Privacy Policy

1. Introduction

Carlos Sandoval Law Firm (“the Firm,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information obtained in connection with our legal services and the digital tools we employ, including Intuit QuickBooks and QuickBooks Payments (collectively, “Intuit Services”), to manage billing, accounting, and payment processing.

This Policy applies to all clients, prospective clients, vendors, employees, and any other individuals whose personal data the Firm processes. By engaging our services or submitting your information to us, you acknowledge that you have read and understood this Privacy Policy.

If you have questions or concerns about this Policy, please contact us using the information provided in Section 14.

2. Information We Collect

We may collect the following categories of personal information:

2.1 Personal Identification Information

• Full name, date of birth, and government-issued identification numbers

• Postal address, email address, and telephone numbers

• Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN) where required for legal or tax matters

• Immigration status or nationality when relevant to legal representation

2.2 Financial and Payment Information

• Credit card numbers, debit card numbers, and bank account details collected through QuickBooks Payments (Intuit)

• Billing addresses and payment history

• Invoice records and retainer agreements

• Tax-related financial information processed through QuickBooks

2.3 Legal Matter Information

• Case details, legal documents, court records, and correspondence

• Information shared during attorney-client consultations

• Records of legal proceedings, negotiations, or settlements

2.4 Technical and Usage Information

• IP address, browser type, and device identifiers when you visit our website or client portal

• Log files and cookies for site functionality and security purposes

• Communication records including emails and electronic messages

2.5 Information from Third Parties

• Publicly available records, court databases, and government registries

• Information provided by opposing parties or third parties in the course of legal representation

• Credit reports or background check results when necessary for a legal matter

3. How We Use Your Information

We process your personal information for the following lawful purposes:

• Providing legal services, advice, and representation as contracted

• Processing payments, issuing invoices, and managing accounts through Intuit QuickBooks and QuickBooks Payments

• Maintaining accurate accounting records and complying with tax obligations

• Communicating with you about your legal matter, billing, and firm updates

• Verifying your identity and performing conflict-of-interest checks

• Complying with legal, regulatory, and ethical obligations imposed on attorneys

• Detecting and preventing fraud, unauthorized access, and security incidents

• Improving our services, internal processes, and client experience

• Enforcing our engagement agreements and collecting fees owed

We will not use your information for automated decision-making or profiling that produces legal or similarly significant effects without your explicit consent.

4. Sharing and Disclosure of Information

The Firm does not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

4.1 Intuit (QuickBooks and QuickBooks Payments)

We use Intuit QuickBooks for accounting and bookkeeping, and QuickBooks Payments as a payment gateway. Financial and billing information is transmitted to and stored by Intuit, Inc., subject to Intuit’s own Privacy Policy available at https://www.intuit.com/privacy/statement/. Intuit is a trusted service provider acting as a data processor on our behalf.

4.2 LawPay (Affinipay, LLC)

We also use LawPay, a legal-industry payment platform operated by Affinipay, LLC, to accept credit card, debit card, and eCheck payments from clients. LawPay is specifically designed to comply with lawyer trust accounting rules (IOLTA) and applicable bar association guidelines. Payment data processed through LawPay is subject to Affinipay’s Privacy Policy available at https://www.lawpay.com/about/privacy-policy/. LawPay acts as a data processor on our behalf and is bound by applicable data protection obligations.

4.3 Service Providers and Vendors

We may disclose information to carefully vetted third-party vendors who assist us in operating our practice (e.g., cloud storage, document management, cybersecurity), provided they are bound by confidentiality agreements and may only process data under our instructions.

4.4 Legal and Regulatory Requirements

We may disclose information as required by law, court order, subpoena, or government regulation. We may also disclose information to protect the rights, property, or safety of the Firm, our clients, or the public.

4.5 With Your Consent

We may share your information with third parties when you have explicitly authorized us to do so, or when disclosure is necessary to carry out your instructions in a legal matter.

4.6 Business Transfers

In the event of a merger, acquisition, dissolution, or sale of firm assets, your personal information may be transferred as part of that transaction. We will notify you prior to any such transfer and inform you of any changes to this Privacy Policy.

5. Payment Processing – LawPay and QuickBooks Payments

The Firm accepts client payments through two PCI DSS-compliant payment platforms: LawPay (operated by Affinipay, LLC) and QuickBooks Payments (operated by Intuit, Inc.). The Firm does not store full payment card numbers or bank account credentials on its own systems.

5.1 LawPay (Affinipay, LLC)

LawPay is our primary client-facing payment solution. It is purpose-built for law firms and is compliant with IOLTA and lawyer trust account regulations. When you pay through LawPay:

• Card and eCheck data is encrypted and tokenized by Affinipay’s PCI DSS Level 1-certified infrastructure

• Operating and trust account funds are kept strictly separate in compliance with bar association rules

• The Firm receives only a transaction confirmation and the last four digits of your payment method

• LawPay’s Privacy Policy is available at https://www.lawpay.com/about/privacy-policy/

5.2 QuickBooks Payments (Intuit, Inc.)

QuickBooks Payments is used for certain billing and accounting-integrated transactions. When you make a payment through this platform:

• Card data is tokenized and encrypted by Intuit’s PCI DSS-compliant infrastructure

• The Firm receives only a transaction confirmation and last four digits of your card for record-keeping

• Intuit may collect and retain billing information pursuant to its own privacy and data retention policies

• Intuit’s Privacy Policy is available at https://www.intuit.com/privacy/statement/

By authorizing a payment through either platform, you consent to the processing of your financial information by the respective third-party payment processor. You may contact us to determine which payment platform will be used for your transaction.

6. Data Security

The Firm implements reasonable and appropriate administrative, technical, and physical safeguards to protect your personal information against unauthorized access, disclosure, alteration, or destruction, including:

• Encryption of data in transit using TLS/SSL protocols

• Access controls and role-based permissions limiting data access to authorized personnel

• Regular security assessments and vulnerability reviews

• Use of Intuit’s SOC 2-certified and PCI DSS-compliant infrastructure for all payment data

• Employee training on data privacy and confidentiality obligations

• Incident response procedures in the event of a data breach

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a breach affecting your rights, we will notify you as required by applicable law.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Policy, including satisfying legal, accounting, and professional obligations. Specific retention periods include:

• Client matter files: minimum seven (7) years following the conclusion of representation, or as required by applicable state bar rules

• Financial and billing records: minimum seven (7) years for tax and accounting compliance

• Payment transaction data: retained by Intuit per their data retention policies; accessible to the Firm for up to seven (7) years for reconciliation

• Marketing communications: until you opt out or withdraw consent

When personal information is no longer required, we will securely dispose of it in accordance with applicable professional and legal standards.

8. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

8.1 Right to Access

You may request a copy of the personal information we hold about you and information about how we process it.

8.2 Right to Correction

You may request that we correct inaccurate or incomplete personal information.

8.3 Right to Deletion

You may request deletion of your personal information, subject to our legal and professional retention obligations. We cannot delete information that is part of an active legal matter or required by law or bar rules to retain.

8.4 Right to Restrict or Object to Processing

You may object to or request restriction of certain processing activities, to the extent permitted by law.

8.5 Right to Data Portability

Where applicable, you may request that we provide your personal information in a structured, commonly used, machine-readable format.

8.6 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us in writing at mnaranjo@carlosesandoval.com. We will respond within thirty (30) days of receiving your verifiable request. We may need to verify your identity before processing your request.

9. California Residents – CCPA/CPRA Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.

• Right to Delete: You may request deletion of personal information we have collected, subject to applicable exemptions.

• Right to Correct: You may request correction of inaccurate personal information.

• Right to Opt-Out of Sale or Sharing: We do NOT sell or share personal information for cross-context behavioral advertising.

• Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal information to certain purposes as permitted by the CPRA.

• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To submit a California privacy request, contact us at mnaranjo@carlosesandoval.com or by mail at the address in Section 14. We will verify your identity prior to processing your request.

10. Cookies and Tracking Technologies

Our website may use cookies and similar tracking technologies to enhance your browsing experience, analyze traffic, and improve our online services. These may include:

• Strictly Necessary Cookies: Required for the website to function properly; cannot be disabled.

• Analytics Cookies: Collect aggregate information about how visitors use our site (e.g., Google Analytics). Data is anonymized and used only to improve our website.

• Functional Cookies: Remember your preferences and settings.

You may control cookies through your browser settings. Disabling certain cookies may affect the functionality of our website. We do not use cookies for advertising or selling your data to third parties.

11. Attorney-Client Privilege and Confidentiality

Information shared with Carlos Sandoval Law Firm in the context of seeking or receiving legal advice is protected by the attorney-client privilege and professional rules of confidentiality. This Privacy Policy does not diminish or waive those protections. Our obligation to maintain client confidences is governed by the applicable Rules of Professional Conduct and supersedes general privacy disclosures where they conflict.

Access to client files is restricted to attorneys and authorized staff with a legitimate need to know. All personnel with access to client information are bound by confidentiality obligations.

12. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Changes will be effective immediately upon posting the updated Policy on our website or notifying you directly. We will indicate the “Last Updated” date at the top of this document. Your continued engagement with our services following notice of a material change constitutes your acceptance of the updated Policy. We encourage you to review this Policy periodically.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: