Privacy Policy

Last updated: 25 April 2026

This Privacy Policy describes how caselaw ("we", "us", "our") collects, uses, and protects your personal data when you use the Service at https://www.getcaselaw.com. We are the data controller for the personal data described below. This Policy is written to comply with the UK General Data Protection Regulation and the Data Protection Act 2018 (together, the "UK GDPR").

1. Data we collect

1.1 Account data

  • Full name, email address, hashed password
  • University, qualification (LLB, SQE1, GDL, BPTC etc.), year of study (if provided)
  • Profile preferences (theme, default jurisdiction, notification settings)

1.2 Subscription & payment data

  • Plan, billing cadence, subscription status, trial start/end
  • Stripe customer ID, Stripe subscription ID, Stripe price ID
  • We do not store full card numbers. Card details are tokenised by Stripe and never touch our servers.

1.3 Usage data

  • Search queries, viewed cases, generated AI briefs, AI tutor messages
  • Saved cases, reading lists, flashcard progress, quiz answers, study streak
  • Past paper purchases and access events

1.4 Technical data

  • IP address, browser type and version, device type, operating system
  • Pages visited, referrer, timestamps
  • Cookies and similar technologies (see Section 6)

2. How we use your data & lawful bases

Purpose | Lawful basis (UK GDPR Art. 6)
Provide the Service (account, search, briefs, AI tutor, billing) | Performance of a contract
Process payments and prevent fraud | Performance of a contract; legitimate interest (fraud prevention)
Send transactional emails (welcome, renewal reminders, receipts) | Performance of a contract; legal obligation (DMCC Act 2024)
Send marketing emails (product updates, offers) | Consent (opt-in); you may withdraw at any time
Improve the product (aggregated, non-identifying analytics) | Legitimate interest
Detect abuse, enforce Terms, comply with law enforcement | Legitimate interest; legal obligation

3. Sub-processors

We use the following third-party processors to operate the Service. Each is bound by a Data Processing Agreement (DPA) and provides UK GDPR-compliant safeguards.

Processor | Purpose | Region
Vercel | Application hosting, edge network, deployments | EU / global edge
Supabase | Database (Postgres), authentication, storage | EU (Ireland)
Stripe Payments UK Ltd | Payment processing, billing, customer portal | UK / EU / US (UK IDTA + Stripe UK contracts)
Anthropic PBC | Large language model inference (Claude) for AI briefs and AI tutor | US; UK IDTA in place; Anthropic does not train on customer data
OpenAI, L.L.C. | Selective text-generation tasks (fallback) | US; UK IDTA in place; data not used for model training (API tier)
ElevenLabs | Text-to-speech for content generation pipelines | US; UK IDTA
Higgsfield | Marketing image and video generation pipelines (no personal data) | US; UK IDTA
Loops | Transactional and marketing email delivery | US; UK IDTA
Upstash | Rate limiting and ephemeral cache | EU (Ireland)
The National Archives | Source of UK case judgments (no personal data sent) | UK

Where data is transferred outside the UK, we rely on the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses with the UK Addendum.

4. AI processing

When you generate a case brief, ask the AI tutor a question, or use other AI features, your prompt is sent to the AI provider listed in Section 3 to generate a response. We instruct providers not to train on your data and we do not retain conversation history beyond what is needed to operate the Service. Your private notes and custom flashcards are never sent to AI providers.

5. Data retention

  • Active accounts: retained for as long as your account exists.
  • Deleted accounts: permanently purged from production within 30 days and from backups within 90 days. Some billing records (invoices, refund logs) are retained for 6 years to meet UK tax law obligations.
  • Webhook event logs: 90 days, then anonymised.
  • Server logs: 30 days.

6. Cookies & similar technologies

We use a small number of essential cookies (authentication, CSRF protection, session state) and a privacy-friendly analytics tool (Vercel Analytics) which uses aggregated, non-identifying counters and does not set cross-site tracking cookies. We do not use advertising cookies.

7. Your rights

Under the UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Port your data in a machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (e.g. for marketing emails)
  • Not be subject to a decision based solely on automated processing that has a legal or similarly significant effect on you. We do not make such decisions.

To exercise any of these rights, email [email protected]. We will respond within one calendar month.

8. Security

Personal data is encrypted in transit (TLS 1.2+) and at rest. Database access is restricted to the founder and is logged. We follow the principle of least privilege for all third-party access. If we become aware of a personal data breach, we will notify the ICO within 72 hours and affected users without undue delay.

9. Children

The Service is intended for users aged 18+ (or 16+ with parental consent). We do not knowingly collect data from children under 13. If you believe we have inadvertently collected such data, please contact us and we will delete it.

10. Complaints

If you have a complaint about how we process your personal data, please contact us first. You also have the right to complain to the UK Information Commissioner's Office:

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email at least 14 days before they take effect.

12. Contact

Data protection enquiries: [email protected]

This Privacy Policy is an interim version pending external review. We are committed to operating the Service in line with the UK GDPR and Data Protection Act 2018.