Privacy Policy

Last updated: 23 May 2026

This Privacy Policy describes how caselaw ("we", "us", "our") collects, uses, and protects your personal data when you use the Service at https://www.getcaselaw.com. We are the data controller for the personal data described below. This Policy is written to comply with the UK General Data Protection Regulation and the Data Protection Act 2018 (together, the "UK GDPR").

1. Data we collect

1.1 Account data

  • Full name, email address, hashed password
  • Username (a public handle visible on Common Room, leaderboard, and your profile page). You can pick one at signup or we'll generate one for you to confirm during onboarding.
  • Profile picture (optional). Stored in our public Supabase storage bucket and visible alongside your username on Common Room posts and your profile page. Remove it any time from your account settings; if you don't upload one, we render a deterministic initials avatar from your username.
  • University, qualification (LLB, SQE1, GDL, BPTC etc.), year of study (if provided)
  • Profile preferences (theme, default jurisdiction, notification settings)

1.2 Subscription & payment data

  • Plan, billing cadence, subscription status, trial start/end
  • Stripe customer ID, Stripe subscription ID, Stripe price ID
  • We do not store full card numbers. Card details are tokenised by Stripe and never touch our servers.

1.3 Usage data

  • Search queries, viewed cases, generated AI briefs, AI tutor messages
  • Saved cases, reading lists, flashcard progress, quiz answers, study streak
  • Past paper purchases and access events

1.4 Technical data

  • IP address, browser type and version, device type, operating system
  • Pages visited, referrer, timestamps
  • Cookies and similar technologies (see Section 6)

2. How we use your data & lawful bases

| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Provide the Service (account, search, briefs, AI tutor, billing) | Performance of a contract |
| Process payments and prevent fraud | Performance of a contract; legitimate interest (fraud prevention) |
| Send transactional emails (welcome, renewal reminders, receipts) | Performance of a contract; legal obligation (DMCC Act 2024) |
| Send marketing emails (product updates, offers) | Consent - opt-in; you may withdraw at any time |
| Improve the product (aggregated, non-identifying analytics) | Legitimate interest |
| Detect abuse, enforce Terms, comply with law enforcement | Legitimate interest; legal obligation |

3. Sub-processors

We use the following third-party processors to operate the Service. Each is bound by a Data Processing Agreement (DPA) and provides UK GDPR-compliant safeguards.

| Processor | Purpose | Region |
|---|---|---|
| Vercel | Application hosting, edge network, deployments | EU / global edge |
| Supabase | Database (Postgres), authentication, storage | EU (Ireland) |
| Stripe Payments UK Ltd | Payment processing, billing, customer portal | UK / EU / US (UK IDTA + Stripe UK contracts) |
| Anthropic PBC | Large language model inference (Claude) for AI briefs and AI tutor | US - UK IDTA in place; Anthropic does not train on customer data |
| OpenAI, L.L.C. | Selective text-generation tasks (fallback) | US - UK IDTA in place; data not used for model training (API tier) |
| ElevenLabs | Text-to-speech for content generation pipelines | US - UK IDTA |
| Higgsfield | Marketing image and video generation pipelines (no personal data) | US - UK IDTA |
| Loops | Transactional and marketing email delivery | US - UK IDTA |
| Upstash | Rate limiting and ephemeral cache | EU (Ireland) |
| The National Archives | Source of UK case judgments (no personal data sent) | UK |

Where data is transferred outside the UK, we rely on the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses with the UK Addendum.

3A. Case-record data and third parties named in court judgments

Caselaw reproduces UK court judgments verbatim from the public corpus published by The National Archives under the UK Government's Open Government Licence v3.0. These judgments routinely contain the names of parties (defendants, claimants, appellants), and may incidentally contain the names of witnesses, victims, family members, and other third parties. Our lawful basis for this processing is Article 6(1)(f) UK GDPR (legitimate interests in supporting legal education and research) read with the public-records and journalistic/academic exemptions in Schedule 2 of the Data Protection Act 2018 and the open justice principle.

If you appear in a case record on getcaselaw.com and would like it removed (for example because your conviction was quashed on appeal, you have statutory anonymity as a victim or witness, the conviction is spent under the Rehabilitation of Offenders Act 1974, or for other privacy reasons), please use our removal request form. We acknowledge requests within 24 hours and respond substantively within 30 days, as required by Article 12(3) UK GDPR. In practice most requests are actioned within 48 hours.

You can also email [email protected] directly if you prefer not to use the form. We retain an internal audit log of all erasure requests and our response to them, as expressly permitted by Article 17(3)(b) UK GDPR for compliance demonstration purposes.

4. AI processing

When you generate a case brief, ask the AI tutor a question, or use other AI features, your prompt is sent to the AI provider listed in Section 3 to generate a response. We instruct providers not to train on your data and we do not retain conversation history beyond what is needed to operate the Service. Your private notes and custom flashcards are never sent to AI providers.

5. Data retention

  • Active accounts: retained for as long as your account exists.
  • Deleted accounts: permanently purged from production within 30 days, including from backups within 90 days. Some billing records (invoices, refund logs) are retained for 6 years to meet UK tax law obligations.
  • Webhook event logs: 90 days, then anonymised.
  • Server logs: 30 days.

6. Cookies & similar technologies

We use a small number of essential cookies (authentication, CSRF protection, session state) and a privacy-friendly analytics tool (Vercel Analytics) which uses aggregated, non-identifying counters and does not set cross-site tracking cookies. We do not use advertising cookies.

Email tracking. Our lifecycle and reminder emails contain a small (1×1 pixel) image and links that pass through our own servers, so we can see whether an email was opened and which links were clicked. This is first-party only (no third-party advertising or email-marketing tracker is used), and we record it solely to measure whether our emails are useful and to stop sending mail you don't engage with. You can turn all marketing and reminder email off at any time from your settings or the one-click unsubscribe link in any email.

Push notifications. If you opt in, we store a browser push subscription so we can send you study reminders (for example, when flashcards are due). You can revoke this at any time in your browser or device settings.

7. Your rights

Under the UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Port your data in a machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (e.g. for marketing emails)
  • Not be subject to a decision based solely on automated processing that has a legal or similarly significant effect on you. We do not make such decisions.

To exercise any of these rights, email [email protected]. We will respond within one calendar month.

If your request relates to a case record that contains your name (rather than to your user account), please use the case removal request form: it routes directly to the case-record review queue and is the fastest path to action.

8. Security

Personal data is encrypted in transit (TLS 1.2+) and at rest. Database access is restricted to the founder and is logged. We follow the principle of least privilege for all third-party access. If we become aware of a personal data breach, we will notify the ICO within 72 hours and affected users without undue delay.

9. Children

The Service is intended for users aged 18+ (or 16+ with parental consent). We do not knowingly collect data from children under 13. If you believe we have inadvertently collected such data, please contact us and we will delete it.

10. Complaints

If you have a complaint about how we process your personal data, please contact us first. You also have the right to complain to the UK Information Commissioner's Office:

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email at least 14 days before they take effect.

12. Contact

Data protection enquiries: [email protected]

This Privacy Policy is an interim version pending external review. We are committed to operating the Service in line with the UK GDPR and Data Protection Act 2018.