Privacy Policy
PRIVACY POLICY
Cross Matter™ Legal AI Platform
Effective date: 07/16/2026 Last updated: 07/16/2026
1. Scope and the Critical Distinction Between Two Kinds of Data
This Privacy Policy explains how Converge Health LLC (“Converge Health,” “we,” “us”) handles personal information that we control: information about visitors to our website at www.crossmatter.com (the “Site”), people who contact us, request a demonstration, or correspond with us, and the business contacts, billing contacts, and administrators of our law-firm customers. We refer to these people collectively as “you.”
Cross Matter is a software platform that law firms use to ingest, organize, and analyze their litigation files. Those files — medical records, billing records, depositions, pleadings, correspondence, and the personal and health information they contain — are Customer Data under our Master Services Agreement (“MSA”). When a law firm loads Customer Data into the platform, Converge Health acts as that firm’s service provider, data processor, and HIPAA business associate, processing the data only on the firm’s instructions.
This Privacy Policy does not govern Customer Data. Our collection, use, retention, return, and deletion of Customer Data — including any protected health information (“PHI”) and any personal data within it — are governed solely by the MSA, the Business Associate Agreement (“BAA”), and the Data Processing Agreement (“DPA”) between Converge Health and the customer, not by this Policy. If you are an individual whose information appears in a law firm’s matter (for example, a client, patient, witness, or opposing party), the law firm — not Converge Health — is the party responsible to you for that data, and you should direct any request about it to that firm.
2. United States Only
The Site and our services are intended for businesses and individuals located in the United States. We do not direct the Site or our services to the European Economic Area, the United Kingdom, or other jurisdictions, and we do not knowingly market to or solicit personal data from individuals in those regions. If you access the Site from outside the United States, you do so on your own initiative and are responsible for compliance with local law.
3. Information We Collect (as a Controller)
We collect the following categories of personal information about Site visitors and business contacts:
3.1 Information you give us
| Category | Examples | Why we collect it |
| Identifiers and contact details | Name, business email, business phone, employer, job title, postal address | Respond to inquiries, schedule demonstrations, manage the customer relationship, send notices |
| Account and administrative data | Login credentials and role for authorized users and administrators of customer accounts | Provision and secure access to the platform; account administration |
| Billing and transaction data | Billing contact, purchase order and invoice details, payment-method information processed by our payment processor | Invoicing, payment, and tax and accounting records |
| Communications | The content of emails, support tickets, demo-request and contact forms, and survey or feedback responses | Provide support, improve our offerings, and keep business records |
| Internet and device activity; online identifiers | Random identifier stored in your browser's local storage; pages and sections viewed, scroll depth, links and buttons clicked, time on page, referring website, and campaign (UTM) parameters; coarse country-level location; browser type | Understand and improve how visitors use the Site; maintain Site security |
3.2 Information we collect automatically
Analytics. We use first-party analytics that we operate and host ourselves to understand how visitors use the Site, for example, pages and sections viewed, scroll depth, links and buttons clicked, time on page, the referring website, and any marketing-campaign parameters (UTM tags) in the link you followed. We collect and store this information ourselves. As currently configured, the Site does not use Google Analytics or other third-party analytics providers, and does not use advertising or conversion pixels such as Google Ads, LinkedIn, or Meta. Our service providers are contractually limited to processing Site data only to provide services to us and may not use it for their own purposes. If we add any third-party analytics or advertising technology, we will update this Policy and provide any opt-out choices the law requires before doing so.
4. How We Use Personal Information
We use the personal information described in Section 3 to: operate and secure the Site; respond to your inquiries and provide demonstrations; establish, administer, and support customer accounts; invoice and collect payment; send administrative, transactional, and (where permitted) marketing communications; maintain business and compliance records; detect, investigate, and prevent fraud, security incidents, and misuse; and comply with law and enforce our agreements.
No advertising sales. No data sales. We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising, as those terms are defined under U.S. state privacy laws.
5. Artificial Intelligence and Model Training
Cross Matter uses AI features to generate Output (such as chronologies, billing audits, and witness-preparation materials) for customers from their own Customer Data. Two commitments govern how that data may ever be used to improve our technology, and they are set out in full in the MSA, BAA, and DPA:
- We do not train AI models on PHI. We will not use protected health information to develop, train, fine-tune, or improve any machine-learning model, except as strictly necessary to generate Output for the customer’s own matters. (BAA §4.)
- We do not train AI models on identifiable Customer Data, and we do not train any cross-customer model on customer-identifying data. We may improve our products and models only using data that has first been de-identified to the HIPAA standard at 45 C.F.R. § 164.514(b), at which point it is no longer PHI or Customer Data and is no longer reasonably linkable to any person or matter. (MSA §§4.4–4.5; DPA §11.2.)
This Section describes our position for transparency only. The binding commitments, and any customer opt-out, live in the MSA, BAA, and DPA, which control.
6. When We Disclose Personal Information
We disclose personal information only as follows:
- Service providers. Vendors that host our infrastructure, process payments, provide analytics, send email, and provide security and IT services, each bound by contract to protect the information and use it only to serve us. (For vendors that process Customer Data, see the DPA sub-processor terms, DPA §6.)
- Affiliates. Entities under common ownership with Converge Health, for the purposes described in this Policy and under equivalent protections.
- Legal and safety. Where required by law, subpoena, or legal process, or to protect the rights, property, or safety of Converge Health, our customers, or others, or to investigate fraud or a security incident.
- Corporate transactions. In connection with a merger, acquisition, financing, or sale of all or part of our business, subject to the protections of this Policy and applicable law.
We do not disclose Customer Data, PHI, or matter content under this Policy; disclosure of that data is governed exclusively by the MSA, BAA, and DPA.
7. Your Privacy Choices and Rights
Depending on your state of residence, U.S. state privacy laws (including the California Consumer Privacy Act as amended by the CPRA, and comparable laws in Virginia, Colorado, Connecticut, Utah, and other states) may give you rights to access, correct, delete, or obtain a portable copy of the personal information we hold about you as a controller, and to be free from discrimination for exercising those rights. Because we do not sell or share personal information for cross-context behavioral advertising, no opt-out of those activities is necessary.
To exercise a right, email [email protected] with enough detail for us to locate your information and verify your identity; we cannot fulfill a request we cannot reasonably verify. We will respond within the time required by applicable law (generally 45 days, extendable once where permitted). An authorized agent may submit a request with proof of authorization.
Requests about matter data. If your request concerns personal information contained in a law firm’s matter on the platform, we will, consistent with our role as processor and business associate, refer the request to the responsible law firm (the controller / covered entity) rather than act on it ourselves, and we will assist that firm in responding as required by the DPA (§7) and BAA (§8).
Marketing communications. You may opt out of marketing email at any time using the unsubscribe link or by emailing us. We will still send transactional and administrative messages necessary to provide our services.
8. Cookies and Do-Not-Track
We use strictly necessary cookies to operate the Site and limited analytics cookies to understand Site usage. You can control cookies through your browser settings; disabling some cookies may affect Site functionality. Because there is no common industry standard for “Do Not Track” signals, the Site does not currently respond to them.
Global Privacy Control (GPC). Because we do not sell or share personal information (see Section 7), we are not required to, and do not, respond to Global Privacy Control signals. GPC is legally distinct from the Do Not Track signal addressed above. If our practices change such that we sell or share personal information, we will honor a GPC signal as a valid opt-out as required by the CPRA.
9. Data Security
We maintain administrative, physical, and technical safeguards designed to protect personal information, including encryption in transit and at rest, access controls, and audit logging. The platform’s safeguards for Customer Data and PHI are described in the DPA (Schedule 2) and BAA (§5). No system is perfectly secure, and we cannot guarantee absolute security.
10. Data Retention
We retain the personal information we control for as long as needed for the purposes described in this Policy — to maintain the customer relationship, meet legal, tax, and accounting obligations, and resolve disputes — and then delete or de-identify it. Retention, return, and deletion of Customer Data and PHI are governed by the MSA (§10.4), BAA (§11), and DPA (§11), which permit a customer to obtain return or deletion of identifiable data and which allow Converge Health to retain only data that has already been de-identified to the HIPAA standard.
11. Children
The Site and our services are intended for businesses and for individuals who are at least 18 years old. We do not knowingly collect personal information from children through the Site. Note that this concerns information we collect as a controller; personal information of minors that appears within a law firm’s matter (for example, in medical or litigation records) is Customer Data handled under the MSA, BAA, and DPA, on the firm’s instructions.
12. Changes to This Policy
We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, where required by law or for material changes, provide additional notice. Your continued use of the Site after an update takes effect constitutes acceptance of the updated Policy to the extent permitted by law.
13. How to Contact Us
Converge Health LLC — Privacy
330 S Second Avenue, Suite 200-1028, Minneapolis, MN 55401
Email: [email protected]
Related agreements: Master Services Agreement, Business Associate Agreement, and Data Processing Agreement, provided to customers and prospective customers on request. Those agreements, not this Policy, govern Customer Data and PHI.