This Privacy Policy ("Policy") describes how Lenz CRM, a Nevada limited liability company ("Lenz," "we," "us," or "our"), collects, uses, retains, and protects information in connection with our call tracking, customer relationship management, marketing attribution, and related software-as-a-service platform (the"Services"). This Policy applies to all users of the Services, including law firm customers, their authorized users, and visitors to our website at lenzcrm.com (the "Site").

Lenz provides Services to law firms and legal professionals. We recognize the sensitive nature of the data processed through our platform, including potential attorney-client privileged communications, and have designed our data practices accordingly.

LENZ DOES NOT SELL, SHARE, OR DISCLOSE END-USER OR CONSUMER DATA TO THIRD PARTIES FOR THOSE THIRD PARTIES’ OWN MARKETING, ADVERTISING, OR COMMERCIAL PURPOSES. Lenz does not sell or share consumer opt-in data, consent information, telephone numbers, call recordings, or any data collected through our telephony services to or with any third party, affiliate, or unrelated entity. All data processing described in this Policy is performed solely to provide the Services to our Customers.

Lenz CRM | 732 S 6th St, Ste N, Las Vegas, NV 89101 | privacy@lenzcrm.com

1. DEFINITIONS

"Authorized User" means any individual granted access to the Services by a Customer, including attorneys, paralegals, intake specialists, and administrative staff.

"Call Data" means data generated through the call tracking features of the Services, including call recordings, transcripts, caller identification data, call metadata (date, time, duration, source number, destination number), and call disposition information.

"Customer" means the law firm or legal entity that has entered into a subscription agreement with Lenz for use of the Services.

"Customer Data" means all data submitted to, generated by, or processed through the Services on behalf of a Customer, including Call Data, CRM Records, Marketing Data, and any data relating to the Customer’s clients or prospective clients.

"CRM Records" means contact information, case details, intake forms, notes, communications, and other records stored within the CRM features of the Services.

"End User" means any individual whose Personal Information is collected or processed through the Services, including callers, website visitors, and prospective clients of Customers.

"Google Integration Data" means data received from or transmitted to Google services through the Services, including Google Ads performance data, Google Business Profile information, and Local Service Ads data.

"Marketing Data" means data relating to advertising campaigns, marketing attribution, lead sources, website analytics, and conversion tracking processed through the Services.

"Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable natural person, as defined under applicable law.

"Subprocessor" means a third-party service provider engaged by Lenz under a written data processing agreement to perform specific, limited processing functions on behalf of Lenz in connection with the provision of the Services. Subprocessors are contractually prohibited from using Customer Data for any purpose other than performing the delegated function.

2. DATA PROCESSING ROLES AND RESPONSIBILITIES

2.1 Customer as Controller

With respect to Customer Data, the Customer acts as the data controller (or equivalent designation under applicable law). The Customer determines the purposes and means of processing Customer Data and is responsible for ensuring that its collection and use of Personal Information through the Services complies with all applicable laws, including obtaining any required consents from End Users.

2.2 Lenz as Processor

Lenz acts as a data processor (or service provider under the CCPA) with respect to Customer Data. Lenz processes Customer Data solely on behalf of and in accordance with the Customer’s documented instructions, as set forth in the applicable subscription agreement, Data Processing Addendum, and this Policy. Lenz does not sell Customer Data. Lenz does not share Customer Data with third parties for cross-context behavioral advertising or for any purpose unrelated to providing the Services. Lenz does not disclose, transfer, or make available End User data—including telephone numbers, opt-in information, call recordings, or consent data—to any third party for that third party’s own use.

2.3 Lenz as Controller

Lenz acts as a data controller with respect to: (a) Account Data provided by Customers and Authorized Users during registration and account management; (b) Billing Data necessary to process payments; (c) Usage Data generated through interaction with the Services; and (d) data collected from visitors to the Site.

3. CATEGORIES OF DATA COLLECTED

3.1 Account Data

When a Customer or Authorized User creates an account, we collect:

• Name, email address, phone number, and job title of Authorized Users
• Law firm name, address, bar admissions, and practice areas
• Login credentials (passwords are stored using industry-standard hashing)
• Account preferences, notification settings, and role assignments

3.2 Billing Data

We collect payment information necessary to process subscription fees, including credit card details (processed and stored by Stripe; Lenz does not store full card numbers), billing address, and transaction history.

3.3 Call Data

Through the call tracking features of the Services, powered by Twilio’s telecommunications infrastructure, we process:

• Inbound and outbound call recordings (audio files)
• Call transcripts generated through automated speech-to-text processing
• Call metadata: originating number, destination number, date, time, duration, geographic data associated with phone numbers, and call disposition
• Caller identification data, including name and number where available via caller ID
• Call source attribution data linking calls to specific marketing campaigns, keywords, or advertising channels

Important Notice Regarding Call Recordings: Call recordings processed through the Services may contain sensitive information, including communications that may be subject to attorney-client privilege. Customers are solely responsible for ensuring compliance with all applicable federal and state call recording consent laws, including but not limited to the Telephone Consumer Protection Act (TCPA) and state wiretapping and eavesdropping statutes. Lenz provides configurable call recording announcement features; however, the Customer bears full responsibility for enabling and configuring appropriate consent mechanisms.

3.4 Telephony Data Handling

All telephony data—including caller and recipient telephone numbers, call recordings, transcripts, opt-in and consent information, and call metadata—is processed exclusively within Lenz’s infrastructure and its designated telephony Subprocessor (Twilio) for the sole purpose of providing the call tracking and recording features of the Services to the Customer. Specifically:

• No sharing: Telephony data is not disclosed, sold, shared, or made accessible to any third party, affiliate, or unrelated entity for any purpose, including marketing, advertising, analytics, or data enrichment.
• No sale of opt-in data: End User consent information, opt-in records, and telephone numbers collected through the Services are never sold, shared, or transferred to any party other than the Customer on whose behalf the data was collected.
• No secondary use: Telephony data is used only to route, record, transcribe, and attribute calls as directed by the Customer. It is not used for profiling, behavioral analysis, advertising targeting, or any purpose unrelated to delivering the Services.
• Subprocessor restrictions: Twilio processes telephony data solely as a telecommunications infrastructure provider under a written agreement that prohibits Twilio from using such data for its own purposes. Twilio does not have access to data beyond what is necessary to route and record calls.

3.5 CRM Records

Customer Data stored within the CRM features of the Services may include:

• Contact information for the Customer’s clients and prospective clients (name, phone, email, address)
• Case and matter information, including case type, incident details, status, and notes
• Intake form responses and lead qualification data
• Communication history, including logged calls, emails, and text messages
• Task assignments, follow-up schedules, and internal notes created by Authorized Users

3.6 Marketing and Attribution Data

We process data related to the Customer’s marketing campaigns, including:

• Google Ads campaign performance data (impressions, clicks, cost, conversions)
• Google Business Profile metrics and review data
• Local Service Ads performance and lead data
• Marketing attribution data linking leads to specific campaigns, keywords, ad groups, or landing pages
• Website visitor analytics, including pages visited, referral sources, and session data
• Conversion tracking data associating marketing spend with case sign-ups

3.7 Usage Data

We automatically collect information about how Authorized Users interact with the Services, including:

• Login timestamps, session duration, features accessed, and actions taken within the platform
• Device information, including browser type, operating system, and screen resolution
• IP address and approximate geographic location derived from IP address
• Error logs, performance data, and diagnostic information

4. PURPOSES OF DATA PROCESSING

Lenz processes data for the following purposes:

• Providing the Services: To operate the call tracking, CRM, marketing attribution, and integration features of the platform in accordance with the Customer’s subscription agreement.
• Call Processing: To route, record, and transcribe telephone calls; to provide call analytics and attribution; and to integrate call data with CRM records and marketing campaigns.
• Marketing Attribution: To track and attribute leads to specific advertising channels, campaigns, and keywords; to provide return-on-investment reporting; and to optimize advertising spend allocation.
• Integration Services: To synchronize data with third-party platforms, including Google Ads, Google Business Profile, Local Service Ads, and Customer-designated case management systems.
• Billing and Account Management: To process payments, manage subscriptions, send invoices, and communicate account-related information.
• Service Improvement: To analyze aggregated, de-identified usage patterns, diagnose technical issues, and improve platform performance. Customer Data used for service improvement is aggregated and stripped of identifying information.
• Security and Compliance: To detect and prevent fraud, unauthorized access, and other security threats; to enforce our Terms of Service; and to comply with applicable legal obligations.
• Communications: To send service-related notices, respond to support requests, and, with consent where required, provide information about new features or services.

5. AUTOMATED PROCESSING AND ARTIFICIAL INTELLIGENCE

5.1 Automated Features

The Services may employ automated processing, including artificial intelligence and machine learning technologies, for the following purposes:

• Automated speech-to-text transcription of call recordings
• Call classification, tagging, and sentiment analysis
• Lead scoring and qualification assistance
• Marketing attribution modeling and campaign optimization recommendations
• Content generation assistance for Customer websites and marketing materials
• Automated data extraction and summarization from call transcripts

5.2 How Automated Processing Works

All automated processing of Customer Data is performed within Lenz’s own infrastructure or by Subprocessors listed in Section 8.1 of this Policy, acting solely on Lenz’s behalf under written data processing agreements. Automated processing is an internal capability of the Services—it does not involve sharing, disclosing, or transferring Customer Data to any external party for that party’s own purposes.

5.3 Data Usage Restrictions for AI

Lenz applies the following strict restrictions to all automated processing of Customer Data:

• No External Model Training: Customer Data is never used to train any publicly available artificial intelligence or machine learning model. Customer Data is never provided to any external party for model training purposes.
• No Data Sharing: Automated processing does not involve sharing, selling, or disclosing Customer Data—including call recordings, transcripts, telephone numbers, or End User information—to any third party. All AI and machine learning features operate within Lenz’s service delivery infrastructure.
• Processor-Only Processing: Automated processing of Customer Data is performed solely to provide the Services in accordance with the Customer’s instructions and the applicable subscription agreement.
• No Retention Beyond Service Delivery: Customer Data processed by automated features is not retained beyond the period necessary to deliver the specific Service feature. Transcripts, classifications, and summaries are stored as part of the Customer’s account data subject to the retention policies in Section 9.
• Subprocessor Controls: Any Subprocessor involved in automated processing functions is bound by a written data processing agreement that prohibits the Subprocessor from (i) using Customer Data for any purpose other than performing the delegated processing function, (ii) retaining Customer Data beyond the processing operation, and (iii) training its own models on Customer Data. The current list of Subprocessors is maintained in Section 8.1.

5.4 Human Oversight

Automated processing features are designed to assist, not replace, human decision-making. No automated decision with legal or similarly significant effects is made without the opportunity for human review by the Customer or its Authorized Users.

6. GOOGLE API SERVICES DATA

6.1 Data Received from Google

The Services integrate with Google APIs to provide advertising management and attribution features. Through these integrations, Lenz may receive and process:

• Google Ads account and campaign performance data
• Google Business Profile listing information, reviews, and performance metrics
• Local Service Ads lead and performance data
• Google Analytics data where the Customer has authorized such access

6.2 Google API Services User Data Policy Compliance

Lenz’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• Google API data is used only to provide and improve the Services as described in this Policy.
• Google API data is not sold to third parties.
• Google API data is not used for serving advertisements.
• Google API data is not used to derive data for advertising profiles.
• Google API data is not transferred to any third party except as necessary to provide the Services, as required by law, or with the Customer’s explicit consent.
• Human access to Google API data is limited to essential service operations, security investigation, legal compliance, or at the Customer’s explicit request.

7. COOKIES, TRACKING TECHNOLOGIES, AND WEBSITE ANALYTICS

7.1 Cookies Used by the Services

The Services and the Site use the following categories of cookies and similar technologies:

• Strictly Necessary Cookies: Required for authentication, session management, security, and core platform functionality. These cookies cannot be disabled.
• Functional Cookies: Used to remember user preferences, display settings, and account configurations.
• Analytics Cookies: Used to understand how Authorized Users interact with the platform, identify usage patterns, and improve the Services.
• Marketing Attribution Cookies: Used on Customer websites (where the Customer has implemented Lenz tracking scripts) to attribute leads to specific marketing campaigns, keywords, and advertising channels.

7.2 Third-Party Tracking

When Customers implement Lenz call tracking numbers and attribution scripts on their websites, those scripts may collect visitor data (including IP address, referral source, pages visited, and session identifiers) for the purpose of marketing attribution. This data is collected on behalf of and controlled by the Customer. Customers are responsible for disclosing the use of these tracking technologies in their own privacy policies and for obtaining any required consent from their website visitors.

7.3 Do Not Track

The Services do not currently respond to Do Not Track (DNT) browser signals. However, Customers and their website visitors may manage cookie preferences through their browser settings.

8. DATA SHARING, DISCLOSURE, AND RESTRICTIONS

Lenz does not sell Customer Data. Lenz does not sell, share, or disclose End User data—including telephone numbers, call recordings, transcripts, opt-in information, or consent records—to any third party for that third party’s own purposes. Lenz does not share consumer data with affiliates or unrelated entities for marketing, advertising, data enrichment, or any purpose other than providing the Services.

Lenz may engage the limited categories of Subprocessors described below, solely to perform specific processing functions necessary to deliver the Services. Subprocessors operate under Lenz’s instruction pursuant to written data processing agreements and do not have independent rights to use Customer Data.

8.1 Subprocessors

Lenz engages the following Subprocessors. Each Subprocessor is bound by a written agreement that limits its processing to the stated purpose and prohibits any independent use, retention, or disclosure of Customer Data:

The current Subprocessor list is maintained at lenzcrm.com/subprocessors. This list is exhaustive. No entity not listed above or at that URL receives Customer Data from Lenz.

8.2 Subprocessor Changes

Lenz will provide Customers with at least thirty (30) days’ prior written notice before engaging a new Subprocessor or materially changing the scope of an existing Subprocessor’s engagement. Notice will be provided via email to the Customer’s designated contact and by updating the Subprocessor list on lenzcrm.com/subprocessors. If a Customer objects to a new Subprocessor, the Customer may terminate the affected Services in accordance with the subscription agreement.

8.3 Customer-Directed Integrations

Where a Customer configures integrations with its own third-party case management systems, marketing platforms, or other services (for example, syncing CRM records to Customer’s own Filevine or Litify account), Customer Data may flow to those systems at the Customer’s sole direction and under the Customer’s own account with that third-party service. These Customer-directed data transfers are initiated and controlled by the Customer, not by Lenz. Lenz does not independently share Customer Data with these systems. Lenz is not responsible for the data practices of third-party systems that Customer chooses to integrate, and Customer is responsible for reviewing the privacy and security practices of those systems.

8.4 Legal Disclosure

We may disclose data where required by applicable law, regulation, legal process, or enforceable governmental request. Where legally permitted, Lenz will provide the Customer with advance notice of such disclosure to allow the Customer to seek protective measures, including assertion of attorney-client privilege or work product protections. Lenz will disclose only the minimum data legally required.

8.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of Lenz’s assets, Customer Data may be transferred to the successor entity, subject to the same privacy protections described in this Policy. Lenz will provide Customers with notice of any such transfer. The successor entity will be bound by the same restrictions on data use, sharing, and disclosure set forth in this Policy.

9. DATA RETENTION AND DELETION

9.1 Retention Periods

Lenz retains Customer Data for the duration of the Customer’s active subscription. Specific retention practices include:

• Call Recordings: Retained for the duration of the subscription unless the Customer configures a shorter retention period through the platform’s settings or requests earlier deletion.
• Call Transcripts: Retained consistent with the associated call recording.
• CRM Records: Retained for the duration of the subscription.
• Marketing and Attribution Data: Retained for the duration of the subscription.
• Usage Data: Retained for up to twenty-four (24) months for analytics and service improvement purposes, after which it is aggregated or deleted.
• Billing Data: Retained for the period required by applicable tax and financial record-keeping laws (typically seven (7) years).

9.2 Post-Termination

Following termination or expiration of a Customer’s subscription:

• Lenz will make Customer Data available for export for a period of thirty (30) days.
• After the thirty (30)-day export period, Lenz will delete Customer Data from production systems within sixty (60) days. Residual copies in encrypted backups will be overwritten in accordance with Lenz’s backup rotation schedule, not to exceed ninety (90) additional days.
• Customers may request immediate deletion of Customer Data at any time by contacting privacy@lenzcrm.com. Lenz will process such requests within thirty (30) days, subject to applicable legal retention obligations.

9.3 Aggregated Data

Lenz may retain aggregated, de-identified data derived from Customer Data indefinitely for benchmarking, analytics, and service improvement purposes. Such data will not identify any individual Customer, Authorized User, End User, or data subject, and cannot be used to re-identify any individual.

10. DATA SECURITY

Lenz implements administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, disclosure, alteration, or destruction. These measures include:

10.1 Infrastructure Security

• All Customer Data is hosted on Amazon Web Services (AWS) infrastructure within the United States.
• Data is encrypted in transit using TLS 1.2 or higher.
• Data is encrypted at rest using AES-256 encryption.
• Network security controls include firewalls, intrusion detection, and DDoS mitigation.

10.2 Access Controls

• Role-based access controls (RBAC) limit access to Customer Data based on job function and necessity.
• Multi-factor authentication is available for all Authorized User accounts and is required for Lenz administrative access.
• All administrative access to production systems is logged and subject to periodic audit.
• Lenz personnel access to Customer Data is limited to authorized support, engineering, and security personnel acting in the course of their duties.

10.3 Operational Security

• Regular vulnerability scanning and security assessments of the platform.
• Secure software development lifecycle practices, including code review and testing.
• Employee security awareness training upon hire and annually thereafter.
• Incident response procedures with designated response team and escalation protocols.
• Regular backup and disaster recovery testing.

10.4 Customer Security Controls

Customers and Authorized Users are responsible for maintaining the security of their account credentials, configuring appropriate access controls within their accounts, and promptly notifying Lenz of any suspected unauthorized access at security@lenzcrm.com.

11. SECURITY INCIDENT AND BREACH NOTIFICATION

In the event of a confirmed security incident involving unauthorized access to, acquisition of, or disclosure of Customer Data:

• Lenz will notify the affected Customer without undue delay and in no event later than seventy-two (72) hours after confirmation of the incident.
• Notification will include, to the extent known at the time: (a) the nature of the incident; (b) the categories and approximate volume of data affected; (c) the likely consequences of the incident; (d) measures taken or proposed to address the incident and mitigate potential harm; and (e) the identity and contact information of Lenz’s designated incident response contact.
• Lenz will cooperate with the Customer’s investigation of the incident and provide reasonable assistance in the Customer’s compliance with its own breach notification obligations under applicable law.
• Lenz will document all confirmed security incidents and remediation measures taken.

12. INDIVIDUAL DATA SUBJECT RIGHTS

12.1 Rights Under Applicable Law

Individuals whose Personal Information is processed through the Services may have rights under applicable state privacy laws, including the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act, and other state privacy statutes. These rights may include:

• The right to know what Personal Information is collected, used, and disclosed
• The right to access and obtain a copy of Personal Information
• The right to delete Personal Information
• The right to correct inaccurate Personal Information
• The right to opt out of the sale or sharing of Personal Information (Lenz does not sell or share Personal Information for cross-context behavioral advertising)
• The right to non-discrimination for exercising privacy rights

12.2 Exercising Rights

Because Lenz processes Customer Data as a processor on behalf of Customers, individuals seeking to exercise their data subject rights should direct their requests to the applicable Customer (the law firm or legal entity that controls their data). Lenz will assist Customers in responding to verified data subject requests in accordance with the applicable Data Processing Addendum and subscription agreement.

For data that Lenz controls directly (Account Data, Usage Data, and Site visitor data), individuals may submit requests to privacy@lenzcrm.com. Lenz will verify the requestor’s identity and respond within the timeframes required by applicable law.

13. CHILDREN’S PRIVACY

The Services are not directed to children under the age of sixteen (16), and Lenz does not knowingly collect Personal Information from children. If Lenz becomes aware that Customer Data contains Personal Information of a child under sixteen (16), Lenz will work with the Customer to ensure appropriate handling in accordance with applicable law, including the Children’s Online Privacy Protection Act (COPPA). If you believe that a child’s Personal Information has been submitted to Lenz, please contact privacy@lenzcrm.com.

14. DATA TRANSFERS

All Customer Data is stored and processed within the United States. Lenz does not transfer Customer Data outside the United States unless required to do so at the Customer’s specific written instruction (for example, in connection with an integration with a third-party service hosted outside the United States). If such a transfer occurs, Lenz will ensure appropriate safeguards are in place in accordance with applicable law.

Callers who contact a Lenz tracking number from outside the United States should be aware that their call data will be processed and stored in the United States, subject to United States law.

15. ATTORNEY-CLIENT PRIVILEGE AND CONFIDENTIALITY

Lenz recognizes that Customer Data may include communications subject to attorney-client privilege, work product doctrine protections, or other legal confidentiality protections. Lenz’s access to Customer Data in its capacity as a service provider and processor does not constitute a waiver of any privilege or protection that may attach to such data. Lenz personnel are instructed to treat all Customer Data as confidential, and access to Customer Data is limited to the minimum necessary to provide and support the Services.

Customers should be aware that the use of any cloud-based service to store or process privileged communications may have implications under applicable rules of professional conduct. Customers are responsible for evaluating these implications and for ensuring that their use of the Services complies with their ethical obligations.

16. CALIFORNIA-SPECIFIC DISCLOSURES (CCPA/CPRA)

The following disclosures are provided pursuant to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA").

16.1 Categories of Personal Information

In the preceding twelve (12) months, Lenz has collected the following categories of Personal Information as defined by the CCPA: identifiers; commercial information; Internet or other electronic network activity information; geolocation data; professional or employment-related information; and audio information (call recordings). The specific data elements, sources, purposes, and disclosures for each category are described in Sections 3, 4, and 8 of this Policy.

16.2 No Sale or Sharing

Lenz does not sell Personal Information. Lenz does not share Personal Information for cross-context behavioral advertising. Lenz has not sold or shared Personal Information in the preceding twelve (12) months. Lenz does not sell or share consumer opt-in information, telephone numbers, call recordings, or any End User data.

16.3 Sensitive Personal Information

Customer Data may include sensitive Personal Information as defined by the CCPA, including precise geolocation data (derived from phone numbers) and the content of communications (call recordings and transcripts). Lenz uses sensitive Personal Information solely to provide the Services as reasonably expected by the Customer and does not use it for purposes beyond those described in this Policy.

16.4 Service Provider Designation

With respect to Customer Data, Lenz operates as a "service provider"as defined by the CCPA. Lenz processes Customer Data solely for the business purposes specified in the applicable subscription agreement and this Policy, and certifies that it will not retain, use, or disclose Customer Data for any purpose other than providing the Services or as otherwise permitted by the CCPA.

17. CHANGES TO THIS POLICY

Lenz may update this Policy from time to time to reflect changes in our data practices, legal requirements, or the Services. Material changes will be communicated to Customers via email to the designated account contact at least thirty (30) days prior to the effective date of the change. The current version of this Policy will always be available at lenzcrm.com/privacy. Continued use of the Services following the effective date of a material change constitutes acceptance of the updated Policy.

18. CONTACT INFORMATION

For questions, concerns, or requests related to this Privacy Policy or Lenz’s data practices, please contact:

19. GOVERNING LAW

This Policy is governed by and construed in accordance with the laws of the State of Nevada, without regard to its conflict of laws principles. Any disputes arising under or in connection with this Policy shall be resolved in accordance with the dispute resolution provisions set forth in the Terms of Service.