Last updated: 2026-05-26
Privacy Policy
This Privacy Policy explains how we collect, use, and protect your personal information when you use CaseCalm. Your privacy matters, especially given the sensitive nature of legal case data. We process personal data in line with the UK GDPR and the Data Protection Act 2018. We are registered with the Information Commissioner’s Office (registration number: to be added at launch).
1. Who we are
CaseCalm is operated by JobCannon Ltd, a company registered in England and Wales. We are the data controller for personal data we process through the Service.
If you have any questions about your data, email privacy@casecalm.com.
2. What we collect
Account information: name, email address, password (stored hashed), UK region, account creation date.
Case workspace data: the information you provide about your case, including claim details, opposing party information, documents you draft or upload, deadlines, and chat history with our AI. Case data may include special category data under UK GDPR (for example, if your case involves health, religion, sexual orientation, trade union membership) and information about criminal convictions.
Payment data: handled by Stripe; we do not store full card numbers. We retain billing history (transaction ID, amount, date).
Usage data: pages visited, features used, error logs. Analytics tools collect this in aggregate.
Communications: emails, support tickets, and other communications between you and us.
Cookies and similar technologies: see our Cookie Policy.
3. Why we process your data (lawful basis)
We rely on the following lawful bases under UK GDPR Article 6:
- Contract performance (Article 6(1)(b)): to provide the Service you signed up for, including the case workspace and AI drafting.
- Legitimate interests (Article 6(1)(f)): to improve and secure the Service, prevent fraud, and provide customer support.
- Consent (Article 6(1)(a)): for non-essential cookies, marketing emails, and optional features. You can withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): to comply with court orders, tax laws, and other statutory requirements.
For special category data (Article 9), we rely on Article 9(2)(f): the establishment, exercise, or defence of legal claims. This is the specific UK GDPR provision designed for legal services.
For criminal-conviction data (Article 10), we rely on the legal-claims condition in Schedule 1 of the Data Protection Act 2018.
4. How we use your data
- To provide the case workspace and AI drafting features
- To remind you of deadlines
- To process subscription payments
- To respond to your support queries
- To improve and refine the Service
- To send transactional emails (account, billing, deadlines)
- To send marketing emails if you opted in
- To detect and prevent abuse and fraud
- To comply with legal obligations
Case data is used to deliver the Service to you. We do not use case content to train AI models. We do not sell case data to anyone, ever.
5. Who we share data with
We share data only with the processors we need to run the Service:
- Supabase (database and authentication) — EU hosted
- Stripe (payments) — Ireland and US
- Google Cloud / Vertex AI (Gemini AI for drafting) — UK / EU regions
- Resend (transactional email) — US, with EU data residency option
- Vercel (hosting) — US, with EU edge regions
- Cloudflare (DNS, security) — global
- Sentry (error monitoring) — US
We have data processing agreements with each. We don’t share case data with marketing partners, brokers, or advertisers.
We may disclose data when legally required: court orders, regulatory requests from the ICO, or where necessary to defend our rights.
For referral to solicitor partners: we only share the contact details you authorise us to share, and only after you explicitly opt in to a specific referral.
6. International transfers
Some processors are in the US or outside the UK / EU. We rely on Standard Contractual Clauses or the UK extension to the EU-US Data Privacy Framework for those transfers. Your data is protected to the standard required by UK GDPR regardless of where it sits.
7. How long we keep data
- Active case data: while your case is active plus 6 years (UK limitation period for most civil claims under the Limitation Act 1980).
- Closed case data: 6 years from closure.
- Account data not tied to a case: until you ask us to delete, or 3 years of inactivity, whichever is first.
- Marketing email lists: until you unsubscribe or 2 years of no engagement.
- Stripe payment data: 7 years (UK tax retention rules).
- Server logs: 90 days raw, then anonymised.
You can request deletion at any time (see Your Rights below). We may need to retain some data for legal obligations even after deletion requests — we’ll tell you when this applies.
8. How we protect your data
We use industry-standard security:
- TLS encryption for all traffic
- Encryption at rest in our database
- Strong authentication, including optional two-factor authentication
- Row-level security so users only see their own data
- Regular security reviews
- Access control on the operations team (least privilege)
If a breach happens that affects you, we’ll tell you within the timescale required by UK GDPR (without undue delay, and usually within 72 hours where the breach is likely to result in risk to your rights and freedoms).
9. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Erase your data (subject to legal exemptions, especially during active litigation)
- Restrict our processing
- Object to processing based on legitimate interests
- Receive your data in a portable format
- Withdraw consent at any time
- Complain to the Information Commissioner’s Office at ico.org.uk
To exercise any of these rights, email privacy@casecalm.com. We’ll respond within 30 days (extendable by 60 days for complex requests). We may need to verify your identity before processing the request.
10. Automated decision-making
Our AI drafts documents based on the information you provide. This is not automated decision-making in the legal sense: we don’t make decisions about you that have legal effects. You decide what to file. You decide what to sign. The AI is a tool you direct.
You can always ask for human review of AI output by emailing support@casecalm.com. We aim to respond within 2 business days.
11. Children
CaseCalm is for adults. We do not knowingly collect data from anyone under 18. If you believe we’ve collected data from a child, email privacy@casecalm.com and we’ll delete it.
12. Third-party links
Our site may link to other websites (gov.uk, Citizens Advice, partner solicitors). We’re not responsible for their privacy practices.
13. Changes to this policy
We may update this policy from time to time. If we make material changes, we’ll tell you by email and an in-product notice. Continued use after the change takes effect counts as acceptance.
14. Contact
For privacy questions or to exercise your rights: privacy@casecalm.com
To complain to the regulator:
- Information Commissioner’s Office
- Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- casework@ico.org.uk
- 0303 123 1113
- ico.org.uk