Privacy Policy

CaseCore is a case management and operations platform for professional agencies. This Privacy Policy explains how CaseCore collects, uses, stores, and protects information submitted through the platform.

CaseCore is a professional business service. It is not a consumer, social, entertainment, education, or general-public data service.

We may collect account information, agency profile information, staff and contractor access records, billing-related identifiers, case records, notes, forms, evidence metadata, uploaded files, scheduling information, client invite information, agency license details, research workspace records, saved source URLs, entity records, relationship notes, timeline findings, AI prompts, AI outputs, AI usage records, terms acceptance records, technical logs, security events, audit activity, and support communications.

If an agency uses the CaseCore referral program, CaseCore may collect referral records such as the referring agency, referring user, referred agency name, referred contact name, referred email address, referral code, referral link, signup status, billing qualification status, credit status, and related email delivery or abuse-prevention metadata.

Agencies are responsible for the information they choose to enter into CaseCore, including personal information, client information, case records, and evidence files.

Agency customers decide what case information, client information, subject information, evidence, files, notes, forms, reports, research records, billing records, and other materials they upload or create in CaseCore. For that customer-controlled case data, the agency is generally responsible for deciding why the information is collected, whether it may be collected, who may access it, how long it should be retained, and when it should be deleted or exported.

CaseCore processes customer-controlled case data to provide the service, secure the platform, support authorized users, troubleshoot issues, maintain audit history, process requested AI features, and perform other functions described in this Policy and the Terms of Service.

CaseCore is currently offered for agencies, users, clients, and professional operations located in the United States and Canada. The service is not currently intended for agencies established outside the United States or Canada unless CaseCore gives written approval and the required privacy, data protection, and legal terms for that jurisdiction are in place.

Users should not submit information about matters, clients, or data subjects outside the United States or Canada unless they have confirmed that they are legally authorized to do so and CaseCore has approved that use in writing.

Information is used to provide the CaseCore service, authenticate users, operate multi-tenant agency workspaces, process subscriptions, generate reports and forms, support client case access, enforce roles and assigned-case restrictions, maintain security, support authorized-use workspace controls, troubleshoot issues, investigate abuse, and improve the product.

Referral program information is used to create tracked referral links, send referral invitations, associate referred signups with the referring agency, determine program eligibility, apply account credits, prevent abuse, and answer support or billing questions about referral status.

Terms acceptance records may be used to confirm that an account accepted the current CaseCore legal terms before accessing the authenticated product.

When an agency uses Switch Center or support-assisted migration, CaseCore may process exported files, spreadsheets, folder inventories, billing exports, evidence manifests, staff lists, form templates, old case numbers, notes, and related migration metadata. This information is used to map, preview, import, troubleshoot, and audit the agency's migration into its CaseCore workspace.

CaseCore does not require prior-system passwords for standard migration paths. Unless an approved OAuth/API connector is offered for a provider, agencies should export their own data and upload the export to CaseCore. CaseCore may retain migration history, skipped-row details, import summaries, and support notes so the agency can review what moved and what still needs cleanup.

When an agency connects QuickBooks Online, CaseCore uses Intuit OAuth so the agency approves access through Intuit. CaseCore does not collect or store QuickBooks passwords. CaseCore may store encrypted Intuit access tokens and related connection metadata so the agency can import approved QuickBooks accounting data into its CaseCore workspace.

QuickBooks data may include invoices, payments, expenses, time activity, customer references, transaction dates, amounts, descriptions, and related metadata returned by Intuit for the connected company and user permissions. This information is used only for the connected agency's requested billing, invoice, payment, expense, time-entry, migration, reconciliation, and accounting handoff workflows.

CaseCore does not use QuickBooks data to train AI models, create general-purpose datasets, or improve models for other customers. Agencies can disconnect QuickBooks from the Integrations page. Disconnecting removes stored Intuit tokens from CaseCore, but previously imported billing records may remain in the agency workspace until deleted or retained under the agency's and CaseCore's applicable retention rules.

When an agency configures email, calendar, or notification features, CaseCore may store provider type, connected account email, sync settings, message templates, draft metadata, calendar event metadata, feed tokens, and delivery or audit events needed to operate those features.

CaseCore does not use email or calendar data to train AI models for other customers. Users remain responsible for reviewing outbound messages, recipients, calendar feeds, and shared links before sending or sharing.

CaseCore does not sell customer case files, evidence, client records, case records, agency records, or user account data. CaseCore does not operate as a data broker for case records. CaseCore may use service providers as described below to operate the platform, process payments, host data, send email, support AI features requested by users, secure the service, and provide support.

CaseCore may record audit logs, security events, access records, login events, terms acceptance records, support activity, case activity, evidence actions, profile changes, billing activity, and administrative actions. These records help protect agency workspaces, investigate suspicious activity, enforce permissions, diagnose support issues, maintain evidence and activity history, and document who performed important actions in the platform.

Audit logs may include user identifiers, organization identifiers, timestamps, affected records, event names, IP address or request context, browser or device context, and limited action details. CaseCore may retain audit and security logs even when other information is deleted if retention is reasonably needed for security, legal, fraud prevention, dispute, billing, compliance, backup, or abuse prevention purposes.

CaseCore may maintain backups, recovery records, soft-deletion records, storage recovery holds, security events, and audit history to protect customers from accidental deletion, unauthorized changes, account compromise, system failures, billing disputes, fraud, abuse, or legal claims. These records may persist for a limited period after a user deletes content or closes an account.

Evidence deleted by an authorized owner or admin may be moved to a recovery hold before permanent removal so the agency can recover from mistakes or unauthorized account activity. Recovery holds, audit logs, and security records may not be immediately erasable where retention is needed for security, evidence integrity, legal, compliance, dispute, or abuse-prevention purposes.

CaseCore may also process support tickets, system health signals, self-healing events, and approved user feedback to troubleshoot, improve reliability, detect repeated failures, and maintain audit trails. These records are used for service operation and product quality, not to sell customer data.

CaseCore is a professional business platform for adult users and agency teams.

Agencies may handle matters that include sensitive personal information, protected records, family matters, witness information, medical details, school-related facts, or other restricted records. The agency is responsible for confirming legal authority, client authorization, court orders, consent requirements, reporting obligations, confidentiality duties, retention rules, and restrictions on sharing or uploading that information.

Sensitive records should be treated carefully. Agencies should limit access to personnel with a need to know, avoid unnecessary uploads, review client invite links before sharing, and review reports before sending them outside the agency.

CaseCore may store agency or investigator license numbers, state or jurisdiction information, and related agency settings so the workspace is positioned for authorized professional use. Agencies remain responsible for confirming license status and legal authority before using CaseCore for real work.

Research workspace records are agency-entered case records. CaseCore stores the entities, notes, saved links, source descriptions, relationships, and timeline findings users choose to add, but CaseCore does not use those records to make professional conclusions or determine whether a person is responsible for conduct.

Customer case records, clients, evidence, notes, reports, billing details, uploaded files, research workspace entries, and related agency content remain the agency customer's data. CaseCore stores and processes that information to provide the software, support the account, secure the platform, and comply with legal or operational obligations.

CaseCore does not make one agency's case records available to another agency. Access is scoped by workspace, authenticated user, role, assigned-case permissions, and security controls.

CaseCore is designed around tenant isolation, authenticated access, server-side controls, assigned-case restrictions, role-based access, signed storage links, and Supabase Row Level Security. Agencies should still limit access to authorized users, use strong passwords, enable MFA where available, review staff and contractor access, and avoid uploading information they are not legally permitted to store.

No internet service can guarantee perfect security. Agencies should promptly report suspected unauthorized access, exposed invite links, compromised credentials, or other security concerns using the contact information below.

If CaseCore determines that a security incident requires notice to affected customers, CaseCore will use reasonable efforts to notify the affected agency account owner or another appropriate contact using the account information available to CaseCore. Agencies remain responsible for notifying their own clients, staff, contractors, regulators, courts, insurers, government agencies, or other parties when required by law or professional obligations.

CaseCore may use trusted providers for authentication, database hosting, storage, payment processing, email delivery, deployment, analytics, AI-assisted processing, and operational support. These providers are used only as needed to operate the service.

When an agency uses CaseCore AI, the content submitted to the AI feature may be sent to a trusted AI provider to generate the requested draft, summary, review, or form assistance. Agencies should avoid submitting information they are not authorized to process and should review AI output before using it in case work or client-facing materials.

Agencies may generate read-only client invite links. Agencies are responsible for sending those links only to authorized recipients and revoking access when appropriate. Agencies are also responsible for assigning staff and contractors only to cases they are authorized to access.

Case information, evidence, reports, forms, account records, audit records, and billing-related records may remain stored while an agency account is active or as needed for legal, security, backup, billing, dispute, abuse prevention, and operational purposes.

Agencies are responsible for their own record-retention rules, including investigative licensing rules, court orders, contracts, client obligations, insurance requirements, tax records, evidence-preservation duties, and state-specific requirements.

Users and other individuals may contact CaseCore to request access to, correction of, or deletion of personal information that CaseCore controls. Requests should identify the requester, the agency or workspace involved if known, the email address or other identifier connected to the request, and the specific information or account the requester wants reviewed or deleted.

CaseCore may need to verify the requester's identity and authority before disclosing, changing, or deleting information. If the information is controlled by an agency customer, CaseCore may direct the requester to that agency or work with the agency to process the request. CaseCore may deny, limit, or delay deletion where retention is reasonably necessary for legal, security, evidence integrity, audit logs, billing, dispute, fraud prevention, backup, abuse prevention, or compliance purposes.

Deletion requests may be sent to the contact information below. Please use the subject line "Privacy Deletion Request" when possible.

Where a privacy law gives an individual a right to know, access, correct, delete, or limit certain personal information, CaseCore will respond as required by applicable law after verifying the request. Some requests may need to be handled by the agency customer that controls the case record. CaseCore may ask for information needed to verify identity, authority, agency relationship, or the records involved.

CaseCore may update this Privacy Policy as the service, law, security practices, providers, or business operations change. The updated date above shows when the page was last revised. Continued use of CaseCore after an update means the revised policy applies going forward.

Privacy questions, access requests, correction requests, deletion requests, or security concerns may be sent through the contact information listed below.