Privacy Policy

We collect several types of information to provide and improve our Service:

1.1 Information You Provide

When you create an account or use our Service, you directly provide us with:

• Account Information: Name, email address, phone number, password
• Organization Information: Company name, industry, company size, address, website
• Profile Information: User role, department, job title, profile photo
• Payment Information: Billing address, payment method details (processed securely by our payment processor)
• Case Data: Cases, documents, notes, comments, tags, and other content you create or upload
• Communications: Messages, support tickets, feedback, and other communications with us

1.2 Information Collected Automatically

When you use our Service, we automatically collect:

• Usage Data: Features used, pages visited, time spent, actions performed
• Device Information: Device type, operating system, browser type and version, IP address
• Log Data: Access times, error logs, performance data
• Cookies and Similar Technologies: Session identifiers, preferences, authentication tokens

1.3 Information from Third Parties

We may receive information about you from:

• Consortium Partners: Information shared when collaborating on inter-agency cases
• Integration Services: Data from third-party tools you connect to our Service
• Authentication Providers: If you sign in using a third-party service

We use the information we collect for the following purposes:

2.1 To Provide and Maintain Our Service

• Create and manage your account
• Process and store your case data
• Enable team collaboration and case sharing
• Facilitate consortium partnerships and inter-agency collaboration
• Generate AI-powered case summaries and insights
• Send transactional emails and notifications
• Provide customer support

2.2 To Improve and Develop Our Service

• Analyze usage patterns and trends
• Develop new features and functionality
• Improve AI accuracy and performance
• Optimize system performance and reliability
• Conduct research and development

2.3 For Security and Compliance

• Detect and prevent fraud, abuse, and security incidents
• Monitor and analyze security threats
• Comply with legal obligations and enforce our Terms of Service
• Protect the rights, property, and safety of our users
• Maintain audit logs and activity records

2.4 To Communicate With You

• Send service-related notifications and updates
• Respond to your inquiries and support requests
• Send marketing communications (with your consent)
• Notify you of changes to our Service or policies

3.1 AI-Powered Features

CaseCore Management uses artificial intelligence services, including OpenAI, to generate case summaries and provide intelligent insights. When you use AI features:

• Your case data is sent to our AI service providers for processing
• Data is processed in accordance with our agreements with these providers
• We implement data minimization - only necessary information is shared
• AI providers do not use your data to train their models (per our agreements)
• Generated summaries are cached securely for performance optimization
• We track AI usage including token consumption and generation frequency

3.2 Current AI Service Providers

• OpenAI: For case summary generation and natural language processing

3.3 Email Service

We use Resend as our email service provider to deliver:

• Account verification emails
• Password reset notifications
• Activity notifications and mentions
• System alerts and updates

3.4 Other Third-Party Services

We may use other third-party services for:

• Cloud infrastructure and hosting (Supabase)
• Payment processing
• Analytics and monitoring
• Customer support
• Integrations you enable in your account

We do not sell your personal information. We may share your information in the following circumstances:

4.1 With Your Consent

We share information when you explicitly authorize us to do so, such as:

• Sharing cases with consortium partners
• Connecting third-party integrations
• Inviting team members to your organization

4.2 Within Your Organization

Information is shared within your organization according to the permissions and access controls you configure:

• Team members can access cases and tasks assigned to them
• Administrators have broader access to manage the organization
• All access is logged and auditable

4.3 With Service Providers

We share information with third-party service providers who help us operate our Service:

• Cloud hosting and database services
• AI processing services
• Email delivery services
• Payment processors
• Analytics providers
• Customer support tools

These providers are contractually obligated to protect your information and may only use it to perform services for us.

4.4 For Legal Reasons

We may disclose information if required to do so by law or in response to:

• Valid legal processes (subpoenas, court orders, warrants)
• Requests from law enforcement or government agencies
• Legal claims or disputes
• Protection of our rights, property, or safety

4.5 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

4.6 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you individually for research, analytics, and service improvement purposes.

We implement comprehensive security measures to protect your information:

5.1 Technical Security

• Encryption: End-to-end encryption for data in transit (TLS/SSL) and at rest (AES-256)
• Multi-Tenant Isolation: Row-Level Security (RLS) policies ensure data isolation between organizations
• Authentication: Secure password hashing, session management, and token-based authentication
• Access Controls: Role-based access control (RBAC) with principle of least privilege
• Network Security: Firewalls, DDoS protection, and secure network architecture

5.2 Operational Security

• Activity Logging: Comprehensive audit logs of all system activities
• Monitoring: 24/7 security monitoring and incident response
• Regular Backups: Automated backups with disaster recovery procedures
• Vulnerability Management: Regular security assessments and patch management
• Employee Training: Security awareness training for all personnel

5.3 Compliance

• SOC 2 Type II: Compliance with industry-standard security controls
• GDPR Ready: Compliance with EU data protection regulations
• Data Processing Agreements: Available for enterprise customers
• Regular Audits: Third-party security audits and penetration testing

5.4 Security Limitations

Important: While we implement strong security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the security of your account credentials and promptly notifying us of any unauthorized access.

We retain your information for as long as necessary to provide our Service and fulfill the purposes described in this Privacy Policy:

6.1 Active Accounts

• Account and profile information: Retained while your account is active
• Case data: Retained according to your subscription plan and retention settings
• Activity logs: Retained for security and compliance purposes (typically 12 months)

6.2 Closed Accounts

• Account data: Retained for 30 days after account closure (grace period for recovery)
• Backups: Data may persist in backups for up to 90 days
• Legal obligations: Some data may be retained longer if required by law

6.3 AI-Generated Content

• Cached AI summaries: Retained for performance optimization (cleared when case is updated)
• Usage metrics: Aggregated AI usage data retained for billing and analytics

6.4 Data Deletion

You may request deletion of your data at any time by:

• Deleting specific cases or documents through the Service
• Closing your account (deletes all associated data)
• Contacting support for specific deletion requests

You have the following rights regarding your personal information:

7.1 Access and Portability

• Access your personal information through your account settings
• Request a copy of your data in a machine-readable format
• Export your case data and documents at any time

7.2 Correction and Update

• Update your account and profile information at any time
• Correct inaccurate or incomplete information
• Request assistance with updates by contacting support

7.3 Deletion

• Delete specific cases, documents, or comments
• Close your account to delete all associated data
• Request deletion of specific information

7.4 Objection and Restriction

• Object to processing of your information for certain purposes
• Restrict how we use your information in certain circumstances
• Opt out of marketing communications

7.5 Communication Preferences

• Manage email notification preferences in your account settings
• Unsubscribe from marketing emails via the link in each email
• Note: You cannot opt out of essential service-related communications

7.6 AI Feature Control

• Enable or disable AI features for your organization
• Control which users have access to AI summaries
• Configure AI usage limits and policies

7.7 Exercising Your Rights

To exercise any of these rights, please:

• Use the controls available in your account settings
• Contact us at hello@casecore.ai
• We will respond to your request within 30 days

We use cookies and similar tracking technologies to provide, protect, and improve our Service:

8.1 Types of Cookies We Use

• Essential Cookies: Required for authentication, security, and basic functionality
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how you use the Service
• Performance Cookies: Improve loading times and performance

8.2 How We Use Cookies

• Maintain your session and keep you logged in
• Remember your preferences and settings
• Analyze usage patterns and improve the Service
• Provide personalized features and content
• Detect and prevent fraud and security threats

8.3 Your Cookie Choices

Most browsers allow you to control cookies through their settings. However, disabling cookies may affect your ability to use certain features of our Service. Essential cookies cannot be disabled as they are necessary for the Service to function.

CaseCore Management is based in the United States. If you access our Service from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

We ensure appropriate safeguards are in place for international data transfers, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for data transfers to countries with adequate protection
• Other lawful transfer mechanisms as appropriate

By using our Service, you consent to the transfer of your information to the United States and other countries where we and our service providers operate.

CaseCore Management is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are under 18, please do not use our Service or provide any information to us.

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly. If you believe we may have information from or about a child under 18, please contact us immediately at hello@casecore.ai.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

11.1 Right to Know

You have the right to request information about:

• Categories of personal information we collect
• Purposes for collecting personal information
• Categories of sources from which we collect information
• Categories of third parties with whom we share information
• Specific pieces of personal information we have collected

11.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

11.3 Right to Opt-Out

You have the right to opt out of the sale of your personal information. Note: We do not sell your personal information.

11.4 Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

11.5 Exercising Your Rights

To exercise your CCPA rights, contact us at hello@casecore.ai or through your account settings. We will verify your identity before processing your request.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

12.1 Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide our Service
• Legitimate Interests: Improving our Service, security, and fraud prevention
• Consent: For marketing communications and optional features
• Legal Obligations: Compliance with applicable laws

12.2 Your GDPR Rights

In addition to rights described elsewhere in this policy, you have the right to:

• Lodge a complaint with your local data protection authority
• Withdraw consent at any time (without affecting lawfulness of prior processing)
• Request restriction of processing in certain circumstances
• Data portability for information you provided

12.3 Data Protection Officer

For GDPR-related inquiries, contact us at hello@casecore.ai.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you via email or through the Service
• Provide at least 30 days' notice for material changes
• Obtain your consent if required by law

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

We will respond to your privacy-related inquiries within 30 days (or sooner as required by applicable law).