Privacy

Privacy Policy

Last updated: May 6, 2026

Draft — pending legal reviewThis document is a working draft. It does not constitute legal advice and should not be relied upon as final terms. Items marked [REVIEW] need attorney input before publication.

Plain-English summary

CaseAgent is a case-management product used by HR, ethics, compliance, and threat-intelligence teams to run investigations. We treat the contents of those investigations as highly sensitive and we don’t sell them, mine them for advertising, or use them to train AI models.

You are the customer. The cases, evidence, intake reports, and analyses you put into CaseAgent belong to you (or to your organization).
We are a service provider (a “processor” under GDPR; a “service provider” under the CCPA). We process customer data only to operate the product, follow your instructions, comply with law, or — when configured by your administrator — generate AI analyses on top of your own data.
We do not sell personal information, and we have not done so in the last 12 months.
We do not train, fine-tune, or improve foundation models using customer content. AI providers we use are configured for zero data retention where supported.

Who this policy covers

This policy applies to:

Customers — organizations that subscribe to CaseAgent and the administrators and authorized users who sign in.
End users— anyone whose information is included in a customer’s investigation (for example, the subject of a complaint, a witness, or a reporter who submits a tip through a customer’s public intake form).
Visitors — anyone browsing our marketing site at caseagent.net.

Different sections below apply to each group; we call them out where the treatment differs.

Our role: controller vs. processor

For most data inside the product, our customers are the “controller” (they decide why and how it’s processed) and CaseAgent is the “processor” (we handle it on their instructions). This is governed by our Terms of Service and Data Processing Addendum (DPA).

For account-level information about the people who sign in to CaseAgent — names, work email addresses, billing details, and product telemetry — we are the controller. This policy describes how we handle that information.

Information we collect

Account and identity information

When someone signs up, accepts an invitation, or signs in, we collect:

Name, work email address, and (optionally) profile photo.
Authentication identifiers, password hashes, and multi-factor authentication factors. Authentication is provided by Clerk, our identity vendor; CaseAgent does not see or store passwords in plaintext.
Organization (workspace) identifier, role assignment, and the permissions granted by the workspace administrator.

Customer Data (inside investigations)

Customers and their authorized users put data into CaseAgent. This includes:

Cases, intake reports, leads, persons-of-interest, evidence items and attachments, notes, AI prompts and responses, audit-log entries, and any other content you choose to upload or generate inside the product.
For public intake forms: any information a reporter submits, including (depending on the customer’s configuration) the reporter’s name, contact details, and narrative.

Customer Data may include personal information about third parties — the subject of a complaint, a witness, a colleague — placed there by the customer. The customer is responsible for the lawful basis for that processing.

Billing information

For paid subscriptions, our payment processor collects payment-method details directly. We receive the billing contact, plan, invoice history, and the last four digits and brand of the payment method — not the full card number. [REVIEW: Confirm processor name (Stripe) and DPA terms.]

Technical and usage data

Server logs (IP address, user-agent, request paths, response codes, timestamps).
Product telemetry: feature usage events, error reports, performance metrics. These are tied to the workspace and signed-in user but are not used for advertising.
Audit-log entries we maintain on behalf of the customer (who accessed what, when, from which IP).

Information we do not collect

We do not use third-party advertising networks or cross-site trackers on the product.
We do not collect special-category data (health, biometric, etc.) as part of operating the product. Customers may upload such information into Customer Data; that is their decision and their responsibility under applicable law.

How we use information

We use information to:

Operate, maintain, and secure the product, including authentication, access control, audit logging, integrity verification (SHA-256 hashes on evidence), backup, and recovery.
Provide AI features the customer enables — summarising threads, surfacing contradictions, drafting timelines and findings — by calling configured AI providers with the customer’s own data.
Communicate with users about the product: invitations, security notifications, billing, deadline reminders, scheduled digests, and out-of-office routing.
Respond to support requests and product feedback.
Detect, investigate, and prevent fraud, abuse, and security incidents.
Comply with legal obligations, enforce our terms, and respond to lawful requests.

Legal bases (EEA / UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:

Contract— to provide the service to the customer and to authenticated users acting on the customer’s behalf.
Legitimate interests — to keep the service secure, measure performance, prevent abuse, and support our business operations, balanced against the rights of the people involved.
Consent — for optional communications you opt in to (for example, product newsletters).
Legal obligation — to respond to lawful requests, retain billing records, and comply with applicable law.

For Customer Data, the customer determines the legal basis; we process it on their instructions under our DPA.

We share information only as described below:

With the customer. Information you put into a workspace is visible to other authorized users of that workspace based on the role and permission rules the customer configures.
With subprocessors. Vendors that help us run the service (hosting, database, email, AI inference, fraud prevention). See the list below.
For legal reasons. If we receive a valid legal process, we will respond as required by law. Where we are permitted to do so, we will notify the affected customer first.
In connection with a corporate transaction. If we are involved in a merger, acquisition, financing, or sale of assets, customer information may transfer to the successor; we will notify customers in advance and the successor will remain bound by this policy or one offering at least equivalent protections.
With your direction. Where you ask us to share information with a third party (for example, an integration you enable).

We do not sell personal information. We do not share personal information for cross-context behavioural advertising.

Subprocessors

We use the following subprocessors to deliver the service. Each is bound by a written data processing agreement requiring confidentiality, appropriate security, and processing limited to documented instructions.

Vercel — application hosting and edge delivery (United States).
Supabase — managed PostgreSQL database and object storage [REVIEW: confirm region(s) — likely US-East].
Clerk — authentication, session management, and transactional auth emails (United States).
Stripe — billing, subscription management, and payment processing (United States).
SendGrid (Twilio) — transactional email for notifications, digests, and out-of-office routing (United States).
OpenAI and Anthropic — AI inference for analysis features the customer enables. Configured for zero retention where supported by the provider. [REVIEW: confirm zero-retention agreements are in place at GA]
hCaptcha and Cloudflare Turnstile — bot defense on public intake forms and authentication challenges.
Backblaze B2 — encrypted, write-once off-site backups with object lock.

We will post material changes to the subprocessor list and provide customers a reasonable period to object before a new subprocessor begins processing Customer Data. [REVIEW: Decide notice period — 30 days is common.]

AI and machine learning

AI features are off by default for new workspaces and are controlled by the workspace administrator. When enabled:

We send the relevant customer-provided context (case content, evidence text, the user’s prompt) to a configured AI provider to generate a response.
We do not use Customer Data to train, fine-tune, or improve foundation models — ours or anyone else’s.
We require AI providers to retain customer content only for the minimum period necessary to deliver the response, and to use zero-retention configurations where supported.
AI output is generated material and may be inaccurate. CaseAgent surfaces source citations where available; users should verify before relying on AI output for any consequential decision.

International data transfers

CaseAgent is operated from the United States. If you access the service from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our subprocessors operate. For transfers from the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable), and we have completed transfer impact assessments for our principal subprocessors. [REVIEW: Confirm SCCs and TIA documentation are filed.]

Retention and legal hold

We retain account and Customer Data for the duration of the subscription. After termination:

Customer Data is available for export for [REVIEW: 30 days?] following termination, then deleted from production systems.
Encrypted off-site backups are retained for [REVIEW: confirm — 30 days standard, 1 year max] on a rolling basis and then expire automatically.
Account-level metadata (organization name, billing record, audit summaries) may be retained as required to comply with legal, accounting, and tax obligations.

Legal hold. CaseAgent supports a legal-hold flag on cases and evidence. When a hold is active, deletion is blocked in-product even by administrators. If you place items on hold, we will not delete them on subscription termination until the hold is released; in such cases retention may be extended on commercial terms.

Security

We use a layered security program, including:

Encryption in transit (TLS 1.2+) and at rest for the production database and object storage.
Authentication via a dedicated identity provider with optional multi-factor authentication (TOTP).
Per-case access policies, role-based access control, and an audit log on every privileged action.
SHA-256 integrity hashes on uploaded evidence; legal-hold gating; access logs on intake attachments.
Encrypted off-site backups with object lock and quarterly restore drills.
Vendor risk review before adopting new subprocessors.

No system is perfectly secure. Report a suspected vulnerability to security@caseagent.net — see also our security.txt.

Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal information, and to object to certain processing. EEA, UK, and Swiss residents may also lodge a complaint with their data protection authority. California residents have rights under the CCPA, including the right to know, delete, correct, and opt out of sale or sharing (we do neither).

To exercise rights against information for which we are the controller (your account information), email privacy@caseagent.net. We will verify your identity and respond within the period required by applicable law.

End-user rights in customer workspaces

For information that a customer has placed inside their workspace about you (for example, a record in an investigation), the customer is the controller. Direct your request to that organization. If you cannot identify the customer or do not get a timely response, contact privacy@caseagent.net and we will route the request appropriately. We may not be able to modify or delete records the customer is required to retain (for example, under a legal hold).

Cookies and similar technologies

We use a small set of first-party cookies and local storage:

Authentication — set by Clerk to keep you signed in.
Preferences — to remember UI preferences such as theme and density.
CSRF protection — to protect against cross-site-request-forgery on state-changing actions.

We do not use third-party advertising or cross-site tracking cookies.

Children

CaseAgent is a workplace product not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe we have, contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. Material changes will be announced in-product or by email to customer administrators with at least [REVIEW: 30 days?]notice. The “Last updated” date at the top reflects the latest revision.

Contact us

Questions about this policy or our practices: email privacy@caseagent.net. For security disclosures, use security@caseagent.net.

CaseAgent is operated by [REVIEW: insert legal entity, address, and registry no.].

Privacy

Privacy Policy

Last updated: May 6, 2026

Plain-English summary

You are the customer. The cases, evidence, intake reports, and analyses you put into CaseAgent belong to you (or to your organization).
We are a service provider (a “processor” under GDPR; a “service provider” under the CCPA). We process customer data only to operate the product, follow your instructions, comply with law, or — when configured by your administrator — generate AI analyses on top of your own data.
We do not sell personal information, and we have not done so in the last 12 months.
We do not train, fine-tune, or improve foundation models using customer content. AI providers we use are configured for zero data retention where supported.

Who this policy covers

This policy applies to:

Customers — organizations that subscribe to CaseAgent and the administrators and authorized users who sign in.
End users— anyone whose information is included in a customer’s investigation (for example, the subject of a complaint, a witness, or a reporter who submits a tip through a customer’s public intake form).
Visitors — anyone browsing our marketing site at caseagent.net.

Different sections below apply to each group; we call them out where the treatment differs.

Our role: controller vs. processor

Information we collect

Account and identity information

When someone signs up, accepts an invitation, or signs in, we collect:

Name, work email address, and (optionally) profile photo.
Authentication identifiers, password hashes, and multi-factor authentication factors. Authentication is provided by Clerk, our identity vendor; CaseAgent does not see or store passwords in plaintext.
Organization (workspace) identifier, role assignment, and the permissions granted by the workspace administrator.

Customer Data (inside investigations)

Customers and their authorized users put data into CaseAgent. This includes:

Cases, intake reports, leads, persons-of-interest, evidence items and attachments, notes, AI prompts and responses, audit-log entries, and any other content you choose to upload or generate inside the product.
For public intake forms: any information a reporter submits, including (depending on the customer’s configuration) the reporter’s name, contact details, and narrative.

Billing information

Technical and usage data

Server logs (IP address, user-agent, request paths, response codes, timestamps).
Product telemetry: feature usage events, error reports, performance metrics. These are tied to the workspace and signed-in user but are not used for advertising.
Audit-log entries we maintain on behalf of the customer (who accessed what, when, from which IP).

Information we do not collect

We do not use third-party advertising networks or cross-site trackers on the product.
We do not collect special-category data (health, biometric, etc.) as part of operating the product. Customers may upload such information into Customer Data; that is their decision and their responsibility under applicable law.

How we use information

We use information to:

Operate, maintain, and secure the product, including authentication, access control, audit logging, integrity verification (SHA-256 hashes on evidence), backup, and recovery.
Provide AI features the customer enables — summarising threads, surfacing contradictions, drafting timelines and findings — by calling configured AI providers with the customer’s own data.
Communicate with users about the product: invitations, security notifications, billing, deadline reminders, scheduled digests, and out-of-office routing.
Respond to support requests and product feedback.
Detect, investigate, and prevent fraud, abuse, and security incidents.
Comply with legal obligations, enforce our terms, and respond to lawful requests.

Legal bases (EEA / UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:

Contract— to provide the service to the customer and to authenticated users acting on the customer’s behalf.
Legitimate interests — to keep the service secure, measure performance, prevent abuse, and support our business operations, balanced against the rights of the people involved.
Consent — for optional communications you opt in to (for example, product newsletters).
Legal obligation — to respond to lawful requests, retain billing records, and comply with applicable law.

For Customer Data, the customer determines the legal basis; we process it on their instructions under our DPA.

We share information only as described below:

With the customer. Information you put into a workspace is visible to other authorized users of that workspace based on the role and permission rules the customer configures.
With subprocessors. Vendors that help us run the service (hosting, database, email, AI inference, fraud prevention). See the list below.
For legal reasons. If we receive a valid legal process, we will respond as required by law. Where we are permitted to do so, we will notify the affected customer first.
In connection with a corporate transaction. If we are involved in a merger, acquisition, financing, or sale of assets, customer information may transfer to the successor; we will notify customers in advance and the successor will remain bound by this policy or one offering at least equivalent protections.
With your direction. Where you ask us to share information with a third party (for example, an integration you enable).

We do not sell personal information. We do not share personal information for cross-context behavioural advertising.

Subprocessors

Vercel — application hosting and edge delivery (United States).
Supabase — managed PostgreSQL database and object storage [REVIEW: confirm region(s) — likely US-East].
Clerk — authentication, session management, and transactional auth emails (United States).
Stripe — billing, subscription management, and payment processing (United States).
SendGrid (Twilio) — transactional email for notifications, digests, and out-of-office routing (United States).
OpenAI and Anthropic — AI inference for analysis features the customer enables. Configured for zero retention where supported by the provider. [REVIEW: confirm zero-retention agreements are in place at GA]
hCaptcha and Cloudflare Turnstile — bot defense on public intake forms and authentication challenges.
Backblaze B2 — encrypted, write-once off-site backups with object lock.

AI and machine learning

AI features are off by default for new workspaces and are controlled by the workspace administrator. When enabled:

We send the relevant customer-provided context (case content, evidence text, the user’s prompt) to a configured AI provider to generate a response.
We do not use Customer Data to train, fine-tune, or improve foundation models — ours or anyone else’s.
We require AI providers to retain customer content only for the minimum period necessary to deliver the response, and to use zero-retention configurations where supported.
AI output is generated material and may be inaccurate. CaseAgent surfaces source citations where available; users should verify before relying on AI output for any consequential decision.

International data transfers

Retention and legal hold

We retain account and Customer Data for the duration of the subscription. After termination:

Customer Data is available for export for [REVIEW: 30 days?] following termination, then deleted from production systems.
Encrypted off-site backups are retained for [REVIEW: confirm — 30 days standard, 1 year max] on a rolling basis and then expire automatically.
Account-level metadata (organization name, billing record, audit summaries) may be retained as required to comply with legal, accounting, and tax obligations.

Security

We use a layered security program, including:

Encryption in transit (TLS 1.2+) and at rest for the production database and object storage.
Authentication via a dedicated identity provider with optional multi-factor authentication (TOTP).
Per-case access policies, role-based access control, and an audit log on every privileged action.
SHA-256 integrity hashes on uploaded evidence; legal-hold gating; access logs on intake attachments.
Encrypted off-site backups with object lock and quarterly restore drills.
Vendor risk review before adopting new subprocessors.

No system is perfectly secure. Report a suspected vulnerability to security@caseagent.net — see also our security.txt.

Your rights

End-user rights in customer workspaces

Cookies and similar technologies

We use a small set of first-party cookies and local storage:

Authentication — set by Clerk to keep you signed in.
Preferences — to remember UI preferences such as theme and density.
CSRF protection — to protect against cross-site-request-forgery on state-changing actions.

We do not use third-party advertising or cross-site tracking cookies.

Children

CaseAgent is a workplace product not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe we have, contact us and we will delete it.

Changes to this policy

Contact us

Questions about this policy or our practices: email privacy@caseagent.net. For security disclosures, use security@caseagent.net.

CaseAgent is operated by [REVIEW: insert legal entity, address, and registry no.].

Plain-English summary

Who this policy covers

Our role: controller vs. processor

Information we collect

Account and identity information

Customer Data (inside investigations)

Billing information

Technical and usage data

Information we do not collect

How we use information

Legal bases (EEA / UK)

How we share information

Subprocessors

AI and machine learning

International data transfers

Retention and legal hold

Security

Your rights

End-user rights in customer workspaces

Cookies and similar technologies

Children

Changes to this policy

Contact us

Plain-English summary

Who this policy covers

Our role: controller vs. processor

Information we collect

Account and identity information

Customer Data (inside investigations)

Billing information

Technical and usage data

Information we do not collect

How we use information

Legal bases (EEA / UK)

How we share information

Subprocessors

AI and machine learning

International data transfers

Retention and legal hold

Security

Your rights

End-user rights in customer workspaces

Cookies and similar technologies

Children

Changes to this policy

Contact us