Casegen.ai Logo

Login

Book a Call
Book a Call

Privacy

Privacy Policy

Last Updated: March 12, 2025

Application: This Privacy Policy describes the data protection practices that CaseGen has maintained since commencing operations and applies to all customers, including those who subscribed to the Services prior to the publication of this Policy. By continuing to use the Services after this Policy is posted, existing customers agree to its terms.

MAF AI, Inc. (“MAF AI”, “CaseGen,” “we,” “us,” or “our”) respects your privacy and is committed to protecting personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit https://www.casegen.ai, interact with our marketing or scheduling tools, or use our AI-powered legal intake, answering, follow-up, messaging, and outbound communication services (collectively, the “Services”).

By accessing or using the Services, you agree to this Privacy Policy. If you do not agree, do not use the Services.

By accessing or using the Services, you agree to this Privacy Policy. If you do not agree, do not use the Services.

1. Scope of This Policy

This Privacy Policy applies to:

  • Website visitors and prospective customers
  • Individuals who submit forms or book meetings
  • Law firms and authorized users who subscribe to CaseGen
  • Data processed on behalf of law firm customers while providing the Services

This Policy applies regardless of whether data is collected or processed via website forms, phone calls, SMS, email, outbound communications, or other channels supported by CaseGen.

2. Nature of the Services

CaseGen provides managed AI services for law firms. Unlike self-service software platforms, CaseGen operates and configures the Services on behalf of customers based on their requirements and instructions.

How It Works

  • Customers communicate their needs, requirements, and compliance obligations to CaseGen
  • CaseGen configures and operates AI agents, call handling, and communication systems accordingly
  • Customers do not have direct access to modify system configurations
  • Configuration changes, retention adjustments, or special requirements must be requested through your CaseGen account representative or support@casegen.ai

This managed service approach ensures optimal performance and compliance but requires active communication between customers and CaseGen regarding specific use cases and requirements.

3. Information We Collect

a. Website and Pre-Sales Information

We collect information you voluntarily provide, including:

  • Name, email address, phone number
  • Law firm or company name
  • Demo requests, calendar bookings, and contact submissions
  • Marketing preferences and communication consent

We also collect limited technical information automatically, such as IP address, browser type, device information, and website usage data through cookies and similar technologies.

b. Customer and Service Data (Processed on Behalf of Clients)

When law firms use the Services, CaseGen processes information necessary to operate the platform, which may include:

  • Account, user, and billing information
  • Call recordings, call metadata, and telephony data
  • Call transcripts and intake responses
  • SMS and email communications sent or received through the platform
  • Scheduling, appointment coordination, and follow-up data
  • Outbound call and message activity related to intakes, retainers, and client follow-ups
  • Evaluation and quality-assurance data used to assess and improve agent behavior
  • Support communications and configuration preferences

This data may include personal information relating to callers, clients, service providers, or third parties, as provided by or on behalf of our customers.

4. Call Recording and Telephony Data

CaseGen’s Services may enable and support call recording and related telephony features (including call metadata such as call time, duration, routing, and phone numbers), as configured for each customer.

Customer configuration and lawful use
CaseGen configures recording and notification settings based on each customer’s documented instructions and the capabilities of the applicable telephony provider(s). Customers are responsible for determining whether recording is lawful for their specific use case(s), jurisdictions, and call flows, including whether notice and/or consent is required and what form of notice is appropriate.

Notifications and consent tools
Where supported, CaseGen can implement customer-selected notification mechanisms (for example, verbal announcements, beep tones, or other disclosures). CaseGen may also provide operational tools (such as call scripts, opt-out handling, and logging) to help customers implement their compliance decisions; however, CaseGen does not provide legal advice and does not determine the legal sufficiency of any notice or consent mechanism for a customer’s particular circumstances.

Compliance controls
If CaseGen reasonably believes a customer’s configured use of recording features presents material legal, regulatory, or platform risk, CaseGen may require configuration changes, restrict certain features, or suspend recording functionality for that customer until the issue is addressed, consistent with the parties’ agreements.

5. Outbound Communications Data

CaseGen facilitates outbound calls, SMS messages, and automated communications on behalf of law firm customers for purposes including:

  • Follow-up with prospective clients
  • Appointment reminders and confirmations
  • Administrative coordination

Data Processing

For outbound communications, we process:

  • Recipient contact information (phone numbers, email addresses)
  • Message content as configured in consultation with the customer
  • Delivery status and response data
  • Opt-out and preference data

Consent, opt-out, and compliance
Customers are responsible for ensuring they have a lawful basis and any required consents to initiate outbound calls, texts, or emails using the Services, including compliance with the Telephone Consumer Protection Act (“TCPA”), Telemarketing Sales Rule (“TSR”), state telemarketing laws, and analogous regulations.

Opt-out and suppression
CaseGen supports customer-directed opt-out handling (for example, SMS “STOP” keywords where supported and do-not-contact suppression lists). Customers are responsible for providing and maintaining accurate do-not-contact and opt-out information and for promptly informing CaseGen of any compliance requirements specific to their campaigns (including time-of-day, jurisdictional restrictions, and calling purpose).

Risk controls
If CaseGen reasonably believes the Services are being used in a way that creates material compliance risk (e.g., repeated complaints, unlawful calling patterns, or provider policy violations), CaseGen may require changes, limit functionality, or suspend outbound communications, consistent with the parties’ agreements.

Customers are responsible for:

  • Obtaining appropriate consents before initiating communications
  • Ensuring compliance with applicable telecommunications laws (including TCPA, TSR, and similar regulations)
  • Informing CaseGen of opt-out requests and do-not-contact preferences
  • Providing guidance on calling restrictions, time zones, and compliance requirements for their specific use case

CaseGen configures and operates communication systems based on customer instructions and requirements, but customers determine lawful use and maintain ultimate responsibility for compliance with telecommunications laws.

6. AI Disclosure and Usage

AI-Powered Services

CaseGen uses artificial intelligence (AI) and machine learning technologies to power conversational agents, process natural language, route communications, and automate workflows.

Disclosure: When you interact with CaseGen Services, you may be communicating with AI-powered agents. These agents are designed to simulate natural conversation but are not human operators.

How We Use Data for Service Improvement

CaseGen may analyze call recordings, transcripts, messages, and interaction data to:

The activities described are conducted solely to provide, improve, and maintain the Services for the applicable customer, and are exclusively for the purpose of performing the business functions specified in our agreement with that customer, and not for CaseGen’s independent commercial or business purposes, thereby ensuring compliance with its status as a Service Provider under the CCPA/CPRA.

What We Do NOT Do

  • We do not use Customer Data to train, retrain, or fine-tune third-party foundation models or general-purpose AI systems
  • We do not share Customer Data across different customers or organizations
  • We do not sell, license, or monetize Customer Data for advertising or unrelated commercial purposes

Clarification on “Training”

When we say we do not use data to “train models,” we mean we do not incorporate Customer Data into the base parameters or weights of large language models (LLMs) or other foundation models.

We do use Customer Data to:

  • Adjust prompt templates, instructions, and configuration parameters
  • Create evaluation datasets for quality assessment within a customer’s environment
  • Tune routing logic and decision trees specific to that customer’s use case
  • Refine response selection and conversation flows

These activities are conducted solely to provide and improve the Services for the applicable customer and do not involve cross-customer data sharing or external model training.

7. How We Use Information

We use information solely to:

  • Provide, operate, and maintain the Services
  • Route, record, store, and process calls, messages, and intakes
  • Send and receive communications on behalf of customers
  • Coordinate appointments, follow-ups, and administrative workflows
  • Improve system reliability, accuracy, and agent performance
  • Evaluate prompt logic and agent behavior for service quality
  • Provide customer support and troubleshooting
  • Process billing and manage subscriptions
  • Comply with legal obligations and enforce agreements
  • Protect against fraud, abuse, and security threats

8. Data Ownership and Controller/Processor Relationship

For subscription customers:

Law Firm as Data Controller

  • The law firm is the data controller and owner of all Customer Data
  • The law firm determines purposes and lawful bases for processing
  • The law firm instructs CaseGen regarding data handling requirements

CaseGen as Service Provider/Processor

  • CaseGen acts as a service provider, processor, or subprocessor (depending on applicable law)
  • CaseGen operates and configures the Services based on:
    • Customer instructions and requirements
    • Applicable service agreements
    • This Privacy Policy
    • Applicable law

Service Configuration

CaseGen operates the Services on behalf of customers, including configuration of:

  • Call recording and notification settings
  • Outbound communication parameters
  • Retention periods and data handling
  • Integration and routing rules
  • AI agent behavior and conversation flows

Customers must communicate their specific requirements, preferences, and compliance obligations to CaseGen. We configure the Services based on these instructions, but customers retain ultimate responsibility for ensuring their use of the Services complies with applicable laws.

Processing Activities

Our AI agents make certain automated decisions (e.g., conversation routing, response selection, appointment scheduling) as part of providing the Services. These decisions are made:

  • Within parameters configured by CaseGen based on customer requirements
  • According to customer instructions
  • For the purpose of delivering the contracted Services
  • Without independent decision-making authority outside the scope of Services

CaseGen does not claim ownership of Customer Data.

9. Data Sharing and Disclosure

We do not sell personal or law firm information.

We may share information only with:

Service Providers and Subprocessors

We engage third-party service providers to support:

  • Cloud infrastructure and hosting
  • Telephony and messaging services
  • Payment processing and billing
  • Analytics and monitoring
  • Customer support tools

All subprocessors are contractually bound by confidentiality and data protection obligations substantially similar to those in this Policy.

Customer-Directed Sharing

We share data with third parties as specifically directed by customers in connection with providing the Services, including:

  • Recipient parties designated by the customer
  • Services integrated per customer instructions

Legal Requirements

We may disclose information when required by law, including:

  • In response to valid legal process (subpoenas, court orders)
  • To comply with applicable laws and regulations
  • To protect CaseGen’s rights, property, or safety
  • To protect the rights, property, or safety of users or the public
  • In connection with investigations of fraud or security incidents

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected parties of any such change and any choices available.

10. Data Retention

Retention Periods

We retain personal information and Customer Data only as long as necessary to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and protect the security and integrity of the Services.

Default retention (may be customized for certain Customer Data)

  • Call recordings: 90 days from the date of the call (customer-configurable upon request).
  • Transcripts and intake data: 90 days from the date of the call (customer-configurable upon request).
  • Outbound message content and delivery metadata (SMS/email routed through the Services): 90 days by default (customer-configurable upon request, subject to provider constraints).
  • Account, billing, and tax records: retained for up to 2 years (or longer where required by applicable law).
  • Website analytics: up to 12 months.
  • Marketing communications: maintained until opt-out, and we may retain a record of your opt-out and suppression status for up to 2 years (or longer as needed to honor your preferences).

Customer-requested changes
Customers may request different retention periods for certain categories of Customer Data by contacting privacy@casegen.ai or their account representative. Approved changes will be documented in the customer’s service configuration.

Deletion
Subject to legal and contractual obligations, customers may request deletion of specific Customer Data. We will process deletion requests within a commercially reasonable timeframe (typically within 30 days), unless:

  • retention is required by law,
  • data is subject to a legal hold, or
  • data is needed to establish, exercise, or defend legal claims.

Backups and residual copies
Deleted data may persist for a limited period in encrypted backups or logs maintained for security, disaster recovery, and business continuity, and will be deleted or overwritten in accordance with our backup retention practices.

11. Security

Security Measures

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

Technical Controls:

  • Encryption in transit (TLS 1.2+) and at rest
  • Access controls and authentication mechanisms
  • Network security measures
  • Regular monitoring and logging

Administrative Controls:

  • Security policies and procedures
  • Employee training on data protection
  • Incident response procedures
  • Vendor management practices

Physical Controls:

  • Use of enterprise-grade cloud infrastructure (Google Cloud Platform)
  • Data center security managed by our cloud infrastructure provider

Infrastructure

CaseGen uses Google Cloud Platform (GCP) for hosting and data storage. GCP data centers maintain industry-standard physical and environmental security controls. Information about GCP’s security practices is available at cloud.google.com/security.

Data Breach Notification

In the event of a data breach that compromises personal information, we will:

  • Investigate and contain the breach promptly
  • Notify affected customers without undue delay and within 72 hours where required by law
  • Notify affected individuals as required by applicable law
  • Cooperate with regulatory authorities as required
  • Provide information about the breach, affected data, and remediation steps

12. Cookies and Tracking

Cookies We Use

CaseGen uses cookies and similar technologies (such as pixels, local storage, and SDKs) on our website to operate the site, understand usage, prevent fraud, and measure marketing performance.

Categories of cookies/technologies

  • Strictly necessary: essential for site functionality, security, and session management.
  • Analytics: help us understand how visitors interact with the site (e.g., page views, performance, and errors).
  • Marketing/measurement: help us measure campaigns and attribute conversions; depending on configuration, these technologies may collect identifiers such as cookie IDs, device IDs, and IP-derived location.

Your choices
You can control non-essential cookies via our cookie banner (where presented) and/or your browser settings. Disabling certain cookies may affect site functionality or measurement.

“Sale” / “sharing” under certain laws
CaseGen does not sell personal information for money. Depending on how analytics and marketing technologies are configured, certain disclosures of identifiers to third parties for cross-context behavioral advertising may be considered a “sale” or “sharing” under some U.S. state privacy laws. Where applicable, we provide a mechanism to opt out of such disclosures (for example, through our cookie settings and/or a “Do Not Sell or Share My Personal Information” link).

Do Not Track
Our website does not currently respond to browser “Do Not Track” signals.

13. International Data Transfers

Data Locations

CaseGen’s Services are hosted in the United States. As a result, personal information and Customer Data processed through the Services are processed and stored in the United States, and may be accessed from the United States for support, security, and service operations.

U.S.-only offering
The Services are intended for use by U.S.-based customers and are not marketed or offered for use in jurisdictions where CaseGen cannot implement an appropriate cross-border data transfer mechanism.

No transfer mechanism for restricted transfers
CaseGen has not implemented Standard Contractual Clauses (SCCs), Binding Corporate Rules, or other GDPR/UK GDPR transfer mechanisms for routine restricted transfers. Accordingly, customers must not submit to the Services personal data that is subject to GDPR/UK GDPR/Swiss cross-border transfer restrictions unless and until CaseGen and the customer have agreed in writing on transfer terms and safeguards applicable to that customer’s use case.

If restricted data is provided
If we become aware that personal data subject to GDPR/UK GDPR/Swiss transfer restrictions has been provided to CaseGen in a manner inconsistent with this section, we may restrict processing, delete the data, suspend the affected workflows, and/or require configuration changes until the issue is remediated, consistent with our agreements.

14. Your Privacy Rights

CCPA/CPRA Rights (California)

California residents have the right to:

  • Know: Request information about what personal information is collected, used, disclosed, and (if applicable) sold or shared.
  • Access: Request a copy of your personal information (up to twice per 12-month period, where applicable).
  • Delete: Request deletion of your personal information, subject to legal exceptions.
  • Correct: Request correction of inaccurate personal information.
  • Opt-out (if applicable): Opt out of the sale or sharing of personal information (as those terms are defined under California law), if CaseGen engages in such activities for the applicable data.
  • Limit (if applicable): Limit the use and disclosure of sensitive personal information if it is used or disclosed for purposes beyond those permitted by California law.
  • Non-discrimination: Not be discriminated against for exercising your privacy rights.

Note: CaseGen does not sell personal information. For Customer Data processed on behalf of law firm customers, CaseGen does not share personal information for cross-context behavioral advertising. CaseGen may disclose personal information to service providers/subprocessors solely to provide, secure, and maintain the Services and for other permitted business purposes.

Requests for Customer Data: If your personal information was collected by a law firm using CaseGen, the law firm is typically the business responsible for responding to your request. Please submit your request directly to that law firm. CaseGen will assist our law firm customers, as applicable, in responding to verified consumer requests consistent with our contractual and legal obligations.

Other U.S. State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, Montana, Oregon, Texas, and other states with comprehensive privacy laws have similar rights. Contact us to exercise these rights.

Submitting Requests

To exercise privacy rights:

Email: privacy@casegen.ai
Subject line: “Privacy Rights Request”
Include: Your name, contact information, specific request, and information to verify your identity

We will respond within:

  • 45 days (CCPA/CPRA), with possible 45-day extension if needed
  • Timeframes required by other applicable laws

We may need to verify your identity before fulfilling requests. We will not discriminate against you for exercising privacy rights.

15. Children’s Privacy

Our website and Services are not directed to children, and we do not knowingly collect personal information from children through our marketing website.

However, because CaseGen provides managed intake and communications services for law firms, Customer Data may include information about minors (for example, where a caller seeks legal services involving a minor). In those cases, CaseGen processes such information only on behalf of and under the instructions of the customer (the law firm), consistent with our agreements and this Policy.

If a parent or guardian believes we have collected a child’s personal information through our website in a manner inconsistent with this section, please contact privacy@casegen.ai and we will take appropriate steps to delete it.

16. Changes to This Policy

We may update this Privacy Policy periodically to reflect:

  • Changes in our practices or services
  • Legal or regulatory developments
  • New features or technologies

Notification of Changes

We will notify you of material changes by:

  • Posting the updated Policy with a revised “Last Updated” date
  • Sending email notification to registered users for significant changes
  • Displaying a prominent notice on our website

Your continued use of the Services after changes become effective constitutes acceptance of the updated Policy.

We encourage you to review this Policy periodically.

17. Third-Party Services and Links

The Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to third-party practices.

We are not responsible for the privacy practices or content of third-party services. We encourage you to review the privacy policies of any third-party services you access.

18. Contact Information

For privacy questions, data requests, or concerns, contact:

MAF AI, Inc.
Email: privacy@casegen.ai
Address: 19800 MacArthur Blvd #300, Irvine, CA 92612
For data protection inquiries:
Data Protection Officer: privacy@casegen.ai

19. Governing Law

This Privacy Policy is governed by the laws of California, United States, without regard to conflict of law principles, except where specific provisions are governed by other applicable laws (such as CCPA, etc.).

This Privacy Policy is effective as of March 12, 2025.