Website Data

We collect the following information when you visit our website, both automatically and through voluntary submissions:

• IP address, cookie/session IDs, referrer, landing page
• Pages viewed, time on page, UTM parameters
• Screen size, operating system, browser/version, device type
• City/state/country (via IP geolocation), bandwidth, error logs
• Information you voluntarily provide through website forms, such as contact forms, demorequests, and newsletter sign-ups. This may include your name, email address,company, phone number, and the content of your message. We use this information torespond to your inquiries, provide requested information, and, with your consent, sendyou marketing communications

We use first-party cookies, localStorage, and sessionStorage to store data for authentication, session management, analytics, and performance monitoring. These are distinct from third-party cookies, which we do not utilize for marketing purposes.

For analytics, we use Statsig (product analytics/experimentation) and Google Analytics 4(website analytics). These services collect anonymized usage data, such as pages viewed and time on page, to help us understand user behavior and improve our Service. We do not use marketing pixels or share data with these providers for advertising purposes. Users have the right to opt-out of analytics data collection as part of their privacy rights.

Service Data

When you use our Service, we collect:

Documents:

• Files that are uploaded to our system for processing
• Metadata associated with those files

Usage and Telemetry Data:

• Product telemetry to support quality of service

Automatically Generated Data:

• Data that is generated to support the service such as OCR, summaries, extracted insights.

Data Categories

We process the following categories of data:

• Account/administrative data
• Billing information
• User activity data
• Client legal documents and related data (e.g., pleadings, discovery, contracts, communications)
• AI analysis outputs
• Backups and audit logs

Sensitive and Privileged Information

While we do not actively seek sensitive personal information, we acknowledge that documents uploaded to our Service may contain such data. We treat all uploaded content as confidential and potentially privileged, implementing appropriate safeguards as described in this policy.

Website Data Use

We use website data for:

• Security and fraud prevention
• Basic analytics
• Performance monitoring

Service Data Use

We use Service data to:

• Provide and improve platform functionality, adhering to data minimization principles
• Enable search and investigation capabilities
• Enhance quality and reliability
• Troubleshoot issues and provide support (with strict access controls)
• Generate aggregated and anonymized analytics that cannot identify specific clients or cases

Purposeful Retention

CaseGuild stores uploaded documents, extracted data, and AI interactions only as needed to provide core functionality and improve the user experience, in line with our Data RetentionPolicy.

No Behavioral Profiling

We do not engage in behavioral profiling, make automated decisions that affect access to services or pricing, or use your data for competitive intelligence or business development purposes that would identify you or your clients. We may use anonymized and aggregated data for legitimate business purposes such as product improvement, research, and general analytics, provided such use does not compromise client confidentiality or attorney-client privilege.

No Model Training with User Data

CaseGuild does not use customer data to train or fine-tune AI models. Neither do our AI infrastructure providers. All user inputs and outputs remain private and confidential.

Zero Retention by AI Providers

Our AI model providers do not log or store your data for any period of time.

AI Output Protection

AI-generated outputs receive the same protection as the original evidence:

• Same access control lists (ACLs) as evidence
• Tenant isolation to prevent cross-client data exposure

Data Isolation

We implement tenant partitioned data to ensure complete isolation between different law firm clients.

Privileged Information Handling

We handle potentially privileged information with enhanced security measures:

• Encryption at rest
• Restricted personnel access
• Private networking
• Zero Data Retention and training agreements
• Tenant isolation

Limited Sharing

We share your information only:

• With subprocessors necessary for service delivery
• As aggregated statistics or case studies (with your consent)

Subprocessors

We use the following subprocessors to deliver our Service:

• Microsoft Azure (cloud infrastructure)
• Cloudflare (security and performance)
• Auth0 (authentication)
• AI providers: OpenAI, Anthropic, Microsoft Azure, Google Cloud, Amazon Web Services, OpenRouter
• Analytics: Statsig, Google Analytics 4
• Stripe (payment processing)
• Better Stack (availability monitoring)

Disclosure Circumstances

We may disclose information:

• Upon your instruction
• In response to legal process (with notice where permitted)
• To protect our rights, privacy, safety, or property

Attorney-Client Privilege

We treat all uploads as confidential and potentially privileged. We only access tenant data with explicit approval, and all access is logged.

Encryption & Secure Hosting

• Regional Data Hosting: CaseGuild is hosted on Microsoft Azure's North America-based hyperscale infrastructure, ensuring regional compliance and data residency within the United States.
• Encryption: We use TLS 1.2+ for data in transit and AES-256/KMS for data at rest.

Access Controls

• Single Sign-On (SSO) and Two-Factor Authentication (2FA)
• System for Cross-domain Identity Management (SCIM)
• Tenant isolation
• Least privilege access model
• Quarterly access reviews
• Optional IP allowlisting

Endpoint Security

Staff devices are encrypted, run up-to-date anti-malware tools, and automatically lock after periods of inactivity to prevent unauthorized physical access.

Additional Security Measures

• Cloudflare Web Application Firewall (WAF)
• Rate limiting
• Comprehensive audit logs
• Code review and dependency scanning
• Penetration testing
• Regular backups with restore testing
• Secure data destruction tools with audit logs

Audits, Testing & Governance

• SOC 2: CaseGuild has successfully completed a SOC 2 Type 2 audit, demonstrating effective design and operation of controls over time in accordance with the AICPA TrustServices Criteria.
• Independent Penetration Testing: We engage external security firms to conduct regular penetration tests on our platform, infrastructure, and APIs. Findings are promptly triaged and remediated based on severity.
• Policy Governance: All security and privacy policies are reviewed at least annually to reflect evolving threats, technologies, and regulatory developments.
• Continuous Improvement: Our security program evolves based on threat intelligence, client feedback, and compliance obligations to ensure we maintain a strong, adaptive posture.

DATA BREACH NOTIFICATION

Breach Notification Process

In the event of a data breach that compromises personal information or client data, we will:

• Promptly investigate the incident to determine its scope and impact
• Notify affected customers within 72 hours of discovery when feasible
• Provide details about the nature of the breach, types of data affected, and potential impact
• Outline steps we're taking to mitigate harm and prevent future incidents
• Offer guidance on protective measures affected users can take

Notification Methods

We will notify affected users through:

• Direct email to the primary account contact
• In-product notifications when appropriate
• Phone calls to designated security contacts for high-severity incidents

Regulatory Compliance

We comply with breach notification requirements under applicable laws and regulations, including GDPR, CPRA, and relevant state data breach notification laws. When legally required, we will notify relevant regulatory authorities within the timeframes specified by law.

Breach Response Team

Our dedicated breach response team includes information security, legal, and executive leadership to ensure a coordinated, effective response to any security incident.

Continuous Improvement

Following any security incident, we conduct thorough post-incident reviews to identify improvements to our security controls, monitoring capabilities, and response procedures.

For security-related inquiries or to report a potential security incident, please contact our information Security team immediately at infosec@caseguild.com.

Retention Periods

We retain different categories of data for the following periods:

• Account/administrative data: Account lifetime plus 2 years
• Billing information: 7 years
• Usage/telemetry data: 90 days
• Evidence (uploaded documents): Until customer deletes
• AI outputs: Same retention period as the source evidence
• Backups: 90 days
• Audit logs: 1-3 years

Deletion Rights

In alignment with our Data Retention Policy, users retain full control and can request permanent deletion of their data at any time, subject to any ongoing contractual or legal obligations.

Deletion Process

• Self-service deletion for projects and files
• Backups purged after 90 days
• Court-ordered destruction supported with audit logs

Data Hosting Location

CaseGuild's services are hosted exclusively in the United States:

• Primary: Azure East US
• Disaster Recovery: Azure West US

Cross-Border Transfers

We currently maintain US-only hosting.

Transfer Safeguards

If cross-border transfers are introduced in the future, we will implement appropriate safeguards such as:

• Regional hosting options
• Standard Contractual Clauses (SCCs)
• Data Processing Agreements (DPAs)

User Rights

You have the following rights regarding your data:

• Access and data portability
• Rectification of inaccurate data
• Deletion of personal data
• Restriction of processing
• Opt-out of marketing and analytics
• Do-Not-Sell/Share (under CPRA)

How to Exercise Your Rights

You can exercise your rights:

• Through in-product features
• By emailing us at [privacy@caseguild.com] We will respond to your request within 30-45days.

User Controls

We provide the following controls:

• Retention settings
• Data export functionality
• User provisioning and role management
• IP allowlisting
• Session duration settings

Applicable Regulations

We comply with the following privacy regulations:

• General Data Protection Regulation (GDPR)
• UK GDPR
• California Privacy Rights Act (CPRA)
• Other US state privacy laws

Legal Bases for Processing

Under the GDPR, we process personal data on the following legal bases:

• Contractual Necessity: Processing necessary to provide our Service and fulfill our contractual obligations to you.
• Legitimate Interests: Processing that serves our legitimate business interests or those of a third party, provided these interests are not overridden by your rights and freedoms.
• Legal Obligation: Processing necessary to comply with our legal obligations.
• Consent: Processing based on your specific consent, which you may withdraw at anytime.

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for:

• New AI features
• High-risk processing activities

Data Subject Request Handling

When handling data subject requests, we:

• Verify the requestor's identity
• Scope the request appropriately
• Provide responses within 30-45 days
• Use standard export formats for data portability

Our Service is designed for and directed at professionals in the legal industry. We do not knowingly collect personal information from children under the age of 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information as soon as possible.

If you believe we might have any information from or about a child under 16, please contact us at [privacy@caseguild.com].

Third-Party Services

Our Service may contain links to third-party websites or services that are not owned or controlled by CaseGuild. We are not responsible for the privacy practices of these third-party websites or services. We encourage you to review the privacy policies of any third-party websites or services you visit.

Integrations

We may offer integrations with third-party services to enhance our Service functionality. When you enable these integrations, you may be sharing information with these third parties. The information shared and how it is used will be governed by the privacy policies of those third parties.

Our current integrations include:

• Authentication providers (Auth0)

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, and other factors. If we make material changes to this policy, we will notify you by:

• Posting the updated policy on our website
• Sending an email to the email address associated with your account
• Providing a notification within our Service

We encourage you to periodically review this page for the latest information on our privacy practices.

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

Email: privacy@caseguild.com

Postal Address:

CaseGuild Inc.
1400 112th Ave SE Ste 100,
Bellevue, WA, 98004
United States

For security-related inquiries, you can also reach our Information Security team at infosec@caseguild.com.