Legal
Privacy Policy
Effective date: May 12, 2026
This Privacy Policy describes how CaseRead AI LLC (“CaseRead,” “we,” “us”) collects and uses personal information from visitors to caseread.ai, account holders (attorneys, firm admins, and firm staff), and users of our free Hallucination Shield citation verifier.
Important scope note. Documents, matter files, client communications, and other content uploaded into a firm’s vault (“Customer Data”) are not governed by this Privacy Policy. Customer Data is governed by the Terms of Service and any executed Data Processing Addendum between CaseRead and the customer firm. The customer firm is the controller of that data; CaseRead is the processor.
1. Google API Services
CaseRead integrates with your Google Account to support core product workflows. When you connect your Google Account, CaseRead requests the following OAuth scopes, each of which gives CaseRead the minimum access needed for the corresponding feature.
Google Drive — https://www.googleapis.com/auth/drive.file
We request access only to the specific Google Drive files and folders you explicitly share with CaseRead via Google’s file picker. We never access your full Drive contents, and we cannot see files you have not shared with the app. We use this access to ingest case documents (pleadings, briefs, contracts, correspondence) into the matter workspace you designate, so CaseRead can perform matter-aware legal research grounded in your firm’s case files.
Google Calendar — https://www.googleapis.com/auth/calendar.events
We read and write calendar events to surface upcoming hearing dates, deposition schedules, and statutory deadlines within your case workspaces, and to write court-imposed deadlines extracted from your case documents back to your calendar. We do not access calendar settings, sharing permissions, or other calendars’ access control lists.
Account identity — https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile, openid
Used solely to identify your CaseRead account during sign-in. We use your email address and profile name to create and authenticate your CaseRead user account.
How we handle Google user data. File contents and event text transmitted from Google APIs are processed by Anthropic’s API for analysis, taxonomy tagging, and embedding generation. Anthropic processes this data under its commercial API terms and does not use it for model training. CaseRead stores ingested document content and embeddings in Supabase Postgres with pgvector, encrypted at rest. We do not sell Google user data, do not use it for advertising, and do not share it with third parties beyond the infrastructure providers strictly required to operate the service.
Data deletion. You may disconnect CaseRead from your Google Account at any time via myaccount.google.com/permissions or from within CaseRead settings. Upon disconnection, account deletion, or written request to privacy@caseread.ai, CaseRead will delete all Google user data — including raw file content, calendar event data, and derived embeddings — within 30 days.
Limited Use compliance. CaseRead’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
2. Information We Collect
We collect three categories of personal information:
Information you give us. Name, firm name, work email, phone number, bar number and admission jurisdiction, profile photo, billing address, and tax identifiers. Payment card details are submitted directly to our PCI-compliant payment processor; we never see or store full card numbers.
Information collected automatically. IP address, device and browser identifiers, operating system, referring URL, pages viewed, session duration, feature usage events, and error logs. We use first-party cookies for authentication and session continuity, and a privacy-respecting analytics service for aggregate traffic measurement. We do not use advertising cookies and do not participate in cross-context behavioral advertising.
Information from third parties. Subscription and payment status from our payment processor, email deliverability signals from our transactional email provider, and identity claims from any single sign-on provider you elect to use.
Hallucination Shield (free tier). Citation strings you submit for verification, an anti-abuse challenge token, your IP address (used only for abuse rate-limiting), and, where you provide it, an email address for results delivery.
3. How We Use Information
We use personal information to:
- Provision and operate the Services, including creating each firm’s isolated vault_firm_{id} database schema.
- Authenticate users and enforce role-based access controls.
- Process subscription billing and meet our tax-reporting obligations.
- Send transactional messages (account verification, invites, password resets, billing receipts, security alerts, and product notifications you have opted into).
- Detect and prevent fraud, abuse, and security incidents, and enforce our Terms.
- Improve the product through aggregated and de-identified usage analytics.
- Comply with legal obligations, respond to lawful requests, and exercise or defend legal claims.
4. AI Processing and the No-Training Commitment
CaseRead uses artificial intelligence to power research, drafting, and verification features. AI requests are routed to two enterprise AI providers:
- Anthropic, PBC — Claude Sonnet, Claude Opus, and Claude Haiku, used for research synthesis, document drafting, query expansion, and summarization, all via Anthropic’s commercial API.
- OpenAI, L.P. — the text-embedding-3-small model, used to generate vector embeddings that power semantic search.
All AI processing occurs on infrastructure located in the United States. Embeddings and AI-generated outputs are stored in the customer’s isolated database schema, never pooled across tenants. AI outputs are advisory only and require review by a licensed attorney before any reliance — see Section 6 of our Terms of Service.
Automated decision-making notice. AI features do not produce legal effects without human review by the licensed attorney using the Service. Where required by applicable law (including the California Consumer Privacy Act’s automated decision-making technology rules), you may request human review of, and an explanation for, any AI output produced about you.
5. Sub-Processors
We engage the following categories of sub-processors to deliver the Services. Each is contractually required to maintain confidentiality and security obligations consistent with this Policy.
| Category | Purpose | Region |
|---|---|---|
| Anthropic, PBC | AI inference (Claude) | United States |
| OpenAI, L.P. | Vector embeddings | United States |
| Cloud infrastructure providers | Application hosting, database, file storage, authentication, edge security | United States |
| Payment processor | Subscription billing and payment card processing | United States |
A complete, named list of sub-processors is available to customers under non-disclosure agreement on request to privacy@caseread.ai. We will provide notice of material changes at least 30 days before a new sub-processor begins handling Customer Data, where required by your agreement with us.
6. When We Disclose Information
We disclose personal information only in these circumstances:
- To the sub-processors identified above, under written contracts that limit their use to providing services to us.
- To affiliates and to a successor entity in connection with a merger, acquisition, financing, or sale of assets — subject to confidentiality terms at least as protective as this Policy.
- To comply with applicable law, valid legal process (subpoena, warrant, court order), or to protect the rights, safety, or property of CaseRead, our users, or the public. Where legally permitted, we will give the affected firm prompt notice so it can seek a protective order or otherwise respond.
- With your direction or consent.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.
7. Data Retention and the Right to Deletion
- Account data: for the duration of your subscription plus 90 days after termination, then purged.
- Customer Data (vault contents): per your firm’s subscription agreement. After termination, your firm has 30 days to export, after which we delete the data and the firm’s isolated schema.
- Google integration tokens and cached metadata: retained while the connection is active; purged within 30 days of disconnect or matter close (see Section 1).
- Billing and tax records: seven years, as required by applicable tax law.
- Support tickets: two years after closure.
- Hallucination Shield logs: 30 days, then anonymized for aggregate analytics.
- Backups: rolling 30-day window; deleted records age out of backups within that window.
Per our architecture, vectors and metadata tied to a specific client_id can be purged on request when a client relationship ends.
8. Security
We protect personal information using:
- Schema-level multi-tenant isolation. Every firm receives its own dedicated PostgreSQL schema. Cross-tenant queries are mathematically impossible at the database layer — not merely filtered at the application layer.
- Row-level security within each firm separates lawyer-private documents from firm-wide content.
- Encryption at rest (AWS KMS-backed AES-256) and in transit (TLS 1.2+). Share-link passwords are protected with AES-256-GCM.
- Access controls, including multi-factor authentication, role-based permissions, audit logging, and least-privilege staff access.
- Operational practices, including rate limiting, input validation, output sanitization, and continuous security review.
No system is perfectly secure. In the event of a confirmed personal-data breach, we will notify affected firms without undue delay and in accordance with applicable law, and within 72 hours where required.
9. Your Privacy Rights
Depending on where you reside, you may have rights to access, correct, delete, or port your personal information; to opt out of the sale or sharing of personal information (we do not sell or share for advertising); to limit the use of sensitive personal information; to withdraw consent; and to request human review of automated decision-making. We respond to verified requests within 45 days, with one 45-day extension where reasonably necessary, and we do not discriminate against users who exercise their rights.
To exercise a right, email privacy@caseread.ai. If your personal information is held within a firm’s vault, we will forward your request to that firm, which is the controller of that data.
Authorized agents may submit requests on your behalf with written authorization. Appeals: if we deny your request, you may appeal to privacy@caseread.ai with the subject line “Privacy Appeal.”
10. Children
The Services are intended exclusively for licensed attorneys and authorized firm staff aged 18 or older. We do not knowingly collect personal information from anyone under 18, and the Services are not directed to children.
11. International Users
CaseRead is operated from, and hosts data in, the United States. If you access the Services from outside the United States, you consent to the transfer of your information to the United States. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses and the data-processing terms of our sub-processors.
13. Changes to this Policy
We will post any changes to this Policy on this page and update the effective date above. For material changes that adversely affect your rights, we will give notice by email or in-app banner at least 30 days before the change takes effect.
14. Contact
CaseRead AI LLC
privacy@caseread.ai
For all other inquiries: info@caseread.ai