docs: add legal disclaimer and privacy notice for professional use

PRIVACY.md

@@ -0,0 +1,182 @@
+# Privacy & Client Confidentiality
+
+**IMPORTANT READING FOR LEGAL PROFESSIONALS**
+
+This document addresses privacy and confidentiality considerations when using this Tool, with particular attention to professional obligations under Israeli legal professional rules.
+
+---
+
+## Executive Summary
+
+**Key Risks:**
+- Queries through Claude API flow via Anthropic cloud infrastructure
+- Query content may reveal client matters and privileged information
+- Israel Bar Association rules require strict confidentiality (חיסיון עורך דין-לקוח) and data handling controls
+
+**Safe Use Options:**
+1. **General Legal Research**: Use Tool for non-client-specific queries
+2. **Local npm Package**: Install `@ansvar/israel-law-mcp` locally — database queries stay on your machine
+3. **Remote Endpoint**: Vercel Streamable HTTP endpoint — queries transit Vercel infrastructure
+4. **On-Premise Deployment**: Self-host with local LLM for privileged matters
+
+---
+
+## Data Flows and Infrastructure
+
+### MCP (Model Context Protocol) Architecture
+
+This Tool uses the **Model Context Protocol (MCP)** to communicate with AI clients:
+
+```
+User Query -> MCP Client (Claude Desktop/Cursor/API) -> Anthropic Cloud -> MCP Server -> Database
+```
+
+### Deployment Options
+
+#### 1. Local npm Package (Most Private)
+
+```bash
+npx @ansvar/israel-law-mcp
+```
+
+- Database is local SQLite file on your machine
+- No data transmitted to external servers (except to AI client for LLM processing)
+- Full control over data at rest
+
+#### 2. Remote Endpoint (Vercel)
+
+```
+Endpoint: https://israel-law-mcp.vercel.app/mcp
+```
+
+- Queries transit Vercel infrastructure
+- Tool responses return through the same path
+- Subject to Vercel's privacy policy
+
+### What Gets Transmitted
+
+When you use this Tool through an AI client:
+
+- **Query Text**: Your search queries and tool parameters
+- **Tool Responses**: Statute text, provision content, search results
+- **Metadata**: Timestamps, request identifiers
+
+**What Does NOT Get Transmitted:**
+- Files on your computer
+- Your full conversation history (depends on AI client configuration)
+
+---
+
+## Professional Obligations (Israel)
+
+### Israel Bar Association and the Bar Association Law
+
+Israeli lawyers are bound by strict confidentiality rules under the Israel Bar Association Law 5721-1961 (חוק לשכת עורכי הדין) and the Israel Bar Association ethics rules.
+
+#### Attorney-Client Privilege (חיסיון עורך דין-לקוח)
+
+- All attorney-client communications are privileged under the Evidence Ordinance [New Version] 5731-1971
+- Client identity may be confidential in sensitive matters
+- Case strategy and legal analysis are protected
+- Information that could identify clients or matters must be safeguarded
+
+### Privacy Protection Law and Client Data Processing
+
+Under the **Privacy Protection Law 5741-1981 (חוק הגנת הפרטיות)** and the Privacy Protection Regulations:
+
+- You are the **Database Owner** when maintaining client databases
+- AI service providers (Anthropic, Vercel) may be **holders** or **managers** of data
+- Database registration requirements may apply under the Privacy Protection Authority regulations
+- Cross-border data transfers must comply with the Privacy Protection Regulations (Transfer of Data to Databases Outside the State's Borders)
+- The **Privacy Protection Authority (הרשות להגנת הפרטיות)** oversees compliance
+
+---
+
+## Risk Assessment by Use Case
+
+### LOW RISK: General Legal Research
+
+**Safe to use through any deployment:**
+
+```
+Example: "What does the Companies Law say about shareholder rights?"
+```
+
+- No client identity involved
+- No case-specific facts
+- Publicly available legal information
+
+### MEDIUM RISK: Anonymized Queries
+
+**Use with caution:**
+
+```
+Example: "What are the penalties for securities violations under Israeli law?"
+```
+
+- Query pattern may reveal you are working on a securities matter
+- Anthropic/Vercel logs may link queries to your API key
+
+### HIGH RISK: Client-Specific Queries
+
+**DO NOT USE through cloud AI services:**
+
+- Remove ALL identifying details
+- Use the local npm package with a self-hosted LLM
+- Or use commercial legal databases with proper privacy agreements
+
+---
+
+## Data Collection by This Tool
+
+### What This Tool Collects
+
+**Nothing.** This Tool:
+
+- Does NOT log queries
+- Does NOT store user data
+- Does NOT track usage
+- Does NOT use analytics
+- Does NOT set cookies
+
+The database is read-only. No user data is written to disk.
+
+### What Third Parties May Collect
+
+- **Anthropic** (if using Claude): Subject to [Anthropic Privacy Policy](https://www.anthropic.com/legal/privacy)
+- **Vercel** (if using remote endpoint): Subject to [Vercel Privacy Policy](https://vercel.com/legal/privacy-policy)
+
+---
+
+## Recommendations
+
+### For Solo Practitioners / Small Firms
+
+1. Use local npm package for maximum privacy
+2. General research: Cloud AI is acceptable for non-client queries
+3. Client matters: Use commercial legal databases (Nevo, Takdin, Pador)
+
+### For Large Firms / Corporate Legal
+
+1. Negotiate privacy agreements with AI service providers under Privacy Protection Law requirements
+2. Consider on-premise deployment with self-hosted LLM
+3. Train staff on safe vs. unsafe query patterns
+
+### For Government / Public Sector
+
+1. Use self-hosted deployment, no external APIs
+2. Follow Israeli government information security requirements (INCD guidelines)
+3. Air-gapped option available for classified matters
+
+---
+
+## Questions and Support
+
+- **Privacy Questions**: Open issue on [GitHub](https://github.com/Ansvar-Systems/israel-law-mcp/issues)
+- **Anthropic Privacy**: Contact privacy@anthropic.com
+- **IBA Guidance**: Consult Israel Bar Association ethics guidance
+
+---
+
+**Last Updated**: 2026-02-22
+**Tool Version**: 1.0.0