Privacy policy.

Information you give us. When you submit an intake form or referral form on this site, we collect the information you enter — name, email, phone number, preferred contact method, matter category, a short general description, names of any other parties you list for the conflict check, and how you heard about us. When you engage the firm, we collect the additional information required to do the legal work — addresses, identifying numbers where needed, and the matter-specific facts and documents you share with us.

Information collected automatically. When you visit this site, our hosting provider (Cloudflare Pages) records standard web-server logs — IP address, user agent, page visited, and timestamp. These logs are used for site reliability and abuse prevention, retained for a short rolling window, and are not joined to your client file.

Cookies. This site does not set tracking cookies for advertising. Any cookies set are functional (form-state, preferred-color-scheme) and not used to follow you across the web.

Information you submit through the intake or referral form is used to (i) run the Kentucky Rule 1.18 conflict check before we have any substantive conversation, (ii) decide whether the firm can take the matter, and (iii) reach you to confirm next steps. If we engage to represent you, information you share is used to do the legal work and is protected by the attorney-client relationship and Kentucky Rule 1.6 confidentiality.

We do not sell, rent, or trade your information. We do not use your information for advertising or for training any third-party AI model on identifiable client content. The firm's AI-document infrastructure operates under contractual data-handling terms that prevent the AI provider from retaining matter content for training or use beyond the request, consistent with the firm's confidentiality obligations under SCR 3.130(1.6).

The firm's AI use is governed by Kentucky Bar Association Ethics Opinion E-457 (March 15, 2024) and the Rules of Professional Conduct that opinion cites, including SCR 3.130 (1.1) (1.4) (1.5)(a)&(b) (1.6) (5.1)(b) and (8.4). Under E-457 Q#2, no universal client-disclosure duty attaches to the firm's rote AI use; specific disclosure obligations are triggered where third-party outsourcing, AI-cost pass-through, or court rules apply, in which case the engagement letter addresses the trigger.

We share information you submit only with the parties who need it to do the work you've asked us to do, or as law requires:

• Service providers under contract who help us operate the firm — our email-delivery provider for intake notifications, our hosting provider, and our AI-document-infrastructure vendor under the data-handling terms summarized above. Each is bound by data-handling obligations consistent with this policy and the firm's confidentiality obligations under SCR 3.130(1.6).
• When you engage the firm, the courts, county clerks, opposing counsel, title companies, lenders, accountants, and other professionals whose involvement your matter requires — only as your representation needs.
• As required by law (a valid subpoena, a court order, a regulatory inquiry where disclosure is legally mandated).

Bluegrass Cornerstone is a registered assumed name (DBA) of Johnson Legal PLLC under KRS 365.015 — it is the same firm operating under a different brand for its high-volume Kentucky document catalog. Information collected through Cornerstone surfaces is collected by Johnson Legal PLLC and held subject to this policy. We do not share client information with unaffiliated product or marketing channels.

You can ask us at any time what we have about you, ask us to correct it, or ask us to delete it. The firm's client-matter records are retained for at least six years from matter close under our internal record-retention policy. Trust-account records are retained for five years under SCR 3.130(1.15)(a). Other applicable record-keeping laws may extend or override these defaults; deletion requests are honored to the extent the law and our retention obligations permit.

Kentucky's Consumer Data Protection Act (KRS 367.3611–367.3629) creates broader consumer rights for businesses that exceed its volume thresholds (KRS 367.3613: 100,000 Kentucky consumers in a year, or 25,000 plus 50% of revenue from personal-data sales). Johnson Legal PLLC does not currently meet those thresholds, and the KCDPA therefore does not technically apply. We honor the substantive rights anyway: request a copy, request correction, request deletion, or opt out of any sale (we don't sell, but the right is yours regardless).

To exercise any of these rights, email [email protected] with the subject line “Privacy request”.

Form submissions are transmitted over TLS to our serverless handler on Cloudflare Pages and then forwarded over TLS to our email-delivery provider for notification. Client-file content is stored in access-controlled systems with encrypted-at-rest storage and credential-based access limited to the lawyer and any contracted staff bound by Kentucky Rule 5.3 supervision and confidentiality obligations.

The firm operates under a documented business-continuity and disaster-recovery framework that mirrors the access, retention, and incident-response posture described in this policy.

Kentucky's data-breach statute, KRS 365.732, requires that, if a Kentucky resident's unencrypted personal information held by Johnson Legal PLLC is accessed or acquired by an unauthorized person and there is a material risk that the breach has caused or will cause identity theft or fraud, we will notify the affected resident in the most expedient time possible and without unreasonable delay (subject to the legitimate needs of law enforcement and the time required to determine the scope of the breach and restore reasonable integrity to the data system).

Where the statute requires it, we will also notify consumer-reporting agencies and the Office of the Kentucky Attorney General. The statute's good-faith carve-out and deemed-compliance provisions for entities subject to GLBA, HIPAA, and certain other federal regimes are acknowledged where applicable.

Children's privacy. The firm's services are for adults. We do not knowingly collect information from children under 13. If you believe we have, contact us at the address below and we will delete it.

Changes to this policy. If we materially change how we handle data, we will revise this page and update the “Last updated” date at the top.

Contact. Privacy questions, including requests for access, correction, or deletion, go to [email protected] or by mail at the principal-office address below.