Privacy terms for operational case data.
A structured privacy policy for workspace records, collaboration data, support communications, billing metadata, and controlled AI-assisted processing.
Privacy Policy
This policy describes how Caseflow handles data for investigators, lawyers, and professional teams using the platform.
Last updated: April 16, 2026
1. Scope of This Policy
This Privacy Policy explains how Caseflow collects, uses, stores, and shares information when you access or use the Caseflow web application, installable app experience, related collaboration features, and support channels.
This policy applies to account holders, workspace members, invited collaborators, assignees, and other authorized users of Caseflow.
2. Information We Collect
We may collect the following categories of data:
- Account Data: name, email address, organization details, profile details, authentication identifiers, and account settings.
- Workspace Content: case records, tasks, task reports, contacts, invoices, vendor bills, inheritance records, prepared documents, uploaded files, notes, workflow metadata, and documents processed through assisted case insights and intelligent document analysis.
- Collaboration and Sharing Data: case invitations, access grants, assigned tasks, shared document scopes, shared task scopes, audit history, and related permission metadata.
- Community and Communication Data: community profile details, connection requests, posts, comments, direct messages, support tickets, support replies, and support attachments.
- Billing and Subscription Data: plan selection, billing cycle, storage add-ons, customer and subscription identifiers, invoice metadata, and payment workflow status needed to operate billing features.
- Operational and Technical Data: activity logs, timestamps, usage patterns, reminder settings, browser and device technical information, and app-state data such as local preferences, install state, and cached assets used to operate the service.
3. How We Use Information
We use data to:
- Provide and maintain Caseflow services.
- Authenticate users and protect account security.
- Process case, document, inheritance, reporting, reminder, billing, and workflow operations, including intelligent document analysis where enabled.
- Enable collaboration, case sharing, task assignments, community interactions, and support workflows.
- Operate subscription billing, storage management, and payment-related account controls.
- Support product reliability, troubleshooting, and abuse prevention.
- Communicate service updates, policy notices, and account messages.
- Comply with legal, regulatory, and contractual obligations.
AI-assisted processing and document intelligence
Caseflow includes AI-assisted features such as AI Co-pilot, document intelligence, document indexing, draft action support, and selected case summaries. When an authorized workspace user triggers these features, Caseflow may process selected prompts, case context, document excerpts, and generated outputs to provide the requested feature.
AI requests are routed through Caseflow backend controls. The current architecture is designed to avoid direct browser calls to OpenAI, minimize context before processing, redact common personal data where possible, and prevent unrestricted raw document uploads. Production deployments are intended to fail closed if unsafe raw upload settings are enabled.
The AI service flow may include:
- selected case or document excerpts needed for the requested AI task, rather than full case files by default;
- redacted or truncated prompts and retrieved document chunks;
- operational metadata such as tenant, case, user, feature, model, token counts, redaction status, request purpose, timestamp, and retention expiry;
- AI-generated answers, summaries, recommendations, and draft actions that remain subject to human review.
OpenAI API infrastructure may process AI inputs and outputs for these features. OpenAI API data is not used to train OpenAI models by default unless the relevant account opts in. Caseflow does not claim zero retention, EU-only processing, or a completed GDPR compliance determination unless those commitments are confirmed in the applicable contract and deployment record.
Customer-specific lawful basis, special-category data handling, data processing terms, subprocessor disclosures, retention commitments, and international transfer safeguards may be addressed in the applicable contract, deployment record, or customer review process.
4. Legal Bases for Processing
Depending on your location, our legal bases may include performance of a contract, legitimate interests, compliance with legal obligations, and consent where required by law.
For AI-assisted processing, the applicable lawful basis depends on the customer role, workspace configuration, jurisdiction, and type of data involved. Customer administrators are responsible for ensuring that they have authority to submit case content for AI-assisted processing.
6. Billing and Payment Processing
Paid subscriptions, billing-cycle changes, extra-storage add-ons, and billing portal functions may be provided through third-party payment infrastructure.
Caseflow may store subscription, customer, checkout, invoice, and payment-status metadata needed to manage your account. Payment card details are generally processed by the payment provider rather than stored directly by Caseflow.
7. International Data Transfers
If data is transferred across borders, we use appropriate safeguards required under applicable law, which may include contractual protections and operational security controls.
AI-assisted processing may involve service providers with infrastructure or support operations outside your country or region. Caseflow does not promise EU-only processing unless that is technically and contractually guaranteed for the relevant deployment. Appropriate transfer safeguards should be reviewed for regulated deployments where required.
8. Security Measures
We apply reasonable technical, organizational, and administrative safeguards to protect data against unauthorized access, misuse, loss, or alteration, including role-based workspace access and permission-controlled sharing workflows.
Users maintain strong account credentials, review collaboration permissions carefully, and secure devices used to access installed or browser-based versions of the service.
For AI-assisted workflows, Caseflow uses practical controls intended to reduce unnecessary exposure of sensitive case data:
- backend-only AI gateway routing for OpenAI requests;
- tenant, user, and case permission checks before AI processing;
- rate limiting, input validation, and raw upload safeguards;
- PII redaction and context truncation where supported by the feature;
- metadata-only AI audit logs and retention expiry tracking.
9. Data Retention
We retain information while accounts remain active and for additional periods as needed for legal, compliance, audit, security, backup, billing, support, and dispute-resolution purposes.
You may request deletion through support, subject to lawful retention obligations.
AI audit metadata is configured with a retention expiry. The default engineering setting is 30 days unless a shorter or longer approved retention period is configured for the deployment. Case deletion is designed to remove related AI chats, audit records, temporary processing artifacts, and document index references.
AI-generated outputs that a user saves into a case, report, note, document, or action history follow the retention rules for that workspace record.
10. Your Privacy Rights
Depending on applicable law, you may have rights to:
- Access and receive a copy of your personal data.
- Correct inaccurate personal data.
- Request deletion of personal data.
- Object to or restrict certain processing activities.
- Request data portability where available.
- Request information about AI-assisted processing where applicable.
- Lodge a complaint with a competent supervisory authority where applicable law provides that right.
Requests may require identity verification and may be limited by legal requirements.
11. Children and Minors
Caseflow serves professional users and is not directed to children. If you believe a minor has provided personal data, contact us so we can review and take appropriate action.
12. Policy Updates
We may update this Privacy Policy from time to time. Material updates will be reflected by revising the Last updated date and, where appropriate, providing additional notice.
13. Contact
For privacy questions or rights requests, contact Caseflow via the in-app Support Center or the workspace support page.
For security reports, suspected unauthorized access, or AI data handling questions, contact Caseflow support through the support page so the request can be routed to the appropriate privacy or security reviewer.