Privacy notice · Canada

How Caselaw handles your personal information

Last updated: 2026-05-03

1. PIPEDA compliance statement

Caselaw operates this Canadian service under the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5). We collect, use, and disclose personal information only for the purposes described below, with your consent or under another lawful basis recognised by PIPEDA, and we apply the ten Fair Information Principles set out in Schedule 1 of the Act.

2. Categories of personal information we collect

  • Account data — email address, hashed password, display name, university or NCA cohort (if provided), authentication tokens.
  • Usage data — pages and cases viewed, search queries, AI-tutor prompts and responses, briefs generated, study streaks, device + browser metadata for security and analytics.
  • Payment data — billing address and tax identifiers required by Stripe Tax for GST/HST/PST, Stripe customer ID, subscription state. We do not store full card numbers; payment instruments are tokenised by Stripe.
  • Communications — support emails you send us and our replies.

3. Lawful basis for processing

We rely on two PIPEDA-recognised bases:

  • Consent — for account creation, optional analytics, and marketing email. Express at signup, withdrawable at any time per §9 below.
  • Contract performance — for delivering the service you paid for (subscription billing, content access, brief generation, customer support).

4. Where your data is stored

Account, usage, and content data is stored on Supabase Postgres in the AWS eu-west-1 (Ireland) region. Payment data is processed by Stripe Payments Canada Ltd. with global routing. Email delivery uses Resend (US infrastructure).

Cross-border transfer. Hosting your data in Ireland rather than Canada is a deliberate trade-off for cost and platform maturity. The European Economic Area provides protections recognised as adequate by Canadian regulators, and we apply Standard Contractual Clauses with our processors. By creating an account you consent to this transfer; if that’s not acceptable to you, do not create an account — we cannot run the service from Canada-only infra today.

5. How long we keep it

Account + usage data is retained while your account is active and for 90 days after deletion (so accidental deletions can be reversed). Stripe billing records are kept for 7 years to satisfy CRA tax retention rules. Anonymised aggregate analytics may be kept indefinitely.

6. Who we share it with

We share personal information only with:

  • Processors bound by data-processing agreements: Supabase (database + auth), Stripe (payments + tax), Resend (transactional email), Anthropic (AI inference for briefs and tutor — prompts are sent to Anthropic but not used to train its models per our enterprise agreement), Vercel (hosting + edge network).
  • Legal authorities when compelled by a Canadian court order, subpoena, or warrant. We will notify you unless legally barred from doing so.

We do not sell your personal information.

7. Cookies and tracking

We set first-party cookies for authentication (sb-access-token, sb-refresh-token), jurisdiction (caselaw_jurisdiction), and theme preferences. We do not use cross-site advertising trackers. Analytics is first-party via PostHog, with IP truncation enabled.

8. Your rights as a data subject

Under PIPEDA you have the right to:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data.
  • Deletion — ask us to delete your account and associated personal information. Stripe billing records that we are legally required to retain will not be deleted but will be disassociated from your account where possible.
  • Withdrawal of consent — withdraw consent for optional processing at any time. Withdrawing consent for essential processing (e.g. account auth) means we can no longer provide the service.
  • Complaint — lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC).

Exercise any of these by emailing [email protected]. We respond within 30 days as required by PIPEDA §8(3).

9. Breach notification

PIPEDA §10.1 and the OPC’s breach-notification guidance require us to notify you and the Privacy Commissioner of any breach of security safeguards involving personal information that creates a real risk of significant harm. We commit to notifying both within 72 hours of confirming such a breach, and to maintaining a log of all breaches as required by §10.3.

Notifications include: the nature of the breach, the personal information involved, the steps we’ve taken to mitigate harm, and the steps you can take to protect yourself.

10. Security

Data in transit is encrypted with TLS 1.2+. Data at rest is encrypted by Supabase (AES-256). Database access is restricted by row-level security policies and service-role keys are stored in Vercel encrypted env vars. We perform dependency security reviews on every deploy.

11. Quebec residents

Caselaw is not yet available in Quebec pending compliance with Bill 96 (French-default user interface) and Law 25 (designated privacy officer for Quebec residents and a documented privacy impact assessment for cross-border data transfers).

Quebec residents can join the waitlist to be notified when Quebec service opens (target Q4 2026).

12. Privacy Officer

Caselaw’s Privacy Officer is responsible for compliance with PIPEDA and for handling all data subject requests and breach notifications:

Aryan Verma, Privacy Officer
Email: [email protected]

13. Changes to this notice

We will update this page when our practices change. Material changes will be announced by email to active subscribers at least 14 days before they take effect.