CapturePI, LLC (“CapturePI,” “we,” “us,” or “our”) provides embeddable, multi-step lead-capture flows and related services for law firms (the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect information in connection with our website, admin/communications, and embedded flows on our clients’ sites.
By using our website or Services, you agree to this Privacy Policy. If you do not agree, do not use the Services.
1) Who We Are & How We Operate
- CapturePI as Service Provider/Processor. For information submitted by end users through a client’s embedded flow (“Client Data”), we generally act as the client’s service provider/processor. The client (law firm) is the business/controller that determines the purposes and means of processing.
- CapturePI as Business/Controller. For our own marketing site, billing, support, and account communications (“Site/Account Data”), CapturePI acts as the business/controller.
Questions? Contact: privacy@capturepi.com or
CapturePI, LLC, [Street Address], [City], Pennsylvania [ZIP], USA.
2) What We Collect
A. Site/Account Data (we are the controller)
We collect information you provide directly to us (e.g., when you request a demo, subscribe, or communicate with us):
- Identifiers & contact info (name, firm, role, email, phone, mailing address).
- Billing info (payment method details handled by our PCI-compliant processor).
- Communications (emails, support tickets, feedback).
- Marketing preferences (newsletter opt-ins/opt-outs).
We also automatically collect:
- Device/usage data (IP address, pages visited, timestamps, referrer, approximate location, browser & OS, session identifiers).
- Cookies/pixels & similar tech for analytics, performance, and (limited) audience measurement.
B. Client Data in Embedded Flows (we are the processor)
When an end user completes a law firm’s embedded flow, we collect the fields the client configures, which may include:
- Contact details (name, email, phone), basic case facts, intake responses.
- Optional sensitive data if the client configures fields that elicit such data (e.g., incident descriptions).
- Prohibited without BAA: PHI under HIPAA unless a Business Associate Agreement (BAA) is executed and HIPAA mode is enabled (see Section 9).
C. Other Sources
We may receive business contact data from lead providers, events, referrals, or public sources (e.g., firm websites, bar directories) to support B2B outreach.
3) How We Use Information
Site/Account Data (as controller)
- Provide, operate, and improve our website and Services.
- Process subscriptions, payments, renewals, and customer support.
- Send administrative notices, security alerts, and service updates.
- Send marketing emails or texts (with consent where required) — you may opt out at any time.
- Analyze usage to improve performance, reliability, and user experience.
- Detect, prevent, and address fraud, abuse, or security incidents.
- Comply with law and enforce our Terms.
Client Data (as processor)
We process Client Data only on the client’s documented instructions to:
- Deliver the flow experience, capture submissions, and route/export to destinations the client selects (e.g., CRM, email, webhook).
- Provide analytics, scoring/flagging (e.g., Lead Grade™, Hot Lead Alert™), and anti-abuse.
- Maintain, secure, and support the Services.
We do not sell Client Data or use it to build profiles for our own advertising.
4) Cookies & Similar Technologies
We and our service providers use cookies, pixels, tags, and SDKs to operate the site, remember preferences, analyze traffic, and (limited) measure campaign performance. You can manage cookies via your browser settings; disabling some cookies may limit functionality.
Do Not Track: Our Services do not respond to browser DNT signals. We honor legally required opt-out mechanisms where applicable.
5) How We Share Information
We may share information as follows:
- With Service Providers/Subprocessors. We use vendors for hosting, infrastructure, email/SMS, analytics, support, and payments. Key example: Heyflow GmbH (“Heyflow”) as an underlying platform provider for our embedded flows (see Section 10). Vendors may only process information to perform services for us and must implement appropriate safeguards.
- With Client-Directed Destinations (Client Data). At a client’s instruction, we transmit submissions to systems the client configures (e.g., CRM, inbox, webhook). The client controls those destinations and their privacy practices.
- Business Transfers. In a merger, acquisition, financing, restructuring, or sale of assets, information may be transferred to the acquiring entity subject to this Policy.
- Legal, Safety, and Rights. We may disclose information to comply with law, lawful requests, or legal process; enforce our terms; protect rights, safety, and security; or investigate fraud or abuse.
- Aggregated/De-identified Data. We may use and share aggregated or de-identified information that does not identify an individual or client.
We do not sell personal information and we do not share Client Data for cross-context behavioral advertising.
6) Your Privacy Choices
- Marketing Emails. Unsubscribe via the link in our emails or email privacy@capturepi.com.
- SMS/Texts (TCPA). If you opt in to receive texts, you consent to receive messages at the number provided. Message & data rates may apply. Reply STOP to opt out; HELP for help. Opt-in is not required to use the Services. We do not share mobile numbers with third parties for their marketing.
- Cookies. Manage via your browser; some states provide additional choices.
- Client Data Rights. End users should send requests (access/correction/deletion) to the law firm that controls the flow; we support our clients in fulfilling those requests.
7) State Privacy Rights (including California)
Depending on your state (e.g., CA, CO, CT, UT, VA), you may have rights to access, correct, delete, or obtain a copy of certain personal information, and to opt out of certain processing. For Site/Account Data we control, submit requests to privacy@capturepi.com with “Privacy Request” in the subject, your name, state, and what you’re requesting. We’ll verify your identity and respond as required by law.
California (CPRA) Disclosures:
- We do not sell personal information.
- We do not share personal information for cross-context behavioral advertising.
- Categories we collect (for Site/Account Data): identifiers, commercial info, internet activity, geolocation (approximate), and inferences (limited).
- Sensitive data: we do not use or disclose sensitive personal information for purposes requiring a “Limit Use” link.
- Retention: see Section 8.
Authorized agents may submit requests with proof of authority. We won’t discriminate against you for exercising your rights.
8) Retention
We retain Site/Account Data for as long as needed for the purposes in this Policy (typically the duration of your relationship plus a reasonable period) and to comply with legal obligations.
For Client Data, retention is governed by the client’s instructions and our agreements; we may retain limited logs/archives for security, continuity, and compliance.
9) HIPAA & PHI
CapturePI is not a HIPAA Covered Entity. PHI must not be submitted to the Services unless and until the client executes our Business Associate Agreement (BAA) and we enable HIPAA-compatible features. In HIPAA mode, some features may be restricted. Clients are solely responsible for determining HIPAA applicability, minimizing PHI collection, and configuring their flows accordingly. To request a BAA, contact privacy@capturepi.com.
10) Underlying Platform (Heyflow) & Subprocessors
Our embedded flows are built and delivered using third-party software provided by Heyflow GmbH. CapturePI is not the developer or operator of Heyflow and makes no warranties regarding Heyflow’s platform availability, security, or features. We provide our proprietary CapturePI customizations on top of Heyflow. We may engage additional infrastructure and support vendors. Upon request, we can provide a current list of material subprocessors.
11) Security
We implement commercially reasonable technical and organizational measures to protect information (encryption in transit, access controls, logging, least-privilege practices, and vendor diligence). No security program is perfect; transmission and storage involve risk. If we believe the security of your information has been compromised, we will take appropriate steps and notify clients/end users as required by law.
12) Children’s Privacy
Our Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided information, contact privacy@capturepi.com and we will delete it promptly.
13) International Transfers
We operate in the United States. If you access the Services from outside the U.S., you understand that your information may be transferred to, stored, and processed in the U.S. and other countries, which may have different data-protection laws than your jurisdiction.
14) Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will post the update and revise the “Last Updated” date, and we may also notify you by email or through the Services. Your continued use of the Services after an update means you accept the revised Policy.
15) Contact Us
Questions or requests about this Policy or our data practices:
privacy@capturepi.com
CapturePI, LLC
[Street Address] • [City], PA [ZIP], USA