Privacy Policy
How I handle Your information
Last Updated: March 24, 2026
My Commitment to Privacy
At Hoag Law.ai, I take Your privacy seriously. This Policy explains how I collect, use, and protect Your Personal Information when You visit the Site or use My contact form.
By using the Site, You agree to the collection and use of information in accordance with this Policy.
Definitions
The following capitalized terms have the meanings set forth below when used in this Policy:
- "I," "Me," "My" refers to Marc Hoag, doing business as Hoag Law.ai.
- "You," "Your" refers to the individual or entity accessing or using the Site.
- "Site" refers to the website located at hoaglaw.ai.
- "Policy" refers to this Privacy Policy.
- "Personal Information" refers to information that identifies, relates to, or could reasonably be linked to You or Your device.
Information I Collect
Contact Form Data
When You submit the contact form, I collect:
- Full Name - To address You properly
- Email Address - To respond to Your inquiry
- Company Name - To understand Your business context
- Funding Stage - To assess fit for My practice
- Message - To understand Your legal needs
Live Chat Data
The Site uses Crisp, a third-party live chat service, to allow You to communicate with Me in real time. When You use the chat widget, Crisp may collect:
- Messages You send through the chat
- Your email address (if You provide it)
- Browser type, device information, and IP address
Chat conversations are processed by Crisp (headquartered in France, EU) and are subject to Crisp's Privacy Policy. Crisp is GDPR-compliant.
Automatically Collected Information
The Site uses Plausible Analytics, a privacy-friendly analytics service. Plausible does not use cookies, does not collect or store Your IP address, and does not track You across websites. Plausible collects only aggregate, anonymous data such as:
- Pages visited and time spent on the Site
- Referral sources (how You found the Site)
- General device type and browser information
- Country-level location (derived from anonymized data, not stored)
For more information, see Plausible's Data Policy.
How I Use Your Information
I use the information You provide to:
- Respond to Your inquiries about legal services
- Assess whether Your needs align with My practice areas
- Communicate about potential engagement
- Provide the legal services You request (if we enter into an engagement)
I do not sell, rent, or share Your information with third parties for marketing purposes. Ever.
Data Security
Your data security is important to Me. The Site uses:
- HTTPS encryption for all data transmission
- Secure third-party services for form submission and email delivery
- Limited access - Only I (Marc Hoag) have access to submitted information
Data Retention
I retain data for different periods depending on its purpose:
- Active clients: For the duration of Your engagement with Me
- Contact inquiries: Up to 1 year if no engagement is established
- Website logs: 90 days for security and troubleshooting purposes
- Analytics: Retained in anonymized, aggregate form indefinitely (Plausible does not collect Personal Information)
- Client matters: As required by applicable legal ethics rules and professional responsibilities
When data is no longer needed for its stated purpose, it is securely deleted or anonymized.
Cookies
I use Plausible Analytics, which is fully cookie-free, does not collect or store Your IP address, and does not track You across websites. The only cookies on the Site are set by Crisp, the live chat service, to maintain Your chat session and remember Your conversation history. These are functional cookies necessary for the chat widget to operate. For more information, see Plausible's Data Policy and Crisp's Privacy Policy.
Third-Party Services
I use trusted third-party services to operate the Site and deliver My services:
| Service | Purpose | Location |
|---|---|---|
| Render | Website hosting | US |
| Formspree | Contact form processing | US |
| Google Search Console | Search monitoring | US |
| Plausible Analytics | Privacy-friendly website analytics | EU |
| Crisp | Live chat | EU (France) |
| GC.ai | Enterprise legal AI platform | US |
Each service maintains its own privacy policy, linked above. I only work with providers that meet industry-standard security and privacy practices.
Use of Artificial Intelligence
In operating My practice and representing clients, I may use generative AI tools for tasks such as legal research, drafting, email and file management, and analysis. These tools augment, but do not replace, My professional judgment.
How AI Is Used
- Legal Research & Analysis: AI may assist in researching legal issues, case law, regulatory requirements, and analyzing documents, contracts, or legal issues
- Drafting & Review: AI may help draft, review, or refine documents, contracts, and communications
- Legal AI Platform: I use GC.ai, an enterprise-grade AI platform built by lawyers, for lawyers. GC.ai does not use client data for model training, encrypts all data at rest (AES-256) and in transit (TLS 1.2+), and maintains zero data retention policies with its underlying LLM providers (OpenAI, Anthropic, Cohere, Reducto, and Google). See GC.ai's Trust Center for full security and compliance details.
- Email & File Management: I use Google Workspace (Gmail and Drive), which includes AI features powered by Google Gemini that may assist with drafting, summarizing, and organizing communications and documents. Google's AI features are subject to Google's Privacy Policy.
Ethics & Compliance
Any use of AI tools is consistent with applicable legal ethics rules, including the California State Bar's Practical Guidance on Generative AI, ABA Formal Opinion 512 (duty to review AI provider security), and New York State Bar Formal Opinion 2024-5 (duty to review AI outputs for accuracy).
Confidentiality & Privilege
I take appropriate measures to protect Your confidential information and preserve attorney-client privilege when using AI tools. Consistent with California ethics guidance and ABA Formal Opinion 512 (which requires lawyers to review generative AI provider security practices), I exclusively use AI platforms that meet enterprise-grade security standards.
I use GC.ai because it was purpose-built for legal professionals and attorney-client privilege is maintained, similar to other trusted cloud-based tools like Google Workspace, Slack, or Asana. Specifically:
- No model training on client data - Your information is never used for commercial model training
- Zero data retention with LLM providers - GC.ai maintains zero data retention policies with its underlying providers (OpenAI, Anthropic, Cohere, Reducto, and Google). None of them can train on Your data.
- Data isolation and encryption - Your data is stored in a segregated database, encrypted at rest with AES-256 and in transit via TLS 1.2+. You may delete Your data at any time.
- SOC 2 Type I and Type II certified - Independent audit of security controls and data protection. All GC.ai vendors that process or store user data are also SOC 2 compliant.
- GDPR compliant - With a Data Processing Agreement included in standard terms and Standard Contractual Clauses for cross-border data transfers
- Published subprocessors list - Full transparency about third-party data handling
I maintain human oversight of all AI-assisted work product, consistent with guidance from the New York State Bar (Formal Opinion 2024-5) requiring lawyers to review all generative AI outputs for accuracy before use. AI suggestions are reviewed, verified, and refined before being used or delivered. AI does not make decisions; I do.
If You have questions or concerns about AI use in connection with Your matter, please discuss them with Me directly.
Your Use of AI Platforms: Privilege Waiver Risk
While I take steps to protect privileged communications on My end, You should be aware that sharing attorney-client communications with public, consumer-grade AI platforms may permanently waive attorney-client privilege over those communications.
In United States v. Heppner (S.D.N.Y. 2026), the first court to address this issue, a federal judge held that privileged information shared with a public AI platform is not protected by attorney-client privilege or the work product doctrine. While this ruling is not binding in California, it signals an emerging legal consensus: public AI platforms' terms of service typically permit data review, model training, or third-party disclosure, which eliminates the confidentiality required to maintain privilege.
Do not input legal advice, attorney correspondence, draft contracts, litigation strategy, or any other privileged communications into consumer AI tools such as ChatGPT, Claude, Grok, Gemini, Perplexity, or similar platforms. If You need to use AI tools in connection with Your legal matter, please discuss it with Me so I can recommend enterprise-grade alternatives with appropriate confidentiality protections.
Minors
The Site is intended for users who are at least 18 years of age, consistent with the eligibility requirements in the Terms of Service. I do not knowingly collect Personal Information from minors. If You believe a minor has provided information through the Site, please contact Me immediately and I will delete it.
Your Rights
You have the right to:
- Access: Request a copy of the information I have about You
- Correction: Request corrections to inaccurate information
- Deletion: Request deletion of Your information (subject to legal retention requirements)
- Opt-out: Unsubscribe from future communications at any time
To exercise these rights, contact Me via email.
California Privacy Rights (CCPA/CPRA)
If You are a California resident, You have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
Your California Privacy Rights
- Right to Know: You may request disclosure of the categories and specific pieces of Personal Information I have collected about You, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom it is shared.
- Right to Delete: You may request deletion of Your Personal Information, subject to certain exceptions (such as legal retention requirements).
- Right to Correct: You may request correction of inaccurate Personal Information.
- Right to Opt-Out of Sale/Sharing: I do not sell or share Your Personal Information for cross-context behavioral advertising. No opt-out is necessary.
- Right to Non-Discrimination: You will not be discriminated against for exercising Your privacy rights.
Categories of Information Collected
In the preceding 12 months, I may have collected the following categories of Personal Information:
- Identifiers: Name, email address, company name
- Internet Activity: Browsing history on the Site, interactions with the Site (via Plausible Analytics, anonymized and aggregate only)
- Professional Information: Company name, funding stage
How to Exercise Your Rights
To submit a request, email Me at marc@hoaglaw.ai with "California Privacy Request" in the subject line. I will verify Your identity before processing Your request and respond within 45 days.
European & UK Privacy Rights (GDPR)
If You are located in the European Economic Area (EEA) or the United Kingdom, You have rights under the General Data Protection Regulation (GDPR) and UK GDPR:
Legal Basis for Processing
I process Your personal data under the following legal bases:
- Consent: When You submit the contact form, You consent to My processing Your information to respond to Your inquiry.
- Legitimate Interests: I use analytics to improve the Site and My services, which is a legitimate business interest that does not override Your privacy rights.
- Contract: If we enter into an attorney-client engagement, processing is necessary for the performance of that contract.
Your GDPR Rights
- Right of Access: Request a copy of Your personal data.
- Right to Rectification: Request correction of inaccurate data.
- Right to Erasure: Request deletion of Your data ("right to be forgotten").
- Right to Restrict Processing: Request limitation of how Your data is used.
- Right to Data Portability: Receive Your data in a structured, commonly used format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
International Data Transfers
If You are located outside the United States, please be aware that Your information will be transferred to and processed in the United States, where data protection laws may differ from those in Your country. By submitting Your information, You consent to this transfer. When transferring data internationally, I rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and ensure service providers comply with applicable data protection requirements.
Supervisory Authority
You have the right to lodge a complaint with Your local data protection supervisory authority if You believe Your rights have been violated.
How to Exercise Your Rights
To exercise any of these rights, email Me at marc@hoaglaw.ai with "GDPR Request" in the subject line. I will respond within 30 days.
Other U.S. State Privacy Rights
If You are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), or another state with applicable consumer privacy legislation, You may have rights similar to those described above, including:
- Right to Access: Request access to Your Personal Information
- Right to Correct: Request correction of inaccuracies
- Right to Delete: Request deletion of Your Personal Information
- Right to Data Portability: Receive Your data in a portable format
- Right to Opt Out of Sale: I do not sell Your Personal Information
- Right to Opt Out of Targeted Advertising: I do not engage in targeted advertising
- Right to Opt Out of Profiling: I do not engage in automated profiling that produces legal or similarly significant effects
To exercise Your rights, email Me at marc@hoaglaw.ai with "State Privacy Request" in the subject line. I will respond within the timeframe required by Your state's law. If Your request is denied, You may appeal by contacting Me with additional details.
Data Breach Notification
In the unlikely event of a data breach affecting Your Personal Information:
- Timeline: I will notify affected individuals within 72 hours of becoming aware of the breach
- Method: Email notification to Your contact address and/or prominent notice on the Site
- Content of notice: A description of the breach, the types of Personal Information involved, steps I am taking to address the breach, and steps You can take to protect Yourself
- Regulatory notification: I will notify relevant authorities as required by law, including under the GDPR (Article 33, within 72 hours), California Civil Code Section 1798.82, and any other applicable state or federal data breach notification laws
If You have reason to believe Your data has been compromised, please contact Me immediately at marc@hoaglaw.ai.
Do Not Track Signals
The Site honors Do Not Track (DNT) browser signals. In practice, the Site's analytics provider (Plausible Analytics) does not use cookies, does not collect or store IP addresses, and does not track users across websites, regardless of DNT settings. Your privacy is respected by default.
Essential functionality (such as the live chat widget, if accepted) is not affected by DNT signals.
Changes to This Policy
I may update this Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the Site after changes constitutes acceptance of the updated Policy.
Questions About Privacy?
If You have questions or concerns about this Policy or how Your data is handled, please contact Me:
