Privacy Policy

1. Introduction

LupaSoft Ltd, trading as CourtPilot ("Company," "we," "us," or "our") operates the CourtPilot service ("Service") at www.courtpilot.co.uk. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our application.

We are committed to protecting your privacy and ensuring you have a positive experience on our platform. If you have questions about this Privacy Policy, please contact us at privacy@courtpilot.co.uk.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Name, email address, password, and profile details
• Case Information: Details about your legal claim, including parties, amounts, dates, and case description
• Documents: PDFs, images, and other files you upload for analysis
• Communication: Messages, feedback, and support requests you send us
• Payment Information: Processed securely through third-party payment providers (we do not store credit card details)

2.2 Information Collected Automatically

• Usage Data: Pages visited, time spent, clicks, searches, and features used
• Device Information: Browser type, operating system, device model, IP address, and unique device identifiers
• Location Data: Approximate geographic location (city/country level) based on IP address
• Cookies & Tracking: Through cookies, pixels, and similar technologies (see Cookie Policy)

2.3 Third-Party Data Collection

We work with a small number of carefully selected sub-processors to deliver the service. Section 6 lists each sub-processor in full. The categories of data collected through them are summarised here:

• Anthropic (Claude API): Receives the text we send for AI processing — case descriptions, extracted text from uploaded documents, conversation messages, and the prompts our system constructs around them
• Vercel: Hosts the CourtPilot website and APIs; receives all traffic and request metadata in the course of normal use
• Neon (database): Stores account data, case records, document metadata, extracted text, and audit logs
• Cloudflare R2: Stores your uploaded documents in encrypted form
• Redis Cloud: Caches non-sensitive application state and rate-limit counters
• Stripe: Collects transaction data for payment processing
• Resend: Sends transactional email (verification emails, receipts, case notifications)
• Sentry: Collects error logs and crash reports to improve platform stability, with PII filtering applied
• Google Analytics 4 & Google Tag Manager: Collect aggregate usage, device, and approximate location data to measure platform performance

3. How We Use Your Information

• Service Delivery: Creating and managing your account, processing cases, generating documents
• AI Analysis: Analysing documents and cases to provide legal insights and recommendations
• Communication: Sending transactional emails (confirmations, password resets) and product updates
• Platform Improvement: Understanding user behaviour to enhance features, fix bugs, and optimise performance
• Compliance & Security: Detecting fraud, enforcing terms, preventing abuse, and maintaining audit trails
• Legal Obligations: Responding to court orders, law enforcement requests, or regulatory requirements
• Marketing (with consent): Sending newsletters or promotional content only if you've opted in

4. Data Security & Encryption

We design CourtPilot around privacy-by-design and security-by-default principles, and operate the service to support compliance with the UK General Data Protection Regulation and the Data Protection Act 2018:

• AES-256-GCM Encryption at Rest: Uploaded documents are encrypted before being stored
• TLS 1.3 in Transit: All data transferred to and from CourtPilot is encrypted with modern cryptographic protocols
• Encryption Key Management: Encryption keys are managed via cloud-platform secret storage with restricted access
• PII Tokenisation in Conversational Case-Building: Identifying details that you type into our conversational case-builder (such as names, email addresses, phone numbers, and addresses) are substituted with placeholders before the message is sent to our AI provider. Tokenisation does not currently apply to documents you upload or to letter generation, where the original details are needed for the AI to produce a useful output. We may extend tokenisation to other parts of the service in future
• Role-Based Access Control (RBAC): Staff and application access limited to the information necessary for the task at hand
• Audit Logging: Document and case access is tracked and logged for security and compliance purposes
• Malware Scanning: Uploaded documents are scanned with ClamAV in our document-processing pipeline before they are made available for analysis
• Encrypted Document Storage: Documents are stored in Cloudflare R2 (UK/EU regions) in encrypted form

While we maintain strong security practices, no system is 100% secure. Please use unique, strong passwords and enable two-factor authentication if available.

5. Legal Data & Case Information

Your case information is treated with the highest level of confidentiality:

• Chain of Custody: All document uploads and modifications are tracked with timestamps and user attribution
• No Unsecured Logging: Case details and sensitive information are never logged in plain text
• Legal Professional Privilege: Case information is treated as confidential and is not shared with third parties except as required by law
• Data Retention: Case data is retained as long as your account is active. Upon deletion, all data is securely destroyed
• No AI Training: Your case data is not used to train AI models — Anthropic is contractually prohibited from training on customer content submitted via the API, and we do not maintain a separate training corpus

6. Third-Party Tools & Services

6.1 Google Analytics 4 & Google Tag Manager

We use Google Analytics 4 to measure website traffic and user behaviour (page views, time on site, conversions). Google Tag Manager manages the deployment of these tracking pixels.

• Data Collected: Usage patterns, device type, browser, location
• Privacy: Google Analytics data is anonymized and cannot be linked to individuals
• GDPR Compliance: Data processing agreements are in place with Google
• Opt-Out: You can disable Google Analytics with the Google Analytics Opt-Out Browser Extension
• Privacy Policy: See Google's Privacy Policy at https://policies.google.com/privacy

6.2 Payment Processing (Stripe)

Payment information is processed securely by Stripe. We do not store or have access to your full credit card details.

• PCI DSS Compliance: Stripe is fully PCI-DSS Level 1 certified
• Data Sharing: We receive only a transaction ID and confirmation of payment

6.3 Error Monitoring (Sentry)

We use Sentry to track errors and crashes. This helps us identify and fix issues quickly.

• Data Collected: Error messages, stack traces, device/browser information
• PII Redaction: We filter out case details and sensitive information from error reports

6.4 Email Service (Resend)

Transactional emails (verification emails, receipts, case notifications) are sent via Resend, Inc., based in the United States. Resend acts as our sub-processor under its data processing terms, which include EU Standard Contractual Clauses and the UK ICO Approved Addendum.

6.5 AI Processing (Anthropic)

Our AI features rely on Anthropic, PBC and the Claude API. When you use an AI feature, we send the relevant text — your case description, the extracted text content of documents you have uploaded, your conversation messages, and the prompts our system constructs around them — to Anthropic for processing. We do not send your password, payment details, or the encrypted document files themselves.

• Contractual safeguards: Anthropic acts as our sub-processor under Anthropic's Commercial Terms of Service and Data Processing Addendum, which include EU Standard Contractual Clauses and the UK Information Commissioner's Approved Addendum for international transfers
• No model training: Anthropic is contractually prohibited from training its models on customer content submitted via the API
• Limited retention by Anthropic: Anthropic retains submitted content only for the limited period needed to operate the service and to respond to abuse and trust-and-safety concerns; details are set out in Anthropic's published policies
• Sub-processor list: Anthropic's own list of sub-processors is published at anthropic.com/subprocessors

We do not use AI to make solely automated decisions producing legal effects within the meaning of Article 22 UK GDPR. AI outputs are guidance and drafts that you review, accept, modify, or reject before any decision is acted upon, filed with a court, or sent to a third party.

6.6 Hosting (Vercel)

The CourtPilot website and APIs are hosted on Vercel Inc., based in the United States with edge infrastructure in the UK and EU. All data transmitted to and from the service in the course of normal use passes through Vercel's infrastructure. Vercel acts as our sub-processor under its data processing terms, which include EU Standard Contractual Clauses and the UK ICO Approved Addendum.

6.7 Database (Neon)

Our primary application database is provided by Neon Inc., with data hosted in the United Kingdom (eu-west-2). Neon acts as our sub-processor under its data processing terms.

6.8 Document Storage and CDN (Cloudflare)

Encrypted documents are stored in Cloudflare R2. Cloudflare also provides DNS and content-delivery services for the website. Cloudflare, Inc. acts as our sub-processor under its data processing terms, which include EU Standard Contractual Clauses and the UK ICO Approved Addendum.

6.9 Caching (Redis Cloud)

Redis Ltd. (Redis Cloud) provides caching and rate-limit tracking, with data hosted in the United Kingdom (eu-west-2). Redis Cloud acts as our sub-processor under its data processing terms.

6.10 Sub-processor Changes

We will update this list at least 14 days before a new sub-processor begins processing your personal data. If you object to a new sub-processor, please contact privacy@courtpilot.co.uk before the change takes effect.

7. Your GDPR Rights (EU/UK Users)

If you are located in the EU, UK, or other jurisdictions with similar laws, you have the following rights:

• Right to Access: Request a copy of all personal data we hold about you
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data, subject to legal obligations
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to specific uses of your data (e.g., marketing)
• Right to Lodge a Complaint: Contact your local data protection authority (e.g., ICO in the UK)

To exercise any of these rights, contact us at privacy@courtpilot.co.uk with "GDPR Request" in the subject line. We will respond within 30 days.

8. Data Retention

• Account Data: Retained as long as your account is active. Deleted upon account termination.
• Case Information: Retained for compliance and legal purposes (court orders may require retention for 6-7 years)
• Analytics Data: Google Analytics data retained for 26 months by default
• Audit Logs: Kept for 12 months for security and compliance purposes

9. Children's Privacy

Our Service is not intended for individuals under 18 years old. We do not knowingly collect data from children. If we learn that a child has provided personal information, we will delete it immediately.

10. International Data Transfers

Our servers are located in the US. By using our Service, you consent to the transfer of your information to the United States, which may have different data protection laws than your home country. We implement Standard Contractual Clauses and other safeguards to ensure adequate protection.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on our website. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at: