Solutions
Product
About Us Integrations Security Pricing FAQ Careers
Contact Us
Log in Book a Demo

Privacy Policy

Last updated: April 15, 2026 · Document version 3.0

Plain-language summary. Esqio is paid by its customers (law firms, consultancies, accounting firms, and professional-services teams), and those customers are our data controllers. We do not sell personal data. We do not use your matter or client content to train shared AI models. Your firm's data sits in a logically isolated tenant, encrypted in transit and at rest. You control what Esqio connects to through OAuth; you can disconnect, export, or delete at any time.

1. Who We Are and Scope of this Policy

Esqio Technologies, Inc. ("Esqio," "we," "us," or "our") is a Delaware-incorporated software company with offices in the United States. We provide a consent-based AI timekeeping and billing automation platform (the "Services") primarily to law firms, consulting firms, accounting firms, and other professional-services organizations (each a "Customer").

This Privacy Policy describes how we handle personal information in two distinct capacities:

  • As a data controller for personal information collected about you when you visit our website, engage with our marketing, or contact us — for example, by booking a demo.
  • As a data processor for personal information that our Customers process through the Services. In that capacity, the Customer is the controller and governs the purposes and means of processing. Our processing is governed by our Master Services Agreement ("MSA") and Data Processing Addendum ("DPA").

This Policy covers both the website (esqio.ai and subdomains) and the Services. It does not cover third-party applications that integrate with the Services, even when accessed via Esqio.

2. Information We Collect

2.1 Information you provide directly

  • Identifiers — name, business email, business phone, firm or company name, job title
  • Account credentials — SSO identifiers, passwords (hashed and salted; we never see plaintext)
  • Billing & payment information — handled by our PCI-DSS-compliant payment processor (Stripe); we retain only billing name, email, last four digits of card, and invoice history
  • Communications — support tickets, feedback submissions, sales correspondence, recorded demo calls (with consent)

2.2 Information automatically collected from the website

  • Device information (browser, OS, device class), IP address, language preference
  • Log data — access timestamps, pages viewed, referring URL, search terms leading to Esqio
  • Cookies and similar technologies — see Section 9 below

2.3 Information processed through the Services (Customer Data)

  • Calendar metadata, email metadata, document metadata, call-session metadata, and application-usage metadata — ingested only from the productivity tools the Customer administrator explicitly connects via OAuth
  • Time entries, narratives, task codes, matter references, and attorney edits generated or edited within the Services
  • Audit-log events recording authentication, data access, and administrative actions

We do not by default ingest email bodies, document bodies, call recordings, keystrokes, or screen captures. Content-level ingestion is available only per-matter and only when the Customer administrator explicitly enables it.

3. How We Use Your Information

3.1 Website and marketing (controller)

  • Respond to your requests (demos, quotes, support)
  • Send service communications, security alerts, and, with your opt-in, marketing communications
  • Analyze website performance, conversion paths, and content effectiveness
  • Detect, investigate, and prevent fraudulent or unauthorized activity

3.2 Services (processor)

  • Generate time-entry drafts, narratives, and billing outputs for review by the authorized user
  • Adapt a firm-scoped model to the firm's voice and preferences (weights never leave the firm's tenant)
  • Maintain audit logs and support compliance obligations
  • Provide technical support and troubleshooting when authorized by the Customer

We do not use Customer Data to train shared or general-purpose AI models. This is both a contractual and an engineering guarantee.

4. Legal Bases for Processing (GDPR/UK GDPR)

  • Contract performance — to provide the Services you or your firm has engaged.
  • Legitimate interests — to operate and secure the Services, improve website experience, and run relevant B2B marketing to business contacts. Your objection rights are preserved and described below.
  • Consent — for non-essential cookies and opt-in marketing communications.
  • Legal obligation — where we must retain or disclose information to comply with applicable law.

5. Data Sharing and Disclosure

We do not sell your personal information. We do not share personal information with third parties for their independent marketing.

We share information only with:

  • Subprocessors who operate the Services under a written agreement imposing data-protection obligations no less protective than ours. The current subprocessor list is published in our Security & Data Handling Brief and updated with 30 days' notice.
  • Professional advisers (counsel, auditors, insurers) bound by duties of confidentiality.
  • Government authorities only when legally compelled, and after notifying the Customer unless notification is prohibited by law.
  • Successor entities in connection with a merger, acquisition, reorganization, or asset sale, subject to equivalent data-protection obligations and advance notice.

6. International Transfers

Our primary production environment is in the United States (AWS us-east-1 and us-west-2). Enterprise Customers may elect alternative regions. Where personal data originating in the EU/EEA, UK, or Switzerland is transferred to the United States, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Agreement. We publish a transfer impact assessment on request.

7. Data Security

Security measures include, at minimum:

  • Encryption in transit using TLS 1.3 with legacy-cipher deprecation
  • Encryption at rest using AES-256 with AWS KMS; 90-day key rotation; FIPS 140-2 Level 3 HSM for root keys
  • Tenant isolation at the application, database, and object-storage tiers
  • SSO (SAML/OIDC), MFA enforcement, role-based and matter-level access controls
  • Comprehensive audit logging with configurable retention
  • Continuous monitoring, quarterly penetration testing, annual third-party security assessment
  • Written incident response plan aligned to NIST SP 800-61; 24-hour breach notification commitment for confirmed incidents affecting Customer Data

Full control details are published in the Security & Data Handling Brief.

8. Data Retention and Deletion

  • Website visitor data — retained for 24 months after last visit unless extended by opt-in.
  • Sales and support correspondence — retained for 36 months after last interaction, unless the Customer becomes an active account.
  • Customer Data — retained for the term of the MSA and deleted within 30 days of termination, subject to Customer-elected regulatory hold (available up to 7 years on Enterprise).
  • Billing records — retained for 7 years to comply with US federal tax and state accounting obligations.
  • Backups — continuous incremental plus daily full; 30-day rolling retention; cryptographically destroyed on tenant termination.

9. Cookies and Tracking Technologies

We categorize cookies as follows:

  • Strictly necessary — session, authentication, load balancing, security. These are set without consent under applicable law.
  • Functional — preference storage, language, UI state. Opt-in where required.
  • Analytics — aggregated, privacy-respecting website analytics (e.g., page visits, conversion). Opt-in in the EU/UK; opt-out elsewhere.
  • Marketing — limited to retargeting of visitors to our own site. Opt-in in the EU/UK; opt-out elsewhere.

A cookie preferences control is available in the website footer. You may additionally manage cookies through your browser.

10. Your Rights and Choices

Subject to applicable law (GDPR, UK GDPR, CCPA/CPRA, VCDPA, and other US state privacy laws), you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your personal information (subject to legal-hold exceptions)
  • Port your personal information to another service
  • Object to or restrict certain processing, including direct marketing
  • Withdraw consent where processing is consent-based
  • Not be subject to solely automated decisions producing legal or similarly significant effects — the Services are designed so that every AI-generated output is reviewable and approvable by the authorized human user
  • Lodge a complaint with a supervisory authority (EU/UK) or Attorney General (applicable US states)

Requests are processed within 30 days (extendable once to 60 days for complex requests). Send requests to privacy@esqio.ai. We verify identity before acting on requests.

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another US state with privacy rights, the same process applies; we do not discriminate against consumers exercising privacy rights.

11. Customer Data Requests

If you are an end user of the Services at a Customer firm and wish to exercise rights over data processed via the Services, please first contact your Customer (your firm). We support the Customer in responding to such requests.

12. Children's Privacy

The Services are intended for business users aged 18 and older. We do not knowingly collect personal information from individuals under 18. Contact us if you believe we hold such information and we will delete it.

13. Third-Party Links and Integrations

The website and Services link to third-party products and services. This Policy does not apply to those third parties. We encourage you to review their privacy practices. For third-party integrations (e.g., Outlook, Teams, Clio), the data practices of the third party are separately governed by their own terms.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or product. Material changes will be communicated via email (to active-account Customers) and by prominent notice on this page at least 30 days before they take effect. The "Last updated" and "Document version" fields are maintained above.

15. Contact and Supervisory Information

Privacy inquiries and requests: privacy@esqio.ai
Security reports: security@esqio.ai · PGP at /.well-known/security.asc
Data Protection Officer (EU representative): dpo@esqio.ai
General sales and support: contact@esqio.ai

Esqio Technologies, Inc.
Attention: Privacy Office
Delaware, United States
Registered agent and mailing address available on request to legal@esqio.ai.

This Privacy Policy does not create contractual rights. Contractual rights concerning Customer Data are set forth in the executed Master Services Agreement and Data Processing Addendum between Esqio and each Customer.