Privacy Policy
Last updated: March 13, 2026
CASO Document Management, Inc. ("CASO," "we," "us," or "our") operates the CASO Comply platform, an AI-powered document accessibility remediation service. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our website, platform, and services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not access or use the Service.
1. Information We Collect
Account Information
When you create an account, we collect your name, email address, organization name, job title, and billing information. If you sign up on behalf of an organization, we may also collect your organization's address and tax identification number for invoicing purposes.
Uploaded Documents
When you use our cloud-based remediation service, you may upload PDF documents and other files for processing. These documents are stored temporarily for the purpose of remediation and delivery. If you use our on-premise Docker agent, documents are processed entirely on your infrastructure and are never transmitted to or stored by CASO.
Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, documents processed, credit consumption, timestamps, browser type, operating system, and IP address. This data helps us improve the Service and diagnose technical issues.
Cookies and Tracking Technologies
We use cookies and similar technologies to maintain your session, remember your preferences, and understand how the Service is used. We use essential cookies required for the Service to function and analytics cookies to measure usage patterns. You can control cookie preferences through your browser settings.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service — Process your documents, deliver remediated files, manage your account, and handle billing.
- Improve the platform — Analyze usage patterns to identify bugs, improve features, and optimize performance. We may use anonymized and aggregated data to train and improve our AI remediation models.
- Communicate — Send transactional emails (account confirmations, billing receipts, document processing notifications), respond to support requests, and share product updates. You can opt out of non-essential communications at any time.
- Ensure security — Detect and prevent fraud, abuse, and unauthorized access to the Service.
- Comply with legal obligations — Fulfill our legal and regulatory requirements, including tax reporting and responding to lawful requests from government authorities.
3. Data Retention and Deletion
We retain your account information for as long as your account is active. If you close your account, we will delete your personal information within 30 days, except where we are required to retain it for legal or regulatory purposes (such as billing records, which we retain for 7 years).
Uploaded documents processed through our cloud service are retained for a maximum of 30 days after processing to allow you to download remediated files. After this period, documents are permanently deleted from our systems. You may request immediate deletion of your documents at any time through your dashboard or by contacting us.
Documents processed through our on-premise Docker agent are never stored by CASO. All processing occurs on your infrastructure and is subject to your own retention policies.
4. Third-Party Services
We use the following third-party services to operate the platform. Each provider has been evaluated for its security and privacy practices:
- Supabase — Database and authentication infrastructure. Account data and platform metadata are stored in Supabase's SOC 2 certified infrastructure.
- Vercel — Web application hosting. Our website and application are hosted on Vercel's SOC 2 certified platform.
- Analytics providers — We use privacy-respecting analytics to understand how the Service is used. We do not sell your data to any analytics or advertising providers.
We do not sell, rent, or trade your personal information to any third party. We share information with third-party service providers only to the extent necessary to operate the Service.
5. Security Measures
We take the security of your data seriously and implement industry-standard measures to protect it:
- Encryption — All data is encrypted in transit using TLS 1.2 or higher. Sensitive data is encrypted at rest using AES-256 encryption.
- SOC 2 Type II Certification — CASO Document Management maintains SOC 2 Type II certification, demonstrating independently audited controls for security, availability, and confidentiality.
- Access controls — Access to customer data is restricted to authorized personnel on a need-to-know basis. All access is logged and audited.
- Infrastructure security — Our infrastructure providers maintain comprehensive physical and network security controls, including intrusion detection, DDoS protection, and regular penetration testing.
6. HIPAA Considerations
For healthcare organizations and other entities subject to HIPAA, we offer our on-premise Docker agent, which processes documents entirely on your infrastructure. Because protected health information (PHI) never leaves your environment, no Business Associate Agreement (BAA) is required for on-premise deployments.
If you require cloud-based processing of documents that may contain PHI, please contact us to discuss BAA arrangements and additional security measures for your specific use case.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access — You may request a copy of the personal information we hold about you.
- Correction — You may request that we correct any inaccurate or incomplete personal information.
- Deletion — You may request that we delete your personal information, subject to our legal retention obligations.
- Portability — You may request a machine-readable export of your personal data.
- Restrict processing — You may request that we limit how we use your personal information.
- Withdraw consent — Where processing is based on consent, you may withdraw that consent at any time.
To exercise any of these rights, please contact us at privacy@casocomply.com. We will respond to verified requests within 30 days.
8. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.
9. International Data Transfers
Our Service is operated in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on the Service prior to the change becoming effective. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
CASO Document Management, Inc.
Email: privacy@casocomply.com