CaseHug by CalmIntake — Legal Intake Automation
← Back to home

Privacy Policy

Calm Intake, LLC d/b/a CaseHug

Effective Date: April 2, 2026

Last Updated: April 2, 2026

Calm Intake, LLC, doing business as CaseHug ("CaseHug," "Company," "we," "us," or "our"), is committed to protecting the privacy and security of information processed through our platform. This Privacy Policy describes how we collect, use, disclose, and protect information in connection with the CaseHug platform and related services available at https://calmintake.com (the "Service").

CaseHug is a technology company that provides client intake automation, document collection, and electronic signature services to law firms and legal services organizations ("Subscribers"). We are not a law firm and do not provide legal services.

This Privacy Policy applies to: (a) Subscribers who create accounts and use the Service; (b) clients of Subscribers ("End Users") whose information is submitted through the Service by or at the direction of a Subscriber; and (c) visitors to our website.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

We collect information in three categories: Subscriber information, End User information processed on behalf of Subscribers, and automatically collected technical information.

1.1 Subscriber Information (Collected Directly)

When Subscribers register for and use the Service, we collect:

  • Account Information: Name, email address, phone number, law firm name, bar number (optional), firm address, and professional role
  • Billing Information: Payment card details and billing address (processed and stored by Stripe; CaseHug does not store full payment card numbers)
  • Configuration Data: Intake form templates, workflow settings, branding preferences, notification preferences, and user roles/permissions
  • Communications: Correspondence with our support team, feedback, and survey responses

1.2 End User Information (Processed on Behalf of Subscribers)

When Subscribers use the Service to collect information from their clients, we process on the Subscriber's behalf:

  • Intake Form Responses: Information submitted by End Users through intake forms created by Subscribers, which may include name, contact information, case details, and other information as configured by the Subscriber
  • Documents: Files uploaded by End Users, which may include identification documents, medical records, contracts, photographs, and other case-related materials
  • E-Signatures: Electronic signatures, signature timestamps, and associated metadata
  • Communication Records: SMS and email communications sent through the Service between Subscribers and End Users

Important: CaseHug processes End User information solely as a data processor acting on behalf of the Subscriber. The Subscriber (law firm) is the data controller and determines what End User information is collected and how it is used. End Users with questions about how their information is handled should contact the law firm that directed them to the Service.

1.3 Automatically Collected Information

We automatically collect certain technical information when you access the Service:

  • Usage Data: Pages viewed, features used, actions taken, session duration, and interaction patterns
  • Device Information: Browser type and version, operating system, device type, and screen resolution
  • Log Data: IP address, access timestamps, referring URLs, and error logs
  • Cookie Data: Information collected through cookies and similar technologies as described in Section 10

2. How We Use Information

2.1 Subscriber Information

We use Subscriber information to:

  • Provide, operate, and maintain the Service
  • Process subscriptions and billing
  • Send transactional communications (account confirmations, billing receipts, service notifications)
  • Provide customer support
  • Improve and develop the Service
  • Enforce our Terms of Service and protect against fraud
  • Comply with legal obligations
  • Send product updates and announcements (with opt-out available)

2.2 End User Information

We process End User information solely to:

  • Provide the Service to the Subscriber on whose behalf the data was collected
  • Transmit, store, and secure the data as directed by the Subscriber
  • Provide technical support when authorized by the Subscriber
  • Comply with legal obligations

We do not use End User information for our own marketing purposes, profiling, or any purpose unrelated to providing the Service to the Subscriber.

2.3 Aggregated and De-Identified Data

We may create aggregated, anonymized, or de-identified data from information collected through the Service ("Platform Data"). Platform Data cannot reasonably be used to identify any individual, End User, or Subscriber. We may use Platform Data for analytics, service improvement, benchmarking, and product development.

3. Legal Basis for Processing

We process personal information under the following legal bases:

  • Contract Performance: Processing necessary to provide the Service under our Terms of Service (Subscriber information)
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by data subjects' rights
  • Data Processor Obligations: Processing of End User information performed on behalf of and as instructed by Subscribers (data controllers) pursuant to our Terms of Service and any applicable Data Processing Agreement
  • Legal Compliance: Processing necessary to comply with applicable legal obligations
  • Consent: Where required by applicable law, we obtain consent for specific processing activities, such as sending marketing communications

4. Data Sharing and Disclosure

4.1 We Do Not Sell Personal Information

CaseHug does not sell, rent, or trade personal information to third parties. We have never sold personal information and have no plans to do so.

4.2 Service Providers

We share information with the following categories of service providers, solely to the extent necessary for them to provide services to us:

| Provider | Purpose | Data Shared |

| ---------- | --------- | ------------- |

| Stripe | Payment processing | Billing information, transaction details |

| SendGrid | Email delivery | Email addresses, email content for transactional messages |

| Twilio | SMS delivery | Phone numbers, SMS content for intake communications |

| Supabase | Database infrastructure and authentication | All Service data (encrypted, stored in US) |

| Amazon Web Services (AWS) | Cloud infrastructure (us-east-1) | All Service data (encrypted, stored in US) |

Each service provider is contractually obligated to use information only for the purpose of providing services to CaseHug and to maintain appropriate security measures.

4.3 Other Disclosures

We may disclose information:

  • Legal Process: In response to a subpoena, court order, or other valid legal process, subject to the provisions in our Terms of Service regarding compelled disclosure of Client Data
  • Legal Rights: To establish, exercise, or defend legal claims
  • Safety and Security: To protect the rights, property, or safety of CaseHug, our Subscribers, or others when we believe disclosure is necessary
  • Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, provided the acquiring entity agrees to be bound by this Privacy Policy
  • With Consent: With the explicit consent of the individual whose information is disclosed

4.4 Subscriber Access

Subscribers have access to End User information collected through their accounts. Subscribers are responsible for their own privacy practices with respect to End User information.

5. Data Security

5.1 Security Measures

We implement comprehensive technical, administrative, and organizational measures to protect information processed through the Service:

  • Encryption at Rest: All stored data is encrypted using AES-256 encryption
  • Encryption in Transit: All data transmitted to and from the Service is protected using TLS 1.3
  • Access Control: Row-level security ("RLS") is enforced at the database level, ensuring strict tenant isolation — Subscribers can access only their own data
  • Authentication: Secure authentication through Supabase Auth with support for multi-factor authentication
  • US-Only Data Storage: All data is stored exclusively in the United States, within the AWS us-east-1 region
  • Audit Logging: Access to data is logged for security monitoring and incident response
  • Personnel Controls: CaseHug personnel access to production data is restricted on a need-to-know basis and subject to confidentiality obligations

5.2 Security Incident Response

In the event of a security incident involving unauthorized access, acquisition, or disclosure of personal information, we will: (a) investigate and contain the incident; (b) notify affected Subscribers without unreasonable delay; (c) notify individuals and regulators as required by applicable law; and (d) take steps to prevent recurrence.

5.3 No Guarantee

While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Data Retention and Deletion

6.1 Retention Periods

  • Active Accounts: Data is retained for the duration of the Subscriber's active subscription
  • Default Retention After Case Closure: End User data associated with closed cases is retained for ninety (90) days by default
  • Configurable Retention: Subscribers may configure retention periods from one (1) to seven (7) years per their firm's record retention requirements
  • Legal Holds: Subscribers may place legal holds on specific data to prevent automatic deletion
  • Post-Termination: Following account termination, Subscriber data is retained in read-only mode for ninety (90) days to allow data export, after which it is permanently deleted unless a longer retention period is required by law

6.2 Deletion Process

When data is scheduled for deletion: (a) it is first soft-deleted and made inaccessible; (b) it is permanently purged from primary systems within thirty (30) days; and (c) it is removed from backups within ninety (90) days in accordance with our backup rotation schedule.

6.3 Billing Records

Billing and transaction records may be retained for up to seven (7) years as required for tax and accounting purposes, even after account termination.

7. HIPAA Provisions

7.1 Protected Health Information

Some information processed through the Service may constitute electronic protected health information ("ePHI") under HIPAA. CaseHug's infrastructure is designed to support HIPAA compliance.

7.2 Business Associate Agreement

CaseHug will enter into a Business Associate Agreement ("BAA") with Subscribers whose use of the Service involves ePHI. A BAA is included with Firm plan subscriptions and available upon request for Practice plan subscriptions.

7.3 Safeguards

CaseHug maintains the administrative, physical, and technical safeguards required by the HIPAA Security Rule, including:

  • Access controls and audit trails
  • Encryption of ePHI at rest and in transit
  • Workforce training and confidentiality agreements
  • Incident response and breach notification procedures
  • Regular risk assessments

7.4 Use and Disclosure

When acting as a business associate, CaseHug will use and disclose ePHI only as permitted by the BAA and applicable law.

7.5 Subscriber Responsibility

Subscribers are responsible for determining whether their use of the Service involves ePHI and for ensuring that a BAA is in place before transmitting ePHI through the Service.

8. Your Rights

8.1 All Users

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete personal information
  • Deletion: Request deletion of your personal information, subject to legal retention requirements
  • Portability: Request a copy of your personal information in a structured, commonly used, machine-readable format
  • Restriction: Request that we restrict the processing of your personal information in certain circumstances
  • Objection: Object to the processing of your personal information based on legitimate interests
  • Withdraw Consent: Where processing is based on consent, withdraw that consent at any time

8.2 Exercising Your Rights

  • Subscribers: May exercise rights through account settings or by contacting us at privacy@calmintake.com
  • End Users: Because we process End User information on behalf of Subscribers, End Users should direct requests to the law firm that collected their information. If an End User contacts us directly, we will refer them to the appropriate Subscriber or, if the Subscriber cannot be identified, assist the End User to the extent we are able

8.3 Verification

We may require identity verification before processing rights requests to protect against unauthorized access.

8.4 Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights.

9. California Privacy Rights (CCPA/CPRA)

9.1 Applicability

This section applies to California residents and supplements the rest of this Privacy Policy in accordance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").

9.2 Categories of Personal Information

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA/CPRA:

| Category | Examples | Collected |

| ---------- | ---------- | ----------- |

| Identifiers | Name, email, phone number, IP address | Yes |

| Customer Records | Billing address, payment information | Yes |

| Commercial Information | Subscription history, transaction records | Yes |

| Internet/Network Activity | Usage data, log data, browsing history on our Service | Yes |

| Professional Information | Bar number, firm name, professional role | Yes |

| Inferences | Usage patterns, feature preferences | Yes |

9.3 Business Purpose for Collection

We collect personal information for the business purposes described in Section 2 of this Privacy Policy.

9.4 Sale and Sharing

We do not sell personal information. We do not share personal information for cross-context behavioral advertising purposes. We have not sold or shared personal information in the preceding twelve (12) months.

9.5 California Residents' Rights

California residents have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information collected, the sources of collection, the business purposes, and the categories of third parties with whom information is shared
  • Delete: Request deletion of personal information, subject to exceptions
  • Correct: Request correction of inaccurate personal information
  • Opt-Out of Sale/Sharing: We do not sell or share personal information, so this right is not applicable, but you may still submit a request
  • Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted by the CCPA/CPRA
  • Non-Discrimination: We will not discriminate against you for exercising your rights

9.6 Submitting Requests

California residents may submit requests by:

We will respond to verifiable consumer requests within forty-five (45) days of receipt, as required by the CCPA/CPRA. We may extend the response period by an additional forty-five (45) days when reasonably necessary, with notice.

9.7 Authorized Agents

California residents may designate an authorized agent to submit requests on their behalf. We may require verification of the agent's authority.

10. Cookie Policy

10.1 What Are Cookies

Cookies are small text files stored on your device when you visit a website. We use cookies and similar technologies to operate and improve the Service.

10.2 Types of Cookies We Use

Essential Cookies (Required)

  • Authentication and session management
  • Security features (CSRF protection)
  • Load balancing and infrastructure
  • These cookies are necessary for the Service to function and cannot be disabled

Analytics Cookies (Optional)

  • Usage analytics to understand how the Service is used
  • Performance monitoring
  • Feature adoption tracking
  • These cookies help us improve the Service and may be disabled through your browser settings or our cookie preferences interface

10.3 Third-Party Cookies

We may use third-party analytics services that set their own cookies. These are governed by the respective third parties' privacy policies.

10.4 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may impair the functionality of the Service. You may disable analytics cookies without affecting core Service functionality.

10.5 Do Not Track

Some browsers transmit "Do Not Track" signals. There is no industry consensus on how to respond to these signals. We do not currently respond to Do Not Track signals, but we do not engage in cross-site tracking.

11. Children's Privacy

The Service is designed for use by law firms and legal professionals. We do not knowingly collect personal information directly from individuals under the age of 18. The Service is not directed to children.

End User information submitted through the Service is collected by Subscribers (law firms), not by CaseHug directly. If a law firm collects information from or about a minor through the Service, the law firm is responsible for compliance with applicable laws governing the collection of minors' information, including the Children's Online Privacy Protection Act ("COPPA") where applicable.

If we learn that we have directly collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at privacy@calmintake.com.

12. International Data Transfers

12.1 US-Only Storage

All data processed through the Service is stored exclusively in the United States, within the AWS us-east-1 region. We do not transfer data to servers located outside the United States.

12.2 International Access

If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States, where data protection laws may differ from those in your jurisdiction.

12.3 No EU/EEA Operations

CaseHug does not currently target or offer the Service to individuals or entities located in the European Union or European Economic Area. If this changes, we will update this Privacy Policy to address applicable data transfer mechanisms and GDPR requirements.

13. Third-Party Links and Integrations

The Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy applies only to the CaseHug Service. We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party services you interact with.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by: (a) posting the updated Privacy Policy on our website with a revised "Last Updated" date; (b) sending notice to the email address associated with your account; or (c) providing in-app notification.

Material changes will take effect thirty (30) days after notice is provided. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Calm Intake, LLC

Privacy Inquiries: privacy@calmintake.com

General Legal: legal@calmintake.com

Website: https://calmintake.com

For privacy rights requests, please email privacy@calmintake.com with the subject line "Privacy Rights Request" and include sufficient information for us to verify your identity and process your request.

This Privacy Policy is effective as of April 2, 2026.

Questions about privacy? Contact us at privacy@calmintake.com