Launching June 1, 2026

Security

Last updated: April 2026

LegalMind is built with a local-first architecture. Your legal documents, research, and annotations never leave your device unless you explicitly choose to share them. Here's how we keep your data safe.

Local-First Architecture

All document processing, highlighting, annotation, and AI query preparation happens on your device. We do not upload, store, or process your legal documents on our servers.

  • Documents are stored in the app's local database on your phone
  • Highlights, notes, and bookmarks are persisted locally
  • Uninstalling the app removes all local data

What We Store in the Cloud

Only the minimum required for account and subscription management:

  • Account identity — name, email (via Clerk)
  • Subscription state — plan tier, billing status (via Supabase)
  • Payment records — transaction IDs, not card details (via Razorpay)

Authentication

  • Authentication is handled by Clerk, a dedicated authentication provider
  • Passwords are never stored by LegalMind — Clerk handles hashing and storage
  • Session tokens are short-lived and rotated automatically
  • Sign in with Google (OAuth/OpenID Connect) is supported, so you can use the app without creating a separate LegalMind password

Encryption

  • All network traffic between the app and our backend uses TLS 1.3 (HTTPS)
  • Secret API keys are kept in server-side environment variables and are never shipped in client code
  • Card details are entered into and handled by Razorpay, which is PCI DSS Level 1 compliant; LegalMind only receives transaction IDs, never card data

AI Queries

When you use AI search, only the query text is sent to our backend for processing. The full document context stays on your device. Because the query text itself is transmitted, avoid pasting confidential passages from a document into it. AI responses are grounded in our indexed legal corpus, and we do not train models on your queries or data.

Infrastructure

  • Website hosted on Vercel with automatic DDoS protection
  • Database on Supabase with row-level security policies
  • No server-side logging of document content or user research activity
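As an added illustration of what "row-level security policies" means in practice, here is a small Postgres/Supabase example. It is not LegalMind's actual schema or code; the table and column names are assumptions chosen to match the subscription data listed above, and the check at the end uses constructed sample rows.

```sql
-- Hypothetical subscriptions table (example only; names are assumptions,
-- not LegalMind's real schema).
create table if not exists subscriptions (
  id                  uuid primary key default gen_random_uuid(),
  user_id             text not null,   -- Clerk user ID, i.e. the JWT "sub" claim
  plan_tier           text not null,
  billing_status      text not null,
  razorpay_payment_id text             -- transaction reference only, never card data
);

-- Constructed sample rows, inserted before RLS is switched on.
insert into subscriptions (user_id, plan_tier, billing_status)
values ('user_2abc', 'pro',  'active'),
       ('user_2xyz', 'free', 'none');

-- Enable RLS; "force" applies it to the table owner as well.
alter table subscriptions enable row level security;
alter table subscriptions force row level security;

-- Signed-in clients may read only their own row. auth.jwt() exposes the
-- verified token's claims; with a Clerk-issued token, "sub" is the Clerk user ID.
create policy "read own subscription"
  on subscriptions
  for select
  to authenticated
  using (user_id = (select auth.jwt() ->> 'sub'));

-- Deliberately no insert/update/delete policy for clients: with RLS enabled and
-- no matching policy, those statements affect zero rows. Billing changes are
-- written server-side (for example from a payment webhook) using the service
-- role, which bypasses RLS and therefore must never ship inside the app.

-- Constructed check: emulate the settings PostgREST applies for a request that
-- carries a token for "user_2abc", then confirm only that user's row is visible.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"user_2abc","role":"authenticated"}', true);
  select user_id, plan_tier, billing_status
    from subscriptions;   -- returns only the user_2abc row
rollback;
```

The policy is the enforcement point: even if a client holds a valid session token and talks to the database API directly, the filter in `using (...)` is applied by Postgres to every query, so one user cannot read another user's plan or billing status. The same reasoning is why the service role key must stay in server-side environment variables, as the Encryption section says.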

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly by emailing amaagra@matrikar.org with details. We take all reports seriously and will respond within 48 hours.