Privacy Policy
Casero Ltd
This Privacy Policy describes how Casero Ltd (“Casero”, “we”, “us”, or “our”) collects, uses, stores, and discloses personal data when you use the Casero platform and associated services (the “Service”). It also explains your rights under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
Please read this Policy carefully. By accessing or using the Service, you acknowledge that you have read and understood the practices described here. If you are accessing the Service on behalf of a law firm or other organisation, you confirm that you have authority to agree to this Policy on that organisation's behalf.
This Policy should be read alongside Casero's AI Policy and any applicable subscription or data processing agreement between Casero Ltd and the relevant law firm.
1. Introduction and Scope
Casero Ltd is committed to protecting the privacy and security of the personal data entrusted to us by our customers, their staff, and the individuals whose data appears in legal matter files. This Policy explains who we are, what personal data we collect, how we use and protect it, who we share it with, how long we retain it, and what rights you have.
This Policy applies to:
- registered users of the Casero platform — solicitors, paralegals, practice managers, and other firm personnel (“Platform Users”);
- individuals whose personal data appears incidentally within legal matter documents, emails, or other files uploaded to the platform by a law firm (“Data Subjects in Matter Files”); and
- individuals who contact us for sales enquiries, support, demonstrations, or other correspondence (“Enquirers”).
This Policy does not apply to third-party websites or services that may be linked to or from the Service. We are not responsible for the privacy practices of those third parties.
Roles under UK GDPR
The nature of Casero's activities means we may act in different roles depending on the data being processed:
- As data controller: in respect of personal data collected directly from Platform Users and Enquirers — for example, account registration data, billing contact data, and usage logs.
- As data processor: in respect of personal data contained within Customer Data (matter documents, emails, and notes) uploaded to the platform by a law firm. In these circumstances, the law firm is the data controller and Casero processes that data only on the firm's instructions and in accordance with our Data Processing Agreement.
This distinction matters. Law firms bear primary responsibility for ensuring they have a lawful basis to share client and third-party data with us. We have designed the platform to support firms in meeting their obligations, but responsibility for data governance decisions relating to matter content rests with the firm.
2. Personal Data We Collect
2.1 Account and Identity Data
When you register for or sign in to the Service, we collect:
- full name and work email address;
- law firm name and your role or job title;
- authentication credentials — where you register using email and password, your password is stored in hashed and salted form using industry-standard cryptographic methods, and we never store plaintext passwords;
- authentication tokens and profile identifiers provided by your identity provider (Microsoft or Google), where you sign in using Single Sign-On (SSO) (we do not receive or store your SSO password); and
- profile preferences and notification settings selected within the platform.
2.2 Legal Matter and Case Data (Customer Data)
The principal function of the Service is to ingest, structure, and analyse legal matter content. To deliver this functionality, we process content uploaded by your firm, which may include:
- legal case documents, contracts, court filings, pleadings, instructions, and attendance notes;
- email correspondence linked to a matter;
- lawyer notes, annotations, chronologies, and other internal working documents;
- client-facing correspondence and communications; and
- any other files or data uploaded by your firm to the platform.
This content is processed by Casero solely on behalf of your firm and for the purpose of delivering the Service. It may contain personal data relating to clients, opposing parties, witnesses, experts, and other individuals. Your firm, as data controller for this content, is responsible for ensuring it holds a valid lawful basis for sharing such data with us.
2.3 Technical and Usage Data
We automatically collect limited technical data when you access and use the Service:
- IP address, browser type and version, operating system, and device type;
- log data including pages and features accessed, search queries, error reports, and timestamps;
- session identifiers used to maintain your authenticated session; and
- anonymised and aggregated feature usage telemetry used to improve the Service.
2.4 Billing and Payment Data
Where your firm subscribes to a paid tier, billing is processed by Stripe, Inc. We collect and transmit to Stripe the name, work email address, and billing address of the designated billing contact. Stripe handles all payment card data directly. We do not receive, process, or store payment card numbers, CVV codes, or other sensitive payment information. Stripe operates to PCI-DSS Level 1 standards. Please refer to Stripe's Privacy Policy at stripe.com/privacy for further details.
2.5 Communications Data
When you contact us by email or any other means, we retain records of the content of your communications with us, your contact details as provided, and our responses and any follow-up actions taken.
2.6 Special Categories of Personal Data
We do not intentionally collect or process special categories of personal data about Platform Users or Enquirers. However, special category data may appear incidentally within legal matter documents uploaded by a law firm — for example, in personal injury files, employment tribunal documents, or immigration matters. Where this is the case, the law firm as data controller must ensure it holds an appropriate condition under Article 9 UK GDPR for processing such data. Casero processes such data solely on the firm's instructions as data processor and does not use it for any other purpose.
3. How We Collect Personal Data
- Directly from you: when you register for an account, fill in a form on our platform or website, subscribe to a service tier, contact us for support or sales, or respond to a survey.
- Automatically: through your use of the platform via cookies, session tokens, and server-side logging as described in Sections 2.3 and 12.
- From your firm: when your firm's administrator adds you as an Authorised User, or when Customer Data containing references to you is uploaded to the platform.
- From your identity provider: if you sign in using Microsoft or Google SSO, we receive the profile information your identity provider shares with us — typically name, email address, and profile photo. We do not receive your SSO password.
- From public sources: we may review publicly available information in the course of sales outreach, solely to personalise our communications.
4. Legal Bases for Processing
We are required by UK GDPR to identify a lawful basis for each type of processing we carry out. The table below sets out the lawful bases we rely upon.
| Processing Activity | Lawful Basis and Details |
|---|---|
| Account registration and management | Contract (Art. 6(1)(b)) — necessary to provide the Service under our agreement with your firm. |
| Processing matter documents and Customer Data | Contract (Art. 6(1)(b)) / Instructions of the controller — as data processor, we act solely on your firm's instructions. |
| Billing and subscription management | Contract (Art. 6(1)(b)) and Legal Obligation (Art. 6(1)(c)) — necessary to manage subscriptions and comply with financial record-keeping obligations under HMRC rules. |
| Platform security, abuse prevention, and debugging | Legitimate Interests (Art. 6(1)(f)) — we have a legitimate interest in maintaining the security and integrity of the platform. This does not override your fundamental rights. |
| Service improvement and feature analytics (anonymised) | Legitimate Interests (Art. 6(1)(f)) — we have a legitimate interest in improving the Service through anonymised and aggregated usage analysis. |
| Responding to sales and support enquiries | Legitimate Interests (Art. 6(1)(f)) — we have a legitimate interest in communicating with prospective and existing customers. |
| Marketing to existing customers | Legitimate Interests (Art. 6(1)(f)) — we have a legitimate interest in informing existing customers of relevant updates. You may opt out at any time. |
| Marketing to prospective customers | Consent (Art. 6(1)(a)) — we will seek your explicit consent before sending marketing communications where required by PECR. |
| Compliance with legal obligations | Legal Obligation (Art. 6(1)(c)) — for example, responding to court orders, regulatory requests, or exercising or defending legal claims. |
Legitimate Interests. Where we rely on legitimate interests, we have carried out a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to such processing — see Section 10.
Withdrawal of Consent. Where we rely on your consent, you may withdraw it at any time by contacting us at the address in Section 14. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
5. How We Use Personal Data
5.1 To Provide the Service
- Creating and managing your account and Authorised User access.
- Ingesting, structuring, and analysing legal matter content to generate the knowledge graph, timelines, deadline and risk flags, and past matter matches that comprise the Service.
- Responding to plain English queries by surfacing relevant content from Customer Data and the Legal Library.
- Maintaining integrations with third-party case management and document management systems at the Pro tier.
- Managing your subscription, issuing invoices, and processing payments.
5.2 To Operate and Improve the Platform
- Monitoring platform availability and performance to meet our service level commitments.
- Investigating and resolving technical errors, bugs, and security incidents.
- Analysing anonymised and aggregated usage patterns to identify areas for improvement.
- Developing and testing new features before release.
5.3 To Communicate with You
- Responding to support requests, bug reports, and general enquiries.
- Notifying you of planned maintenance, service updates, and material changes to this Policy or our terms.
- Sending product news and updates where you are an existing customer — you may opt out at any time.
- Contacting prospective customers with information about the Service where we have a lawful basis to do so.
5.4 To Comply with Legal Obligations
- Maintaining financial and VAT records as required by HMRC.
- Responding to lawful requests from courts, regulators, or law enforcement.
- Notifying the ICO and affected individuals in the event of a reportable personal data breach.
5.5 What We Do Not Do
We do not use Customer Data to train, fine-tune, or improve any AI model — whether operated by Casero, Microsoft, or any other party. We do not sell, rent, or share personal data with third parties for their own marketing purposes. We do not engage in automated decision-making that produces legal or similarly significant effects on individuals. We do not display advertising within the platform.
6. AI Processing and Your Data
A core element of the Service is the use of artificial intelligence — specifically large language model (LLM) technology — to analyse, classify, and structure legal matter content. This section explains how that processing works and the protections that apply.
6.1 How AI Processes Your Data
When Customer Data is uploaded to the platform, it is transmitted to the Azure OpenAI Service (operated by Microsoft Corporation) for AI inference. The processing sequence is as follows:
- Document content is extracted and segmented for AI analysis.
- Each segment is transmitted to the Azure OpenAI Service API for inference — for example, to identify entities, extract key facts, recognise deadlines, or respond to a plain English query.
- The Azure OpenAI Service returns an inference result, which Casero uses to populate the knowledge graph, timeline, or query response.
- Document content transmitted to the Azure OpenAI Service API is processed transiently for the purpose of returning the inference result only. It is not retained by Microsoft beyond the duration of the API call.
6.2 No Model Training on Customer Data
Customer Data submitted to the Azure OpenAI Service is processed under Microsoft's Azure OpenAI Data Processing Addendum, which expressly prohibits the use of submitted data to train or fine-tune any AI model operated by Microsoft or OpenAI. Casero does not use Customer Data to train any AI model, fine-tune model weights, or derive training datasets. The only use of Customer Data by the AI is to return inference outputs in the course of providing the Service.
6.3 Source Grounding and Transparency
All AI outputs generated by the Service in response to matter queries are grounded exclusively in content uploaded by the firm or verified materials within the Casero Legal Library. The Service does not generate responses drawing on external sources or unsupported inference. Every AI-generated response that references matter content is accompanied by a passage-level citation to the specific passage within the source document from which the information is drawn. Users can navigate directly to that source passage.
6.4 Limitations and Human Oversight
AI systems can produce outputs that are inaccurate, incomplete, or misleading in particular circumstances — a known limitation referred to as “hallucination”. Casero's architecture is designed to minimise this risk through source grounding, but we do not warrant that AI outputs will be free from error in all circumstances. All AI-generated outputs must be reviewed by a qualified legal professional before being acted upon. The Service is a tool to assist, not replace, professional judgement.
6A. Google User Data
This section describes specifically how Casero accesses, uses, stores, and shares information obtained from Google services via Google OAuth 2.0 / Sign in with Google. These provisions apply in addition to the rest of this Privacy Policy and, where more specific, prevail over it. Casero's access to and use of information received from Google APIs conforms to the Google API Services User Data Policy, including its Limited Use requirements.
6A.1 What Google User Data We Collect
When you choose to sign in to Casero using Sign in with Google (Google OAuth 2.0), we request only the minimum scopes necessary to authenticate your identity and create your account. We request only the openid, email, and profile scopes. We do not request access to your Gmail, Google Drive, Google Calendar, Google Contacts, or any other Google service beyond authentication. The data elements we receive are:
- Your Google Account email address — to uniquely identify your account and send you transactional service notifications.
- Your display name (as set in your Google Account) — to personalise your in-platform experience and display your name to colleagues within your firm's workspace.
- Your Google Account profile photo (where shared by Google) — to display an avatar within the platform. This is fetched on demand from Google and is not stored persistently by Casero.
- An OAuth 2.0 access token and refresh token — to maintain your authenticated session. Tokens are stored securely and are never exposed to other users or third parties.
6A.2 How We Use Google User Data
Google user data obtained via OAuth 2.0 is used solely for the following purposes:
- Authenticating you and establishing a secure session on the Casero platform.
- Creating and managing your Casero user account, including linking it to your firm's workspace.
- Displaying your name and profile image within the platform to you and your firm colleagues.
- Sending you transactional emails relating to your account, such as security notifications or service updates.
We do not use Google user data for any of the following purposes: training, fine-tuning, or evaluating any AI or machine learning model; advertising, remarketing, or behavioural tracking; building user profiles for purposes unrelated to providing or improving the Casero Service; sharing with or selling to any third party for their own commercial purposes; or any purpose not disclosed in this Privacy Policy.
6A.3 How We Store Google User Data
- Email address and display name are stored within your Casero account record in our secure cloud database (hosted on Microsoft Azure within UK/EU data centre regions). This data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
- OAuth tokens are stored in encrypted form using industry-standard cryptographic methods. Access is restricted to the platform's authentication service only. Tokens are never logged in plaintext.
- Profile photos are not stored persistently. They are fetched on demand from Google's servers using the URL provided in the OAuth profile response.
Google user data is retained for the duration of your active account subscription, plus 90 days following account termination to allow for reinstatement. It is then permanently and securely deleted in accordance with Section 9 of this Policy. You may request deletion at any time — see Section 10.
6A.4 Sharing of Google User Data
We do not sell, rent, or otherwise transfer Google user data to third parties for their own purposes. Google user data may be shared only in the following limited circumstances:
- With sub-processors acting on our behalf (see Section 7.1) — specifically, Microsoft Azure for cloud hosting. Sub-processors are contractually prohibited from using Google user data for any purpose other than providing the agreed service to Casero.
- With your firm's workspace — your name and profile image may be visible to other Authorised Users within your firm's Casero workspace, consistent with the collaborative nature of the platform.
- Where required by law — as described in Section 7.2.
Under no circumstances is Google user data transferred to advertising networks, data brokers, analytics platforms, or any entity for purposes unrelated to the delivery of the Casero Service.
6A.5 Minimum Scope and Least-Privilege Principle
In accordance with Google's OAuth 2.0 Policies, Casero requests only the smallest set of Google API scopes necessary to provide the functionality you have chosen to use. We do not request scopes speculatively or in advance of a feature being available. If future functionality requires additional scopes, we will request your explicit consent at that time and update this Policy accordingly.
6A.6 Revoking Google Access
You may revoke Casero's access to your Google Account at any time by visiting your Google Account Security settings at myaccount.google.com/permissions and removing Casero from the list of connected applications. Revoking access will sign you out of any active Casero sessions authenticated via Google. Your Casero account data will remain in place; you may continue to use the platform by registering with an email and password instead, or by contacting us to arrange account migration.
6A.7 Compliance with Google API Services User Data Policy
Casero's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. In summary:
- Google user data is used only to provide or improve user-facing features of the Casero platform that are clearly disclosed to users.
- Google user data is not used for serving advertisements.
- Google user data is not transferred to third parties except as necessary to provide the Service, subject to confidentiality obligations.
- Google user data is not used to determine creditworthiness or for lending purposes.
- Google user data is not used for any purpose not disclosed in this Privacy Policy.
7. How We Share Personal Data
We do not sell, rent, or otherwise make personal data available to third parties for their own commercial or marketing purposes.
7.1 Sub-processors
We share personal data with the following sub-processors, who process data on our behalf and under contractual obligations no less protective than those imposed on us.
| Sub-processor | Role and Transfer Mechanism |
|---|---|
| Microsoft Corporation (Azure) | Cloud infrastructure provider; Azure Blob Storage (data at rest); Azure OpenAI Service (AI inference). All Customer Data and usage logs. Processed under Microsoft's Data Processing Addendum; international transfers governed by the UK IDTA / Standard Contractual Clauses. The Azure OpenAI DPA prohibits use of data for model training. |
| Stripe, Inc. | Payment processing for subscription billing. Billing contact name, email, and address only — no access to Customer Data. Stripe is PCI-DSS Level 1 certified and operates under SCCs for UK-US transfers. |
| Transactional email provider | Email delivery for account verification, password resets, and system notifications. Email address and email content only. No access to Customer Data. |
Changes to Sub-processors. We will notify law firms of any intended addition or replacement of sub-processors with at least 30 days' prior notice, giving firms the opportunity to object.
7.2 Other Permitted Disclosures
We may share personal data with third parties outside of the sub-processor relationship in the following limited circumstances:
- Legal obligation: where we are required to disclose personal data by applicable law, regulation, or a binding order of a court or regulatory body. Where legally permissible, we will give you advance notice.
- Protection of rights: where disclosure is necessary to protect the rights, property, or safety of Casero, our customers, or the public, including prevention of fraud.
- Business transfer: in connection with a merger, acquisition, or sale of all or substantially all of our assets, in which case personal data may be transferred to the acquiring entity. We will notify affected customers before such a transfer takes place.
- Professional advisers: legal advisers, auditors, and insurers, subject to written obligations of confidentiality.
- With your consent: where you have given specific consent to a disclosure not otherwise covered by this Policy.
8. International Transfers of Personal Data
Some of our sub-processors operate infrastructure or data centres outside the United Kingdom. As a result, personal data may be transferred to and processed in countries outside the UK in the course of providing the Service. We ensure that all such transfers are lawful and that appropriate safeguards are in place.
Microsoft Azure. We endeavour to process and store Customer Data within Azure's UK and European data centre regions wherever possible. However, certain Azure services — including elements of the Azure OpenAI Service — may involve processing in the United States. All such transfers are governed by the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses as amended for UK use by the ICO's IDTA Addendum, incorporated into Microsoft's Data Processing Addendum.
Stripe. Stripe, Inc. is headquartered in the United States. Stripe is certified under the EU-US Data Privacy Framework and processes UK personal data under Standard Contractual Clauses.
If your firm has specific data residency requirements, please contact us before subscribing. We will endeavour to accommodate such requirements where technically feasible. You may request further information about the specific transfer mechanisms we rely on, including copies of applicable Standard Contractual Clauses, by contacting us at the address in Section 14.
9. Data Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. Our standard retention periods are as follows.
| Category of Data | Retention Period and Justification |
|---|---|
| Account and identity data | Duration of active subscription, plus three months following termination — to allow for account reinstatement enquiries; deleted promptly thereafter. |
| Customer Data | Duration of active subscription, plus 90 days following termination — to allow for data export; permanently and irreversibly deleted thereafter. |
| Billing and financial records | Seven years from the date of transaction — required by HMRC under the Taxes Management Act 1970 and VAT regulations. |
| Security and infrastructure logs | Up to 12 months — necessary for security incident investigation and operational debugging. |
| Sales and marketing correspondence | Three years from last meaningful engagement, or until opt-out — based on legitimate interest in maintaining sales relationships. |
| Support correspondence | Three years from resolution — necessary for ongoing support and to defend potential claims. |
| Data subject rights requests | Three years from closure of the request — to demonstrate compliance with UK GDPR obligations. |
Where you submit a valid erasure request under Article 17 of the UK GDPR, we will act on that request within 30 days of receipt, subject to any overriding legal obligations that require retention for longer. Where we cannot delete data immediately, we will restrict processing to the minimum necessary and delete it as soon as the retention period expires.
When personal data is deleted, we use industry-standard secure deletion methods to ensure it cannot be recovered. Matter data held in Azure Blob Storage is deleted using Azure's secure deletion mechanisms.
10. Your Rights
Subject to applicable conditions and exceptions under UK data protection law, you have the following rights in respect of personal data that we hold about you.
Right of access (Art. 15). You may request confirmation of whether we process personal data about you and, if so, a copy of that data together with information about how it is processed. This is free of charge unless requests are manifestly unfounded or excessive.
Right to rectification (Art. 16). You may ask us to correct inaccurate personal data we hold about you, or to complete incomplete data.
Right to erasure (Art. 17). You may ask us to delete personal data about you where: it is no longer necessary for the purpose for which it was collected; you have withdrawn consent; you have objected to processing and there are no overriding legitimate grounds; processing is unlawful; or deletion is required by a legal obligation.
Right to restriction of processing (Art. 18). You may ask us to suspend processing of your personal data where you contest its accuracy pending verification; processing is unlawful but you prefer restriction to deletion; we no longer need the data but you require it for legal claims; or you have objected to processing pending our assessment of overriding grounds.
Right to data portability (Art. 20). Where processing is based on consent or contract and carried out by automated means, you may request your personal data in a structured, commonly used, machine-readable format.
Right to object (Art. 21). You may object at any time to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. You have an unconditional right to object to processing for direct marketing purposes — we will stop immediately on receipt of such an objection.
Rights relating to automated decision-making (Art. 22). We do not subject any individual to solely automated decision-making that produces legal or similarly significant effects. All AI outputs require human review before being acted upon.
Right to withdraw consent (Art. 7(3)). Where we rely on consent as a lawful basis, you may withdraw it at any time. This does not affect the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint (Art. 77). You have the right to lodge a complaint with the ICO at any time. We encourage you to contact us first so we can try to resolve your concern.
How to exercise your rights. To exercise any of the rights described above, please submit a written request to moeed.chughtai15@gmail.com, including sufficient information for us to verify your identity. We will acknowledge your request within two Business Days and provide a substantive response within one calendar month. In complex cases we may extend this by a further two months — we will notify you if this is the case.
Rights of Data Subjects in Matter Files. If you are an individual whose personal data appears within legal matter documents processed by Casero on behalf of a law firm, your primary point of contact for exercising your data subject rights is the law firm that controls that data, not Casero. We will refer any requests we receive in these circumstances to the relevant law firm.
11. Security
We take the security of personal data seriously and implement appropriate technical and organisational measures to protect it against accidental loss, unauthorised access, disclosure, alteration, or destruction.
Technical measures
- Encryption of all data in transit using TLS 1.2 or higher.
- Encryption of Customer Data at rest within Azure Blob Storage using AES-256 encryption.
- Role-based access controls limiting access to personal data to authorised Casero personnel with a legitimate business need.
- Multi-factor authentication required for all Casero personnel accessing production systems.
- Regular vulnerability scanning and penetration testing.
- Automated monitoring and alerting for anomalous access patterns and potential security incidents.
Organisational measures
- Privacy and security training for all personnel with access to personal data.
- Contractual confidentiality obligations for all personnel and contractors.
- A formal incident response plan with defined escalation procedures and notification timelines.
- Security assessments for all sub-processors prior to engagement.
We are at an early stage of development and are working towards formal compliance certifications — including ISO 27001 and Cyber Essentials Plus — as part of our product roadmap. Whilst we apply the measures described above, no system of electronic transmission or storage is entirely secure.
Breach notification. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33 UK GDPR). Where a breach is likely to result in a high risk to individuals, we will notify affected individuals without undue delay (Article 34 UK GDPR). Where a breach affects Customer Data, we will notify the relevant law firm within 72 hours in accordance with our Data Processing Agreement.
Customer responsibilities. The security of the Service also depends on Platform Users. Customers are responsible for keeping login credentials confidential, using strong passwords, ensuring Authorised Users are aware of their security obligations, and notifying us promptly of any suspected unauthorised access.
12. Cookies and Tracking Technologies
We use cookies and similar technologies (including session tokens) on the Casero platform. The table below sets out what we use, why, and the basis for doing so.
| Cookie / Token | Type, Duration, and Purpose |
|---|---|
| Session token | Strictly necessary. Session duration (expires on sign-out). Maintains your authenticated session. Required for the Service to function — cannot be disabled. |
| CSRF token | Strictly necessary. Session duration. Protects against cross-site request forgery attacks. Required for security — cannot be disabled. |
| User preference cookie | Strictly necessary. 12 months. Remembers your language and display preferences within the platform. |
| Analytics cookies | Not currently used. If introduced in future, we will obtain your prior consent and update this Policy before deployment. |
We do not use advertising cookies, behavioural tracking cookies, cross-site tracking technologies, or third-party analytics tools within the platform. We do not engage in behavioural advertising or share data with advertising networks.
Strictly necessary cookies cannot be disabled as they are essential for the platform to function. You may delete cookies via your browser settings, but this will require you to sign in again on your next visit.
13. Additional Provisions
13.1 Children
The Service is intended exclusively for use by qualified legal professionals and firm personnel who are 18 years of age or older. We do not knowingly collect personal data from individuals under the age of 18. If you believe a person under 18 has provided personal data to us, please contact us immediately and we will take prompt steps to delete that data.
13.2 Marketing Communications
Where you are an existing customer, we may send you product updates and feature announcements. You may opt out at any time by clicking the unsubscribe link in any marketing email, updating your notification preferences within the platform, or contacting us directly. We will not send marketing communications to non-customers without first obtaining the consent required by PECR, where applicable.
13.3 Links to Third-Party Services
The platform may contain links to or integrations with third-party services, including iManage, NetDocuments, and Clio. This Policy does not apply to those third-party services. We encourage you to review their privacy policies before using them.
13.4 Changes to This Policy
We may revise this Privacy Policy from time to time to reflect changes in our data processing practices, the introduction of new features, or changes in applicable law or regulatory guidance. The effective date and version number at the top of this document reflect the current version.
Where we make material changes — that is, changes that affect the basis on which we process personal data or that materially affect your rights — we will notify the firm's designated administrator by email at least 14 days before the revised policy takes effect, and will display a prominent notice on the platform. Continued use of the Service following the effective date of a revised Policy constitutes acceptance of the revised terms. For minor or clarificatory changes, we may update this Policy without prior notice.
13.5 Regulatory Framework
We monitor developments in data protection and AI regulation on an ongoing basis. Key frameworks relevant to the Service include the UK GDPR and Data Protection Act 2018; the Privacy and Electronic Communications Regulations 2003 (PECR); the EU Artificial Intelligence Act (phased in from 1 August 2024), whose extraterritorial scope we monitor; and SRA guidance on the use of AI in legal practice. Casero provides reasonable assistance to law firms seeking to understand how the platform operates in the context of their regulatory obligations, whilst noting that regulatory compliance remains the firm's own responsibility.
14. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or to our processing of your personal data, please contact our privacy team:
Response commitment: We aim to acknowledge all privacy-related enquiries within two Business Days and to provide a substantive response within five Business Days for general enquiries, or within one calendar month for formal data subject rights requests.
If you are not satisfied with our response, or if you consider that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Casero Ltd is registered in England and Wales. This Policy is governed by the laws of England and Wales.