Privacy Notice
Last updated: 2026-05-12
1. About this Notice
This Privacy Notice explains how [Company Name], trading as “CaseLog” (“we”, “us”, “our”), collects and processes personal data when you use our website, our web application, or any related services (together, the “Service”).
The Service is built for Irish criminal-defence solicitors and their firms. Two relationships exist for data-protection purposes:
- We are the controller of personal data about the Firm and its Authorised Users (account credentials, billing details, Service-usage logs). This Notice covers that processing.
- We are the processor of personal data the Firm enters into the Service about its own clients and matters (case files, appearances, claims, communications, attendance notes, etc.). For that processing, the Firm is the controller and our processor obligations are set out in our Data Processing Addendum (“DPA”), incorporated into our Terms of Service. The Firm's own privacy notice to its clients is the relevant disclosure for that data.
2. Who we are
Controller: [Company Name]
Trading as: CaseLog
Registered in: Ireland, company number [Company Number]
Registered office: [Registered Office Address]
VAT: [VAT Number]
Email: [privacy@yourdomain.ie]
3. Data Protection Officer
Our Data Protection Officer (or designated privacy contact) can be reached at [dpo@yourdomain.ie], or by post addressed to “DPO” at our registered office above.
4. Personal Data we collect
We collect the following categories of personal data:
a. Account data
- Name and email address.
- Password (stored only as a salted hash).
- Two-factor authentication secret (encrypted at rest) and trusted-device fingerprints.
- Profile picture, signature image, and personal preferences.
- The Firm you belong to, your role, and your permissions.
b. Billing data
- Firm name, billing address, VAT number, and contact email.
- Subscription plan, seat count, trial state, and payment history (Stripe holds the payment-instrument details; we do not store full card numbers).
- Invoices and payment receipts.
c. Service-usage data
- IP address, user agent, timestamps, and pages accessed.
- Audit-log entries recording sign-in, password reset, two-factor activity, and significant actions you take in the Service.
- Email and SMS delivery logs for notifications sent on your behalf.
- Diagnostic logs (which may include error messages and stack traces) collected to investigate incidents.
d. Communications with us
- Support enquiries, feedback, and any information you provide when you contact us.
Special-category data and offence data. We do not seek to collect special-category data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR / section 55 Data Protection Act 2018) from you as a Service user. However, the data the Firm enters into the Service about its own clients will typically include offence data. For that data the Firm is the controller, and the Firm must satisfy itself that it has a lawful basis under Article 10 GDPR and section 55 DPA 2018 before entering it.
5. How we use your data and the lawful bases
| Purpose | Lawful basis (GDPR) |
|---|---|
| Creating and maintaining your account; providing the Service to the Firm. | Performance of a contract (Art 6(1)(b)). |
| Billing, payment processing, and tax-record retention. | Performance of a contract (Art 6(1)(b)) and legal obligation (Art 6(1)(c)). |
| Security, fraud prevention, audit logging, abuse handling, and incident response. | Legitimate interests (Art 6(1)(f)) in protecting the Service and our users. |
| Service improvement, telemetry, and aggregate analytics. | Legitimate interests (Art 6(1)(f)). |
| Service-related communications (security alerts, billing notices, important changes). | Performance of a contract (Art 6(1)(b)) and legal obligation where applicable. |
| Marketing communications about new features (only where you opt in). | Consent (Art 6(1)(a)). You can withdraw consent at any time. |
| Responding to lawful requests from public authorities, including for national security or law-enforcement purposes. | Legal obligation (Art 6(1)(c)). |
6. Sub-processors and recipients
We share personal data with the following categories of recipients only to the extent necessary for the purposes above:
- Hosting and database: Vercel Inc. (application hosting and serverless compute, with EU regions where available) and Neon Database (managed Postgres, EU region).
- Email delivery: Resend for transactional emails (verification, password reset, billing receipts, court list dispatch).
- SMS delivery: Twilio for SMS reminders sent on the Firm's behalf to the Firm's clients.
- Payments: Stripe Payments Europe Ltd (Ireland), which is an independent controller for the purpose of card-payment processing under its own privacy policy.
- File storage: Vercel Blob for documents and signatures.
- AI-assisted import (optional): if the Firm enables AI-assisted import, files are sent to a configured large-language-model endpoint (e.g. OpenAI or a self-hosted alternative) to extract structured fields. The Firm controls whether this feature is enabled.
- Professional advisers: our lawyers, accountants, and auditors, subject to strict confidentiality.
- Acquirers: a prospective acquirer in connection with a corporate transaction, subject to confidentiality.
- Public authorities: where required by law, including the Office of the Data Protection Commission, An Garda Síochána, the Revenue Commissioners, or any court of competent jurisdiction.
Each sub-processor is bound by a written contract containing the safeguards required by Article 28 GDPR. A current list of sub-processors is available on request.
7. International transfers
We aim to store and process personal data within the European Economic Area (“EEA”). Where transfers outside the EEA are necessary (for example, to certain sub-processors with headquarters in the United States), we rely on lawful transfer mechanisms under Chapter V GDPR, including:
- The European Commission's adequacy decisions (including the EU–US Data Privacy Framework, where the recipient is certified).
- The European Commission's Standard Contractual Clauses (2021/914) supplemented by appropriate technical and organisational measures.
- Your explicit consent, where no other safeguard applies and the transfer is occasional.
You can request a copy of the safeguards relevant to a specific transfer by writing to our DPO at the email address above.
8. How long we keep data
We retain personal data for no longer than necessary for the purposes for which it was collected:
- Account data — for the duration of your account, plus 12 months after closure (to handle disputes or re-activation).
- Billing data — 7 years, in line with Irish tax-record retention requirements.
- Audit logs and security records — 24 months, after which they are aggregated or deleted.
- Diagnostic logs — up to 90 days.
- Support correspondence — 36 months from the last contact.
- Marketing-consent records — until consent is withdrawn, plus 12 months as evidence of the prior consent.
- Firm Data (where we are processor) — retained for the term of the Subscription plus a 30-day export window, then deleted in accordance with the DPA, subject to any legal obligation to retain.
Where we are required by law to retain data for longer (for example, to respond to a lawful request from An Garda Síochána), we will do so for the period required.
9. Your rights
Under GDPR and the Data Protection Act 2018, you have the following rights in respect of your personal data:
- Right of access (Article 15) — to obtain a copy of the personal data we hold about you.
- Right to rectification (Article 16) — to have inaccurate data corrected and incomplete data completed.
- Right to erasure (Article 17) — to have your data deleted in defined circumstances (subject to our retention obligations).
- Right to restrict processing (Article 18) in defined circumstances.
- Right to data portability (Article 20) — to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21) — to processing carried out on the basis of legitimate interests or for direct marketing.
- Right not to be subject to solely automated decision-making (Article 22) producing legal or similarly significant effects. We do not carry out such decision-making.
- Right to withdraw consent at any time, where processing is based on consent.
10. How to exercise your rights
To exercise any of these rights, write to us at [privacy@yourdomain.ie]. We will respond within one month (extendable by two further months for complex requests, in which case we will tell you within the first month).
If your request concerns data held by us as a processor on behalf of a Firm (for example, a case record entered by your solicitor about you as their client), please contact the Firm directly — the Firm is the controller of that data. We will assist the Firm in responding where appropriate.
We may ask you to verify your identity before acting on a request. There is normally no fee, but we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive.
11. Complaints
If you believe we have not handled your personal data in accordance with data-protection law, please contact us first so we can try to resolve the matter. You also have the right to lodge a complaint with the supervisory authority:
Office of the Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Phone: +353 (0)761 104 800
Website: www.dataprotection.ie
12. Security
We take appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+ for all network traffic).
- Encryption at rest for sensitive fields including two-factor secrets and Personal Public Service Numbers.
- Salted-hash storage of passwords (bcrypt).
- Mandatory two-factor authentication (TOTP) where the Firm has opted in to enforcement, with a trusted-device option that requires a fresh verification on each new device.
- Role-based access controls and per-action audit logging within the Service.
- Rate-limiting and abuse detection on authentication endpoints.
- Background screening of personnel and confidentiality undertakings.
- Regular dependency scanning, secure-development training, and incident-response procedures.
No system is completely secure. We will notify the relevant supervisory authority and affected data subjects of any personal-data breach where required to do so under Articles 33 and 34 GDPR.
13. Cookies and similar technologies
We use a minimal set of strictly necessary cookies to sign you in and to remember session preferences (such as light/dark theme). We do not use third-party advertising or cross-site tracking cookies. Optional analytics cookies will be deployed only with your consent through a cookie banner.
14. Children
The Service is intended for use by solicitors and their employees, all of whom are adults. We do not knowingly collect personal data from children directly. Where a Firm processes data about a child within the Service (for example, a juvenile client), the Firm is the controller of that data and must comply with the additional protections applicable under the Children Act 2001, the Children Court's in-camera rule, and related law. The Service includes redaction features to support this.
15. Changes to this Notice
We may update this Notice from time to time. The “last updated” date at the top will reflect the most recent change. If a change is material we will notify the Firm administrator by email at least 30 days before it takes effect, unless the change must take effect sooner for legal or security reasons.
16. Contact
Questions about this Notice or about our processing of your data can be sent to [privacy@yourdomain.ie], or by post addressed to “Privacy” at our registered office above.