Glass Box Solutions, Inc.
Effective Date: January 25, 2026 Last Updated: January 25, 2026
1. Introduction
This Privacy Notice describes how Glass Box Solutions, Inc. ("Glass Box Solutions," "we," "us," or "our") collects, uses, discloses, and protects information when you use the Adjudica.AI platform and related services (collectively, the "Service").
Adjudica.AI is a legal AI platform designed for California Workers' Compensation attorneys. The Service processes documents that may contain Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act ("HIPAA").
Important: This Privacy Notice supplements our Master Privacy Policy. For general information about Glass Box Solutions' privacy practices, please review our Master Privacy Policy.
2. Our Role Under HIPAA
2.1 Business Associate Status
Glass Box Solutions operates as a Business Associate under HIPAA when processing PHI on behalf of our customers. We are not a Covered Entity under HIPAA.
When you (a law firm) use Adjudica.AI to process documents containing PHI:
- You may be acting as a Business Associate to healthcare providers (Covered Entities)
- Glass Box Solutions is your Business Associate (or Subcontractor)
- Our AI service providers are our Business Associates
2.2 Business Associate Agreement
Before processing PHI through Adjudica.AI, you must have a Business Associate Agreement ("BAA") in place with Glass Box Solutions. Our BAA outlines our respective obligations regarding the protection of PHI.
To request a BAA, contact: legal@adjudica.ai
3. Information We Collect
3.1 Account Information
| Data Type | Examples | Purpose |
|---|---|---|
| Identity Information | Name, email, firm name | Account management |
| Professional Information | Bar number, practice areas | Service customization |
| Billing Information | Payment method, billing address | Payment processing |
| Authentication Data | Password (hashed), MFA settings | Account security |
3.2 Case and Document Data
When you use Adjudica.AI, you may upload or input documents and information related to your California Workers' Compensation cases. This includes the core document types that define WC practice:
| Data Type | Examples | May Contain PHI |
|---|---|---|
| Case Documents | Medical records from treating physicians, QME reports, AME evaluations, Panel QME reports, depositions | Yes |
| Medical Records | Treatment records, diagnostic reports, surgical notes, medication histories | Yes |
| Legal Documents | WCAB filings, pleadings, correspondence with opposing counsel, case summaries, claim files | Possibly |
| AI Interactions | Queries about case documents, analysis requests, prompts related to PD ratings or apportionment | Possibly |
WC context: When you ask Adjudica to analyze a treating physician's permanent and stationary report, the content of that report — including the claimant's diagnosis, WPI rating, and work restrictions — is processed to provide you with the AI analysis. That content is yours and your client's. We process it to serve you, and only for that purpose.
3.3 Protected Health Information (PHI)
PHI processed through Adjudica.AI may include:
- Patient names and contact information
- Medical record numbers
- Dates of treatment, dates of injury, and industrial injury dates
- Diagnoses and conditions, including body parts injured and permanent disability findings
- Treatment information, including records from treating physicians, QMEs, AMEs, and Panel QMEs
- Disability ratings and evaluations, including whole person impairment percentages
- Medications and prescriptions
- Correspondence with the WCAB related to a specific claimant
3.4 Technical and Usage Data
| Data Type | Examples | Purpose |
|---|---|---|
| Log Data | IP address, browser type, access times | Security, troubleshooting |
| Usage Data | Features used, documents processed | Service improvement |
| Device Information | Operating system, device identifiers | Compatibility |
4. How We Use Your Information
4.1 To Provide the Service
We use your information to:
- Process and analyze legal documents using AI
- Generate case summaries and legal analysis
- Calculate permanent disability ratings
- Provide source citations for AI outputs
- Maintain your account and preferences
4.2 For Security and Compliance
We use your information to:
- Protect against unauthorized access
- Detect and prevent fraud
- Maintain audit logs as required by HIPAA
- Comply with legal obligations
- Enforce our Terms of Service
4.3 To Improve the Service
We use de-identified and aggregated data to:
- Improve AI accuracy and performance
- Develop new features
- Conduct research and analysis
We do not use your PHI or client data to train our AI models without your explicit written consent.
5. How We Share Your Information
5.1 AI Service Providers
To provide AI-powered analysis, we share data with our AI service providers:
| Provider | Service | BAA Status |
|---|---|---|
| Google Cloud | Gemini AI, Vertex AI, Document AI | Required |
Our AI provider (Google) is bound by a Business Associate Agreement that prohibits them from using your data to train AI models.
5.2 Other Disclosures
We may share your information:
- With your consent: When you authorize specific disclosures
- To service providers: Who assist with payment processing, customer support, and infrastructure
- For legal compliance: When required by law, subpoena, or court order
- For safety: To protect the rights, property, or safety of you, us, or others
- In business transfers: If we are involved in a merger, acquisition, or asset sale
5.3 We Do Not
- Sell your personal information or PHI
- Share data for cross-context behavioral advertising
- Use PHI for marketing without authorization
- Provide access to third parties for their own purposes
6. Your Rights
6.1 HIPAA Rights (For PHI)
If you are a patient whose PHI is processed through Adjudica.AI, you have the following rights under HIPAA. These rights should be exercised through your healthcare provider or attorney:
| Right | Description |
|---|---|
| Access | Request a copy of your PHI |
| Amendment | Request correction of inaccurate PHI |
| Accounting of Disclosures | Request a list of certain disclosures of your PHI |
| Restriction | Request restrictions on certain uses or disclosures |
| Confidential Communications | Request communications through alternative means |
To exercise HIPAA rights related to PHI processed through Adjudica.AI, please contact your attorney or healthcare provider, who may then contact us.
6.2 California Confidentiality of Medical Information Act (CMIA)
In addition to your rights under HIPAA, California's Confidentiality of Medical Information Act (Civil Code §§ 56–56.37) provides patients whose medical information is processed in California with additional protections, including:
| Right | Description |
|---|---|
| Authorization Required | A separate, signed authorization is generally required before medical information may be used or disclosed for purposes beyond treatment, payment, or healthcare operations |
| Right to Notice of Disclosure | You may request information about specific disclosures of your medical information |
| Private Right of Action | CMIA provides a statutory right of action with nominal damages of $1,000 per violation, in addition to actual damages |
Glass Box's CMIA position. When PHI is processed through Adjudica.AI on behalf of a California law firm acting for a workers' compensation claimant, Glass Box treats that information as "medical information" under CMIA and applies CMIA's standards in addition to HIPAA's. We do not disclose CMIA-regulated information except as authorized by the patient (typically through their attorney), as required by law, or as expressly permitted under CMIA §56.10.
To raise a CMIA-specific concern about information processed through Adjudica.AI, please contact your attorney or email privacy@adjudica.ai.
6.3 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Right to Know | Request disclosure of information collected | Email privacy@adjudica.ai |
| Right to Delete | Request deletion of your information | Email privacy@adjudica.ai |
| Right to Correct | Request correction of inaccurate information | Email privacy@adjudica.ai |
| Right to Opt-Out | Opt-out of sale/sharing (we do not sell) | N/A |
| Right to Limit | Limit use of sensitive personal information | Email privacy@adjudica.ai |
| Non-Discrimination | Not be discriminated against for exercising rights | Automatic |
Response Time: We will respond to verifiable requests within 45 days.
6.4 Data Portability
You may request an export of your data in a machine-readable format. Contact support@adjudica.ai to request a data export.
7. Data Security
7.1 Technical Safeguards
We implement the following security measures to protect your information:
| Measure | Implementation |
|---|---|
| Encryption at Rest | AES-256 encryption for all stored data |
| Encryption in Transit | TLS 1.3 for all data transmission |
| Access Controls | Role-based access with principle of least privilege |
| Authentication | Multi-factor authentication available |
| Audit Logging | Comprehensive logging of all PHI access |
| Key Management | Secure key management via Google Cloud Secret Manager |
7.2 Administrative Safeguards
- Security awareness training for all personnel
- Background checks for employees with data access
- Incident response procedures
- Regular security assessments
7.3 Physical Safeguards
All data is stored in secure, SOC 2 Type II certified data centers operated by Google Cloud Platform in the United States.
8. Data Retention
8.1 Retention Periods
| Data Type | Retention Period | Basis |
|---|---|---|
| PHI and Case Data | 6 years from last access | HIPAA requirement |
| Audit Logs | 6 years | HIPAA requirement |
| Account Information | Duration of account + 30 days | Business necessity |
| Billing Records | 7 years | Tax/legal requirements |
| Technical Logs | 90 days | Security |
8.2 Data Deletion
Upon account termination or at your request (subject to legal retention requirements):
- Case data and documents are securely deleted within 30 days
- Audit logs are retained for 6 years as required by HIPAA
- Backups are purged within 90 days
9. AI Processing and Transparency
9.1 How AI Processes Your Data
Adjudica.AI uses artificial intelligence to:
- Analyze and summarize legal documents
- Extract relevant information from medical records
- Calculate permanent disability ratings
- Provide source-attributed legal analysis
For detailed information about our AI systems, capabilities, and limitations, please review our AI Transparency Disclosure.
9.2 Your Data and AI Model Training
We do not use PHI, document content, or case-specific information to train AI models.
Your medical records from treating physicians, QME and AME evaluation reports, WCAB correspondence, and case queries are processed to provide you with AI-powered analysis — and for no other purpose. They are never retained or used to train AI models.
We do collect de-identified behavioral signals — such as classification corrections (e.g., correcting an AI classification from "Medical Report" to "Panel QME Report"), quality feedback on case summaries, and usage patterns — to improve platform accuracy. These signals contain no PHI, no document content, and no case-specific information. For complete details on how we handle any data derived from your case work, including our PHI firewall architecture, see our Platform Improvement Data Policy.
9.3 Source Attribution
Our "Hover to Source" feature links AI outputs to their underlying sources (statutes, regulations, case law, medical references) to promote transparency and enable verification.
10. Children's Privacy
Adjudica.AI is designed for use by legal professionals and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children.
11. International Considerations
11.1 Data Location
All data is stored and processed in the United States. We do not transfer data outside the United States.
11.2 Applicable Law
This Privacy Notice is governed by the laws of the State of California and applicable federal laws, including HIPAA.
12. Changes to This Privacy Notice
We may update this Privacy Notice from time to time. We will notify you of material changes by:
- Email notification to the address associated with your account
- Prominent notice within the Service
- Updating the "Last Updated" date
Your continued use of the Service after changes become effective constitutes acceptance of the revised Privacy Notice.
13. Contact Information
General Privacy Inquiries
Email: privacy@adjudica.ai
HIPAA-Related Inquiries
Email: hipaa@adjudica.ai
Data Protection Officer
Email: dpo@glassboxsolutions.com
Mailing Address
Glass Box Solutions, Inc. [INSERT ADDRESS]
14. Notice of Privacy Practices Summary
This section provides a summary of how we handle Protected Health Information.
Uses and Disclosures
We may use and disclose your PHI:
- To provide legal AI analysis services as requested by your attorney
- As required by law
- For health oversight activities
- In response to court orders or legal process
- To avert serious threats to health or safety
Your Rights
You have the right to:
- Access your PHI
- Request amendments to your PHI
- Receive an accounting of disclosures
- Request restrictions on uses and disclosures
- Receive confidential communications
Our Duties
We are required to:
- Maintain the privacy and security of your PHI
- Notify you if a breach affects your PHI
- Follow the terms of this Notice
- Not use or disclose your PHI for marketing without authorization
- Not sell your PHI
Contact for HIPAA Concerns
If you believe your privacy rights have been violated, you may file a complaint with:
- Glass Box Solutions: hipaa@adjudica.ai
- U.S. Department of Health and Human Services: www.hhs.gov/ocr/privacy/hipaa/complaints/
We will not retaliate against you for filing a complaint.
This Privacy Notice is effective as of 2026-02-23. Glass Box Solutions, Inc. reserves the right to modify this Privacy Notice at any time in accordance with applicable law.
@Developed & Documented by Glass Box Solutions, Inc. using human ingenuity and modern technology