Privacy Policy
Effective from: 2026-07-03
History
1. Introduction
DirectCase s.r.o. is committed to protecting privacy and securing users' personal data. This Privacy Policy explains how we collect, use, share, and protect data when using our DirectCase application available at directcase.ai ("Service"), enabling search and analysis of legal sources using AI technologies. By accessing and using the Service, users consent to this Policy.
2. Processing of personal data and legal basis
We may collect and process the following types of data:
Personal data:
- Identification data: name, email address, contact information.
- Usage data: information on how the user uses the Service.
Non-personal data:
- Technical data: IP address, browser type, device/OS information.
- Analytical data: usage statistics, performance metrics, aggregated data.
Additional data we process:
- Content you provide — the questions, prompts, and any documents or files you upload to the Service.
- Account identifiers — your user ID and, where applicable, device identifiers used to operate the Service and to link analytics to your account.
- Subscription and purchase data — your plan, subscription status, and purchase history. Payment card data is handled by Apple or Stripe and is never received by us.
- Crash and diagnostic data — crash logs and error and performance diagnostics used to keep the Service stable.
Legal bases for processing:
- Performance of contract — processing is necessary to provide the Service.
- Legitimate interest — system security, abuse prevention, performance monitoring, UX improvement.
- Consent — marketing communications and personalised content are carried out only on the basis of free and informed consent, which may be withdrawn at any time.
2a. Cookies
The Service uses the following cookie types:
- Essential cookies — enable the basic functioning of the Service. Cannot be turned off.
- Analytical cookies — used to improve the Service based on aggregated data. Active only with prior consent.
- Marketing cookies — enable relevant advertising. Active only with prior consent.
Consent can be withdrawn at any time via cookie settings on the site or in the browser.
3. Use of data
- Providing and managing the Service — functionality, security, performance.
- Improving the Service — analysing aggregated and anonymised data.
- Communication — answering queries, providing change information, technical support; marketing only with consent.
- Data sharing — with third-party service providers to ensure functionality; only anonymised or aggregated data, unless otherwise stated in Appendix A — DPA.
- Legal obligations — complying with statutory duties and enforcing the Terms.
4. User queries and content
Queries on case law and other legal documents entered by the user are not further processed for any purpose other than retrieving and displaying the relevant information within the Service.
5. Scope of this policy — DirectCase's role
This policy applies exclusively to processing in which DirectCase acts as Controller — i.e., user account data.
Content entered into the Service (queries, case descriptions, client data) is processed by DirectCase as Processor on the user's instructions. This processing is governed by Appendix A — DPA.
Mobile application (Apple App Store)
This policy also covers the DirectCase application for iOS, distributed through the Apple App Store. When you subscribe within the app, payment is processed by Apple under Apple's terms; we receive your subscription status but not your payment card details.
6. Data sharing and international transfers
Third-party providers: Personal data from user account data (Cat. 1) is shared only with payment and operational service providers. Content entered into the Service (Cat. 2) is shared by DirectCase as Processor with sub-processors per Appendix A — DPA.
Legal requirements: Data may be disclosed if required by law, regulation, court order, or to protect rights and safety.
Business transactions: In the event of a merger, acquisition, or sale of assets, data may be transferred as part of the transaction.
Sub-processors and international transfers:
We share personal data only with service providers ("processors") who act on our behalf under contract. We do not sell your personal data, and we do not share it with third parties for their own advertising.
| Provider | Role | Data processed | Location |
|---|---|---|---|
| WorkOS, Inc. | Authentication and single sign-on | Name, email address, account identifier | USA |
| PostHog (EU Cloud) | Product analytics | Account identifier, name, email, product-interaction events, approximate location derived from IP | EU (Germany) |
| Better Stack, Inc. | Error tracking, logging, and performance monitoring | Crash logs, error and performance diagnostics, log events, account identifier, email address, request context | EU (Germany) |
| Brevo SA ("Sendinblue") | Transactional and marketing email | Name, email address | EU (France) |
| Stripe Payments Europe, Ltd. | Subscription billing and payment processing | Subscription and purchase records. Card details are entered with and held by Stripe; we never receive them. | EU (Ireland) / USA |
| Apple Distribution International Ltd. | App distribution and in-app purchase billing | Subscription and purchase transactions. Card details are held by Apple; we never receive them. | EU (Ireland) |
| OpenAI, L.L.C.; Anthropic, PBC; Google LLC | AI processing of your queries | Query text you submit | USA |
| Amazon Web Services, Inc. | Cloud infrastructure | Data stored and processed to operate the Service | EU (Sweden) |
| Hetzner Online GmbH | Cloud hosting (primary) | Data stored and processed to operate the Service | EU (Germany) |
| RunPod, Inc. | GPU compute for AI embeddings and models | Query and document text processed for embeddings and AI responses | EU (Romania) |
Personal data is stored and processed within the EU. A limited number of sub-processors (authentication and AI query processing) operate in the USA; such transfers are covered by Standard Contractual Clauses. Users have the right to obtain a copy of the SCC upon request.
7. Marketing use of data
Where the user has given consent, we may send commercial communications. Unsubscribe is possible at any time following the instructions in the communication or by contacting info@directcase.ai.
8. Data storage and security
Storage: Data is stored on secure servers located in Germany with industry-standard security.
Security: Measures pursuant to Art. 32 GDPR:
- encryption of data at rest and in transit,
- role-based access control (RBAC),
- regular security testing.
Retention:
- Account data: for the duration of the contract and 3 years thereafter.
- Accounting documents: 10 years (statutory obligation).
- Content entered into the Service: see Appendix A — DPA (automatic deletion after 90 days).
Breach notification: DirectCase notifies affected users without undue delay pursuant to Art. 33(2) GDPR.
DPIA: On request we provide information and cooperation under Art. 35 GDPR.
Data Protection Officer (DPO): Given the nature of processing, no DPO has been appointed under Art. 37 GDPR. Contact: info@directcase.ai.
9. User rights
- Access — to personal data held about them.
- Rectification — of inaccurate or incomplete data.
- Erasure — under certain conditions.
- Restriction — of processing.
- Portability — to another provider.
- Objection — to processing, including marketing.
Right to lodge a complaint: with the competent supervisory authority.
Automated decision-making: DirectCase does not perform automated decision-making with legal or similarly significant effects under Art. 22 GDPR. AI outputs are for information only.
10. Children's data protection
The Service is intended only for users over 18. We do not knowingly collect data from younger persons. If we become aware of such data, we will delete it promptly.
11. Third-party links and services
The Service may contain links to third-party websites or services not controlled by DirectCase. DirectCase is not responsible for their privacy policies or content.
12. Changes to the policy
We may update this Policy from time to time. We will notify users by publishing a new version on this page. Material changes will be communicated to users by email at least 14 days before they take effect.
13. Third-party provider policies
By using the Service users also consent to the terms and policies of the following AI providers:
- OpenAI Privacy Policy and OpenAI Terms of Use
- Anthropic Privacy Policy and Anthropic Terms
- Google Privacy Policy and Google Terms
14. Contact
DirectCase s.r.o.
Zenklova 2530/23, 180 00 Praha
VAT ID: CZ24337269 | Company ID: 24337269
Email: info@directcase.ai