1. Overview
CaseAlly helps litigators and self-represented litigants analyze court records. Because many of those records are sensitive, we take privacy and security seriously. This policy explains what Saint Michael Ventures LLC (the operator of CaseAlly) collects, how we use it, and the controls you have.
2. What We Collect
- Account data. Name, email, organization, role, and billing email (collected by Stripe).
- Content. Documents you upload, their extracted text, analyses, findings, contradictions, notes, chat messages, hearing-prep entries, and client-portal shares you create.
- Operational data. Audit logs, in-product notifications, device and IP used for authenticated requests, error traces, and aggregate usage metrics.
3. How We Use It
- To provide, secure, and improve the Service.
- To generate AI analysis using trusted third-party model providers (Anthropic, OpenAI) under contracts that prohibit training on your content.
- To send transactional emails (analysis completion, document processing, shares) and, only if you opt in, product updates and a weekly digest.
- To enforce our Terms, prevent abuse, and comply with law.
4. AI Processing Disclosure
Documents and text you upload are processed by third-party AI providers (Anthropic for analysis and synthesis; OpenAI for embeddings used in retrieval). We use business or enterprise agreements that:
- Prohibit the provider from training models on your content.
- Limit retention of request payloads to what is needed for abuse monitoring and legal compliance.
- Restrict provider personnel access to a narrow operational scope.
AI outputs are grounded in your uploaded documents and include source citations. Even so, AI can misread context or misattribute quotations. Outputs are informational only; see our Legal Disclaimer.
5. Data Storage
CaseAlly stores your account data, documents, and analysis results in Supabase-managed Postgres and object storage, which runs on Amazon Web Services (AWS) infrastructure in the United States. All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
Row-Level Security isolates every tenant's data at the database level; service-role credentials are only held by our server-side code and never reach the browser.
6. Subprocessors
- Supabase. Postgres database, authentication, and object storage (AES-256 at rest, TLS in transit, Row-Level Security).
- Vercel. Web application hosting and edge CDN.
- Anthropic and OpenAI. AI inference for analysis and embeddings. Requests exclude training permissions.
- Stripe. Subscription billing. We never store raw card details.
- Resend. Transactional email delivery.
- Upstash (optional). Rate limiting via ephemeral counters; no case content is sent.
- Sentry (optional). Error tracing; PII is scrubbed.
- PostHog (optional). Privacy-respecting product analytics with no recording of page content or form inputs.
8. Security
- TLS everywhere; HSTS preload on the production domain.
- Encrypted at rest (database and storage).
- Tenant isolation via Row-Level Security; service-role access restricted to server-side operations.
- Content Security Policy, CORS lock-down, magic-byte upload validation, HMAC-signed unsubscribe links, and session management with "sign out all other sessions".
- Audit log of every write operation, retained according to your plan.
9. Breach Notification
If we confirm that an unauthorized party has accessed your personal information, we will notify affected organizations by email within 72 hours of confirmed customer impact, consistent with GDPR Article 33 and applicable U.S. state breach-notification laws. The notice will describe the scope of the incident, the data involved, and the mitigation steps we are taking.
10. Client Portal
When you share a case with a client, the portal link is token-authenticated (no account required for the client). Access is rate-limited, can be revoked at any time, and honors the per-section permissions you select.
11. Data Retention and Deletion
Each organization configures its own retention window from Settings, Data Retention. Options are 90 days, 180 days, 1 year, 2 years, 5 years, or indefinite. Auto-deletion is off by default and requires explicit opt-in.
When auto-delete is on, a case that has been inactive longer than the retention window is soft-deleted. Soft-deleted cases enter a 30-day grace period during which an organization owner can restore them. After the grace period ends, the case, its documents, and all associated analysis are permanently deleted.
You may delete individual documents, cases, or your entire account at any time from Settings. Supabase database backups roll off on their own schedule (up to 35 days on our paid tier). Audit log entries are retained in line with applicable recordkeeping law and may persist beyond the retention window, stripped of their matter association.
12. Data Portability
From Settings, Data Retention, you can request a full export. CaseAlly generates a ZIP archive containing your uploaded documents, all analysis results (as JSON), chat history, communications, findings, contradictions, appeal issues, and your audit log (as CSV). Exports are rate-limited to one per 24 hours.
13. CCPA and GDPR Rights
If you are a California resident, the CCPA gives you the right to request access to, deletion of, or correction of your personal information, and the right not to be discriminated against for exercising those rights. If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR and UK GDPR give you parallel rights (access, rectification, erasure, restriction, portability, and objection), plus the right to lodge a complaint with your supervisory authority.
CaseAlly does not sell personal information. The lawful bases on which we process your data are: (a) your consent when you create an account, (b) performance of the contract under which we provide the Service, and (c) legitimate interest in securing the Service and preventing abuse.
To exercise any of these rights, email hello@caseally.law from the email on file. We respond to verified requests within 30 days.
14. Children's Privacy
CaseAlly is intended for use by attorneys, paralegals, and self-represented litigants who are at least 18 years old. The Service is not directed at children, and we do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a child under 18 without verified parental consent, we will delete it promptly.
15. Contact
Questions about privacy? Email hello@caseally.law.
CaseAlly is a product of Saint Michael Ventures LLC. See also our Terms of Service and Legal Disclaimer.