Privacy Policy
Last updated May 2, 2026
1. Introduction
This Privacy Policy describes how Chad T. Gill, an Illinois sole practitioner doing business as “Gill Law” (“Firm,” “we,” “our,” or “us”), collects, uses, shares, and protects information when you use the website at gill.law, the client portal accessible from that website, and any related service (collectively, the “Service”).
This Policy supplements, but does not replace, the duties the Firm owes to clients and prospective clients under the Illinois Rules of Professional Conduct, including the duty of confidentiality under Rule 1.6 and the duties to prospective clients under Rule 1.18. To the extent any provision of this Policy conflicts with those duties or with applicable law, those duties and laws control.
Use of the Service is governed by our Terms of Service, which you should read alongside this Policy.
2. Information we collect
We collect information in the following categories:
(a) Information you provide
- Account information. When you create an account, we collect your name, email address, and, optionally, phone number, along with a password you choose. The password is stored only as a salted bcrypt hash; we never see or store the plaintext password.
- Intake and matter information. If you proceed beyond account creation, we collect information you submit through the intake flow or upload to the portal, such as descriptions of your legal matter, parties involved, dates, supporting documents, and related information.
- Communications. We collect messages you send through the portal’s secure-messaging feature, emails you send to Firm-controlled addresses, and notes from voice or video calls.
- Billing information. We keep records of fees, expenses, invoices, and payments related to any representation. We do not store credit card numbers. If we accept online payments, payment information is processed by a third-party payment processor under that processor’s own privacy and security practices.
(b) Information collected automatically
- Log and device information. When you use the Service, our servers automatically record your IP address, browser user-agent string, request timestamps, requested URLs, and HTTP response codes. This information is used for security, fraud prevention, troubleshooting, and aggregate usage analysis.
- Cookies and similar technologies. The portal sets an HTTP-only authentication cookie that holds your signed session. We may also use a small number of strictly necessary cookies for security, such as CSRF protection and rate-limiting. We do not currently use third-party advertising cookies or cross-site tracking. If we adopt analytics or advertising cookies in the future, we will update this Policy and provide an in-product notice before doing so.
- Bot-defense signals. When you submit a public form, such as a signup form, we use Cloudflare Turnstile to help confirm that the submission is from a real browser. Turnstile receives certain browser-environment signals from your device and processes them on Cloudflare’s infrastructure. See Cloudflare’s Privacy Policy.
(c) Information from third parties
We may receive information about you from third parties when necessary to evaluate a potential representation or provide legal services, such as opposing parties, opposing counsel, courts, public records, your prior counsel with your consent, or service providers we engage on your matter.
3. How we use information
We use information to:
- Operate, maintain, and secure the Service;
- Evaluate prospective representations, including running conflict-of-interest checks;
- Provide legal services and communicate with you about your matter, if we agree to represent you;
- Send transactional emails, such as account verification, password resets, and billing notices;
- Detect, prevent, and respond to fraud, abuse, security incidents, and unlawful activity;
- Comply with legal, regulatory, and professional obligations, including the Illinois Rules of Professional Conduct and applicable record-retention requirements;
- Defend the Firm’s legal interests, including responding to subpoenas and similar legal process;
- Improve the Service through aggregate, non-identifying usage analysis.
Use of artificial intelligence tools. We may use secure, attorney-approved artificial intelligence tools to assist lawyers and staff with tasks such as organizing information, summarizing materials, drafting, legal research, document review, and administrative support. We do not use client information to train public or general-purpose artificial intelligence models, and we require AI service providers we use not to use client information to train their models. We do not input confidential client information into AI tools unless we have determined that the use is appropriate for the representation and consistent with our duties of confidentiality, competence, supervision, and safeguarding client information under the Illinois Rules of Professional Conduct. AI-generated work product is reviewed by a lawyer before being relied upon or used in a client matter.
4. How we share information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only as follows:
- With your consent or at your direction. We share information when you direct us to do so, such as filings, correspondence, settlement communications, or other work performed on your behalf in a matter we are handling.
- With service providers. We use vendors to help us operate the Service and the Firm, including cloud hosting, security, bot defense, transactional email, document storage, productivity tools, legal-technology tools, payment processing, and similar operational services. These vendors are permitted to use information only to provide services to us and must protect it under contractual, legal, or professional obligations. Current or planned vendor categories include Amazon Web Services for hosting and infrastructure, Microsoft 365 for Firm email, productivity, and document storage, Cloudflare for security and bot defense, and a payment processor if online payments are enabled.
- For legal and professional reasons. We may disclose information when required to comply with applicable law, valid legal process, court orders, or regulatory obligations; to enforce our Terms of Service; to protect the rights, property, or safety of the Firm or others; or as necessary to comply with the Illinois Rules of Professional Conduct.
- In a business transition. If the Firm is acquired, merged with another firm, or otherwise transfers a legal practice, client information may be transferred only in a manner consistent with the Illinois Rules of Professional Conduct, applicable law, and any notice or consent obligations that apply.
5. Confidentiality and attorney-client privilege
Submitting information through the Service does not by itself create an attorney-client relationship. An attorney-client relationship with the Firm is formed only after (i) the Firm has completed a conflict-of-interest check, (ii) the Firm has agreed in writing to represent you in a specifically identified matter, and (iii) you have signed a written engagement letter or fee agreement.
If you consult with us about the possibility of representation, we treat information you provide consistently with our duties to prospective clients under Illinois Rule of Professional Conduct 1.18. To help avoid unnecessary conflicts, please provide only the information reasonably necessary for us to evaluate your inquiry until we ask for more detail.
After an attorney-client relationship is formed, communications between you and the Firm relating to your matter may be protected by the attorney-client privilege, the work-product doctrine, and the Firm’s duty of confidentiality under Illinois Rule of Professional Conduct 1.6, subject to applicable exceptions and legal requirements.
6. How we secure information
We use a combination of technical and operational safeguards designed to protect information you submit:
- Transport encryption. Connections to the Service are encrypted in transit using TLS. We also use HTTP Strict Transport Security where supported.
- At-rest encryption. Sensitive fields are encrypted at the application layer using modern authenticated encryption, and encryption keys are restricted to authorized server-side systems.
- Secure messaging. Portal messages are protected using modern cryptographic safeguards. Where end-to-end encrypted messaging is enabled, message content is designed so that the server cannot read it.
- Password storage. Account passwords are stored only as salted bcrypt hashes. We never see or store the plaintext password. We may also check chosen passwords against known breached-password datasets using privacy-preserving methods.
- Bot defense. Signup and account-security forms may be protected by Cloudflare Turnstile, rate-limiting, and honeypot checks designed to deter automated abuse.
- Audit logging. Access to and modification of sensitive records may be logged in an audit trail available to the Firm for security, troubleshooting, and compliance review.
- US-based infrastructure. The Service is hosted on infrastructure located in the United States.
No system is perfectly secure. We cannot guarantee that unauthorized access will never occur. If a security incident triggers notification obligations under the Illinois Personal Information Protection Act or other applicable law, we will provide notices to affected individuals and regulators, as required, in the manner and timeframe required by law.
7. Data retention
We retain information for as long as needed to provide the Service, comply with legal and professional-conduct obligations, resolve disputes, and enforce our agreements. Specifically:
- Trust-account and financial records are retained for at least seven (7) years after termination of the representation, as required by Illinois Rule of Professional Conduct 1.15A.
- Matter files are retained for the duration of an active matter and for the period set by the Firm’s file retention policy after the matter closes. Different retention periods may apply depending on the type of matter, client instructions, court orders, applicable law, professional-conduct obligations, or the need to protect the interests of the client or the Firm.
- Account-only records for users who created accounts but never engaged the Firm are retained for up to two (2) years from last activity, after which they may be deleted in the ordinary course.
- Audit-log entries are retained as needed for security investigations, troubleshooting, and compliance review.
When we delete information, we may retain residual copies in backups for a limited period as part of our disaster-recovery process. Backups are encrypted and access-controlled.
8. Privacy rights and requests
Depending on where you live and whether a particular privacy law applies to the Firm, you may have rights to request access to, correction of, deletion of, or portability of certain personal information, and to opt out of certain uses of personal information. We do not sell personal information and do not share personal information for cross-context behavioral advertising.
Even where a particular privacy law does not apply, we may choose to respond to reasonable privacy requests when doing so is consistent with our legal, ethical, and professional obligations.
We may deny, limit, or modify a request when required or permitted by law, including where fulfilling the request would conflict with court rules, legal-process obligations, attorney-client privilege, work-product protections, conflicts duties, record-retention duties, the Illinois Rules of Professional Conduct, or our ability to exercise or defend legal claims.
To submit a privacy request, contact us using the information in Section 12. We may need to verify your identity before responding.
9. Cookies and tracking choices
You can configure most browsers to refuse cookies, but doing so may break the portal’s authentication flow because the session cookie is required to stay signed in. The Service does not respond to Do-Not-Track signals because there is no industry consensus on what a compliant response is; we do not engage in cross-site tracking in the first place.
10. Children’s privacy
The Service is intended for use by adults. We do not knowingly allow anyone under 18 to create an account or submit information directly through the Service. However, clients and prospective clients may provide information about minors when relevant to a legal inquiry or representation. If you believe a minor has submitted information directly to us without appropriate authorization, please contact us using the information in Section 12.
11. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify users with active accounts by email and update the “Last updated” date at the top of this page at least seven (7) days before the changes take effect, except where a shorter period is required for legal, security, or operational reasons. Updated versions will apply to information collected after the effective date of the updated Policy, and your continued use of the Service will be subject to the updated Policy.
12. Contact
To exercise a privacy right or ask a question about this Policy:
Chad T. Gill, Attorney at Law
Gill Law
Email: chad@gill.law
If you are not satisfied with our response to a privacy request, you may have the right to file a complaint with your state attorney general, privacy regulator, or other applicable authority.