Privacy Policy

Last updated: June 2026

This policy is provided in English and Hebrew. In case of any conflict between the versions, the English version governs.

1. Who We Are

This Privacy Policy is issued by CONGREAT LTD (Israeli company registration / ח.פ. 517190351) (“Congreat”, “we”, “us”, or “our”), which operates the congreat.co website and the Congreat legal-intelligence platform.

We are based in Israel and our processing is governed primarily by the Israeli Privacy Protection Law, 1981 (the “Privacy Protection Law”, PPL) and its regulations, including the Protection of Privacy (Data Security) Regulations, 2017. Where we process personal data of individuals in the European Economic Area, the EU General Data Protection Regulation (GDPR) applies as a secondary framework.

By accessing or using our services, you agree to this Privacy Policy. If you do not agree, please do not use our website or services.

2. Our Role: Controller vs. Processor

Our role differs depending on the type of data, and this distinction defines our responsibilities:

  • Processor — For client business data (the curated matter slice processed on behalf of a law firm or client), Congreat acts strictly as a data processor. We process this data only on the documented instructions of our client (the controller), solely to deliver the service, and never for our own purposes.
  • Controller — For our own website, marketing, and account data (e.g. a contact name and email you submit, or website usage data), Congreat is the controller and determines the purposes and means of processing.

3. Information We Collect

Account & Contact Data (we are controller)

When you contact us, request a demo, or create an account, we may collect your name, email address, phone number, company name, and job title.

Website Usage Data (we are controller)

We automatically collect limited technical information when you visit our website, including IP address, browser type, pages viewed, and timestamps.

Client Business Data (we are processor)

In the course of delivering our services, we process data from a client’s connected systems (such as email and cloud storage). Crucially, we apply data minimization: we do not ingest the raw mailbox or drive. At connect time we build a curated, case-relevant matter slice — only the threads, messages, and files involving the parties the user designates for a specific legal matter. We process this slice strictly on behalf of, and on the instructions of, our client.

4. Encryption & Client-Owned Keys

Pinned client evidence is persisted using envelope encryption with a per-case data encryption key (DEK). The key is client-owned: it is controlled by, and bound to, the client’s case. Because the data is only readable while that key exists, destroying the key renders the underlying data permanently and irreversibly unrecoverable.

This means deletion = key destruction. Destroying the client-owned key is our mechanism for honoring the right to deletion under the Privacy Protection Law (§14) and the right to erasure under GDPR (Article 17). Each case is cryptographically isolated from every other case.

5. EU Data Residency & Security

Client data is stored in the European Union (Frankfurt, Germany). Data is encrypted in transit (TLS 1.3) and at rest (AES-256), with strict access controls and audit logging. No method of transmission or storage is completely secure, but we apply technical and organizational measures consistent with the Data Security Regulations under the Privacy Protection Law.

6. Agentic AI Processing & Sub-processors

Our agent reads the encrypted evidence corpus for a case to produce cited, on-demand answer cards that the lawyer curates. To perform inference, the relevant text is transmitted to a Large Language Model (LLM) sub-processor and returned as a model response.

  • We use direct-to-provider LLM access under a Data Processing Agreement (DPA) with Zero Data Retention (ZDR) and EU-resident processing where available.
  • No model training: sub-processors do not use our or our clients’ inputs or outputs to train foundation models.

7. OAuth Provider Integrations

When you connect your Google or Microsoft account, we request only the OAuth scopes necessary to deliver our services. This section names every scope we use, what we access, and what we never access.

Google — Gmail

  • Scope: gmail.readonly
  • What we access: Email headers, message bodies, and attachments — limited to correspondence with the specific people the user designates for a case.
  • What we do NOT access: We do not modify, send, or delete any email; access is read-only and scoped to the case parties the user selects.

Google — Drive

  • Scope: drive.readonly
  • What we access: File metadata and content only for files inside the specific folders the user explicitly selects via the Google Drive folder picker.
  • What we do NOT access: Contents of any files outside the folders the user has explicitly selected.

Microsoft — Graph (Outlook & OneDrive)

  • Scopes: Mail.Read, Files.Read, User.Read, offline_access
  • What we access: Read-only access to the case-relevant mailbox messages and to the OneDrive files the user has authorized, plus the connected account’s display name and email to confirm the linked account.

Refresh Tokens & Revocation

  • OAuth refresh tokens are encrypted at rest (AES-GCM-256) so we can re-authenticate on your behalf while a case is processed in the background.
  • Tokens are deleted automatically when the associated case is deleted.
  • You can revoke access at any time: Google / Microsoft.

8. How We Use Information

  • Deliver, operate, and maintain our website and services
  • Process the curated matter slice on behalf of, and on the instructions of, our clients
  • Respond to inquiries and provide support
  • Send service and (with consent where required) marketing communications
  • Detect, prevent, and address security threats and comply with legal obligations

9. Data Sharing

We do not sell personal information. Client business data processed as processor is never shared with third parties except the sub-processors named above (acting on our instructions) and as authorized by the client. We may disclose information where required by law or in connection with a merger or acquisition.

10. Data Retention

Account and website data is retained only as long as necessary for the purposes in this policy. Client business data is retained for the life of the matter and the associated case key; on deletion the client-owned key is destroyed, which irreversibly deletes the data. We otherwise return or delete client data on termination of the engagement, unless retention is required by law.

11. Your Rights

Under the Privacy Protection Law you have the right to access and to correct the personal data we hold about you, and the right to deletion. Where the GDPR applies, you additionally have the rights of access, rectification, erasure, restriction, data portability, and objection.

For client business data we process as a processor, please direct rights requests to the relevant controller (your law firm / the client); we will assist them as required. To exercise rights regarding data for which we are the controller, contact us (Section 13). We respond within 30 days.

12. International Transfers

Client data is hosted in the European Union (Frankfurt). Israel and the EU each recognize the other as providing an adequate level of data protection, supporting lawful transfer between them. Where data is transferred to a country without an adequacy decision, we put appropriate safeguards in place.

13. Contact & Privacy Requests

For privacy and data-subject requests, contact our privacy contact:

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and revise the “Last updated” date.