Privacy Policy
Last updated: 22 May 2026
1. Data Controller
Casefile Software Limited (company number 17201853), 66 Paul Street, London, EC2A 4NA is the data controller for personal data processed through the CaseFile.uk service. You can contact us at nick@casefile.uk.
2. What We Collect
We collect and process the following personal data:
- Account information: your email address (and your name, if provided), given when you sign up or place an order.
- Case documents: files you upload for bundle preparation, which may contain personal data about you and third parties, including special category data (see section 3).
- Intake form data: matter type, jurisdiction, court reference, hearing date, parties, and case details you provide.
- Messages: communications between you and our team within the platform.
- Payment information: processed by Stripe; we do not store card numbers.
- Technical data: IP address, browser type, and access logs for security purposes.
3. Legal Basis for Processing
We process your data on the following legal bases:
- Contract performance (Article 6(1)(b) UK GDPR): processing necessary to fulfil your order and provide the Service.
- Legitimate interests (Article 6(1)(f) UK GDPR): security monitoring, fraud prevention, and service improvement.
- Legal obligation (Article 6(1)(c) UK GDPR): compliance with tax, accounting, and regulatory requirements.
- Special category data (Article 9 UK GDPR): your case documents may contain special category data (for example, information about health or other sensitive matters) and personal data relating to third parties such as other parties to your case, children, or witnesses. Where this is the case, we process that data because it is necessary for the establishment, exercise, or defence of legal claims (Article 9(2)(f) UK GDPR), and we rely on your instruction to prepare your bundle. You are responsible for having a lawful basis to share third-party data with us (section 5 of our Terms).
4. How We Use Your Data
- To prepare and deliver your court bundle
- To communicate with you about your order
- To process payments
- To send transactional emails (order confirmations, login links)
- To maintain security and prevent fraud
- To comply with legal obligations
We do not use your data for marketing purposes without your explicit consent. We do not sell your data to third parties.
5. Storage and Security
- Documents are stored in AWS S3 (eu-west-2, London region), encrypted at rest using AES-256.
- All data in transit is protected by TLS 1.3.
- Access to customer data is restricted to authorised personnel on a need-to-know basis, and enforced at the database level.
- Authentication uses time-limited magic links; no passwords are stored.
6. Cookies and Analytics
CaseFile uses a single strictly necessary cookie to keep you securely logged in. Under the Privacy and Electronic Communications Regulations (PECR), strictly necessary cookies do not require consent. We do not use advertising or tracking cookies.
For website analytics we use Plausible, a privacy-focused, cookieless analytics service. It does not set cookies, does not store personal data on your device, and does not track you across other websites. Because no cookies or personal data are stored on your device, no consent banner is required.
7. Data Retention
- Documents (paid cases): deleted 90 days after bundle delivery. You may request earlier deletion at any time.
- Documents (unpaid cases): uploaded documents and case details for cases that are created but not paid for are deleted 14 days after the case is created.
- Account data: retained for as long as your account is active, plus 6 years for legal and accounting purposes.
- Messages: retained with your account data.
- Technical logs: retained for 30 days.
8. Third-Party Processors
We use the following third-party data processors, all of whom have appropriate data processing agreements in place. Where data is transferred outside the UK, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses:
- Amazon Web Services (document storage, hosting) — UK (eu-west-2)
- Stripe (payment processing) — USA, under the UK Addendum to the EU SCCs
- Postmark (transactional email) — USA, under the UK Addendum to the EU SCCs
- Railway (application hosting) — USA, under the UK Addendum to the EU SCCs
- Plausible (website analytics) — EU-hosted; cookieless and does not process personal data
9. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your data (subject to legal retention requirements).
- Restriction: request that we limit processing of your data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
To exercise any of these rights, contact us at nick@casefile.uk. We will respond within one month.
10. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. We will notify you of material changes by email.
12. Contact
For any privacy-related queries, contact:
Casefile Software Limited (company number 17201853)
66 Paul Street, London, EC2A 4NA
nick@casefile.uk