that influence our retention periods include:

• The duration and terms of the applicable Customer Agreement.
• Ongoing legal, regulatory, or contractual obligations—including dispute resolution and agreement enforcement.
• Tax, accounting, and audit record-keeping requirements applicable to our jurisdiction.
• The need to preserve business continuity and institutional knowledge.

Once there is no longer a legitimate basis for retaining your Personal Data, we will securely delete or anonymize it. Where immediate deletion is technically infeasible (for instance, because the data resides in encrypted backup archives), we will isolate the data from active processing and queue it for deletion at the earliest opportunity.

Account Data:Following account closure or a Customer's deletion request, account-level data is purged from our active systems within 30 days, unless a legal obligation requires longer retention.

Customer Data & Content:Platform inputs and outputs are deleted within the window specified in the relevant Customer Agreement—typically 30 days after the agreement terminates.

Depending on where you are located, you may be entitled to exercise a number of rights regarding the Personal Data we hold about you. These rights are subject to certain conditions and exemptions under applicable law:

• Access: Obtain confirmation that we are processing your Personal Data and request a copy of it, together with supplementary information about the nature and scope of that processing.
• Correction: Have inaccurate or incomplete records about you updated or rectified without undue delay.
• Deletion: Request that we erase your Personal Data when it is no longer needed for its original purpose, when you revoke consent, or under other qualifying circumstances.
• Processing Limitation: Ask us to temporarily halt or restrict specific processing activities—for example, while we verify the accuracy of disputed data or assess an objection you have raised.
• Portability: Receive a machine-readable export of the Personal Data you have provided to us, or request that we transmit it directly to another service provider where technically feasible.
• Objection: Challenge our processing of your Personal Data where it is based on legitimate interests or where it is used for direct marketing. Upon receiving a valid objection, we will cease the relevant processing unless we can demonstrate overriding legitimate grounds.
• Consent Withdrawal: If processing is based on your consent, you may withdraw that consent at any point. Withdrawal does not affect the legality of processing that occurred before it.
• Supervisory Authority Complaint: If you believe our handling of your data infringes applicable data protection law, you have the right to file a complaint with the data protection authority in your jurisdiction.

Marketing Opt-Out:You can stop receiving promotional communications at any time by clicking the “unsubscribe” link in any marketing email. Opting out of marketing will not affect service-related or transactional messages.

To exercise any of these rights, please contact us at privacy@askwesley.com. We will acknowledge your request and respond within 30 days, in accordance with applicable law.

10.1 European Economic Area (EEA), United Kingdom (UK), and Switzerland

Individuals located in the EEA, UK, or Switzerland benefit from the protections of the General Data Protection Regulation (“GDPR”), the UK GDPR, and the Swiss Federal Act on Data Protection (“FADP”), respectively. The lawful bases on which we rely are detailed in Section 4 above. Where legitimate interests serve as our legal basis, we have conducted a balancing test to ensure that your fundamental rights and freedoms are not unduly overridden.

You may exercise the full set of rights outlined in Section 9, including the right to lodge a complaint with your local supervisory authority. A directory of EEA data protection authorities is maintained by the European Data Protection Board, and the UK Information Commissioner's Office (ICO) handles UK-related inquiries.

10.2 United States

For consumers residing in the United States, we process Personal Data in compliance with applicable state-level privacy statutes, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and comparable laws in other states.

Beyond the rights listed in Section 9, US consumers may also be entitled to:

• Right to Know: Request detailed information about the categories and specific elements of Personal Data we have collected, the business purposes for which they were gathered, and the third-party categories with which they have been shared.
• Right to Opt-Out of Sale or Sharing: Wesley does not sell your Personal Data for monetary compensation. In the event that any data-sharing arrangement with analytics or advertising partners could be characterized as a “sale” or “sharing” under state law, we provide a straightforward opt-out mechanism.
• Non-Discrimination: We will not penalize, deny service to, or impose different pricing on individuals who choose to exercise their privacy rights.

To the best of our knowledge, Wesley does not collect or sell the personal information of individuals under the age of 18.

10.3 India

For individuals in India, our processing of Personal Data adheres to the Digital Personal Data Protection Act, 2023 (“DPDPA”), as well as applicable provisions of the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Under Indian law, you are entitled to access, correct, and request erasure of the Personal Data we hold about you, and to withdraw previously granted consent at any time. We process Personal Data exclusively for lawful purposes and obtain consent in all situations where it is legally required. To exercise your rights under Indian data protection law, write to us at the address listed in Section 15.

Our Website and Services employ cookies, pixel tags, web beacons, and similar tracking technologies (collectively, “Cookies”) to deliver core functionality, measure performance, and understand user behavior. A cookie is a small data file placed on your device by your browser; it enables our systems to recognize your session and recall your preferences across visits.

We use the following categories of Cookies:

• Strictly Necessary Cookies: These are indispensable for operating the Website and Services. They power essential functions such as user authentication, session management, network security, and accessibility features. Because they are critical to core functionality, they cannot be disabled.
• Performance & Analytics Cookies: These Cookies collect anonymized data about how visitors navigate our Website—such as page-load times, most-visited sections, and error rates—allowing us to identify and address usability issues and optimize platform performance.
• Preference Cookies: These remember your settings—language, region, display preferences, and saved login credentials—so that you do not need to reconfigure the platform each time you return.
• Marketing Cookies: Where applicable, these Cookies enable our advertising partners to deliver relevant content and measure campaign effectiveness. They may track your interactions across multiple sites to build an interest profile.

Your Cookie Choices: Most browsers let you view, manage, block, or delete cookies through their settings panels. Please be aware that disabling certain Cookies may impair the functionality of specific features within our Website or Services.

Do Not Track Signals:Some browsers transmit a “Do Not Track” (DNT) header. Because no universal technical standard has been adopted for interpreting DNT signals, we do not currently alter our data practices in response to them. We remain committed, however, to the transparency practices described throughout this Privacy Policy.

Wesley's Website and Services are intended exclusively for adults and business professionals. We do not knowingly solicit or collect Personal Data from anyone under the age of 18. If you become aware that a minor has submitted Personal Data to us, please notify us immediately at privacy@askwesley.com. Upon verification, we will promptly take steps to remove the information from our systems.

Because our platform is powered by artificial intelligence, we believe you deserve clear visibility into how AI interacts with your information:

• Zero-Training Commitment: Wesley enforces a strict boundary between customer information and our model development pipelines. Customer Data and Content are never used to train, retrain, fine-tune, or otherwise improve our foundational AI models. This commitment is codified in every Customer Agreement we execute.
• Tenant-Level Isolation: Each Customer's data is logically segregated at the tenant level within our infrastructure. No Customer can access, view, or query another Customer's data—by design, not merely by policy.
• Purpose-Limited Processing: Customer Data and Content are processed exclusively to fulfill the specific task requested—whether that is document analysis, legal research, contract review, or another supported workflow. No secondary use occurs.
• Treatment of Model Outputs: Responses and documents generated by our AI are classified as Customer Data and receive the same contractual and technical safeguards described throughout this Privacy Policy and the applicable Customer Agreement.
• How We Improve: We enhance platform quality using aggregated, de-identified operational telemetry—such as feature adoption rates, latency benchmarks, and error distributions—that is fully stripped of any Customer Data or Content. Where we train or update our models, we rely on publicly available legal corpora, including published court opinions, statutory texts, and regulatory guidance.

We may revise this Privacy Policy periodically to reflect changes in our practices, technological capabilities, legal landscape, or regulatory environment. When material changes are made, we will notify you through one or more appropriate channels—such as a prominent notice on our Website, an email to the address associated with your account, or an in-platform alert—proportionate to the significance of the update.

The “Last updated” date at the top of this page indicates the most recent revision. We recommend checking this page periodically to remain informed about our privacy practices.

If you have any questions about this Privacy Policy, wish to understand more about how we handle your Personal Data, or would like to exercise any of the rights described herein, you may reach us through the following channels:

We strive to acknowledge and substantively respond to all valid requests within 30 calendar days. If your request requires extended processing time due to its complexity or volume, we will inform you of the delay and provide regular progress updates.