Privacy Policy
DRAFT 2026-05-15. Attorney review recommended before publishing. Jordan: you are a lawyer but probably want a second set of eyes on this. Tailored to the locked Docket V1 architecture as of commit adbbd64 (minimum-scope, Resend outbound, Postmark inbound, no Gmail or Outlook outbound OAuth).
Last updated: 2026-05-15
1. Introduction
This Privacy Policy explains how Docket ("Docket", "we", "us", or "our") collects, uses, shares, and protects information about you and your firm when you use our software-as-a-service platform at docket-legal.com and at api.docket-legal.com (collectively, the "Service").
Docket is operated by Dizik | Kaplan, Attorneys at Law (or the legal entity that succeeds it; we will update this policy if ownership changes). The Service helps Michigan litigation attorneys automatically capture e-filings from MiFile and TrueFiling and route those filings into the attorney's own cloud storage. Docket is a tool for the attorney. We are not your attorney's law firm's vendor of record unless a separate written agreement says so.
This policy covers:
- What information Docket collects when you sign up, connect your Google or Microsoft account, and use the Service.
- How that information is used and who can see it.
- The sub-processors Docket relies on, including Clerk for authentication, Postmark for inbound mail, Resend for outbound mail, and Railway for hosting.
- How to access, correct, or delete the information Docket holds about you.
- How to contact us.
If you are an attorney's client whose case documents pass through Docket, please note: Docket does not process your personal information. Docket only routes the file-stamped PDF from MiFile or TrueFiling into the attorney's own cloud storage. Docket never reads the contents of those PDFs. Docket has no record of who the parties to a case are beyond the case number on the e-filing notification email. If you have questions about your data, ask your attorney; they are the custodian of the documents that flow through Docket.
2. What information Docket collects
Docket collects three categories of information.
2.1 Account information
When you sign up for the Service, Docket collects:
- Your name (first and last).
- Your email address.
- A password hash (created by Clerk, our authentication provider; Docket itself never sees your password).
- The timestamp of your account creation and most recent sign-in.
This information is stored in Clerk's user database and replicated into Docket's own Postgres database (hosted on Railway) as a tenants row keyed by the Clerk user ID.
2.2 OAuth and credential information
When you connect Docket to your Google Drive or Microsoft OneDrive account, Docket receives:
- An OAuth refresh token issued by Google or Microsoft. This token lets Docket act on your behalf within the scopes you granted: for Google, that is drive.file (create files in your Drive, and read/write files you explicitly grant via the Google Picker), userinfo.email, and openid. For Microsoft, it is Mail.Read, Files.ReadWrite, User.Read, and offline_access. Docket does not request Gmail scopes of any kind. Docket does not request the ability to send mail as you.
- The Google Drive or OneDrive folder ID you designated as Docket's upload root.
- Your MiFile username and password, when you choose to enter them so Docket can download served filings. These credentials are required only if you want Docket to retrieve documents from MiFile on your behalf.
All OAuth refresh tokens and MiFile credentials are encrypted at rest using Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256). The master encryption key is stored only in Docket's production environment (Railway environment variable ENCRYPTION_KEY) and in a designated 1Password vault accessible to two trustees.
2.3 Filing receipts (metadata, not bodies)
Each time Docket processes an e-filing for your account, Docket creates a "processed filing" record containing:
- The case number from the filing notification email.
- The name of the document filed (e.g. Order Granting Motion to Compel.pdf).
- The timestamp Docket received the filing notification.
- The timestamp Docket uploaded the PDF to your Drive.
- A SHA-1 hash of the PDF bytes (used by Docket to detect duplicate filings; it is a fingerprint, not the document body).
- The Drive or OneDrive folder path where the PDF was uploaded.
Docket does not store the document itself. The PDF lives only in your own Drive or OneDrive folder. Docket retains the metadata listed above so the daily and weekly recap emails can list what was filed, and so Docket can avoid uploading the same document twice if it arrives via two channels.
Docket also temporarily holds the inbound forwarded email (received via Postmark Inbound at filings+<tenant-id>@docket-legal.com) for the seconds or minutes it takes to extract the filing URL, download the PDF from Tyler Technologies, and upload to your Drive. The forwarded email is discarded after processing. Postmark itself retains a copy of the email in its inbound logs for its own retention period (currently 45 days per Postmark's policy at the time of writing); see Postmark's privacy policy for details.
3. How Docket uses information
Docket uses the information described above to:
- Authenticate you when you sign in (Clerk).
- Receive your forwarded MiFile and TrueFiling notification emails (Postmark Inbound).
- Download the corresponding file-stamped PDFs from Tyler Technologies' MiFile and TrueCertify systems on your behalf.
- Upload those PDFs into your Drive or OneDrive at the folder you designated.
- Send you a daily end-of-day summary email (around 6 PM local time on weekdays) and a Monday morning weekly summary email, from recaps@docket-legal.com via Resend, listing what was filed.
- Show you the status of your account in the Docket portal at app.docket-legal.com.
- Diagnose problems and provide customer support.
- Send transactional emails about your account (signup confirmation, billing receipts, OAuth reconnection prompts).
- Comply with our legal obligations and respond to lawful requests.
Docket does not use your information to:
- Train any artificial-intelligence model.
- Send marketing emails to anyone other than you, the account holder.
- Profile you for advertising.
- Sell or rent your information to anyone.
4. Who Docket shares information with
Docket relies on a small set of sub-processors to deliver the Service. Each sub-processor receives only the information necessary to perform its function. None of them have access to your encrypted OAuth tokens or MiFile credentials, because the encryption key never leaves Docket's environment.
| Sub-processor | What they receive | Why |
|---|---|---|
| Clerk (https://clerk.com) | Your name, email, password (hashed), sign-in metadata. | Authentication and user management. |
| Postmark (https://postmarkapp.com) | The body of every email forwarded to filings+<tenant-id>@docket-legal.com. Postmark retains a copy of inbound messages per its retention policy. | Inbound mail handling. Postmark parses the MIME and posts a webhook to Docket. |
| Resend (https://resend.com) | The recipient address, subject, and body of every recap email Docket sends. Resend retains delivery metadata for 30 days. | Outbound mail delivery for recaps from recaps@docket-legal.com. |
| Railway (https://railway.app) | The entire Docket application, including the encrypted Postgres database. | Hosting. |
| Google LLC (Drive API) | Whatever OAuth grant you give Docket; in practice, the right to create files in your Drive and read files you explicitly grant via the Picker. Google's privacy policy governs Google's own handling. | Storage of your filings, in your Drive. |
| Microsoft Corporation (Microsoft Graph) | Whatever OAuth grant you give Docket; for Microsoft customers, that includes the right to read your Outlook mail and read/write your OneDrive. Microsoft's privacy policy governs Microsoft's own handling. | Storage of your filings, in your OneDrive; reading of filing-notification emails from your Outlook inbox. |
| Tyler Technologies (MiFile / TrueCertify) | Your MiFile username and password (transmitted only to log in and download served filings on your behalf, then discarded from memory after use). Tyler is the operator of MiFile and TrueFiling; their privacy policy governs their handling. | Downloading the actual PDFs of your filings. |
| 2captcha (https://2captcha.com), where required for Oakland County and similar legacy courts. | A single CAPTCHA image at the moment of solving. No personal information. | Solving the TrueCertify CAPTCHA challenge. |
| Stripe (https://stripe.com), once Docket bills you. | Your name, billing email, billing address, and payment method (handled by Stripe; Docket never sees your card number). | Payment processing. |
Docket may add or remove sub-processors as the Service evolves. We will update this Privacy Policy at least 14 days before a new sub-processor begins receiving customer information, and email you at the address on file.
Docket will share information with law enforcement or governmental authorities only when required by valid legal process (subpoena, warrant, court order). We will tell you about any such request unless the legal process forbids us from doing so.
5. Your attorney's clients
Docket is designed so that the documents flowing through it never expose attorney-client communications to Docket. The flow is:
- A court (operated by Tyler Technologies) emails a filing notification to your Gmail or Outlook inbox.
- Either (a) your Gmail filter forwards that email to Docket's inbound address at Postmark, or (b) Docket polls your Outlook inbox via Microsoft Graph and finds the new message.
- Docket extracts the filing URL from the email body, downloads the PDF from Tyler Technologies, and uploads it to your Drive or OneDrive.
- Docket discards the inbound email and retains only the metadata listed in section 2.3.
Docket never sends email to your clients. Docket never reads your clients' emails. Docket never reads your case files in Drive or OneDrive beyond the files Docket itself created. Docket does not have a client-facing interface.
If you are concerned about whether Docket's data practices comply with your specific malpractice carrier's requirements or your jurisdiction's professional responsibility rules, please review this policy with your malpractice carrier before signing up.
6. International transfers
Docket and its sub-processors are based in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States. By using the Service, you consent to this transfer. We do not specifically target customers outside the United States and the Service is designed for Michigan litigation attorneys.
Some sub-processors operate global infrastructure; Google and Microsoft in particular may store your data in any region they choose, subject to their own privacy policies.
7. Data retention
Docket retains the categories of information described above for the following periods:
- Account information (name, email, sign-in metadata): for the duration of your account, and for 90 days after you delete the account, to allow account recovery if the deletion was accidental.
- OAuth refresh tokens: until you revoke them in your Google or Microsoft account settings, or until you delete your Docket account. We rotate tokens on each refresh per Google's and Microsoft's recommended cadence.
- MiFile credentials: until you remove them in the Docket portal, or until you delete your Docket account.
- Processed-filing receipts (case numbers, document names, SHA-1 hashes, timestamps): for seven (7) years after the filing was processed. This duration matches the standard Michigan attorney file-retention practice (MRPC 1.15(d) custody requirements and related guidance). It exists so that if a question arises later about whether Docket delivered a specific filing on a specific date, the receipt is still available.
- Inbound emails received at Postmark: discarded by Docket as soon as the filing is processed (seconds to minutes). Postmark separately retains a copy per its own retention policy; see Postmark's privacy policy.
- Outbound recap emails sent via Resend: Resend retains delivery metadata for 30 days; the content of each recap is also stored in your own inbox where Resend delivered it.
- Billing records (Stripe): retained per Stripe's policies and applicable tax record-keeping requirements (typically seven years).
You may request deletion of your account at any time by emailing privacy@docket-legal.com. Within 30 days of confirming the request, Docket will delete your account information, OAuth tokens, and MiFile credentials. Processed-filing receipts are also deleted on request, unless we have a legal obligation to retain them (which we generally do not).
8. Your rights
Depending on where you live, you may have the following rights regarding your personal information:
- Right to access: ask Docket what information we hold about you and obtain a copy.
- Right to correct: ask Docket to correct information that is wrong.
- Right to delete: ask Docket to delete information about you, subject to lawful exceptions.
- Right to portability: receive a copy of your information in a structured, machine-readable format.
- Right to object or restrict: ask Docket to stop using your information for certain purposes.
- Right to withdraw consent: where Docket relies on consent, you may withdraw that consent at any time.
California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what categories of personal information Docket has collected, the right to delete personal information (subject to exceptions), the right to opt out of any "sale" or "sharing" of personal information (Docket does not sell or share personal information for cross-context behavioral advertising), and the right not to be discriminated against for exercising these rights.
European Economic Area and United Kingdom residents have rights under the General Data Protection Regulation (GDPR) and the UK GDPR, including the rights listed above plus the right to lodge a complaint with a data protection authority. Docket processes information about EEA/UK residents under contract (to provide the Service) or legitimate interests (to operate and improve the Service). Docket does not have a designated EU representative because we do not specifically target EEA/UK customers.
To exercise any of these rights, email privacy@docket-legal.com. We will respond within 30 days. We may need to verify your identity before honoring a request.
9. Security
Docket takes reasonable technical and organizational measures to protect your information:
- All traffic to and from Docket is encrypted in transit with TLS 1.2 or higher.
- OAuth refresh tokens and MiFile credentials are encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256). The master encryption key is stored in Docket's hosting environment and in a 1Password vault accessible only to a small number of trustees.
- Docket's database, hosted on Railway, is accessible only by Docket's application service and by a small number of operators who use Railway's private connection tooling. Database backups are encrypted.
- Docket uses Clerk for authentication, which manages password hashing, multi-factor authentication, and session management.
- Docket logs operational events without including credential material or document bodies.
- Docket has not undergone a third-party security audit (SOC 2 Type 1 or 2, ISO 27001, or CASA) as of the date of this policy. We commit to publishing the results of any such audit on this page once completed.
No system is perfectly secure. If we become aware of a breach affecting your information, we will notify you without undue delay and in any event within the timeframes required by applicable law.
10. Children
The Service is not directed to children under 13 years of age, and Docket does not knowingly collect information from children under 13. If you believe a child has provided information to Docket, please email privacy@docket-legal.com and we will delete it.
11. Changes to this policy
Docket may update this Privacy Policy from time to time. If we make material changes, we will:
- Email all active account holders at the email on file at least 14 days before the change takes effect.
- Update the "Last updated" date at the top of this policy.
- For material changes, prominently display a notice on the Docket portal for at least 30 days after the change.
Your continued use of the Service after the change takes effect constitutes your acceptance of the updated policy. If you do not agree with a change, you may delete your account at any time.
12. Contact us
For any privacy-related question, request, or complaint, email:
privacy@docket-legal.com
Or write to:
Docket c/o Dizik | Kaplan, Attorneys at Law
[Mailing address placeholder - Jordan to fill in]
Birmingham, Michigan
United States
If you do not receive a response within 30 days of your initial email, or if you are dissatisfied with our response, you may have the right to lodge a complaint with your local data protection authority.