Privacy Policy
cmblaw.ai API Service
Clayton, McKay & Bailey, PC
800 Battery Ave. SE, Suite 300, Atlanta, GA 30339 • (404) 414-8633 • info@cmblaw.com
This Privacy Policy (“Policy”) describes how Clayton, McKay & Bailey, PC (“CMB,” “Firm,” “we,” “us,” or “our”) collects, uses, stores, and protects information transmitted through the cmblaw.ai application programming interface and related services (“API” or “Service”). By using the Service, you (“User,” “you,” or “your”) — including AI agents acting on behalf of individuals or organizations — consent to the practices described below.
1. Information We Collect
1.1 Account & Authentication Data
- Organization name and contact email provided during API key registration
- HMAC-SHA256 hash of your API key (the plaintext key is never stored)
- Allowed IP addresses, if you configure IP restrictions
1.2 Service Request Data
When you submit requests through the API, we collect the data you provide, including but not limited to:
- Trademark filing details (applicant name, mark text, goods/services descriptions, USPTO class selections, specimen URLs)
- Provisional patent application materials (problem statements, solution descriptions, system diagrams, flowcharts)
- Business entity formation details (entity name, type, state, members/officers)
- Document generation parameters (document type, party names, contractual terms)
- Consultation thread content (topic, description, messages, attachments)
- Contact information (email addresses, contact names)
1.3 Transaction Data
- LawPay payment tokens and transaction identifiers (we do not store full credit card numbers)
- Pricing records associated with each submission
1.4 Automatically Collected Data
- IP address of the requesting system
- User-Agent header string
- Timestamps of all API requests
- Endpoint and HTTP method for each request
- Rate limit usage counters
1.5 Audit & Security Data
- Tamper-evident audit log entries (event type, actor, IP, endpoint, response status, hash chain)
- Abuse detection signals (request frequency per key, per IP)
- Authentication success and failure events
2. How We Use Your Information
2.1 Providing Legal Services
Your service request data is used by CMB attorneys to prepare, review, and file legal documents on your behalf. Provisional patent applications undergo AI-assisted drafting followed by attorney review and refinement. Trademark filings include AI-powered conflict analysis followed by attorney review.
2.2 Payment Processing
Payment tokens are forwarded to our payment processor, LawPay (a product of AffiniPay), to verify and process charges. We do not access or store your full payment card details. LawPay’s privacy policy governs its handling of payment data.
2.3 Communication
We use your contact email to send submission confirmations, status updates, attorney correspondence within consultation threads, and important service announcements.
2.4 Security & Abuse Prevention
IP addresses, request patterns, and authentication data are used for rate limiting, abuse detection, and to protect the integrity of the Service.
2.5 Service Improvement
Aggregated, de-identified usage data may be used to improve API performance, reliability, and the quality of our legal services.
3. Data Storage & Retention
3.1 Storage
Service data is stored in encrypted databases hosted in the United States. API keys are hashed using HMAC-SHA256 and never stored in plaintext. We implement write-ahead logging (WAL) and regular backups to prevent data loss.
3.2 Retention Periods
- Client matter data: Retained for a minimum of 7 years from the date of creation, consistent with Georgia State Bar record-keeping requirements for legal matters
- Rate limit records: Automatically purged after 7 days
- Audit logs: Retained for a minimum of 7 years for compliance and security purposes
- IP tracking data: Retained for up to 1 year for security purposes
3.3 Data Purge
Submissions that have exceeded their retention period are automatically purged via the data retention system. You may request early deletion of non-essential data by contacting info@cmblaw.com, subject to our legal and regulatory obligations.
4. Data Sharing & Disclosure
4.1 We Do Not Sell Your Data
CMB does not sell, rent, or trade your personal information or service request data to third parties for marketing purposes.
4.2 Limited Sharing
We may share your data only in the following circumstances:
- Government agencies: When required to file documents on your behalf (e.g., USPTO for trademark and patent filings, Secretary of State for entity formations)
- Payment processor: LawPay/AffiniPay processes payment transactions on our behalf
- Legal obligations: When required by law, regulation, subpoena, court order, or other legal process
- Professional obligations: When necessary to comply with attorney ethical duties, including conflict checks
- AI-assisted processing: Service request data may be processed by AI models (e.g., Anthropic Claude) for conflict analysis and draft preparation; these providers are bound by data processing agreements
4.3 Webhook Callbacks
If you register a webhook URL for consultation reply notifications, we will send status updates and message notifications to that endpoint. You are responsible for the security of your webhook receiver.
5. Security Measures
We implement the following security measures to protect your data:
- HMAC-SHA256 key hashing: API keys are irreversibly hashed before storage
- Persistent rate limiting: Database-backed rate limits (30 requests/hour, 200/day) survive server restarts
- Abuse detection: Multi-signal detection across per-key and per-IP request patterns, with automatic key pausing
- Input validation: Strict validation and HTML sanitization on all API inputs
- URL sanitization: Blocking of internal/private IPs, dangerous schemes, and excessively long URLs
- Tamper-evident audit logging: Hash-chained audit log entries for forensic integrity
- Admin authentication: Separate admin key system with full audit trail
- Global kill switch: Ability to immediately pause all API intake
- HTTPS only: All API communication is encrypted in transit via TLS
6. AI Processing
Certain services involve AI-assisted processing:
- Trademark conflict analysis: Submitted mark text is analyzed by AI models for potential conflicts. AI output is reviewed by a CMB attorney before any filing decision.
- Provisional patent drafting: AI assists in preparing initial drafts based on your submission data. An attorney reviews, refines, and finalizes all applications before filing.
- Document generation: Legal documents are generated from vetted templates with AI assistance. An attorney reviews every document before delivery.
AI processing is a tool to improve efficiency. All legal work product is reviewed and approved by a licensed attorney before it is filed or delivered.
7. Your Rights
7.1 Access
You may request a copy of the data we hold about your account and submissions. Use the GET /api/v1/portfolio/status endpoint to retrieve your current matter data, or contact info@cmblaw.com for a comprehensive data export.
7.2 Correction
If any data associated with your account or submissions is inaccurate, contact us at info@cmblaw.com and we will correct it promptly.
7.3 Deletion
You may request deletion of your data by contacting info@cmblaw.com. Please note that certain data must be retained to comply with legal, regulatory, and professional obligations. We will delete or anonymize all data not subject to a retention requirement.
7.4 API Key Revocation
You may request revocation of your API key at any time by contacting info@cmblaw.com. Revocation is immediate and irreversible. Existing submissions will continue to be processed.
7.5 Data Portability
Upon request, we will provide your data in a structured, machine-readable format (JSON). This includes all submissions, consultation threads, and associated metadata.
8. Cookies & Tracking
The cmblaw.ai API does not use cookies. The API documentation website (cmblaw.ai) may store a theme preference (light/dark mode) in your browser’s local storage. We do not use third-party analytics, advertising trackers, or social media pixels on the API documentation site.
9. Children’s Privacy
The Service is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have inadvertently collected such data, contact us at info@cmblaw.com and we will delete it promptly.
10. Third-Party Services
This Policy does not apply to third-party services that may interact with the API, including:
- LawPay (AffiniPay): Payment processing — see LawPay Privacy Policy
- AI model providers: Data processing agreements govern how AI providers handle data sent for conflict analysis and drafting
- USPTO / State agencies: Government privacy policies apply once filings are submitted
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect, use, and disclose
- The right to request deletion of your personal information
- The right to opt out of the sale of personal information (we do not sell personal information)
- The right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us at info@cmblaw.com or call (404) 414-8633.
12. International Users
The Service is operated from the United States. If you access the API from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. If you are located in the European Economic Area (EEA) or United Kingdom, additional protections under the GDPR may apply; contact info@cmblaw.com for more information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the email address associated with your API key at least 30 days before they take effect. The “Last Updated” date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
14. Contact Information
For questions about this Privacy Policy, data requests, or privacy concerns:
- Email: info@cmblaw.com
- Phone: (404) 414-8633
- Mail: Clayton, McKay & Bailey, PC, 800 Battery Ave. SE, Suite 300, Atlanta, GA 30339
We will respond to all privacy inquiries within 30 days.