Overview
GLF WC PD Rater is a California workers' compensation permanent disability rating tool designed for licensed legal professionals and claims administrators. The App operates in two tiers — a Free tier and a Pro tier — each with distinct data handling characteristics described below.
We are committed to handling all data, including sensitive claimant information, with the care and confidentiality that legal professionals are obligated to maintain.
Information We Do — and Do Not — Collect
A. Claimant and Case Data (User-Entered — Stored Locally Only)
To perform permanent disability calculations, you may enter case-related information into the App, which may include:
- Injured worker name
- Date of birth and date of injury
- Claim or adjudication number (ADJ number)
- Body part(s) affected, whole person impairment (WPI) percentages, and occupation/age modifiers
We do not collect, receive, retain, or have access to any of this information. It is stored solely on your device within the App's sandboxed container and is never transmitted to Gimbel Law Firm PC, any server we operate, or any third party (except when you voluntarily invoke Pro tier AI or MerusCase features, as described below). We have no ability to access, view, retrieve, or recover this data under any circumstances.
We do not request, and users should not enter, Social Security numbers, financial account numbers, or other highly sensitive government identifiers.
B. Subscription and Payment Information
Pro tier subscriptions are processed exclusively through Apple's in-app purchase system. We do not collect, store, or have access to your payment card details. All billing is governed by Apple's Privacy Policy.
C. Third-Party API Credentials (Pro Tier Only)
If you enable AI-powered extraction features in the Pro tier, you will be asked to provide your own API key for a supported AI provider (Anthropic Claude or OpenAI GPT-4o). This key is stored securely in your device's macOS Keychain and used solely to authenticate requests you initiate. We do not transmit your API key to our servers.
If you enable MerusCase integration, you will provide a MerusCase bearer token obtained through MerusCase's OAuth authorization process. This token is also stored in your macOS Keychain and used only to communicate directly with MerusCase's API at your direction.
How We Use Information
| Feature | Free Tier | Pro Tier |
|---|---|---|
| PD Calculations | Computed entirely on-device. No data leaves your Mac. | Same as Free. Calculations remain local. |
| AI Extraction / Analysis | Not available. | Case data you select is transmitted to your chosen AI provider (Anthropic or OpenAI) using your own API key. We do not intermediate, log, or store this data. |
| Subscription Management | N/A | Handled by Apple. We receive only a tokenized entitlement confirmation. |
| Analytics / Telemetry | We do not collect usage analytics, crash reports, or behavioral telemetry at this time. | We do not collect usage analytics, crash reports, or behavioral telemetry at this time. |
Data Storage and Local Processing
All case data entered into the App is stored locally on your device. We do not operate servers that receive, store, or process your case data. You are solely responsible for the security and backup of data stored on your device.
We strongly encourage users to:
- Enable FileVault full-disk encryption on their Mac
- Use a strong device passcode and lock screen
- Follow all applicable professional obligations regarding the safeguarding of client information under the California Rules of Professional Conduct and applicable confidentiality laws
Third-Party AI Providers (Pro Tier)
When you use AI-powered features, data is transmitted directly from your device to the AI provider whose API key you have configured. This transmission is governed by that provider's own privacy policy and terms of service, not ours.
Neither Gimbel Law Firm PC nor the GLF WC PD Rater application is a HIPAA-covered entity or business associate. The App does not represent, warrant, or guarantee HIPAA compliance in connection with the transmission or processing of any information.
Third-party AI providers supported by the App's Pro tier features (including but not limited to Anthropic and OpenAI) are not HIPAA-compliant and have not entered into Business Associate Agreements (BAAs) with Gimbel Law Firm PC. If you choose to use AI-powered features and submit case-related data — including any information that may constitute protected health information (PHI) under HIPAA or confidential medical-legal information under California law — you do so entirely at your own risk.
You are solely responsible for determining whether your use of any AI feature complies with HIPAA, the California Confidentiality of Medical Information Act (CMIA), applicable workers' compensation confidentiality statutes, your firm's data security policies, and any other applicable professional or legal obligations. We make no representations and provide no warranties of any kind regarding the compliance, security, or suitability of third-party AI providers for handling sensitive legal or medical information.
We strongly recommend that you only upload medical reports for AI analysis that have been properly redacted of all personally identifying information (PII), including but not limited to Social Security numbers, home addresses, dates of birth, and any other information not essential to the PD rating analysis.
We further recommend consulting with your firm's compliance counsel before transmitting any PHI or sensitive claimant medical information through AI-powered features.
Data Sharing and Disclosure
We do not sell, rent, trade, or otherwise share your personal information or case data with third parties, except in the following limited circumstances:
- With AI providers (Pro, at your direction): As described in Section V ("Third-Party AI Providers (Pro Tier)") above, solely when you invoke an AI feature.
- With MerusCase (Pro, at your direction): If you connect MerusCase integration, case data is transmitted directly to MerusCase servers using your own bearer token when you pull case data or upload PDF reports.
- Apple (subscription management): As required to process and validate in-app purchases.
- Legal compliance: If required by applicable law, court order, or governmental authority.
- Business transfers: In connection with a merger, acquisition, or sale of assets, subject to standard confidentiality obligations.
California Privacy Rights (CCPA)
We are headquartered in California and take our obligations under the California Consumer Privacy Act (CCPA) seriously. Because we do not transmit or store your personal information on our servers in the course of normal App operation, most CCPA rights (access, deletion, portability) are exercised directly on your own device by managing your App data locally.
If you have questions about California privacy rights as they apply to this App, please contact us at the address below.
Children's Privacy
The App is intended solely for use by licensed legal professionals, claims administrators, and related workers' compensation practitioners. It is not directed at children under the age of 13, and we do not knowingly collect information from children.
Data Retention
Because all case data is stored locally on your device, retention is entirely in your control. Uninstalling the App will remove App-specific files, but you should verify any locally cached data has been removed in accordance with your records retention obligations.
Security
We design the App to avoid unnecessary data transmission. For data that does leave your device (Pro tier AI and MerusCase features), communications are conducted over encrypted HTTPS connections to the respective provider. Your API keys and bearer tokens are stored in your device's macOS Keychain — Apple's secure, encrypted credential store — and are not transmitted except to authenticate requests to the providers you have designated.
No security measure is perfect. We encourage you to maintain appropriate device-level security controls consistent with your professional obligations.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page and, where appropriate, provide notice within the App or via the App Store update notes. Continued use of the App following any update constitutes acceptance of the revised policy.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy, please contact: