Privacy Policy

Last updated: January 2026

The Short Version

We collect what we need to run the service. We don't sell your data. Your evidence files are yours. We use industry-standard security. You can export or delete your data at any time.

What We Collect

Account Information

We support authentication via Google or email. When you sign in, we collect your email address and basic profile information (name and, if using Google, profile picture). That's it for account creation. We don't access your Gmail, Drive, Calendar, or any other external services.

Evidence Files

You upload videos, photos, and audio recordings. We store them securely in Google Cloud Storage (US multi-region) for maximum durability and availability. Firebase Storage is the interface we use, but your files live on Google's infrastructure with the same enterprise-grade reliability used by millions of applications worldwide.

Case Data

Case titles, descriptions, client names, locations, tags, and notes are stored in Cloud Firestore with appropriate security rules that ensure only authorized users can access your data.

Technical Information

Standard web logs include IP addresses, browser type, and timestamps. These are used for security, debugging, and rate limiting. We do not use any third-party analytics, tracking pixels, or ad networks.

How We Use Your Data

  • Run the service (obviously)
  • Send you important updates about your account or cases
  • Improve the product based on usage patterns
  • Comply with legal requirements when necessary

We don't sell your data. Ever. We're not in that business.

Who Sees Your Data

Just You (Mostly)

Your cases and evidence are yours. Nobody else can see them unless you explicitly share access.

Our Service Providers

We use trusted third parties to run the service:

  • Google Cloud Platform: Hosting, storage (US multi-region for durability), database, and authentication via Firebase
  • Vercel: Web application hosting and deployment
  • AssemblyAI: Speech-to-text transcription for video narration
  • Stripe: Payment processing (we never see your full card number)
  • Resend: Transactional email delivery

These companies have their own privacy policies and operate under standard Data Processing Agreements (DPAs). We selected them because they take security seriously and are leaders in their respective fields. All data is processed in the United States.

Legal Requirements

If we receive a valid subpoena or court order, we must comply. We will fight overbroad requests, but we are required to follow the law. We will notify you if legally permitted to do so.

Security

We use industry-standard security measures:

  • All data transmitted over HTTPS/TLS encryption
  • Files stored in Google Cloud Storage with encryption at rest (AES-256)
  • US multi-region storage for high availability and durability
  • Firebase Security Rules to prevent unauthorized data access
  • Regular security updates and monitoring
  • SHA-256 hashing for evidence integrity verification

No system is 100% secure, but we take this seriously. If there is ever a breach, we will notify you promptly.

Your Rights

  • Access: Download your data anytime through the export feature
  • Delete: Delete individual files, cases, or your entire account
  • Correct: Edit your information whenever you want
  • Port: Export your data in standard formats (PDF reports, original media files)

Cookies and Tracking

We use only essential cookies required to operate the service:

  • Authentication: Session cookies to keep you logged in
  • Security: CSRF tokens to prevent cross-site attacks
  • Payments: Stripe uses cookies for secure payment processing

We do not use analytics cookies, tracking pixels, ad networks, or remarketing services. Because we only use strictly necessary cookies, we do not require a cookie consent banner under GDPR or CCPA.

Data Retention

We keep your data as long as your account is active. When you delete something, it's removed from our production systems. Backups are purged on a regular schedule.

If you delete your account, you have a 30-day grace period to change your mind. After that, we will delete your data, except for records we are legally required to keep for accounting and tax purposes.

International Users

Our servers are located in the United States (Google Cloud US multi-region). If you are outside the US, your data will be transferred to and stored in the US. By using the service, you consent to this transfer.

Children

This service is not intended for children under 13. If you are under 13, please do not use it. If we discover that a child has created an account, we will delete it.

Changes to This Policy

We may update this policy from time to time. When we do, we will update the date at the top and notify you via email if the changes are significant. Please check back periodically.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request what personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising, so there is nothing to opt out of
  • Right to Limit: We do not use or disclose sensitive personal information beyond what is necessary to provide the service
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us with your request. We will respond within 45 days.

We do not sell your personal information. We do not share it for cross-context behavioral advertising. We only share data with service providers (Google Cloud, Vercel, AssemblyAI) who are contractually required to protect it.

European Users (GDPR)

If you are in the European Economic Area (EEA), UK, or Switzerland, you have rights under GDPR:

  • Right of Access: Get a copy of your personal data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Delete your data (subject to legal requirements)
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Export your data in a standard format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Stop processing based on consent

Legal Basis for Processing: We process your data based on:

  • Contract: To provide the service you signed up for
  • Legitimate Interest: To improve the service, prevent fraud, and ensure security

To exercise your rights, contact us. You also have the right to lodge a complaint with your local data protection authority.

Questions?

Have questions about this policy? Contact us.

We tried to write this in plain English rather than legalese. If there is ever a conflict between this easy-to-read version and some legal interpretation, we will go with what makes sense for protecting your privacy.