Privacy Policy

Tembo (“we,” “us,” or “our”) operates a legal practice management platform (the “Service”) designed for law firms and legal professionals. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our Service.

1. Information We Collect

1.1 Account Information

When you sign up for Tembo, we collect:

Full name
Email address
Password (stored as a cryptographic hash; we never store plaintext passwords)
Organization (law firm) name
Professional role (e.g., partner, associate, paralegal, admin)

1.2 Profile Information

Users may optionally provide:

Profile avatar (photo)
Phone number
Bar admission number
Hourly billing rate
Professional title

1.3 Organization Information

When a law firm registers, we collect:

Firm name and logo
Billing address
Subscription tier and payment information
Tax identification numbers (for billing purposes)

1.4 Client and Contact Data

Law firms using Tembo store information about their clients and contacts, including:

Names, email addresses, phone numbers, and mailing addresses
Company affiliations
Contact roles (client, vendor, expert witness, opposing counsel, fact witness)
Notes and communication records

1.5 Matter and Case Data

Firms manage legal matters within Tembo, which may include:

Matter descriptions, case numbers, and court information
Party names and roles
Time entries and billing records
Expenses, invoices, and payment records
Trust account transactions (IOLTA/client trust)
Documents and file attachments
Internal notes and communications
Access control and confidentiality designations

1.6 Usage and Technical Data

We automatically collect:

Browser type, operating system, and device information
IP address and approximate geographic location
Pages visited, features used, and session duration
Error logs and performance metrics

1.7 Cookies and Similar Technologies

We use essential cookies to:

Maintain authenticated sessions
Remember user preferences
Ensure security (CSRF protection)

We do not use third-party advertising or tracking cookies.

2. How We Use Your Information

We use collected information to:

Purpose	Legal Basis (GDPR)
Provide and maintain the Service	Performance of contract (Art. 6(1)(b))
Authenticate users and protect accounts	Legitimate interest (Art. 6(1)(f))
Process billing and payments	Performance of contract (Art. 6(1)(b))
Send service-related communications (e.g., invitations, password resets)	Performance of contract (Art. 6(1)(b))
Monitor and improve platform performance	Legitimate interest (Art. 6(1)(f))
Enforce our Terms of Service	Legitimate interest (Art. 6(1)(f))
Comply with legal obligations (e.g., tax reporting)	Legal obligation (Art. 6(1)(c))
Respond to data subject access requests	Legal obligation (Art. 6(1)(c))

We do not use your data to:

Sell personal information to third parties
Serve targeted advertisements
Train machine learning models on your legal data
Profile users for purposes unrelated to the Service

3. Data Sharing and Disclosure

We share personal information only in the following circumstances:

3.1 Within Your Organization

All data entered into Tembo is scoped to your organization (law firm). Team members within your organization can access data according to their assigned roles and matter-level access controls.

3.2 Service Providers

We use the following categories of service providers to operate the Service:

Provider Category	Purpose	Data Shared
Cloud infrastructure	Database hosting, authentication, file storage	All Service data (encrypted)
Payment processing	Subscription billing	Billing contact and payment details
Email delivery	Transactional emails (invitations, resets)	Email addresses, names

All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes.

3.3 Legal Requirements

We may disclose information when required by:

Court order or subpoena
Applicable law or regulation
Governmental or regulatory request

We will notify affected users of such requests unless legally prohibited from doing so.

3.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify users before their data becomes subject to a different privacy policy.

4. Data Retention

4.1 Active Accounts

We retain your data for as long as your account is active and the Service is in use.

4.2 Legal Industry Retention Requirements

Due to the regulated nature of legal practice, certain data categories are subject to mandatory retention periods:

Data Category	Retention Period	Legal Basis
Client matter files	7 years after matter closure	State bar rules (Model Rule 1.15A)
Billing and time records	7 years	Tax law, malpractice defense
Trust accounting records	7 years	Bar trust accounting rules
Conflict check records	10 years	Ethics and malpractice defense
Employee/team member records	3 years after departure	Employment law
Prospect/lead data	Deleted upon request	No mandatory retention

4.3 Account Deletion

When an organization cancels its account:

A 30-day grace period allows for data export
After the grace period, active data is deleted
Data subject to legal retention obligations is retained for the required period, then permanently deleted
Backups containing deleted data are purged within 90 days

5. Data Security

We implement industry-standard security measures to protect your data:

5.1 Technical Safeguards

Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2+
Encryption at rest: Database and file storage are encrypted at rest using AES-256
Authentication: Passwords are hashed using bcrypt; sessions use secure, HttpOnly cookies
Row-Level Security (RLS): Database policies enforce organization-level data isolation, ensuring no cross-tenant data access
Access control: Matter-level permissions restrict data visibility within organizations

5.2 Organizational Safeguards

Access to production systems is restricted to authorized personnel
Security incidents are investigated and affected users notified within 72 hours (per GDPR Art. 33)
Regular security reviews of infrastructure and application code

5.3 Your Responsibilities

Use strong, unique passwords
Do not share account credentials
Report suspected unauthorized access immediately
Configure appropriate matter access controls for your team

6. Your Rights

6.1 Rights Under GDPR (EEA/UK Users)

If you are located in the European Economic Area or United Kingdom, you have the following rights:

Right	Description
Access (Art. 15)	Request a copy of your personal data
Rectification (Art. 16)	Correct inaccurate personal data
Erasure (Art. 17)	Request deletion of your personal data
Restriction (Art. 18)	Request limited processing of your data
Portability (Art. 20)	Receive your data in a structured, machine-readable format
Objection (Art. 21)	Object to processing based on legitimate interest
Withdraw consent (Art. 7)	Withdraw consent at any time where processing is consent-based

Important limitation: The right to erasure does not apply where retention is required for compliance with legal obligations (Art. 17(3)(b)) or the establishment, exercise, or defense of legal claims (Art. 17(3)(e)). Legal practice data subject to bar-mandated retention periods cannot be erased until those periods expire.

6.2 Rights Under CCPA (California Users)

California residents have the right to:

Know what personal information is collected and how it is used
Request deletion of personal information (subject to legal retention exceptions)
Opt out of the sale of personal information (we do not sell personal information)
Non-discrimination for exercising privacy rights

6.3 How to Exercise Your Rights

To submit a data subject request:

Email: support@tembo.legal
In-app: Settings > Privacy > Submit Data Request

We will respond to verified requests within 30 days. Identity verification may be required to prevent unauthorized access to personal data.

7. International Data Transfers

Our infrastructure is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

For transfers from the EEA/UK, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data processing agreements with all sub-processors

8. Children’s Privacy

The Service is designed for legal professionals and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

9. Third-Party Integrations

Tembo may integrate with third-party services (e.g., calendar providers, email providers) at the user’s direction. When you connect a third-party integration:

We access only the data necessary for the integration to function
Data from integrations is stored within your Tembo organization and subject to this Privacy Policy
You can disconnect integrations at any time from Settings > Integrations
Disconnecting an integration stops future data synchronization; previously synced data remains in Tembo until you delete it

Third-party services are governed by their own privacy policies. We encourage you to review them before connecting.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

We will update the “Last Updated” date at the bottom of this page
We will notify users via email or in-app notification for significant changes
Continued use of the Service after changes take effect constitutes acceptance of the updated policy

11. Contact Us

For questions about this Privacy Policy or to exercise your data rights:

Email: support@tembo.legal
Mail: Tembo Legal Technology, Inc.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

Effective Date: February 6, 2026

Last Updated: February 6, 2026