Vinny AI Logo
Create Account

Vinny Privacy Policy

Last updated: December 5, 2025

Vinny is built for legal and business professionals. We designed Vinny so that your account information, documents, and sensitive content stay private and secure, and are never used to train Vinny's underlying AI models or large language models ("LLMs").

In plain language:

  • Your account data (e.g., name, email, subscription details) is used only to run and support your account.
  • Your documents, prompts, and chats are used only to power your interactions with Vinny, provide support, and improve the service's performance and reliability at a system level - not to train base AI models.
  • We do not use your data to train or finetune thirdparty foundation models or our own generalpurpose foundation models.

This Privacy Policy explains how we collect, use, and share information when you use Vinny, our professional legal AI chat assistant and subscription service, available via our website and mobile apps (the "Services"). It also explains your privacy rights and how to contact us.

By using the Services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Services.

For information about the terms upon which we do business, please also read our Terms of Use.

Table of Contents (Summary)

  • Key Terms – Who "we" are and what "Personal Information" means.
  • Personal Information We Collect – Account data, billing details, usage data, and content you submit to Vinny.
  • How and Why We Use Personal Information – To provide and improve Vinny, support you, secure the Services, comply with law, and (subject to your choices) send you updates and marketing.
  • Cookies, Analytics & Tracking – How we use cookies and similar technologies.
  • Universal Opt-Out Mechanisms – Global Privacy Control and "Do Not Track."
  • Links to Third Party Sites and Content
  • Who We Share Information With – Service providers, partners, and others as described.
  • How Long We Keep Information – Retention periods and criteria.
  • International Data Transfers – How we protect data transferred outside your region.
  • U.S. State-Specific Rights – Additional rights for U.S. residents.
  • EEA/UK Supplemental Information – Legal bases and GDPR-style rights.
  • Security – How we protect Personal Information.
  • Children – Our Services are not for children under 16.
  • Changes – How we will notify you of material changes to this Policy.
  • Contact Us – How to reach us with questions or requests.

1. Key Terms

Vinny, we, us, our Vinny is a professional legal AI assistant and subscription service operated by Vinny AI, LLC, together with its subsidiaries and affiliates (collectively, "we," "us," or "our").

Services This Privacy Policy applies to:

  • Our websites and web apps that link to this Privacy Policy;
  • Our mobile applications that link to this Privacy Policy; and
  • Related tools, features, and services offered through those channels, including the Vinny legal AI chat assistant and related subscription plans.

This Privacy Policy does not apply to websites, apps, or services that do not display or link to it, or that have their own privacy policies.

Personal Information Any information relating to an identified or identifiable individual (or household, where applicable), including information that can reasonably be linked to that individual (directly or indirectly).

You, your The individual to whom the Personal Information relates, including visitors, free users, trial users, and paid subscribers of the Services.

2. Personal Information We Collect About You

The Personal Information we collect depends on how you use the Services (e.g., as a website visitor, free user, or paid subscriber).

2.1 Information You Provide to Us Directly

Account and profile information

  • Name, email address, password or authentication credentials;
  • Role, company name, and practice area or industry focus (if you choose to provide it);
  • Preferences (e.g., notification settings, language, and interface preferences).

Plain language: we need this information to create and manage your account and to give you a tailored, professional experience.

Subscription and billing information

  • Billing name, contact details, and billing address;
  • Payment details processed via our payment processor (e.g., last four digits of card, transaction IDs, subscription tier, billing history).

We do not store full payment card numbers; these are collected and processed on our payment provider's systems.

Content you submit to Vinny ("User Content")

  • Prompts, questions, instructions, and feedback you enter into the chat;
  • Documents, contracts, policies, or other materials you upload for analysis or drafting support; and
  • Metadata associated with that content (e.g., filenames, timestamps, document type).

User Content may contain Personal Information about you or others, depending on what you choose to submit.

Plain language: this is the work product you bring to Vinny—your drafts, templates, questions, and documents.

Communications with us

  • Information in emails, in-app messages, or other communications (including support tickets and feedback);
  • Information you provide in surveys, beta programs, webinars, or marketing signups.

Employment-related information (if you apply to work with us)

  • CV/resume, contact details, work history, and other information you choose to submit in connection with recruitment.

2.2 Information We Collect Automatically

When you use the Services, we may use automatic data collection or tracking technologies to collect certain information including:

Usage and log information

  • Date and time of access, pages viewed, features used, session duration;
  • Clickstream data, referral URLs, and in-app navigation;
  • Chat usage metrics (e.g., number of messages, features accessed, error rates).

Device and technical information

  • IP address, device type, device identifiers, operating system, browser type and version, app version, and language;
  • Mobile device identifiers, mobile operating system, and network provider;
  • Crash logs and diagnostics to help us debug and improve performance.

Approximate location information

  • Country, region, or city inferred from your IP address or app configuration (for things like localization, fraud prevention, and legal compliance).

We do not collect precise GPS location unless you explicitly enable a feature that requires it.

2.3 Information Collected via Cookies and Similar Technologies

We use cookies, SDKs, and similar technologies to:

  • Authenticate you and keep you logged in;
  • Remember your preferences and settings;
  • Understand how the Services are used;
  • Improve performance and security; and
  • In limited cases, support marketing and measurement (subject to applicable consent requirements).

More detail is provided in the Cookies, Analytics & Tracking section below.

2.4 Information from Third Parties

We may receive:

Identity, contact, and account information from:

  • Single signon providers or authentication services (if enabled for your account);
  • Business partners, resellers, or referral partners; and
  • Enterprise customers (e.g., when your employer provisions you with a Vinny account).

Billing and payment information from payment processors.

Analytics and marketing information from analytics and marketing partners (aggregated or pseudonymized where possible).

Where we combine thirdparty data with data we collect, we will treat the combined data as Personal Information as long as it remains identifiable.

3. How and Why We Use Your Personal Information

We use your Personal Information for the purposes described in this Privacy Policy (or for compatible purposes). If you choose not to provide certain Personal Information, some features of the Services may not be available or may not function properly.

If you are in the EEA or UK, we are required to identify a lawful basis for our processing. These are included in the table below.

Plain language: we use your information to run Vinny, keep it secure and reliable, provide support, and meet legal obligations.

We will obtain your consent where required by applicable law, and you can withdraw your consent at any time (this will not affect the lawfulness of processing before withdrawal).

4. Cookies, Analytics & Tracking Technologies

We use the following types of cookies, analytics and tracking technologies:

  • Strictly necessary cookies – Required for core functionality (e.g., sign-in, security, load balancing).
  • Functional cookies – Remember your preferences (e.g., language, layout).
  • Analytics cookies/SDKs – Help us understand how the Services are used and improve performance.
  • Marketing and measurement technologies – In limited cases, to understand how our marketing performs and to tailor messages (subject to applicable consent obligations).

You can control cookies through:

  • Your browser or device settings;
  • In-app settings or cookie preferences (where available); and
  • Opt-out tools provided by analytics or marketing partners, where applicable.

If you disable or reject certain cookies, some parts of the Services may not function properly.

5. Universal Opt-Out Mechanisms

Our web-based Services recognize the Global Privacy Control ("GPC") signal. If you use a browser or extension that sends a GPC signal, we will treat it as a valid request to opt out of "sale" or "sharing" of Personal Information and/or targeted advertising where required by applicable U.S. state privacy laws.

To learn more about GPC and compatible browsers or extensions, visit: https://globalprivacycontrol.org

Your browser may also allow you to send a "Do Not Track" (DNT) signal. There is currently no consistent industry standard for responding to DNT, and we do not respond to DNT signals at this time, unless and until the law clearly requires us to do so.

6. Links to Third Party Sites and Content

Our Services may include links to other sites or content operated by third parties. We do not exercise control over third party sites, services or content, and we are not responsible for the privacy practices of any such third parties. Once you leave our Services via a link or by clicking on an advertisement, it is important that you check the applicable privacy policy of the third party's site or service. The fact that we link to a website or display a banner ad or other type of advertisement is not an endorsement, authorization, or representation of our affiliation with that third party, nor is it an endorsement of their privacy or information security policies or practices.

7. Who We Share Your Personal Information With

We do not sell your Personal Information in the ordinary sense of the word. We may, however, disclose certain information to third parties in ways that could be considered a "sale," "sharing," or "targeted advertising" under certain U.S. state privacy laws.

Plain language: we share only what we need to share to run Vinny (e.g., hosting, payment, analytics) under contracts that limit how vendors can use your data.

We share Personal Information with:

Service providers and vendors

  • Cloud hosting and infrastructure providers;
  • AI model providers and related tooling, subject to contractual protections, including commitments not to train their foundation models on your data;
  • Customer support and ticketing platforms;
  • Email, notification, and communication service providers;
  • Analytics and monitoring providers;
  • Payment processors and billing platforms; and
  • Security and fraud-prevention vendors.

Professional advisors

  • Lawyers, auditors, accountants, and other professional service firms, as needed to support our business and comply with law.

Business and integration partners

  • Partners who help distribute, resell, or integrate the Services; and
  • Single sign-on or identity providers, as configured by your organization.

Corporate transactions

  • Actual or potential acquirers, investors, or other parties in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business or assets. These parties will be subject to confidentiality obligations.

Legal, compliance, and safety

  • Law enforcement, regulators, courts, or other third parties when we believe disclosure is required or appropriate to:
    • comply with law, regulation, or legal process;
    • protect the rights, property, or safety of us, our users, or others; and
    • investigate and respond to suspected illegal activities or policy violations.

We may also share aggregated or deidentified information that does not identify any individual.

8. How Long We Keep Your Personal Information

We retain Personal Information for as long as reasonably necessary to:

  • Provide and support the Services you request;
  • Maintain business and financial records;
  • Meet our legal, accounting, and regulatory obligations;
  • Resolve disputes and enforce our agreements; and
  • Protect and defend our rights and those of our users.

Retention periods vary depending on the type of data and the purpose of processing. When we no longer need Personal Information for the purposes for which it was collected (and any compatible purposes), we will either delete it or deidentify it, unless we are required by law to keep it longer.

If you request deletion of your data, we will comply as required by applicable law, subject to requirements to retain certain information (for example, transaction records) for legal, regulatory, or security reasons.

9. International Data Transfers

We may transfer, store, and process your Personal Information in countries other than your own, including the United States and other jurisdictions where we or our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction and may not be as protective.

Where required (for example, for data originating from the EEA or UK), we implement appropriate safeguards, such as:

  • European Commission-approved Standard Contractual Clauses;
  • The UK's International Data Transfer Addendum; and/or
  • Other legally recognized transfer mechanisms.

You can contact us for more information about these safeguards (see How to Contact Us).

10. Supplemental U.S. State-Specific Privacy Rights

If you are a resident of certain U.S. states (such as California, Colorado, Connecticut, Delaware, Oregon, Utah, Virginia, or others with similar laws), you may have additional rights regarding your Personal Information. These may include, depending on your state:

  • The right to know/confirm what Personal Information we process;
  • The right to access and obtain a copy of certain Personal Information;
  • The right to request deletion of Personal Information we collected from and/or about you, subject to legal exceptions;
  • The right to request correction of inaccurate Personal Information;
  • The right to obtain a list of specific third parties to which we have disclosed personal data;
  • The right to obtain a list of categories of third parties to which we have disclosed your personal data;
  • The right to opt out of:
    • "sales" of Personal Information,
    • "sharing" for crosscontext behavioral advertising / targeted advertising, and
    • certain forms of profiling in furtherance of decisions that produce legal or similarly significant effects;
  • If your personal data is profiled in furtherance of decisions that produce legal or similarly significant effects concerning you, you have the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions you might have taken to secure a different decision (and the actions that you might take to secure a different decision in the future). If applicable, you also have the right to review the personal data used in the profiling and, if the decision is determined to have been based upon inaccurate personal data, the right to have the data corrected and the profiling decision reevaluated based upon the corrected data;
  • Where applicable, the right to limit certain uses of sensitive Personal Information;
  • If we are required by applicable law to obtain your consent to process sensitive Personal Information, the right to withdraw your consent;
  • The right not to be discriminated against for exercising any of these rights; and
  • The right to appeal our decision if we decline to act on your request (where provided by law).

To exercise these rights, please contact us as described in How to Contact Us. We may need to verify your identity before fulfilling your request. Where permitted, you may designate an authorized agent to submit requests on your behalf, subject to verification and documentation requirements under applicable law.

If your state law provides an appeal right and you are dissatisfied with our response, you may appeal by contacting us and referencing our prior decision. We will respond in accordance with applicable law.

We will also honor valid Global Privacy Control (GPC) signals as an optout of "sales" and/or "sharing" for targeted advertising where required by law (see Universal Opt-Out Mechanisms above).

Notice at Collection of Personal Information

We currently collect and, in the 12 months prior to the Last Updated Date of this Privacy Policy, have collected the following categories of Personal Information:

  • Identifiers (name, postal address, online identifier, Internet Protocol address, email address, account name, other similar identifiers)
  • Unique personal identifiers (device identifier; cookies, beacons, pixel tags, mobile ad identifiers, or other similar technology; customer number, unique pseudonym or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device)
  • Personal information described in California's Customer Records statute (California Civil Code § 1798.80(e)) (signature, telephone number, employment, bank account number, credit card number, debit card number, or any other financial information as well as the categories listed in "Identifiers" category above)
  • Commercial information (records of products or services purchased, obtained or considered; other purchasing or consuming histories or tendencies)
  • Internet or other electronic network activity information (browsing history; search history; and information regarding consumer's interaction with website, application or advertisement)
  • Geolocation data

We collect Personal Information directly from California residents and from single sign‑on providers or authentication services, resellers, referral partners, enterprise customers, and analytics and marketing partners. We do not collect all categories of Personal Information from each source.

In addition to the purposes stated in this Privacy Policy, we currently collect and have collected the above categories of Personal Information for the following business or commercial purposes:

  • Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards
  • Helping to ensure security and integrity to the extent the use of your Personal Information is reasonably necessary and proportionate for these purposes
  • Debugging to identify and repair errors that impair existing intended functionality
  • Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing analytic services, providing storage, or providing similar services
  • Providing advertising and marketing services, except for cross-context behavioral advertising, to you provided that, for the purpose of advertising and marketing, our service providers and/or contractors shall not combine the Personal Information of opted-out consumers that the service provider or contractor receives from us, or on our behalf with Personal Information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with you
  • Undertaking internal research for technological development and demonstration
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Advancing our commercial or economic interests, such as by inducing another person to buy, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction

Sale, Sharing, and Disclosure of Personal Information

The following table identifies the categories of Personal Information that we sold or shared to third parties in the 12 months preceding the Last Updated Date of this Privacy Policy and, for each category, the categories of third parties to whom we sold or shared Personal Information:

We sold or shared Personal Information to third parties to advance our commercial or economic interests.

We disclosed all of the categories of Personal Information identified in the Notice at Collection of Personal Information section above to service providers or contractors for a business purpose in the 12 months preceding the Last Updated Date of this Privacy Policy.

We disclosed Personal Information for the following business or commercial purposes:

  • Helping to ensure security and integrity
  • Debugging to identify and repair errors
  • Providing advertising and marketing services
  • Providing services
  • Advancing our commercial or economic interests

Retention of Personal Information

For an explanation of how long we retain Personal Information, please see the How Long We Keep Your Personal Information section above.

Right to Opt Out of Sale of Sharing of Personal Information

If you are a California resident, you have the right to direct us to stop selling or sharing your Personal Information. You may submit a request to opt out of sales or sharing by contacting us as described in How to Contact Us. We will also honor valid Global Privacy Control (GPC) signals as an optout of "sales" and/or "sharing" for targeted advertising where required by law (see Universal Opt-Out Mechanisms above).

11. Supplemental Information for Persons in the EEA and UK

If you are located in the EEA or UK, you may have the following rights regarding your Personal Information, subject to applicable law:

  • Right of access – To obtain confirmation and a copy of Personal Information we hold about you.
  • Right to rectification – To correct inaccurate or incomplete Personal Information.
  • Right to erasure – To request deletion of your Personal Information in certain circumstances.
  • Right to restriction – To request that we restrict processing of your Personal Information in certain circumstances.
  • Right to data portability – To receive certain Personal Information in a structured, commonly used, machine-readable format, and to transfer it to another controller where technically feasible.
  • Right to object – To object to processing based on our legitimate interests, including profiling, and to object at any time to processing for direct marketing.
  • Rights related to automated decisionmaking – To not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects, except where allowed by law and subject to safeguards.
  • Right to withdraw consent – Where we rely on consent, you may withdraw it at any time (without affecting the lawfulness of prior processing).
  • Right to lodge a complaint – With your local data protection authority if you believe our processing of your Personal Information infringes applicable law.

To exercise your rights, please contact us using the details in How to Contact Us and let us know:

  • Which right(s) you wish to exercise; and
  • Enough information for us to verify your identity and locate your records.

We will respond to your request in accordance with applicable law.

If we have appointed an EU or UK representative (where required), their contact information will be provided separately (for example, in our EEA/UK-specific notices or on our website).

12. Keeping Your Personal Information Secure

We use appropriate technical and organizational measures designed to protect your Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, as appropriate:

  • Access controls and authentication;
  • Encryption in transit and at rest (where appropriate);
  • Network and application security measures;
  • Regular backups and recovery procedures;
  • Internal policies, training, and confidentiality obligations for personnel; and
  • Vendor due diligence and contractual security commitments, including restrictions on how vendors can use your data.

Plain language: we apply industrystandard security controls and additional contractual protections so that your confidential information and documents remain private to you and are not repurposed for model training.

No system can be guaranteed to be 100% secure. If we become aware of a data breach that affects your Personal Information, we will notify you and relevant authorities as required by applicable law.

13. Children Under the Age of 16

The Services are not intended for and are not directed at children under 16 years of age. We do not knowingly collect, sell, or share Personal Information from children under 16.

If we learn that we have collected Personal Information from a child under 16, we will take steps to delete that information as required by law. If you believe we may have information about a child under 16, please contact us (see How to Contact Us).

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page.

If we make material changes that affect how we use or disclose your Personal Information, we will provide additional notice, such as by:

  • Posting a prominent notice in the Services;
  • Sending you an email or inapp notification (where we have your contact details); or
  • Other appropriate means, consistent with applicable law.

Your continued use of the Services after any changes become effective means you accept the revised Privacy Policy.

15. How to Contact Us

If you have any questions about this Privacy Policy, our privacy practices, or if you wish to exercise your rights, you can contact us at:

Vinny AI, LLC
4235 Redwood Ave.
Los Angeles, CA 90066

Email: privacy@vinnypro.ai

Please include your name, contact details, and a clear description of your request.