Privacy Policy

1. Defined Terms

“Personal Information” means information that identifies, relates to, describes, or could reasonably be linked with an identified or identifiable individual.

“Visitor” means anyone who visits the Causel marketing website without creating an account.

“Customer” means a law firm, organization, or individual that has entered into a design partner agreement or master subscription agreement with Causel.

“End User” means an individual authorized by a Customer to use the Causel application.

“Customer Data” means data, documents, communications, transcripts, or other content uploaded into the Causel application by or on behalf of Customer. Customer Data is governed by the applicable agreement between Causel and the Customer, not this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

• Contact information when you fill out forms on our marketing website (name, work email, firm name, role, practice area).
• Account information when an End User is invited to the application (name, work email, role, password).
• Communications when you correspond with us via email, chat, or support tickets.
• Feedback when you participate in surveys, user research, or provide product feedback.
• Payment information when Customer pays invoices. We use Stripe; Causel does not store full payment card numbers.

2.2 Information Collected Automatically

• Usage data: pages viewed, features used, actions taken, timestamps.
• Device data: browser type, operating system, screen resolution.
• Network data: IP address (hashed via SHA-256 before storage on marketing site; retained in application logs for security).
• Referral data: referring URL, campaign identifiers.

2.3 Information We Do Not Collect

• We do not read or process the contents of documents flagged as attorney-client privileged unless the Customer explicitly overrides the quarantine.
• We do not collect biometric identifiers, precise geolocation, or government-issued identifiers.

3. How We Use Your Information

• Provide and operate the Services: authenticate users, process requests, deliver outputs.
• Communicate with you: respond to inquiries, send transactional messages, provide support.
• Improve the Services: analyze aggregate usage patterns to improve performance and features. We never use Customer Data to improve the Services.
• Protect the Services: detect fraud, prevent abuse, enforce terms.
• Comply with legal obligations: respond to lawful requests from governmental authorities.

4. Legal Bases for Processing (EEA/UK)

If you are located in the EEA or UK, we rely on the following legal bases:

• Contract performance: processing necessary to provide the Services you requested.
• Legitimate interests: processing necessary for our legitimate business purposes (e.g., fraud prevention, product improvement) where those interests are not overridden by your rights.
• Consent: processing based on your explicit opt-in (e.g., marketing emails). You may withdraw consent at any time.
• Legal obligation: processing necessary to comply with applicable law.

5. How Long We Keep Your Information

• Account data: retained for the duration of the Customer relationship plus 90 days for orderly transition.
• Customer Data: retained until Customer deletion request or 30 days after contract termination, whichever is earlier.
• Marketing form submissions: retained for 24 months unless you request earlier deletion.
• Usage/analytics data: retained for 13 months, then aggregated and anonymized.
• Security logs: retained for 90 days for incident response, then purged.

6. Security

We maintain administrative, technical, and physical safeguards designed to protect your information, including:

• AES-256 encryption at rest; TLS 1.3 in transit.
• Logical isolation at the matter level; multi-tenant architecture with row-level security.
• Role-based access control; least-privilege provisioning.
• SOC 2 Type II audit in progress via Vanta.

No method of transmission over the Internet is 100% secure. We cannot guarantee absolute security but will notify affected Customers of any breach in accordance with Section 13 and applicable law.

7. Cookies and Tracking Technologies

We use cookies and similar technologies on causel.ai:

• Essential cookies: required for authentication, security, and site functionality. Cannot be disabled.
• Analytics cookies: optional; help us understand usage patterns. You may opt out via our cookie banner or browser settings.

We honor Global Privacy Control (GPC) signals as an opt-out of analytics cookies.

8. When We Share Your Information

• With subprocessors: we share data with vendors who help us operate the Services (see Section 9).
• With your organization: if you are an End User, your firm administrators may access your account data.
• For legal compliance: we may disclose information in response to lawful requests by public authorities.
• In a corporate transaction: if Causel is acquired or merged, your information may be transferred to the successor entity.

9. Subprocessors

We use the following categories of subprocessors:

Customers may subscribe to subprocessor change notifications by emailing privacy@causel.ai.

10. International Data Transfers

Causel is based in the United States. If you access the Services from outside the U.S., your information will be transferred to, stored, and processed in the United States.

For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. For UK users, we use the UK Addendum to the SCCs.

Upon request, Causel will execute a Data Processing Agreement (DPA) that includes the SCCs. Contact privacy@causel.ai.

11. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: request a copy of the Personal Information we hold about you.
• Correction: request correction of inaccurate data.
• Deletion: request deletion of your Personal Information.
• Restriction: request that we restrict processing in certain circumstances.
• Portability: request a machine-readable copy of your data.
• Object: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw at any time.

To exercise these rights, contact privacy@causel.ai. We will respond within 30 days (or as required by applicable law). We may ask you to verify your identity before fulfilling your request.

12. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

12.1 Right to Know

You may request disclosure of the categories and specific pieces of Personal Information we have collected, the sources, the purposes, and the third parties with whom we share it.

12.2 Right to Delete

You may request that we delete your Personal Information, subject to certain exceptions.

12.3 Right to Correct

You may request that we correct inaccurate Personal Information.

12.4 Right to Opt Out of Sale or Sharing

Causel does not sell Personal Information. We do not share Personal Information for cross-context behavioral advertising.

12.5 Right to Limit Use of Sensitive Personal Information

We do not use or disclose Sensitive Personal Information for purposes beyond those permitted under CPRA.

12.6 Non-Discrimination

We will not discriminate against you for exercising your rights.

To submit a request, email privacy@causel.ai or call 1-833-CAUSEL-1. You may designate an authorized agent by providing written authorization.

13. Other U.S. State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and Iowa (ICDPA) have similar rights to access, correct, delete, and opt out of certain processing. Contact privacy@causel.ai to exercise these rights.

14. Canadian Privacy Rights (PIPEDA)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

• Access: request access to your Personal Information.
• Correction: request correction of inaccurate information.
• Withdrawal of consent: withdraw consent at any time (subject to legal restrictions).
• Complaint: file a complaint with the Office of the Privacy Commissioner of Canada.

We adhere to the ten PIPEDA principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.

15. Law Enforcement Requests

Causel may disclose Personal Information to law enforcement if required by valid legal process (e.g., subpoena, court order).

Unless prohibited by law or court order, we will notify Customer before disclosure so they may seek a protective order. We will challenge overly broad requests and will not voluntarily provide data without legal process.

16. Children's Privacy

The Services are B2B software intended for use by law firms and their authorized personnel. The Services are not directed to individuals under the age of 16. We do not knowingly collect Personal Information from children under 16. If we learn that we have collected such information, we will delete it promptly.

17. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting a notice on our website or sending an email to the address associated with your account at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.