Privacy — Ireland

Caselaw operates under GDPR + Irish Data Protection Act 2018 for Ireland users. Data residency: Supabase EU-WEST (Frankfurt). Privacy regulator: Data Protection Commission (Ireland).

• EU OSS scheme handles cross-border B2C VAT.
• Lawful basis is performance of contract for paying users; consent for marketing emails.
• International transfers covered by SCCs where data leaves the EEA.

What we collect

• Email address (account, magic-link auth, transactional comms)
• University / year-level / exam-focus (only what you give us in the waitlist or settings)
• Salted IP hash for abuse prevention (never raw IP)
• Reading history within Caselaw — used to drive flashcards and revision suggestions; never sold
• Stripe customer / subscription state (via Stripe; we do not store payment card data)

What we don't collect

• Tracking cookies that follow you off the site
• Third-party advertising profiles
• Card numbers (Stripe processes them — we never see them)
• Voice / video / camera data — we have none of those features

Your rights

Access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability and the right to object — all exercisable by emailing [email protected]. We respond within 30 days. If you're not satisfied, you can lodge a complaint with the Data Protection Commission (Ireland).

This regional privacy notice supplements our global privacy policy — read both. Effective 2026-05-01.