Privacy Policy

CaseHawk ("CaseHawk," "we," "us," or "our") provides a cloud-based legal case management platform (the "Platform") designed for plaintiff litigation law firms and their authorized staff. Our contact for privacy matters is privacy@casehawk.co.

CaseHawk does not sell, rent, lease, trade, or otherwise transfer any personal information or case data to third parties for money or any other consideration. This is an unconditional commitment.

We are not in the data brokerage business. Your clients' information, case documents, medical records, deposition transcripts, financial records, and any other data you upload to CaseHawk exist solely to serve you and your firm. They will never be monetized, profiled for advertising, or shared with data aggregators.

We collect only what is necessary to provide and improve the Platform.

3.1 Account and Firm Information

When you create an account, we collect your name, email address, role, and your firm's name. Firm administrators may provide additional firm details such as a primary contact and practice area.

3.2 Case and Client Data

You and your authorized staff upload and create case files, client records, documents, medical records, deposition transcripts, financial data, calendar events, work plans, and related materials. This data belongs to your firm and your clients. We process it only as a data processor acting on your instructions.

3.3 Documents and Files

Files you upload are stored in Google Cloud Storage under access controls tied to your firm's account. Only authenticated, authorized members of your firm can access them through the Platform.

3.4 Google Account Data (Integrations)

If you connect Google Drive or Google Calendar, CaseHawk requests OAuth 2.0 access to:

• Google Drive (drive.readonly): We request read-only access to your Google Drive. This permission allows us to list and read file metadata and content solely for files you explicitly browse and select for import into CaseHawk. We do not request write access to your Drive. We do not scan, crawl, index, or access any file you have not directly selected. No Drive data is retained beyond the file content you actively choose to import.
• Google Calendar: Read and write calendar events to synchronize case deadlines and hearing dates. We access only calendars you designate within the Platform.

Google integration tokens are stored securely and used only for the purposes above. You can revoke CaseHawk's Google access at any time through your Google Account settings or through CaseHawk's Integrations settings page, which immediately disables all further access.

CaseHawk's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

3.5 Usage and Technical Data

We collect standard technical data such as IP addresses, browser type, device type, pages visited, and actions taken within the Platform. This is used exclusively for security monitoring, debugging, and improving the Platform. It is never linked to your case or client data for profiling purposes.

3.6 Authentication Data

We use Firebase Authentication (Google) to manage sign-in. Passwords are never stored by CaseHawk in plain text. Firebase handles credential hashing and storage under Google's security standards.

When your Firm uses CaseHawk's e-signature feature, we collect and process specific data to create a legally defensible signing record. This section explains exactly what we collect, why, and how it is handled.

4.1 Data Collected for Each Signing Transaction

For every signature request, we collect and store the following in an immutable audit log:

• Signer identity information provided by the Firm: name, email address, and role
• Signing token: a unique cryptographic token generated per Signer per request, used for authentication
• View event: timestamp, IP address, and browser user agent recorded when the Signer opens the signing link
• Signature event: timestamp, IP address, browser user agent, and the captured signature image recorded when the Signer completes the signing action
• Decline event: timestamp, IP address, and browser user agent if the Signer declines to sign
• Signed document: the PDF with the electronic signature embedded, stored in Google Cloud Storage under your Firm's account

4.2 Purpose of Collection

This data is collected exclusively to:

• Establish the evidentiary record supporting the legal enforceability of the electronic signature
• Enable your Firm to demonstrate signer intent, authentication, and the integrity of the signed document
• Detect and prevent unauthorized use of signing links
• Provide your Firm with a complete audit trail accessible within the Platform

E-signature data is never used for marketing, advertising, profiling, or any purpose other than the signing transaction it relates to.

4.3 Signer Privacy (Non-Platform Users)

Signers who receive a CaseHawk signing link are not required to create a CaseHawk account and are not registered users of the Platform. Their personal data (name, email, IP address, signature image) is collected solely for the signing transaction and is accessible only to the Firm that initiated the request.

Signers who wish to access, correct, or request deletion of their personal data collected in connection with a signing transaction should contact the law firm that sent the signature request. CaseHawk will honor deletion requests from Signers directed to privacy@casehawk.co, subject to any legal hold obligations or the Firm's document retention requirements, which take precedence.

4.4 Retention

Audit logs and signed documents are retained for as long as your Firm's account is active, and for 90 days following account closure, consistent with our general data retention policy. Given that signed documents may have long-term legal significance, Firms are strongly encouraged to download and retain copies of all signed documents and audit logs independently of the Platform.

4.5 Security

Signing links are single-use in authentication intent — each link contains a unique token tied to a specific Signer and signing request. Signed documents are stored in Google Cloud Storage under the same firm-scoped access controls as all other documents on the Platform. Audit logs are stored in Firestore with access limited to authenticated, authorized members of your Firm. Document access for Signers is proxied through CaseHawk's servers; no direct, unauthenticated storage URLs are exposed.

CaseHawk offers AI-powered tools including case summarization, document analysis, and deposition review. To provide these features, case content you submit to an AI tool is transmitted to Anthropic, PBC, the provider of the Claude AI models we use.

The following rules govern this processing:

• You control what is submitted. Data is sent to Anthropic only when you actively use an AI tool on a specific document or case. Nothing is analyzed automatically.
• We do not train AI models on your data. Case information submitted through CaseHawk is used solely for real-time inference — to generate the response you requested. It is not stored, retained, or used to train or fine-tune any AI model by CaseHawk or Anthropic.
• Anthropic's data handling. Anthropic processes prompts under their own Privacy Policy and API usage policies. We encourage you to review those policies.
• Attorney responsibility. You are responsible for ensuring that submitting case information to AI tools is consistent with your ethical obligations to your clients, applicable bar rules, and any applicable confidentiality agreements. AI-generated output is provided for attorney review only and does not constitute legal advice.

CaseHawk provides a direct messaging feature that allows clients with portal access to communicate privately with their law firm's authorized staff. This section describes how that communication data is handled.

6.1 What We Collect

When the messaging feature is used, we collect and store the following:

• Message content: the full text of each message sent between a client and firm staff
• Sender identity: the name and user identifier of the person who sent each message
• Timestamps: the date and time each message was sent, stored in UTC
• Read receipts: the date and time a message was read by the recipient, stored in UTC
• Thread metadata: subject, last message preview, and unread counts associated with each conversation thread

6.2 Who Can See Messages

Client portal messages are strictly private between the individual client and the firm's authorized staff (administrators, attorneys, and paralegals). Specifically:

• A client can only see messages from their own conversation threads with the firm — they cannot view messages belonging to any other client
• Firm staff can see all client message threads within their firm, which is necessary for case management and coverage purposes
• CaseHawk does not read, review, or access the content of client messages except as technically necessary to store and deliver them, or when investigating a reported security incident with your permission
• No message content is shared with third parties, used for advertising, or included in any form of cross-client analysis

6.3 Purpose of Collection

Message data is collected exclusively to deliver the messaging feature — to transmit messages between the client and their firm, to display conversation history, and to generate read receipts. It is not used for any other purpose.

6.4 Notifications

When a new message is sent, the recipient receives an email notification from CaseHawk containing the sender's name, the thread subject, and a short preview of the message. This notification email is sent via Resend, our transactional email provider, which processes the email content solely to deliver the notification and is contractually bound not to use it for any other purpose.

6.5 File Attachments

The messaging feature does not support file attachments. Clients who need to share documents with their firm should use the Documents feature, which is subject to the data handling practices described in Section 3.3 of this policy.

6.6 Retention

Message data is retained for as long as the Firm's account is active, and for 90 days following account closure, consistent with our general data retention policy described in Section 10. Clients may request deletion of their message data by contacting their firm directly or by reaching us at privacy@casehawk.co, subject to any applicable legal hold or records retention obligations.

6.7 Module Availability

The client messaging feature is an optional module that firm administrators may enable or disable for their firm at any time through the Platform's settings. If disabled, clients will not see the Communications page and no new messages can be sent, though previously stored message data is retained.

We use the information we collect to:

• Provide, operate, and maintain the Platform and its features
• Authenticate users and enforce access controls within your firm
• Process AI tool requests as directed by you
• Sync data with Google Drive and Google Calendar as authorized by you
• Send transactional notifications such as deadline reminders and document signing requests
• Monitor for security threats, unauthorized access, and abuse
• Diagnose and fix bugs and technical issues
• Improve the Platform's performance and user experience based on aggregate, anonymized usage patterns
• Comply with applicable laws and respond to valid legal process

We do not use your case data, client data, or document content for any marketing, advertising, or cross-platform profiling purpose.

We do not share your personal information or case data with third parties except in the following limited circumstances:

• Service Providers. We share data with vendors who help us operate the Platform, including Google (Firebase, Cloud Storage, Google Workspace APIs) and Anthropic (AI processing). These vendors are contractually bound to process data only as directed by us and for no other purpose.
• Within Your Firm. Data you enter is accessible to other authenticated, authorized members of your firm on the Platform according to the permissions your firm administrator configures.
• Legal Compliance. We may disclose information if required by a valid court order, subpoena, or applicable law, or to protect the rights, property, or safety of CaseHawk, our users, or others. We will notify you before disclosure where legally permitted.
• Business Transfers. If CaseHawk is acquired, merged, or undergoes a change of control, your data may be transferred as part of that transaction. You will be notified in advance, and the successor entity will be bound by this Privacy Policy or an equivalent.

We take the security of legal data seriously and implement multiple layers of protection:

• All data is transmitted over TLS-encrypted connections
• Data at rest is encrypted using Google Cloud's default encryption
• Access to case and client data is enforced through Firestore security rules scoped to your firm's identifier
• Document downloads are proxied through authenticated server routes — direct, unauthenticated access to storage URLs is not possible
• Google OAuth tokens are stored securely and scoped to the minimum permissions required
• Access logs are maintained and available to firm administrators through the Audit Log

No security system is perfect. If you believe your account or data has been compromised, contact us immediately at privacy@casehawk.co.

We retain your firm's data for as long as your account is active. If you close your account, we will delete or anonymize your data within 90 days of account closure, except where we are required by law to retain it longer.

You may request deletion of specific data or your entire account at any time by contacting privacy@casehawk.co. We will confirm receipt and complete your request within 30 days.

You have the right to:

• Access the personal information we hold about you
• Correct inaccurate information through your account settings or by contacting us
• Delete your account and associated personal data
• Export your data in a portable format upon request
• Revoke third-party integrations (Google Drive, Google Calendar) at any time
• Object to any processing you believe is inconsistent with this policy

To exercise any of these rights, contact us at privacy@casehawk.co. We will respond within 30 days.

CaseHawk is designed for use by legal professionals. We recognize that much of the data stored on the Platform may be subject to attorney-client privilege, work product protection, and professional confidentiality rules.

CaseHawk does not review, analyze, or access the substantive content of your case files except: (a) as technically necessary to store and deliver the data to you, (b) when you explicitly invoke an AI tool, or (c) when investigating a reported security incident with your permission.

Firm administrators are responsible for configuring user access controls appropriately and for ensuring that their firm's use of CaseHawk complies with applicable bar association rules and professional conduct obligations.

The Platform is designed for use by legal professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor's data has been submitted, please contact us immediately.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and by posting a prominent notice on the Platform at least 30 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.

Questions, concerns, or requests regarding this Privacy Policy should be directed to:

We aim to respond to all privacy inquiries within 5 business days.