Privacy Policy

Effective Date: 2026-06-12

1. Introduction

Astrea eDiscovery provides eDiscovery, litigation support, document processing, data hosting, document review, production, and related services to law firms, corporations, government entities, and other organizations.

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information in connection with our website, communications, client relationships, user accounts, and services.

Because our services may involve the processing of legal matter data, litigation documents, business records, emails, files, metadata, and other client-provided materials, this Privacy Policy distinguishes between:

Data Type | Description
Business and Website Information | Information we collect directly through our website, communications, sales process, billing, support, and account administration.
Platform and User Information | Information relating to authorized users of our services, including account credentials, access logs, permissions, and usage activity.
Client Data | Documents, files, emails, records, metadata, productions, legal hold information, review work product, and other data submitted, uploaded, collected, processed, hosted, reviewed, or produced through our services on behalf of a client.

When we process Client Data, we generally do so as a service provider, processor, contractor, or similar role on behalf of our client and in accordance with the client’s instructions, our agreement with the client, applicable law, and any relevant protective orders, confidentiality obligations, or legal requirements.

Privacy laws often require businesses to disclose the categories of personal information collected, the purposes for collection, how information is disclosed, retention criteria, and individual rights. For example, California privacy requirements include notice obligations around categories of personal information, purposes of use, disclosures, sale/share practices, retention, sensitive personal information, and consumer rights. Canadian private-sector privacy obligations under PIPEDA are based on principles including accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, safeguards, openness, individual access, and challenging compliance.

2. Scope of this Privacy Policy

This Privacy Policy applies to personal information we collect or process through:

  • Our website;
  • Sales, marketing, and business communications;
  • Client onboarding and account administration;
  • User access to our platforms or hosted environments;
  • Support requests and service communications;
  • Billing, contracting, and vendor management;
  • eDiscovery, litigation support, processing, review, hosting, production, and related services.

This Privacy Policy does not replace or override any written agreement, data processing addendum, protective order, confidentiality agreement, statement of work, or other contract between Astrea and a client. If there is a conflict between this Privacy Policy and a written agreement governing Client Data, the written agreement will control to the extent permitted by law.

3. Our Role Regarding Personal Information

Depending on the context, Astrea may act in different roles.

Context | Astrea’s Role
Website visitors, sales contacts, vendors, billing contacts, and general inquiries | Astrea may act as a business, controller, or organization responsible for determining how the information is used.
Authorized users of our services | Astrea may act as a business/controller for account administration and security, and as a processor/service provider for use of the platform on behalf of a client.
Client Data submitted for eDiscovery, litigation, investigations, review, hosting, or production | Astrea typically acts as a service provider, processor, contractor, or similar role on behalf of the client.

Where we process Client Data on behalf of a client, the client is generally responsible for determining the purpose and means of processing, including what data is collected, uploaded, reviewed, produced, retained, deleted, or disclosed.

4. Information We Collect

We may collect the following categories of information.

4.1 Business Contact Information

We may collect names, business email addresses, phone numbers, company names, job titles, mailing addresses, and other contact information from clients, prospective clients, vendors, partners, and other business contacts.

4.2 Account and User Information

We may collect information related to authorized users of our services, including:

  • Name;
  • Email address;
  • Username or user ID;
  • Role or permission level;
  • Authentication information;
  • Multi-factor authentication status;
  • Account status;
  • Organization or client affiliation;
  • Login activity;
  • Platform usage records;
  • Audit logs.

4.3 Website and Device Information

When you visit our website or interact with our online services, we may collect:

  • IP address;
  • Browser type;
  • Device type;
  • Operating system;
  • Referring URL;
  • Pages viewed;
  • Date and time of visit;
  • Cookie identifiers;
  • Approximate location derived from IP address;
  • Website analytics information.

4.4 Communications and Support Information

We may collect information when you contact us, request support, submit a form, participate in a meeting, or communicate with our team. This may include:

  • Email communications;
  • Support tickets;
  • Chat or helpdesk communications;
  • Meeting notes;
  • Troubleshooting information;
  • Screenshots or files submitted for support;
  • Service-related correspondence.

4.5 Billing and Contract Information

We may collect billing, invoicing, tax, payment contact, contract, and procurement information. We do not intend to collect full payment card information directly unless specifically stated; payment processing may be handled by third-party payment or accounting providers.

4.6 Client Data

In providing eDiscovery and litigation support services, we may process Client Data submitted, uploaded, collected, transferred, hosted, reviewed, analyzed, exported, or produced by or on behalf of a client.

Client Data may include, depending on the matter:

  • Emails;
  • Attachments;
  • Documents;
  • Images;
  • Spreadsheets;
  • Presentations;
  • Chat messages;
  • Audio or video files;
  • Metadata;
  • Custodian information;
  • Legal hold information;
  • Review tags;
  • Redactions;
  • Annotations;
  • Search terms;
  • Productions;
  • Privilege-related information;
  • Work product;
  • Personally identifiable information;
  • Sensitive personal information;
  • Confidential business information;
  • Legal, financial, employment, health, or government identification information.

Because Client Data is controlled by the client, Astrea may not know or control all categories of personal information contained in Client Data.

5. Sensitive Personal Information

Client Data may contain sensitive personal information, depending on the nature of the legal matter, investigation, collection, or production. This may include information relating to:

  • Government identifiers;
  • Financial information;
  • Health information;
  • Employment records;
  • Criminal, regulatory, or disciplinary matters;
  • Children or minors;
  • Biometric information;
  • Precise location information;
  • Race, ethnicity, religion, union membership, sexual orientation, or other sensitive characteristics;
  • Confidential business records;
  • Privileged or legally protected information.

We process sensitive personal information contained in Client Data only as necessary to provide services to the client, comply with client instructions, maintain security, comply with law, or satisfy contractual obligations.

We do not use sensitive personal information in Client Data for advertising, sale, cross-context behavioral advertising, or unrelated commercial purposes.

6. How We Use Information

We may use personal information for the following purposes.

Purpose | Examples
Providing services | Processing, hosting, reviewing, searching, analyzing, exporting, and producing Client Data.
Account administration | Creating accounts, managing users, assigning permissions, authenticating users, and maintaining access controls.
Security | Monitoring access, detecting suspicious activity, preventing unauthorized access, investigating incidents, and maintaining audit logs.
Support | Responding to questions, troubleshooting issues, and resolving service requests.
Client management | Managing contracts, statements of work, billing, invoicing, and client communications.
Website operation | Maintaining, securing, and improving our website.
Compliance | Complying with legal, regulatory, contractual, audit, tax, and recordkeeping obligations.
Business operations | Managing vendors, professional advisors, insurance, corporate governance, and internal administration.
Service improvement | Improving services using aggregated, de-identified, or non-confidential operational information where appropriate.

7. Client Data Use Restrictions

Astrea uses Client Data only as authorized by the client, the applicable agreement, this Privacy Policy, and applicable law.

Unless otherwise agreed in writing, we do not:

  • Sell Client Data;
  • Share Client Data for cross-context behavioral advertising;
  • Use Client Data for targeted advertising;
  • Use Client Data to market to individuals contained within the data;
  • Use Client Data to train public artificial intelligence models;
  • Disclose Client Data except as instructed by the client, required to provide the services, or required by law;
  • Access Client Data except as necessary to provide, secure, support, maintain, or improve the services, or as otherwise authorized.

8. eDiscovery, Analytics, TAR, and AI-Enabled Features

Our services may include or support eDiscovery-related technologies such as:

  • Search and indexing;
  • Deduplication;
  • Email threading;
  • Metadata extraction;
  • Near-duplicate identification;
  • Concept clustering;
  • Technology-assisted review;
  • Predictive coding;
  • Classification;
  • Entity extraction;
  • Translation;
  • Redaction tools;
  • Analytics;
  • AI-enabled review, summarization, or document analysis features.

These tools are used to provide services to clients and are subject to client configuration, client instructions, applicable agreements, and matter-specific requirements.

Astrea does not use Client Data to train public AI models. Where third-party AI, analytics, or machine learning tools are used, such use will be subject to applicable contractual, confidentiality, security, and data protection obligations.

Clients remain responsible for legal strategy, privilege determinations, responsiveness determinations, review decisions, redactions, productions, and compliance with court orders, discovery rules, and applicable law.

9. How We Disclose Information

We may disclose personal information in the following circumstances.

9.1 To Clients and Authorized Users

We disclose Client Data and platform information to the client and the client’s authorized users, representatives, reviewers, counsel, experts, consultants, or other parties as instructed or authorized by the client.

9.2 To Service Providers and Subprocessors

We may disclose information to third-party service providers that support our operations and services, including:

  • Cloud hosting providers;
  • Data storage providers;
  • eDiscovery platforms;
  • Processing tools;
  • Security and monitoring providers;
  • IT service providers;
  • Support and ticketing systems;
  • Email and communications providers;
  • Backup and disaster recovery providers;
  • Accounting, billing, and payment providers;
  • Professional advisors.

These providers are required to protect information and use it only for authorized purposes. Where required, we maintain contractual obligations with service providers relating to confidentiality, security, privacy, and data protection.

9.3 For Legal and Compliance Purposes

We may disclose information where we believe disclosure is necessary to:

  • Comply with law;
  • Respond to court orders, subpoenas, warrants, regulatory requests, or other legal process;
  • Enforce our agreements;
  • Protect the rights, safety, property, or security of Astrea, our clients, users, or others;
  • Investigate fraud, abuse, or security incidents;
  • Comply with audit, tax, regulatory, insurance, or professional obligations.

If we receive legal process seeking Client Data, we will attempt to notify the relevant client unless prohibited by law, court order, or the circumstances of the request.

9.4 Business Transactions

We may disclose or transfer information in connection with a merger, acquisition, financing, restructuring, sale of assets, bankruptcy, or similar business transaction. Where required, we will take reasonable steps to ensure that personal information remains protected.

10. Subprocessors and Vendors

Astrea may use subprocessors and vendors to provide, host, secure, support, and operate the services.

Where required by contract or applicable law, we will provide information about subprocessors and notify clients of material changes. Subprocessor details may be provided in a separate subprocessor list, data processing addendum, statement of work, or client agreement.

Clients with specific hosting, residency, vendor, or subprocessor requirements should address those requirements in the applicable agreement or statement of work.

11. Security Safeguards

We use administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, loss, misuse, alteration, disclosure, or destruction.

These safeguards may include:

  • Encryption in transit;
  • Encryption at rest where appropriate;
  • Role-based access controls;
  • Least-privilege access;
  • Multi-factor authentication;
  • User access reviews;
  • Logging and monitoring;
  • Security awareness training;
  • Confidentiality obligations for personnel;
  • Vendor security review;
  • Incident response procedures;
  • Backup and recovery controls;
  • Secure disposal practices.

No method of transmission, storage, or processing is completely secure. We cannot guarantee absolute security, but we maintain safeguards appropriate to the nature of the information we process and the services we provide.

12. Confidentiality and Legal Privilege

Client Data may include confidential, privileged, protected, or legally sensitive information.

Astrea maintains confidentiality obligations with respect to Client Data and limits access to personnel, contractors, vendors, and subprocessors who have a need to access such information for authorized purposes.

Astrea does not determine whether information is privileged, confidential, responsive, non-responsive, protected, or producible. Those determinations are the responsibility of the client, counsel, or other authorized legal decision-makers.

Nothing in this Privacy Policy is intended to waive, limit, or alter any attorney-client privilege, attorney work product protection, litigation privilege, common interest privilege, confidentiality obligation, protective order, or other legal protection that may apply to Client Data.

13. Data Retention

We retain personal information for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support business operations.

13.1 Client Data Retention

We retain Client Data in accordance with the applicable agreement, statement of work, client instructions, legal hold requirements, protective orders, retention schedule, or documented matter requirements.

Upon termination of services or upon written client request, and subject to applicable law and contractual requirements, we will return, export, delete, or securely dispose of Client Data as agreed with the client.

Client Data may continue to exist for a limited period in backups, disaster recovery systems, audit logs, or archival systems until deleted in accordance with ordinary retention and backup cycles, unless earlier deletion is technically feasible and required by agreement.

13.2 Business Records

We may retain business contact, billing, tax, accounting, contract, support, and security records for as long as necessary for legitimate business, legal, regulatory, audit, tax, insurance, and compliance purposes.

13.3 Security Logs

We may retain logs and security records for purposes such as access monitoring, incident response, fraud prevention, audit, and compliance.

14. De-Identified, Aggregated, and Anonymized Information

We may create or use de-identified, aggregated, or anonymized information for security, analytics, service improvement, reporting, and business purposes.

We will not attempt to re-identify information that has been de-identified or anonymized, except as permitted by law, such as to test whether our de-identification processes are effective.

15. Cookies and Similar Technologies

Our website may use cookies, pixels, tags, analytics tools, and similar technologies to operate the website, remember preferences, understand website usage, and improve performance.

Cookies may include:

Cookie Type | Purpose
Essential cookies | Required for website functionality, security, and authentication.
Analytics cookies | Help us understand website usage and performance.
Preference cookies | Remember settings or choices.
Marketing cookies | Used only if enabled and disclosed where required.

We do not use advertising cookies or tracking technologies to analyze Client Data within eDiscovery matters.

Users can control cookies through browser settings or, where available, cookie preference tools. Disabling cookies may affect website functionality.

16. International Data Transfers

Astrea may process personal information in Canada, the United States, or other jurisdictions where we, our clients, vendors, or subprocessors operate.

Where Client Data is subject to specific data residency, regional hosting, or cross-border transfer restrictions, those requirements should be addressed in the applicable agreement or statement of work.

For personal information subject to international transfer rules, we use appropriate contractual, organizational, and technical safeguards where required. GDPR-related guidance recognizes the importance of controller/processor roles and appropriate safeguards for processing and transfers.

17. Privacy Rights

Depending on your location and applicable law, you may have rights regarding your personal information, such as the right to:

  • Request access to personal information;
  • Request correction of inaccurate information;
  • Request deletion of personal information;
  • Request portability of personal information;
  • Object to or restrict certain processing;
  • Withdraw consent where processing is based on consent;
  • Opt out of sale or sharing where applicable;
  • Limit certain uses of sensitive personal information where applicable;
  • File a complaint with a privacy regulator or supervisory authority.

California privacy law, for example, provides rights relating to knowing/accessing personal information, deletion, correction, opt-out of sale/share, limiting use of sensitive personal information, and non-discrimination for exercising privacy rights. Canadian privacy principles also include openness, individual access, safeguards, and challenging compliance.

To exercise privacy rights, contact us at:

Privacy Contact: support@astrea-ediscovery.com
Mailing Address: 1702-1 Palace Pier Court, Etobicoke ON M8V 3W9

We may need to verify your identity before responding to a request. We may decline or limit a request where permitted or required by law, including where disclosure would affect the rights and freedoms of others, reveal confidential or privileged information, conflict with legal obligations, or relate to information we process only on behalf of a client.

18. Privacy Rights Requests Relating to Client Data

If your request relates to personal information contained in Client Data, you should direct your request to the relevant client, data controller, law firm, organization, employer, or party responsible for the matter.

Because Astrea processes Client Data on behalf of clients, we may not be authorized to respond directly to requests concerning Client Data. If we receive a privacy rights request relating to Client Data, we may:

  • Direct the requester to the relevant client;
  • Forward the request to the client;
  • Notify the client;
  • Respond according to the client’s instructions;
  • Take other action required or permitted by law.

19. California Privacy Notice

This section applies to California residents where the California Consumer Privacy Act, as amended, applies to Astrea.

19.1 Categories of Personal Information We May Collect

In the preceding 12 months, we may have collected the following categories of personal information:

Category | Examples | Sources | Purposes
Identifiers | Name, email, phone number, IP address, account ID | You, clients, users, systems | Account administration, services, security, support, billing
Commercial information | Services purchased, billing records, client relationship details | You, clients, accounting systems | Billing, contracting, client management
Internet or network activity | Login activity, access logs, device data, usage activity | Systems, website, platform | Security, auditing, service operation
Professional or employment information | Company, title, role, employer | You, clients, business contacts | Client management, user administration
Geolocation information | Approximate location from IP address | Systems, website | Security, analytics, fraud prevention
Audio, electronic, or similar information | Support communications, meeting records, submitted files | You, clients, users | Support, service delivery, compliance
Sensitive personal information | May appear in Client Data depending on matter content | Clients, authorized users | eDiscovery processing under client instruction
Inferences | Limited business or usage insights | Systems, analytics | Service improvement, security, business operations

Client Data may contain additional categories of personal information determined by the client, the custodians, the data sources, and the legal matter.

19.2 Sale or Sharing of Personal Information

Astrea does not sell Client Data.

Astrea does not share Client Data for cross-context behavioral advertising.

Astrea does not knowingly sell or share personal information of individuals under 16 years of age.

If Astrea uses website advertising or analytics technologies that may be considered “selling” or “sharing” under California law, we will provide required notices and opt-out mechanisms.

19.3 Sensitive Personal Information

Astrea does not use sensitive personal information in Client Data for purposes unrelated to providing services, maintaining security, complying with client instructions, or meeting legal obligations.

19.4 California Rights

California residents may have the right to:

  • Know what personal information we collect, use, disclose, sell, or share;
  • Access personal information;
  • Delete personal information;
  • Correct inaccurate personal information;
  • Opt out of sale or sharing;
  • Limit certain uses of sensitive personal information;
  • Not be discriminated against for exercising privacy rights.

To exercise these rights, contact us at support@astrea-ediscovery.com.

Requests relating to Client Data should be directed to the relevant client.

20. Canadian Privacy Rights

If Canadian privacy law applies, individuals may have the right to request access to their personal information, request correction of inaccurate information, challenge our compliance with applicable privacy obligations, and contact the Office of the Privacy Commissioner of Canada or applicable provincial regulator.

We handle personal information in accordance with applicable Canadian privacy principles, including accountability, identifying purposes, limiting collection, limiting use, disclosure and retention, safeguards, openness, individual access, and challenging compliance.

Requests relating to Client Data should be directed to the relevant client.

21. European, UK, and International Users

Where the GDPR, UK GDPR, or similar laws apply, individuals may have rights such as access, rectification, erasure, restriction, objection, portability, and withdrawal of consent.

Where Astrea processes Client Data on behalf of a client, the client is typically the controller and Astrea is typically the processor. Requests concerning Client Data should be directed to the relevant client.

Where Astrea acts as a controller for business contact, website, account administration, or similar information, we process such information based on legal grounds that may include performance of a contract, legitimate interests, compliance with legal obligations, consent, or steps taken before entering into a contract.

22. Children’s Privacy

Our website and services are not directed to children, and we do not knowingly collect personal information directly from children through our website for our own purposes.

Client Data may contain information about minors if such information is included in materials submitted, collected, uploaded, reviewed, or processed by or on behalf of a client. In such cases, we process that information only as part of the services and in accordance with client instructions and applicable law.

23. Email Communications

We may send service-related, administrative, billing, security, and support communications. These communications are necessary for the operation of our services and may not be subject to opt-out.

We may also send marketing or informational communications where permitted by law. You may opt out of marketing communications by using the unsubscribe link in the message or contacting us at support@astrea-ediscovery.com.

24. Third-Party Websites and Services

Our website or services may contain links to third-party websites, platforms, or services. We are not responsible for the privacy practices of third parties. You should review the privacy policies of any third-party services you use.

25. Incident Response and Breach Notification

We maintain procedures for responding to suspected security incidents involving personal information.

Where an incident involves Client Data, we will notify the affected client in accordance with the applicable agreement, legal requirements, and our incident response procedures.

Where required by law, we or the relevant client may notify affected individuals, regulators, or other parties.

26. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be posted on our website with a revised “Last Updated” date.

If we make material changes, we may provide additional notice where required by law or contract.

27. Contact Us

For questions about this Privacy Policy or our privacy practices, contact us at:

Astrea eDiscovery
1000795299 Ontario Inc. o/a Astrea eDiscovery
1702-1 Palace Pier Court, Etobicoke ON M8V 3W9
support@astrea-ediscovery.com