Privacy Policy
Effective Date: December 10, 2025
Last Updated: December 10, 2025
Introduction
CaseMark, Inc. ("case.dev," "we," "us," or "our") operates the case.dev platform, including our API services, Console dashboard, Documentation site, Thurgood AI coding assistant, and Orbit Compute platform (collectively, the "Services").
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Services. We are committed to protecting the privacy of our users, particularly given the sensitive nature of legal data our platform processes.
Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
Information We Collect
Information You Provide Directly
Account Information
- Name and email address
- Organization name and details
- Password (stored in hashed form)
- Profile information
- Communication preferences
Payment Information
- Billing address
- Payment method details (processed securely via Stripe)
- Transaction history
- For Payments Platform users: IOLTA account information, trust account details, and settlement data
Content and Documents
- Documents uploaded to our Vault API (PDFs, DOCX, images, and other file formats)
- Audio and video files submitted for transcription
- Text content submitted for AI processing
- Code and applications created through Thurgood
- Files deployed through Orbit Compute
Communications
- Support requests and correspondence
- Feedback and survey responses
- Any other information you choose to provide
Information Collected Automatically
Usage Data
- API calls and endpoints accessed
- Features used and actions taken
- Token usage and model selections
- Processing times and performance metrics
- Error logs and debugging information
Device and Connection Information
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Referring URLs and exit pages
Authentication Data
- Login timestamps
- Session information
- OAuth tokens (encrypted) for GitHub and other integrations
Information from Third Parties
OAuth Providers
When you connect GitHub, we receive repository information, user profile data, and access tokens necessary for integration functionality
Payment Processors
Stripe provides transaction confirmation and payment status information
AI Model Providers
When using BYOK (Bring Your Own Key), we route requests through your provider accounts
How We Use Your Information
Providing and Improving Services
- Process documents through our OCR, transcription, and AI services
- Store and index documents in Vault for semantic search
- Execute workflows and automations you configure
- Generate and deploy applications through Thurgood and Orbit
- Process payments and manage trust accounts through our Payments Platform
- Provide customer support and respond to inquiries
- Analyze usage patterns to improve our Services
- Detect, prevent, and address technical issues
Communication
- Send transactional emails (API notifications, billing receipts)
- Provide service updates and announcements
- Respond to support requests
- Send marketing communications (with your consent)
Legal and Security
- Comply with legal obligations
- Enforce our Terms of Service
- Protect against fraudulent, unauthorized, or illegal activity
- Maintain audit logs for compliance purposes
Aggregate and Anonymized Data
We may create aggregate or anonymized data from your information that cannot reasonably be used to identify you. We may use such data for any purpose, including research, analytics, and service improvement.
Document and Content Processing
How We Handle Your Documents
Vault API
- Documents are stored in encrypted S3 buckets with KMS encryption
- Each vault has organization-level isolation
- Semantic embeddings are generated for search functionality
- Metadata you provide is stored alongside documents
OCR/Vision API
- Documents are processed to extract text
- Processed files are stored temporarily (7 days by default)
- Extracted text may be retained for your subsequent use
Voice API
- Audio files are processed for transcription
- PII redaction is available and performed upon request
- Transcripts are stored according to your configuration
LLM API
- Prompts and responses are processed through AI models
- We do not train AI models on your data
- BYOK requests are routed directly to your provider
Thurgood
- Code generated is stored in ephemeral sandboxes
- Files persist only in your connected GitHub repositories or Orbit deployments
- Conversation history (Agent Runs) is retained for your reference
Data We Do Not Use
- We do not train AI models on your documents, code, or content
- We do not share your documents with other customers
- We do not access your documents except as necessary to provide the Services or as required by law
Data Storage and Security
Security Measures
We implement industry-standard security measures including:
- Encryption at Rest: All data encrypted using AWS KMS
- Encryption in Transit: TLS 1.3 for all API communications
- Access Controls: Role-based access control (RBAC) with organization-level isolation
- Authentication: Secure API key management with hashed storage
- Audit Logging: Comprehensive activity logs with IP and user agent tracking
- Infrastructure: Multi-tenant architecture with isolated resources
Payments Platform Security
For users of our Payments Platform:
- PCI-DSS Level 1 compliance (via Stripe Connect)
- Double-entry ledger with immutable transaction history
- IOLTA compliance features for trust accounting
- Complete audit trails for regulatory requirements
Data Location
Our Services are hosted on Amazon Web Services (AWS) infrastructure located in the United States. By using our Services, you consent to the transfer and processing of your data in the United States.
Data Retention
Retention Periods
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account plus 30 days |
| Vault documents | Until you delete them |
| OCR processed files | 7 days (configurable) |
| Transcription files | 7 days (configurable) |
| API logs | 90 days |
| Audit logs | 7 years (for compliance) |
| Billing records | 7 years (legal requirement) |
| Thurgood Agent Runs | Until you delete them |
| Orbit deployments | Until you delete them |
Deletion
You may delete your content at any time through the Console or API. When you delete content:
- Documents are removed from storage
- Vector embeddings are deleted
- Cached data is purged
- Some metadata may be retained in backup systems for up to 30 days
When you close your account, we will delete your data within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or compliance).
Sharing and Disclosure
Service Providers
We share information with third-party service providers who perform services on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services | Infrastructure hosting | All service data |
| Stripe | Payment processing | Payment and billing data |
| Clerk | Authentication | Account credentials |
| OpenAI, Anthropic, Google, etc. | AI model providers | Prompts and content (per your requests) |
| Modal | Sandbox execution (Thurgood) | Code and execution data |
| GitHub | Repository integration | Repository data, OAuth tokens |
Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, government agencies).
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.
With Your Consent
We may share your information for other purposes with your explicit consent.
What We Do Not Sell
We do not sell your personal information to third parties for their marketing purposes.
Your Rights and Choices
Access and Portability
You have the right to:
- Access the personal information we hold about you
- Request a copy of your data in a portable format
- Review usage and billing information through the Console
Correction
You may update or correct your account information at any time through the Console or by contacting support.
Deletion
You may:
- Delete specific documents, vaults, or content at any time
- Request deletion of your account and associated data
- Exercise your right to be forgotten (subject to legal retention requirements)
Objection and Restriction
You may object to or request restriction of certain processing activities. Note that some objections may limit your ability to use the Services.
Data Protection Rights by Jurisdiction
California Residents (CCPA/CPRA)
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale of personal information (we do not sell data)
- Right to non-discrimination for exercising privacy rights
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
European Economic Area Residents (GDPR)
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision-making (Article 22)
To Exercise Your Rights: Contact us at privacy@case.dev or through the Console.
Cookies and Tracking
Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, session management | Session |
| Functional | Preferences, settings | 1 year |
| Analytics | Usage patterns, performance | 1 year |
Managing Cookies
You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Services.
Do Not Track
We currently do not respond to "Do Not Track" browser signals, as there is no industry standard for such signals.
Third-Party Services
Our Services integrate with third-party services that have their own privacy policies:
- Stripe: https://stripe.com/privacy
- GitHub: https://docs.github.com/en/site-policy/privacy-policies
- Clerk: https://clerk.com/privacy
- OpenAI: https://openai.com/privacy
- Anthropic: https://www.anthropic.com/privacy
- Google Cloud: https://cloud.google.com/privacy
- AWS: https://aws.amazon.com/privacy
We encourage you to review the privacy policies of any third-party services you connect to through our platform.
Children's Privacy
Our Services are not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly.
If you believe we have inadvertently collected information from a child under 16, please contact us at privacy@case.dev.
International Data Transfers
If you are located outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States where our servers are located.
For transfers from the European Economic Area, we rely on:
- Standard Contractual Clauses approved by the European Commission
- Your explicit consent where applicable
- Necessity for the performance of a contract
Legal Basis for Processing (GDPR)
If you are in the European Economic Area, our legal basis for collecting and using your information includes:
| Purpose | Legal Basis |
|---|---|
| Providing Services | Performance of contract |
| Billing and payments | Performance of contract, legal obligation |
| Security and fraud prevention | Legitimate interests |
| Service improvement | Legitimate interests |
| Marketing communications | Consent |
| Compliance with law | Legal obligation |
| Support and communications | Performance of contract, legitimate interests |
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you by email (for material changes)
- Post a notice on our website or Console
We encourage you to review this Privacy Policy periodically for any changes. Your continued use of our Services after any modifications indicates your acceptance of the updated Privacy Policy.
Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
Email: privacy@case.dev
Mail:
CaseMark, Inc.
Attn: Privacy Team
[Address]
Data Protection Officer: dpo@case.dev
For support inquiries: support@case.dev
Additional Information for Specific Services
Vault API Users
Documents stored in Vault are:
- Encrypted at rest with KMS
- Isolated at the organization level
- Retained until you delete them
- Searchable via vector embeddings stored securely
You are responsible for ensuring you have the right to upload documents and that they are handled in compliance with applicable laws (including attorney-client privilege considerations).
Transcription Users
When using our Voice API:
- PII redaction is available upon request
- Audio files can be automatically deleted after processing
- Speaker labels and timestamps do not identify individuals without additional context
Payments Platform Users
For users of our IOLTA-compliant Payments Platform:
- All financial data is encrypted and access-controlled
- Transaction history is maintained for regulatory compliance
- We comply with applicable financial regulations
- Data may be retained for 7 years per legal requirements
Thurgood Users
When using Thurgood:
- Code is generated in ephemeral sandboxes
- Conversation history is retained for your reference
- GitHub integration requires OAuth consent
- We do not retain code outside your designated repositories
Orbit Users
When using Orbit Compute:
- Deployment artifacts are stored for the duration of your deployment
- Logs are retained for 30 days
- Environment variables are encrypted
- You are responsible for the content of deployed applications
This Privacy Policy is effective as of December 10, 2025.