Legal

Privacy Policy

Last updated: April 15, 2026

Sherlock is built for law enforcement, courts, and prosecution. We take the privacy of every person whose information passes through the platform — officers, attorneys, victims, witnesses, and the accused — seriously. This policy explains, in plain language, what we collect, why, and how we protect it.

Information We Handle

Sherlock processes two broad categories of information on behalf of our agency customers:

  • Justice case data — incident reports, evidence, warrant filings, and related records that agencies upload or generate inside the platform. This may include health information, biometric data, and other sensitive content where required by the nature of a case.
  • Account data — the names, work email addresses, agency affiliations, and audit logs needed to give authorized users access.

How We Use It

We use this information solely to operate Sherlock for the agency that owns the data: connecting case records across the justice chain, powering AI features like Hey Sherlock and the Toolkits, and maintaining the audit trail required by CJIS.

We do not sell personal information. We do not use your agency’s case data to train AI models shared with other agencies or made available to the public. AI features that learn from your agency’s workflows operate entirely within your agency’s environment. That data does not leave your walled instance.

How We Protect It

Sherlock is CJIS compliant and hosted on AWS GovCloud. Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is restricted by role and agency, and every action is logged. Sub-processors are vetted for CJIS compliance.

Data Ownership and Retention

Agencies own their data. We act as a processor under the direction of each agency. When our agreement ends, we return or delete agency data upon request. Agencies may also request deletion of specific data at any time, subject to applicable legal holds.

Contact

Questions about this policy? Email privacy@sherlockxr.com or reach us through the contact page. Agencies requiring a data processing agreement for procurement review should reach out directly.