Privacy Policy

1. Who we are

CaseParity is operated by CaseParity LLC, a Colorado limited liability company. References to "CaseParity," "we," "us," and "our" in this policy mean CaseParity LLC.

Our data-protection contact is privacy@CaseParity.com.

2. What information we collect

Information you give us

When you create an account or purchase a report, we collect:

• Identity & contact: first name, last name, email address. If you choose email/password sign-in, your password is stored hashed using a modern adaptive algorithm by our auth provider (Clerk) — CaseParity itself never sees or stores the password. If you choose Sign in with Google or Sign in with Apple, we receive only your email address and the provider's user identifier; we do not request access to your contacts, calendar, files, or anything else.
• Authentication factors: if you enroll a second factor (TOTP or Passkey), the secret material is stored by Clerk, not by us. We hold only the fact that you have a second factor enrolled and when it was enrolled. We do not support SMS-based authentication.
• Jurisdiction: the state and/or county you select when ordering a report. We use this to deliver the correct jurisdiction's report and to filter the per-state legal disclaimer/attorney-finder strip.
• Pro Standard (attorney accounts only): state of bar admission, bar number, optional firm name. We verify the bar number with the issuing state bar's public licensee directory within one business day of signup. We retain this record for the duration of your subscription and for one (1) year after cancellation to handle any post-termination billing or disputes.
• Payment information: processed exclusively by Stripe. We never see, store, or have access to your full credit card number, CVV, or bank account number. Stripe returns to us only a transaction id, the last four digits of the card, and the card brand for receipt/dispute purposes.
• Optional information: a referral code you enter at checkout, language preference, communication preferences.

Information collected automatically

• Account telemetry (logged-in users only): login timestamp, IP address, browser user-agent, operating system, screen size. This is collected for security, fraud detection, abuse prevention, and compliance with the per-state data-access logging requirements that several state public-records statutes impose on bulk-data redistributors. See §7 below for retention.
• Usage analytics: pages viewed, reports downloaded, search queries within your account dashboard, time on page. We use this only for product improvement and capacity planning.
• Cookies and similar technologies: we use a session cookie to keep you logged in, a CSRF cookie for form security, and a preferences cookie to remember your language and dashboard settings. We do not use third-party advertising cookies. If you use the Google Translate widget on our marketing pages, that widget sets its own `googtrans` cookie — we don't read or process it.

Information we do NOT collect

• Any facts about your specific case. CaseParity's reports are pre-rendered statistical aggregates per (charge × jurisdiction). We do not ask for — and have no way to receive — your case number, your charging document, your priors, your scoresheet, your attorney's name, your court dates, or any other case-specific facts. Even if you tried to enter this information in the AI chatbot, we discard it after the session and do not store it against your account.
• Defendant identities from public records. The court records that feed our statistics are anonymized during ingest by the publishing agency before they reach us. We do not receive defendant names, addresses, dates of birth, or other directly-identifying details. If we ever discover that an upstream agency has accidentally included identifying information in a feed, we will remove it before it enters any report.
• Sensitive personal information as defined by U.S. state privacy laws (Social Security numbers, government IDs, financial account numbers, precise geolocation, biometric identifiers, health/medical information, racial/ethnic origin, religion, sexual orientation, immigration status). We do not need any of this to deliver our service and we do not collect it.
• Children's information. Our service is not directed to children under 13 (or 16 in some jurisdictions). See §10.

3. How we use information

We use the information described above for these purposes only:

• To deliver the service: render and serve the report you purchased, send the receipt, give you access to your account dashboard.
• To process payments: via Stripe, including subscription renewals, refunds, and dispute handling.
• To verify attorney eligibility for Pro Standard accounts (bar number lookup at signup; periodic re-verification annually).
• To communicate with you about your account: order confirmations, subscription renewal notices, report-update notices when a report you own has a new monthly snapshot available, customer-support replies, and material changes to these policies. These are transactional emails. You can not opt out of transactional emails while you have an active account.
• For optional marketing email (newsletters, new-state launches, product updates): only with your explicit opt-in, separately from account creation. Opt out anytime via the unsubscribe link or by emailing privacy@CaseParity.com.
• For security, fraud detection, and abuse prevention: account-telemetry data per §2.
• To comply with legal obligations: tax records, subpoenas, court orders, and the data-access logging that several state public-records statutes impose on bulk-data redistributors.
• To improve the product: aggregated usage analytics, never tied to individual identity in any output.

4. How we share information — and who we don't share it with

Service providers we share with

We share the minimum information necessary with the following processors, each under a written data-processing agreement:

• Stripe — payment processing. Stripe receives your name, email, billing address, and card details (which they take from you directly — we don't relay them).
• Clerk — authentication and session management. Clerk holds your password hash (if you use email/password), your TOTP seed or Passkey credential (if you've enrolled 2FA), and your Google/Apple OAuth user identifier (if you sign in with one of those). Clerk does NOT store any case-specific, report-specific, or billing data — only authentication material.
• Amazon Web Services (AWS) — cloud hosting, compute, database (RDS Postgres), object storage (S3 with Object Lock on report archive), email delivery (SES), CDN (CloudFront), audit-log archive (CloudTrail). U.S. regions only. AWS receives all customer data we hold; it is encrypted at rest and in transit.
• Postmark (or AWS SES as backup) — transactional email delivery. Receives your email address and the message contents.
• Anthropic — AI infrastructure used internally by CaseParity for report-generation experiments, translation-template review, and admin tooling. Anthropic does NOT receive any customer-identifying data at v1. (Note: the customer-facing chatbot on the marketing site is NOT an Anthropic API call — it runs entirely client-side per SD#13. Anthropic is listed here for completeness because we use its API for backend tasks.)
• Cloudflare — CDN, DNS, and WAF (web-application firewall) protection in front of the customer-facing application. Cloudflare receives request metadata (IP, user-agent, URL) for the same TTL as our login telemetry (see §7); does not see request bodies for the authenticated app surface.
• GitHub — source code repository and CI/CD (GitHub Actions). Does not receive customer data; only application code and build artifacts.
• 1Password — secrets and credentials storage for our team. Does not receive customer data.
• Sentry — application error monitoring. Receives error stack traces, which may include the user's account email if the error occurred in an authenticated context. We scrub sensitive parameters (passwords, payment tokens, the "Your reference" Pro field) before they reach Sentry.
• Plausible (or Fathom) — privacy-respecting marketing-site analytics. Receives page view + referrer + bucketed location only. No cookies, no cross-site tracking, no PII. We do not use Google Analytics or any ad-tech analytics. If we ever switch analytics providers, we will update this list at least 30 days before the change takes effect.
• State bar lookup services (manual browser navigation by admin) — for Pro Standard signups, our admin navigates to the state bar's public licensee directory in their browser to verify the bar number you submit. We do NOT use any automated API or scraper; the admin's browser sends only the URL with your bar number embedded, as any visitor to the state bar site would. No data flows from CaseParity to the state bar beyond what's in that URL.

If we ever add a new sub-processor, we update this list at least 30 days before the change takes effect, and email all active account holders if the new sub-processor materially expands what's shared (per §13).

Legal disclosures

We will disclose information when legally compelled by a valid subpoena, court order, or other legal process. Where permitted by law, we will notify you before disclosing your information so you have an opportunity to challenge the request. If a request is overbroad or facially invalid, we will challenge it.

Business transfers

If CaseParity is acquired, merged, or sells substantially all of its assets, your account information may transfer to the acquiring entity as part of the transaction. We will notify you by email at least 30 days before any such transfer becomes effective so you have the opportunity to delete your account first if you prefer.

We do NOT

• Sell your personal information. Not to advertisers, not to data brokers, not to anyone, not ever.
• Share your personal information for cross-context behavioral advertising.
• Use your information to train any AI model.
• Share your account-telemetry data (login IPs, etc.) with anyone except as required to comply with state public-records statutes or a valid legal process.

5. AI chatbot

Our marketing site includes an AI chatbot ("Ask CaseParity") for answering quick questions about the product, pricing, and how reports work. The chatbot:

• Runs entirely client-side — the answers come from a pre-defined response library, not from a live AI inference call to a third-party model. Anything you type stays in your browser session and is not transmitted to any server during the conversation.
• Detects crisis-related keywords (suicide ideation, self-harm) and immediately routes you to the 988 Suicide & Crisis Lifeline.
• Detects legal questions about specific cases and redirects you to a licensed attorney; it will not attempt to answer them.
• Does not store conversation history. Refreshing the page clears it.

If we ever move to a server-side AI inference model that does process your messages, we will update this policy and notify all active users at least 30 days before the change.

6. Cookies and tracking

We use the minimum cookies necessary to operate the service:

Cookie	Purpose	Lifespan
session	Keeps you logged in	Session (cleared on logout or 30-day inactivity)
csrf	Form security (anti-CSRF token)	Session
prefs	Remembers your language and dashboard settings	1 year
googtrans (Google's)	Set by the Google Translate widget if you use it on marketing pages. We don't read this cookie.	Per Google's policy

We do not use third-party advertising cookies, retargeting pixels, Facebook Pixel, Google Analytics, or any cross-site tracking. If your browser sends a Global Privacy Control (GPC) signal, we treat that as an opt-out of any future analytics that might process sale/share definitions under state privacy law.

7. Data retention

The retention table below is the canonical CaseParity retention schedule. The engineering specs (`SECURITY_AND_DATA_PROTECTION_SPEC.md` and `NO_INTAKE_PRODUCT_ARCHITECTURE.md`) mirror these numbers; if you ever see a different number elsewhere in our materials, the table on this page governs.

Data category	Retention	Reason
Account data (name, email, jurisdiction, language preference)	Active + 12 months after closure, then deleted	Service delivery + post-close billing/dispute handling. Earlier deletion via §8.
Payment + billing records	7 years	U.S. tax law (or longer if a specific jurisdiction requires)
Raw IP addresses + raw user-agent strings in login/access telemetry	30 days, then hashed (raw is deleted)	Security investigation window. After 30 days only the bucketed location (city/state) and parsed device class remain.
Bucketed telemetry (login timestamp, bucketed location, parsed device class)	1 year hot, then archived for an additional 6 years (7 years total)	Compliance with per-state public-records data-access logging statutes; subpoena response; legal-defense posture.
Pro Standard bar verification record	Active subscription + 12 months after cancellation	Post-termination dispute handling
Report-download history	While account is active (so you can re-download); cleared on close	Service delivery
Rendered report PDFs in our archive (S3 Object Lock)	7 years	Legal-discovery posture; tamper-evident archive of what we delivered. These are the artifact files we generated, not data about you.
Admin audit log (every admin action on accounts)	Permanent (append-only)	Compliance, dispute defense, customer trust signal
Admin read log (every admin view of an account)	1 year hot, archived 6 more years (7 years total)	State privacy-law access-logging requirements
Aggregated usage analytics (page views, conversion funnel)	Indefinite, never tied to individual identity	Product improvement
Stripe-side data (card hash, transaction history)	Per Stripe's policies + tax-record requirements	Stripe controls retention for the payment data it holds. We hold only the last 4 + brand + transaction id.
Clerk-side data (password hash, TOTP seed, Passkey credential)	While account is active; deleted on account closure within 90 days	Clerk controls retention for authentication material it holds.

Active legal hold (e.g., subpoena, litigation hold) suspends deletion on the affected records until the hold is released. We do not delete records under active legal hold even on customer request; in those cases we mark the account "deletion-pending-legal-hold" and complete deletion as soon as the hold lifts. We notify the customer if their deletion request is paused for this reason, where permitted by law.

8. Your privacy rights

Regardless of where you live, you have the following rights as a CaseParity customer:

• Access: request a copy of the personal information we hold about you. We'll respond within 30 days.
• Correction: ask us to fix inaccurate information.
• Deletion: ask us to delete your account and the personal data tied to it. We'll honor this request within 30 days, except for billing records we're required to retain under tax law (which we'll segregate and only access if legally required).
• Portability: request a machine-readable export of your account data.
• Opt-out of marketing email: use the unsubscribe link or email us.
• Non-discrimination: we won't deny service, charge a different price, or degrade service quality because you exercised a privacy right.

State-specific rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Tennessee, Indiana, or any other state with a comprehensive consumer privacy law, you have additional rights under that state's law. CaseParity does not sell or share personal information for cross-context behavioral advertising (so the most-asked-about CCPA/CPRA rights don't apply because there's nothing to opt out of). For other rights specific to your state, email privacy@CaseParity.com with the subject line "Privacy Rights Request [state]" and we'll route appropriately.

To submit a request, email privacy@CaseParity.com from the email address on your account, or use the in-dashboard "Privacy" section. We verify your identity using your account email and, if needed, a one-time code sent to that email. We do not require additional government ID to verify a request from your own account.

9. Security

We use industry-standard administrative, technical, and physical safeguards to protect your information, including encryption in transit (TLS 1.2+), encryption at rest, password hashing with a modern adaptive algorithm, network-level access controls, and least-privilege role-based access for our team. We never store full payment card numbers or CVVs — those are handled exclusively by Stripe.

No system is perfectly secure. If a breach occurs that affects your data, we will notify you and the relevant authorities as required by applicable state and federal law (typically within 30-72 hours of confirming the scope, depending on jurisdiction).

10. Children's privacy

CaseParity is intended for use by adults (18+). We do not knowingly collect personal information from children under 13, or from children under 16 in jurisdictions where that is the applicable age. If you believe we have inadvertently collected such information, email privacy@CaseParity.com and we will delete it.

Note that adults frequently purchase CaseParity reports about charges that involve minors as defendants. The statistics in those reports describe aggregate sentencing outcomes across thousands of cases; they do not contain any identifying information about any specific minor.

11. International users

CaseParity is a U.S.-only service. Our infrastructure, our team, and our data are located in the United States. We do not intentionally market the service to users outside the U.S. If you access the service from outside the U.S., you understand that your information will be processed in the U.S., which may have different privacy protections than your home jurisdiction. We do not offer GDPR-specific rights at this time; we will reassess if the service expands internationally.

12. Communications about your account

We will email you for these reasons regardless of marketing preferences:

• Order confirmation and receipt
• Subscription renewal notice (for Pro Standard accounts — sent 7 days before each renewal)
• Report-update notice when a report you've purchased has a new monthly snapshot available
• Important security notifications (login from a new device, password change, suspected compromise)
• Material changes to this Privacy Policy or the Terms of Service (sent at least 30 days before they take effect)

13. Changes to this policy

If we materially change this Privacy Policy — meaning a change that expands what we collect, what we use it for, or who we share it with — we will email all active account holders at least 30 days before the change takes effect, post a notice on the homepage, and update the "Effective date" at the top of this page. Non-material changes (typos, clarifications, formatting) will be made silently with the version number incremented.

14. Contact

For any privacy question or to exercise any right described above:

• Email: privacy@CaseParity.com

This policy is provided in English. If you are reading a machine-translated version via the Translate widget at the top of the page, the English version of this policy is authoritative and controls in any dispute over interpretation.