a Shoal Valley System
StartManaging-Legal
Sign in

Legal

Privacy Policy

Effective: May 13, 2026

This Privacy Policy explains how StartManaging-Legal, LLC (“StartManaging-Legal,” “we,” or “us”), a Shoal Valley Systems company, handles information when a law firm uses the StartManaging-Legal studio (the “Service”). It applies to attorneys, staff, and administrators of subscribing firms (the “Firm Users”) and to visitors of our public marketing pages.

Information that a firm stores in the Service about its clients and matters is the firm’s own client confidential information. We act as a data processor with respect to that material; our own privacy obligations toward end clients flow through the firm under the firm’s own privacy policy and the Data Processing Agreement linked in the sidebar.

1. Information we collect

From the firm

  • Account credentials of each attorney and staff member — name, email, password hash, time-based one-time password (TOTP) secret for multi-factor authentication, optional phone number.
  • Firm-identity material — firm name, addresses, logo, branding choices, contact info — entered by the firm.
  • Client, matter, billing, bookkeeping, time-tracking, document, and engagement-letter content the firm chooses to store in the Service. This material is held on the firm’s behalf and we do not access it for our own purposes.

Automatically

  • Technical access logs — IP address, user-agent string, timestamps, the URL requested, response status. Retained for 90 days for abuse-detection and operational debugging.
  • Audit trail of authenticated actions inside the studio — who created, updated, or deleted a record, when, and from what IP. Surfaced to the firm’s Owner under Firm Settings → Audit Log.
  • Strictly-necessary session cookies (see the Cookie Notice). We do not use third-party advertising or analytics cookies in the application.

2. How we use information

  • To operate the Service and authenticate Firm Users.
  • To provide technical support to the firm’s designated administrators, including (with the administrator’s express consent) limited support-impersonation sessions.
  • To monitor for fraud and abuse, including detecting brute- force authentication attempts and unusual cross-tenant access.
  • To send transactional emails — password reset, multi-factor recovery, teammate invitations, security alerts. We do not send marketing email through the in-product channels.
  • To comply with legal obligations.

3. How we share information

We do not sell personal information. We share information only:

  • With service providers strictly necessary to operate the Service — our cloud database provider (Neon), our application host (Vercel), our email delivery provider (Resend), our error-tracking provider (Sentry), and our backup-storage provider (Cloudflare R2). Each is bound by a contract that mirrors the obligations of our Data Processing Agreement.
  • When the firm directs us to (for example, by exporting a backup file and emailing it to a third party of the firm’s choosing).
  • In response to a valid legal process — a court order, civil subpoena, or government request. We will, where lawful and practical, notify the affected firm so it can assert any available client privilege or otherwise object before we respond.
  • In connection with a corporate transaction (merger, acquisition, sale of assets) — under a confidentiality agreement and with notice to the firm.

4. Retention

We retain firm content for the lifetime of the firm’s subscription. On termination the firm has 30 days to export a backup; we then delete production copies within 60 days and cold backups within 12 months. Authentication logs are retained for 13 months; audit-trail entries for 7 years (to support the firm’s own retention obligations under Texas attorney record-keeping rules).

5. Security

See the Security Practices page for the details. In short: TLS in transit, AES-256 at rest, per-tenant row-level isolation at the database, mandatory multi-factor for every account, and immutable off-site backups.

6. Texas residents & breach notification

Under Texas Business & Commerce Code §521.053 we will notify the affected firm without unreasonable delay, and in any event within 60 days, of any unauthorized acquisition of sensitive personal information. The notice will describe what happened, what data was involved, what we are doing about it, and what the firm should do.

7. Children’s data

The Service is not directed to children under 13. We do not knowingly collect their personal information; if a firm stores such information about its clients (for example, in a family- law matter) it is the firm’s responsibility under its own privacy policy.

8. Your choices

  • Firm Users may update or delete their own account information at any time from the user menu.
  • The firm’s Owner may export the entire studio as a single JSON file from the /backup page.
  • Firms based outside Texas have any additional rights granted by their local jurisdiction (GDPR, CCPA, etc.) — exercise them by contacting privacy@startmanaging-legal.com.

9. Changes

Material changes to this Policy are posted here and announced in-product 30 days before they take effect. Continued use after the effective date constitutes acceptance.

10. Contact

StartManaging-Legal, LLC
Attn: Privacy
privacy@startmanaging-legal.com