Privacy Policy

Last updated: April 2026

The Liggett Group ("we," "our," or "us") operates the TLG Claims Validation Platform at app.theliggettgroup.com and the marketing website at www.theliggettgroup.com. This Privacy Policy explains how we collect, use, and protect your information when you use our services.

1. Information We Collect

Account information. When you create an account, we collect your email address, display name, and organization name. If you sign in with Google or Microsoft SSO, we receive your name and email address from the identity provider. If you register a passkey (WebAuthn), the cryptographic credential is stored with your account.

Uploaded documents. When you submit a PDF document for analysis, we process the document content to extract claims, retrieve evidence, and generate a scorecard. Documents are retained for the duration of the analysis run and a short period afterward (24 hours by default), after which the document data expires from the system.

Scorecard data. The resulting scorecards (extracted claims, evidence scores, fair balance findings) are persisted in our database and associated with your account and organization for ongoing access and review.

Usage data. We collect information about how you use the platform, including session activity, the number and timing of analysis runs, credit usage, and feature interactions. We use HttpOnly session cookies for authentication (see our Cookie Policy).

AI processing logs. When an AI call fails during document processing, we log diagnostic information about that failure. These logs contain the extracted claim text and evidence snippets that were being processed at the time of failure, along with the AI model's response and error details. These logs are used exclusively for product quality improvement and debugging. They do not contain personal information such as your name, email address, or account details — they contain only the claim and evidence data that was part of the failed AI operation.

Contact form submissions. If you submit an inquiry through our contact form, we collect your name, company, email address, and message content.

2. How We Use Your Information

• Provide the service. We use your account information to authenticate you and manage your access. We process your uploaded documents to deliver claims validation scorecards.
• Improve product quality. We analyze failed AI call logs (which contain extracted claim text and evidence snippets, not personal information) to identify patterns, improve AI performance, and enhance the reliability of the platform.
• Communicate with you. We use your email address to send verification codes, run completion notifications, and respond to your inquiries.
• Maintain security. We use session data and audit logs to detect and prevent unauthorized access, abuse, and security incidents.
• Comply with legal obligations. We may use or disclose your information as required by applicable law.

3. Data Retention

• Uploaded documents: Run data (including the uploaded PDF and intermediate processing data) expires 24 hours after the run is created. After expiry, document content is no longer accessible.
• Scorecards: Scorecard results (claims, scores, findings) are retained in the database and remain accessible to you and your organization until you request deletion.
• Account data: Your account information is retained until you delete your account or request deletion.
• AI processing logs: Failed AI call logs are retained for product quality improvement purposes and may be periodically purged during maintenance.
• Contact submissions: Contact form data is retained for as long as necessary to respond to your inquiry and maintain business records.

4. Third-Party Services

We use the following third-party services in the operation of our platform:

• vast.ai — We rent dedicated GPU hardware from vast.ai to run AI models for document processing. Your document content is processed on this rented hardware, which is connected to our infrastructure via encrypted tunnels. Document content is not shared with vast.ai as a company — the hardware operates as an extension of our own infrastructure.
• Microsoft Graph API — We use Microsoft's email infrastructure to deliver verification codes and notification emails to you.
• Google and Microsoft (SSO) — If you choose to sign in with Google or Microsoft, your authentication is handled through their OAuth protocols. We receive only your name and email address from these providers.
• Evidence databases — We query publicly available databases (DailyMed, Europe PMC, PubMed, ClinicalTrials.gov, FDA FAERS, Drugs@FDA) to retrieve published evidence. These are public APIs; no user data is sent to them beyond the search queries derived from document content.

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

5. Data Security

• Encryption in transit. All communication between your browser and our services is encrypted via HTTPS. Internal service communication uses encrypted WireGuard tunnels (Tailscale).
• Tenant isolation. Your data is isolated from other organizations using PostgreSQL Row-Level Security (RLS). Each organization's data is scoped to its own security boundary.
• Authentication security. We use HttpOnly session cookies that are not accessible to client-side scripts. We support multiple authentication methods including email verification, SSO, and passkeys.
• Access controls. Role-based access controls, domain-level administration policies, and audit logging govern who can access data within the platform.
• No third-party access to documents. Your uploaded documents are processed on infrastructure we control. Document content is not sent to third-party AI APIs — we run AI models on dedicated rented hardware connected via encrypted tunnels.

6. Your Rights

You have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete personal information.
• Delete your account and associated personal data. You can delete your account through the platform (DELETE /auth/account) or by contacting us.
• Request information about how your data is processed.

To exercise any of these rights, please contact us at info@theliggettgroup.com.

7. Children's Privacy

Our services are not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will take steps to delete that information.

8. International Data

Our services are operated from Canada. If you access our services from outside Canada, your information may be transferred to and processed in Canada. By using our services, you consent to such transfer and processing.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of our services after any changes constitutes your acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

The Liggett Group
Email: info@theliggettgroup.com
Website: www.theliggettgroup.com