Privacy Policy

This Privacy Policy applies to personal information processed by the Company in connection with:

• Visits to or use of served123.com and any subdomains;
• Engagement of Services, including process service, subpoena domestication, skip tracing, court filing, notary, apostille, courier, and investigative services;
• Email, phone, portal, and in-person correspondence with the Company;
• Marketing, business-development, and recruitment activities undertaken by the Company.

For purposes of this Policy, the following terms have the meanings below. Capitalized terms not defined here have the meanings ascribed in the Terms of Service.

The Company's role under applicable privacy law depends on the context in which Personal Information is Processed:

The Company Processes Personal Information about the following categories of Data Subjects:

• Clients. Individuals, attorneys, law firms, and business representatives who place Orders, remit payment, or otherwise engage the Company's Services.
• Subjects of Service. Individuals whose Personal Information appears in Client-submitted documents because they are the named recipient of process, a witness, or otherwise identified in the matter.
• Locate & Skip-Trace Targets. Individuals for whom the Company is asked to develop a current address, place of employment, or alternate contact information in support of service.
• Investigative Subjects. Individuals who are the subject of authorized investigative work, surveillance, or asset-verification assignments.
• Website Visitors. Individuals who browse the Company's website without placing an Order.
• Vendors, Subcontractors & Job Applicants. Individuals associated with vendors, subcontractors, field operatives, or applicants for employment with the Company.

The Company does not collect, request, or retain the following categories of information unless they are voluntarily and necessarily included in Client-submitted documents for the performance of a specific Order:

• Full credit-card numbers, debit-card numbers, or bank account credentials (payment is processed through PCI-compliant third-party processors);
• Social Security numbers or other government identifiers, beyond what is contained in Client-submitted documents;
• Health, medical, or genetic information not necessary for a Service;
• Religious affiliation, political opinions, union membership, or sexual orientation;
• Biometric identifiers, except as required for remote online notarization (RON) where the Client has elected that service;
• Information about minors under 18 (see § 32 Children's Privacy).

The Company collects the following categories of Personal Information:

• Identity & Contact. Full name, email address, phone number, mailing address, company name, billing contact details.
• Service / Matter Data. Case-specific information submitted with each Order — recipient names, service addresses, case numbers, court details, party information, and documents submitted for service, filing, or other Services.
• Payment & Billing. Order totals, invoice records, payment timestamps, and the last four digits of payment methods retained for reconciliation. Full payment credentials are not retained.
• Communication Records. Records of email correspondence between the Client and the Company, including order discussions, status updates, dispute communications, and phone notes documented by Company staff.
• Technical Information. IP address, browser type and version, device type, operating system, pages visited, time spent on site, referral source — collected automatically (see Cookie Policy).
• Service Documentation. GPS-stamped attempt logs, photographs, and (where authorized) video documentation captured by field operatives in the course of performing Services.
• User-Submitted Documents. Legal documents, identification materials, or supporting files uploaded or emailed by Clients in connection with an Order.

Several U.S. state privacy laws (notably the California CPRA) and the GDPR designate certain categories of Personal Information as Sensitive PI and impose heightened protections on its Processing. The Company may Process Sensitive PI only to the extent it appears in Client-submitted documents necessary for the requested Service. Categories that may be encountered include:

• Government identifiers contained within Client-submitted legal documents (driver's license numbers, ID numbers, occasionally Social Security numbers in subpoenas);
• Precise geolocation generated by field operatives' GPS-stamped attempt logs;
• Biometric identifiers incidentally captured during remote online notarization or video documentation, where the Client has authorized those Services;
• Health information incidentally appearing in matters that involve healthcare facilities, hospital service, or medical-records subpoenas;
• Contents of mail, email, or messages contained within legal documents the Client submits for Service or filing.

The Company collects Personal Information from the following sources:

• Directly from the Client when an Order is placed, a quote is requested, or a communication is sent;
• Indirectly through Client-submitted documents that contain Personal Information about recipients, witnesses, opposing parties, or other named individuals;
• Through field operations — GPS data, photos, observations, and reports generated during the performance of Services;
• From publicly available sources — court records, Secretary of State filings, property records, and licensed commercial databases used for skip tracing;
• From third-party service providers — payment processors confirming successful transactions, courier and postal services confirming deliveries, courts confirming filings;
• Automatically through website use — cookies and similar technologies as described in the Cookie Policy.

The Company Processes Personal Information for the following business and commercial purposes:

• To process, confirm, fulfill, and manage Orders for legal-support Services;
• To communicate with Clients regarding Order status, service updates, affidavit delivery, and related operational matters;
• To verify Client identity, eligibility, and authorized-contact status;
• To maintain billing records, payment history, and Client correspondence for legal compliance and dispute resolution;
• To improve website functionality, user experience, and service quality through aggregated analytics;
• To investigate and respond to complaints, disputes, or potential misconduct;
• To detect, prevent, and respond to fraud, security incidents, and unauthorized access;
• To comply with applicable legal obligations, court orders, subpoenas, and law-enforcement requests;
• To protect the rights, safety, and interests of the Company, its staff, Subcontractors, and other clients.

Where the GDPR or another comprehensive privacy law applies, the Company relies on the following legal bases for Processing:

The Company discloses Personal Information only to the categories of recipients described below, and only as necessary for the purposes identified in § 09:

• Subcontractors and field operatives. Process servers, notaries, couriers, investigators, and local affiliates engaged to fulfill specific Orders, limited to information necessary to complete the assignment. All Subcontractors are subject to written confidentiality and data-protection obligations.
• Courts, clerks, and government agencies. As required by applicable law, court order, or the procedural requirements of the matter.
• Payment processors. PayPal, Square, Stripe, ACH/wire intermediaries, and the Company's banking institution, processing payment transactions under their own privacy policies and PCI-DSS standards.
• Operational vendors and sub-processors. Email and hosting providers, secure storage providers, customer-relationship-management platforms, and similar operational vendors, each bound by contractual confidentiality and data-protection terms.
• Law enforcement and regulators. When required by law, when responding to valid legal process, or when the Company reasonably believes disclosure is necessary to protect against fraud, abuse, or threats to physical safety.
• Professional advisors. The Company's legal counsel, accountants, auditors, and insurance carriers, each bound by professional confidentiality.
• Business successors. In the event of a merger, acquisition, reorganization, or asset sale, Personal Information may be transferred to the successor entity subject to the protections of this Policy.

As disclosed in Terms of Service § 11, the Company may use artificial-intelligence tools to assist with internal administrative and operational functions. The following safeguards apply when AI tools or third-party vendors Process Personal Information:

• Vendor diligence. AI tools and other vendors are evaluated for their privacy and security practices — including encryption, data-handling, training-data use, and applicable certifications — before deployment.
• Contractual restrictions. Vendors and sub-processors are bound by written agreements that limit their Processing to specified purposes, prohibit the sale or unauthorized use of Personal Information, and require appropriate technical and organizational safeguards.
• Data minimization. The Company does not transmit confidential case details, Sensitive PI, or privileged content to AI platforms in a manner that allows the platform provider to train models on Client data without contractual restriction.
• Same standards. AI-processed data remains subject to the same confidentiality, retention, and security standards as non-AI-processed data.
• Human review. Human review is maintained over all AI-generated outputs before they are acted upon or delivered to Clients.

The Company does not engage in solely automated decision-making, including profiling, that produces legal effects concerning Data Subjects or similarly significantly affects them. Specifically:

• Order acceptance, refund eligibility, and dispute-resolution decisions involve substantive human review by Company personnel;
• AI tools used by the Company are operational aids only and do not produce binding determinations affecting Data Subjects;
• The Company does not use profiling for behavioral advertising, credit scoring, employment decisions, or similar significant purposes.

The Company employs administrative, technical, and physical safeguards to protect Personal Information against unauthorized access, disclosure, alteration, and destruction. Safeguards include:

• Encryption. Personal Information is encrypted in transit (TLS) and at rest where supported by the underlying storage system;
• Access controls. Role-based access restricts Personal Information to personnel and Subcontractors with a need to know in connection with a specific Order;
• Authentication. Multi-factor authentication is required for administrative access to systems containing Personal Information;
• Logging and monitoring. Access to Personal Information is logged; logs are reviewed periodically and on event for unauthorized access;
• Vendor security review. Third-party vendors and sub-processors are evaluated for security posture before engagement and periodically thereafter;
• Training. Personnel complete privacy and information-security training and acknowledge confidentiality and acceptable-use obligations.

The Company retains Personal Information only for as long as necessary to fulfill the purposes for which it was collected, satisfy legal obligations, resolve disputes, and enforce its agreements. Specific retention periods include:

• Paid, completed Order files (including Affidavits, attempt logs, GPS data, and case records): seven (7) years from Order completion;
• Billing and tax records: seven (7) years from the date of issuance, or longer where required by applicable tax law;
• Email correspondence related to active or completed Orders: seven (7) years (aligned with the Order file it accompanies);
• Unpaid or abandoned Orders: purged after a reasonable administrative period;
• Website analytics and technical data: in aggregated, non-identifiable form indefinitely; in identifiable form for no longer than necessary;
• E-signature records applied under the Subpoena Domestication authorization (Terms of Service § 10): seven (7) years;
• Records under litigation hold, subpoena, or other legal process: retained as long as the legal hold remains in effect.

In the event the Company discovers a security breach resulting in unauthorized access to or disclosure of Personal Information, we will:

• Contain and assess. Immediately contain the breach and assess the scope, nature, and severity of compromised data;
• Notify affected Data Subjects. Provide timely written notification to all individuals whose Personal Information was affected, to the extent required by applicable law and in accordance with state-specific timing requirements;
• Regulatory notification. Notify appropriate state, federal, or international regulatory authorities (including, where applicable, the relevant Attorney General, state regulator, or EU supervisory authority) where required by applicable law;
• Forensic review. Conduct a forensic review to determine root cause and prevent recurrence;
• Remediation. Implement appropriate remediation measures, including credit-monitoring or identity-protection services where required or appropriate.

Regardless of where you reside, the Company makes the following privacy rights available to all Data Subjects, subject to applicable law and verification requirements:

To exercise any of the privacy rights described in this Policy, submit a written request to info@served123.com with the subject line "Privacy Rights Request" and the following information:

• Your full name and contact email;
• The specific right(s) you wish to exercise;
• Sufficient detail to identify the Personal Information at issue (e.g., Order number, date of submission);
• The state, country, or jurisdiction in which you reside (so the Company can apply the correct legal framework);
• A daytime contact method for follow-up questions or verification.

If the Company declines, in whole or in part, to take action on a verified privacy rights request, the Data Subject may submit an appeal to the Company within a reasonable period of receiving notice of the decision.

• How to appeal. Email info@served123.com with the subject line "Privacy Rights Appeal" and include the original request, the Company's response, and the basis for the appeal.
• Independent review. Appeals are reviewed by a Company representative who was not involved in the original decision.
• Response timeline. The Company will respond to the appeal within forty-five (45) days of receipt; this period may be extended once by an additional sixty (60) days where reasonably necessary, with notice.
• Right to complain. If the appeal is denied or the response is unsatisfactory, the Data Subject may submit a complaint to the relevant state Attorney General or, for EU/EEA/UK residents, to the supervisory authority in their member state or country of residence.

• Right to Know. Request disclosure of the categories and specific pieces of Personal Information collected, the sources, the business or commercial purposes for collection, and the categories of third parties with whom information has been shared.
• Right to Delete. Request deletion of Personal Information, subject to statutory exceptions including completion of the transaction, security, legal compliance, and internal uses reasonably aligned with consumer expectations.
• Right to Correct. Request correction of inaccurate Personal Information maintained by the Company.
• Right to Opt Out of Sale or Sharing. The Company does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising. You may still submit a request to confirm this status.
• Right to Limit Use of Sensitive PI. Request that the Company limit the use and disclosure of Sensitive Personal Information to purposes necessary to perform the requested Services or as otherwise permitted by the CPRA.
• Right to Opt Out of Automated Decision-Making. Opt out of solely automated decisions that produce legal or similarly significant effects. As disclosed in § 13, the Company does not engage in such automated decision-making.
• Right to Non-Discrimination. The Company will not discriminate against you for exercising any CCPA/CPRA right.

• Right of Access — confirm whether the Company Processes your Personal Information and obtain a copy;
• Right of Correction — correct inaccuracies in your Personal Information;
• Right of Deletion — delete Personal Information provided by or obtained about you;
• Right of Portability — obtain a copy of your Personal Information in a portable and readily usable format;
• Right to Opt Out of the sale of Personal Information, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects. The Company does not engage in any of these activities.

• Right of Access to confirm Processing and obtain a copy of your Personal Information;
• Right of Correction for inaccurate Personal Information;
• Right of Deletion of Personal Information concerning you;
• Right of Portability in a portable and readily usable format, where technically feasible;
• Right to Opt Out of the sale of Personal Information, targeted advertising, and profiling with legal or similarly significant effects;
• Universal Opt-Out Mechanism. Colorado residents may use a Universal Opt-Out Mechanism (such as Global Privacy Control) to communicate opt-out preferences. See § 34 for how the Company honors these signals.

• Right of Access to confirm Processing and obtain your Personal Information;
• Right of Correction, Deletion, and Portability on terms substantially similar to the rights described above;
• Right to Opt Out of the sale of Personal Information, targeted advertising, and profiling with legal or similarly significant effects;
• Universal Opt-Out Mechanism. Connecticut residents may use Global Privacy Control or another recognized universal mechanism to communicate opt-out preferences.

• Right of Access to confirm Processing and obtain a copy of your Personal Information;
• Right of Deletion of Personal Information you provided to the Company;
• Right of Portability where technically feasible;
• Right to Opt Out of the sale of Personal Information and targeted advertising.

• Right of Access, Correction, Deletion, and Portability on terms substantially similar to the other comprehensive state laws described above;
• Right to Opt Out of the sale of Personal Information, targeted advertising, and profiling with legal or similarly significant effects;
• Sensitive Data Consent. Texas residents have the right to require affirmative consent before Sensitive PI is Processed for certain purposes, consistent with the TDPSA.

• Right of Access, Correction, Deletion, and Portability on terms substantially similar to the other comprehensive state laws described above;
• Right to a List of Recipients. Oregon residents have the unique right to request the specific third parties to whom the Company has disclosed their Personal Information, in addition to the categories of recipients;
• Right to Opt Out of the sale of Personal Information, targeted advertising, and profiling with legal or similarly significant effects;
• Universal Opt-Out Mechanism. Oregon residents may use Global Privacy Control or another recognized universal mechanism.

Additional U.S. states have enacted or are in the process of implementing comprehensive consumer privacy laws — including (among others) Delaware, Iowa, Indiana, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Rhode Island, and Tennessee. To the extent any such law applies to your Processing, the Company will honor the substantially equivalent rights described in §§ 21–27 above:

• Right of Access to your Personal Information;
• Right of Correction and Right of Deletion as applicable in your state;
• Right of Portability in a usable format;
• Right to Opt Out of sale, sharing, targeted advertising, and significant profiling;
• Right to Appeal denial of a rights request, where the law provides for one (and otherwise as a courtesy under § 20).

• Right of Access (Article 15). Obtain confirmation of Processing and a copy of your Personal Information together with information about the purposes, categories of data, recipients, retention period, and the source of the data where not collected from you;
• Right to Rectification (Article 16). Have inaccurate Personal Information corrected and incomplete data completed;
• Right to Erasure (Article 17). Have your Personal Information erased where one of the statutory grounds applies, subject to overriding legal obligations and the Company's legitimate interests in record retention;
• Right to Restriction (Article 18). Restrict Processing in defined circumstances, such as while accuracy of the data is being verified;
• Right to Data Portability (Article 20). Receive Personal Information you have provided in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible;
• Right to Object (Article 21). Object to Processing based on legitimate interests, including profiling, and to Processing for direct marketing purposes;
• Right Regarding Automated Decision-Making (Article 22). Not be subject to a decision based solely on automated Processing, including profiling, that produces legal or similarly significant effects. As disclosed in § 13, the Company does not engage in such automated decision-making;
• Right to Withdraw Consent. Where Processing is based on consent, withdraw that consent at any time without affecting the lawfulness of Processing performed before withdrawal;
• Right to Lodge a Complaint. Submit a complaint to the supervisory authority in your member state of residence, place of work, or alleged infringement; UK residents may complain to the Information Commissioner's Office (ICO).

The Company is based in the United States and primarily Processes Personal Information within the U.S. In some circumstances, however, Personal Information may be transferred to, accessed from, or Processed in jurisdictions other than the Data Subject's country of residence:

• International service Orders. Where a Client requests international service of process, Personal Information necessary to effect service is transferred to vetted foreign agents, central authorities, or diplomatic channels in the destination country;
• Foreign sub-processors. Some operational vendors and sub-processors may be located outside the U.S. or may Process data through global infrastructure;
• Transfer mechanisms. Where the Company transfers Personal Information from the EU/EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of protection, the Company implements appropriate safeguards, including Standard Contractual Clauses approved by the European Commission (and the UK addendum where applicable);
• Data minimization. Only the minimum Personal Information necessary to perform the authorized purpose is transferred internationally.

The Company will honor privacy rights afforded by comprehensive privacy laws in jurisdictions outside the U.S. and EU/EEA/UK to the extent those laws apply to its Processing — including but not limited to Canada (PIPEDA and provincial laws), Brazil (LGPD), Japan (APPI), South Korea (PIPA), Singapore (PDPA), Australia (Privacy Act), and Switzerland (FADP).

Residents of these jurisdictions should submit privacy rights requests in accordance with § 18 and identify their country of residence so that the correct legal framework can be applied. Response timelines and verification procedures will follow the requirements of applicable local law.

The Company's Services are intended solely for adults aged 18 years or older. The Company does not knowingly collect, store, or Process Personal Information from individuals under the age of 18 for its own commercial or operational purposes.

The Company recognizes that Personal Information about minors may incidentally appear in Client-submitted documents for matters such as family-law cases, dependency proceedings, child-support enforcement, and similar proceedings. In those cases:

• The minor's Personal Information is Processed solely to effect the requested Service or comply with applicable law;
• The Company applies enhanced confidentiality controls and does not use the minor's information for any secondary purpose;
• Clients are required to handle minors' Personal Information in compliance with applicable law (including any sealing orders or address-confidentiality programs).

• When a GPC signal is received from a visitor's browser, the Company treats it as a valid request to opt out of the "sale" or "sharing" of Personal Information under applicable state law — even though the Company does not engage in either activity;
• GPC signals are processed automatically and do not require account creation or identity verification;
• The Company also honors opt-out signals required by Colorado, Connecticut, Oregon, Texas, and other states whose laws recognize universal opt-out mechanisms;
• Because GPC operates at the browser level, an opt-out signal applies to that specific browser on that specific device. Clearing cookies or switching browsers may require re-sending the signal.

The Company's website and communications may contain links to external websites, services, and resources that are not operated or controlled by Served 123 LLC. The Company is not responsible for the content, privacy practices, or data handling of any third-party website or service.

The Company reserves the right to modify this Privacy Policy at any time. The most current version will always be published at served123.com/privacy-policy with a revised effective date.

• Material changes — changes that materially expand the categories of Personal Information Processed, the purposes of Processing, or the categories of recipients — will be communicated by email to active Clients, by prominent notice on the Company's website, or both, prior to taking effect;
• Non-material changes may take effect upon posting;
• Continued use of the Company's Services following any change constitutes acceptance of the updated Policy as to subsequent Orders. Amendments do not retroactively reduce the rights of Data Subjects whose Personal Information was collected under a prior version of this Policy.

Privacy questions, rights requests, data concerns, breach reports, or requests to update or delete your information should be directed to: