Privacy Policy

At a glance

CASUS is a Swiss legal-tech platform. We help legal teams draft, review and manage documents with the support of Large Language Models (LLMs). Because you entrust us with sensitive documents, privacy is not an afterthought — it is a design constraint.

Who we are. CASUS Technologies AG, Uraniastrasse 31, 8001 Zurich, Switzerland. Contact for privacy matters: contact@getcasus.com.

What we process. Your account data (name, email, company, role), documents you upload, the prompts and instructions you send to our AI features, billing data, and technical data such as IP address and browser information.

Where your documents live. Customer documents and workspace data are stored on Google Cloud infrastructure in Switzerland. When you use AI features, document text and prompts are transmitted to Google Cloud (Vertex AI) in Belgium and to Microsoft Azure OpenAI in Switzerland and Sweden for inference. All transfers happen over encrypted channels.

AI and your documents. We use third-party LLMs (via Google Cloud Vertex AI and Microsoft Azure OpenAI) to power contract analysis and drafting. We do not use your documents to train AI models, and our enterprise agreements with Google and Microsoft prohibit them from doing so either. AI output can contain errors — please keep a human lawyer in the loop.

Who else sees your data. A small number of carefully selected service providers (listed in full in Section 10): payments (Stripe), support chat (Intercom), scheduling (Calendly), website analytics, and internal tools such as our CRM. None of them use your data for their own purposes.

Your rights. You can access, correct, delete, export, restrict or object to the processing of your personal data, and withdraw consent at any time. Write to contact@getcasus.com and we will respond within 30 days.

Laws that apply. The Swiss Federal Act on Data Protection (FADP / revDSG) and, where applicable, the EU General Data Protection Regulation (GDPR). This policy is written to satisfy both.

Full Privacy Policy

1. Scope and controller

This Privacy Policy describes how CASUS Technologies AG (“CASUS”, “we”, “us”) processes personal data when you:

• visit our website at getcasus.com and related subdomains;

• register for, log in to or otherwise use the CASUS web application, the CASUS Word Add-in or any other CASUS product (together, the “Service”);

• interact with us as a customer, prospect, business partner, event participant, newsletter subscriber or applicant; or

• contact us by email, chat, phone or through any form on our website.

CASUS is the controller within the meaning of Art. 5 lit. j FADP and Art. 4 no. 7 GDPR for the processing described here, except where we act as a processor on behalf of a customer (see Section 3).

We are incorporated in Switzerland and our registered office is:

CASUS Technologies AG Uraniastrasse 31 8001 Zurich Switzerland contact@getcasus.com

Our Data Protection Officer is Céleste Urech, reachable at celeste.urech@casus.ch or via the contact address above.

This Privacy Policy does not cover websites, products or services operated by third parties, even if we link to them.

2. Definitions

We use terms as defined in Art. 5 FADP and Art. 4 GDPR. For convenience:

• Personal data means any information relating to an identified or identifiable natural person.

• Processing means any operation performed on personal data, such as collection, storage, use, disclosure or deletion.

• Controller means the entity that determines the purposes and means of the processing.

• Processor means an entity that processes personal data on behalf of a controller.

• Customer means a legal or natural person that has entered into a service agreement with CASUS.

• User means an individual who accesses the Service, whether as an employee of a Customer, as a trial user or as a visitor.

3. Controller vs. processor role

CASUS processes personal data in two different roles, and it matters which one applies:

a) CASUS as controller. For account data, billing data, website analytics, marketing communications and similar operational processing, CASUS decides the purposes and means. This Privacy Policy governs that processing.

b) CASUS as processor. When Customers upload documents and run AI analyses in the Service, those documents may contain personal data of employees, counterparties, clients and other third parties. CASUS processes that content on behalf of and under the instructions of the Customer, who remains the controller. The terms of that processing are set out in the CASUS General Terms of Service (in particular Section 9) and further documented in the Trust Center at https://trust.getcasus.com.

If you are a data subject whose information appears in documents uploaded to CASUS by one of our Customers, please direct requests (access, deletion, etc.) to that Customer in the first instance. We will support the Customer in responding to such requests in our role as processor.

4. What personal data we process

We try to collect only what is necessary for the purpose at hand. The table below lists the main categories.

4.1 Data you provide directly

• Account and profile data — first name, last name, work email, company, role, preferred language, password hash. Collected at sign-up and when you update your account.

• Contact data — phone number, postal address, job title. Collected via contact forms and during sales interactions.

• Content data — documents you upload; prompts and instructions you send to AI features; clauses, drafts, templates and annotations you create in the Service. Collected through your use of the Service.

• Contract and billing data — subscription plan, billing address, VAT number, invoices, payment history. Collected during subscription and billing.

• Support and communication data — messages to our support team, chat transcripts, meeting notes. Collected when you contact us for support, by call or by email.

• Event and webinar data — name, email, company, questions asked. Collected when you register for our events.

• Newsletter data — name, email, interaction with newsletters (open, click). Collected when you sign up for our newsletter.

• Application data — CV, cover letter, references. Collected when you apply for a job with us.

4.2 Data we collect automatically

When you use the Service or visit our website we automatically collect technical information, including:

• IP address and approximate location derived from it

• Device and browser information (type, version, language, operating system, screen size)

• Referring URL and pages visited, timestamps, session duration

• HTTP status codes, amount of data transferred

• Log data about feature usage, errors and performance

• Cookie and similar identifiers (see Section 12)

4.3 Data we receive from third parties

Where necessary, we process personal data that we receive from other sources, for example:

• Contact information from business partners, event hosts or public sources (commercial register, LinkedIn) for B2B sales outreach;

• Authentication data (name, email) from identity providers when you sign in via single sign-on (available as an option for enterprise customers);

• Payment confirmations from Stripe.

4.4 Categories of data subjects

Personal data processed through the Service may relate to our Customers’ employees, contractors, consultants, suppliers, clients, counterparties and other natural persons mentioned in uploaded documents, as well as website visitors and newsletter subscribers.

4.5 Special categories of data

The Service is not designed to process special categories of personal data (Art. 9 GDPR, Art. 5 lit. c FADP), such as health data, data about trade-union membership or data revealing religious or philosophical beliefs. If you nevertheless upload documents containing such data, you do so on your own responsibility and you must ensure that you have a lawful basis and, where required, the explicit consent of the data subjects.

5. Purposes of processing

We process personal data for the following purposes:

1. Providing the Service, including account creation and authentication, storage and retrieval of your documents, contract analysis and drafting via AI, workspace collaboration, and the CASUS Word Add-in.

2. Customer administration, including contract management, billing, accounting and archiving as required by Swiss law.

3. Customer support, including responding to inquiries, troubleshooting and debugging.

4. Product improvement and security, including monitoring uptime and performance, investigating abuse, debugging, error analysis, improving usability and developing new features. For this purpose we prefer aggregated or anonymised data wherever possible.

5. Marketing and communications, including sending newsletters and product updates (subject to your consent or opt-out), hosting webinars and events, advertising on our own channels, measuring the reach of our campaigns, and contacting prospects in a B2B context.

6. Legal compliance and defence of rights, including complying with Swiss and EU legal obligations, responding to law-enforcement requests, documenting consent and the exercise of data subject rights, and establishing, exercising or defending legal claims.

7. Corporate transactions, including the evaluation, preparation and implementation of mergers, acquisitions or reorganisations.

6. Legal basis

Under the GDPR we rely on the following legal bases (Art. 6 GDPR):

• Performance of a contract (Art. 6(1)(b)) — to provide the Service to you or your employer, to manage your account and subscription, to process payments and to respond to your requests.

• Legitimate interests (Art. 6(1)(f)) — to operate our website and the Service securely, to detect and prevent fraud or abuse, to improve our product, to carry out B2B marketing to business contacts, to keep reasonable records for evidence purposes, and to prepare and carry out corporate transactions. We have balanced these interests against your rights and freedoms and are happy to share our assessment on request.

• Legal obligation (Art. 6(1)(c)) — to comply with Swiss and EU obligations, e.g. accounting, tax, anti-money-laundering, data breach notifications.

• Consent (Art. 6(1)(a)) — for newsletters, non-essential cookies and other processing where we explicitly ask for it. You can withdraw your consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

Under the Swiss FADP, processing is lawful where the general principles in Art. 6 FADP are respected (lawfulness, good faith, proportionality, purpose limitation, transparency, data security). Where we rely on overriding interests we have documented a corresponding justification.

7. AI processing of your documents

This section is important because it is what distinguishes CASUS from a generic SaaS product.

7.1 What we do

The Service uses Large Language Models (“LLMs”) to analyse, summarise, extract information from, draft and edit legal documents. When you ask the Service to perform an AI task, the following happens:

1. The relevant document text and your prompt are transmitted from your browser or Word Add-in to the CASUS backend over TLS.

2. The backend forwards the text to one of our LLM providers — currently Google Cloud (Vertex AI) and Microsoft Azure OpenAI — over an encrypted, private connection.

3. The LLM generates an answer and returns it to the CASUS backend.

4. The answer is delivered to your workspace and displayed in the Service.

7.2 Where the models run

• Google Cloud — Vertex AI (Gemini and third-party models exposed via Vertex): Belgium (europe-west1).

• Microsoft Azure — Azure OpenAI Service: Switzerland North and Sweden Central.

Document storage itself remains on Google Cloud in Switzerland; only the text needed for a specific AI request is transmitted to the inference region.

7.3 No training on your data

We have configured our integrations with Google Cloud and Microsoft Azure so that your prompts, documents and AI outputs are not used to train, fine-tune or improve the underlying models. This is contractually enforced through the data protection terms that Google Cloud and Microsoft apply to their enterprise customers and that form part of our accounts.

We also do not use your content to train or improve any CASUS-proprietary model.

7.4 Retention at the model layer

Google Cloud Vertex AI does not retain customer prompts and responses after the request has been served, subject to the applicable Google Cloud terms. Microsoft Azure OpenAI would normally retain prompts and completions for up to 30 days for abuse and misuse monitoring; CASUS has been granted an abuse monitoring opt-out by Microsoft, which means your prompts and completions are not stored by the Azure OpenAI Service beyond the request-response cycle.

7.5 Accuracy and human oversight

AI outputs are statistical predictions, not verified legal advice. They may contain factual errors, fabricated citations (“hallucinations”), omissions or misinterpretations. You must not rely on AI outputs without qualified human review. CASUS is a tool for legal professionals; it does not replace legal judgement and does not provide legal advice.

7.6 Confidentiality-sensitive content

You are responsible for deciding which documents to upload. If a document is subject to particularly strict confidentiality, privilege or secrecy obligations, please evaluate before uploading whether the safeguards described in this policy and in our Trust Center are sufficient for your use case. We are happy to discuss additional safeguards with enterprise customers.

8. Disclosure to third parties

We disclose personal data only where there is a lawful basis and a genuine need. Recipients include:

• Service providers and subprocessors that help us run the Service and our business (see Section 10).

• Professional advisers such as auditors, tax advisers, lawyers and insurers, bound by confidentiality.

• Payment service providers such as Stripe, for subscription billing.

• Public authorities and courts, where we are legally required to disclose personal data.

• Acquirers or investors, in the context of a due diligence process or corporate transaction, under appropriate confidentiality protections.

We do not sell personal data and we do not disclose personal data to third parties for their own marketing purposes.

9. International data transfers

We process personal data primarily in Switzerland and the EU/EEA. Mandate and document content remains within these regions at all times. Other data categories – such as account, usage, and support data – may also be processed in additional countries, in particular:

• European Union (Belgium, Ireland, Netherlands, Germany, Malta) — for AI inference (Google Cloud Vertex AI), for some analytics and support services, and for payment processing.

• Sweden — as one of the Azure OpenAI regions we use.

• United States — for certain operational and website tools such as Intercom, Calendly, Notion, Slack, Attio, Google Analytics and for LLM providers’ US-based support functions.

Where personal data is transferred to a country that is not recognised by the Swiss Federal Council or the European Commission as providing an adequate level of data protection, we rely on one or more of the following safeguards:

• the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) in combination with the Swiss addendum recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC);

• the UK International Data Transfer Addendum where applicable;

• supplementary technical and organisational measures such as encryption in transit and at rest, strong access controls and contractual limitations on subprocessor access;

• your explicit consent or contractual necessity in specific situations, where permitted by Art. 17 FADP and Art. 49 GDPR.

You can request a copy of the safeguards in place for a specific transfer by writing to contact@getcasus.com.

10. Subprocessors

We use a small number of subprocessors to operate the Service and to run our business. We differentiate between two groups:

• Product subprocessors that may come into contact with Customer documents and prompts. Because this is the sensitive core of the processing, we name them in full below.

• Operational subprocessors that we use to run our website, marketing, sales, support, payment and internal collaboration. They generally do not access Customer documents. We list them by category below; the up-to-date, named list is published in our Trust Center.

10.1 Product subprocessors

• Google LLC / Google Cloud EMEA Ltd — Google Cloud Storage and compute, located in Switzerland. Used for hosting of the Service and storage of Customer documents and workspace data.

• Google LLC / Google Cloud EMEA Ltd — Google Cloud Vertex AI, located in Belgium (europe-west1). Used for LLM inference for AI features.

• Microsoft Ireland Operations Ltd — Azure OpenAI Service, located in Switzerland North and Sweden Central. Used for LLM inference for AI features.

These subprocessors operate under a zero-data-retention arrangement: Customer Content sent for inference is not stored by them beyond the duration of the request and is not used to train or improve their models.

10.2 Operational subprocessors — categories

For our website, marketing, sales, support, payments, internal collaboration and communications we rely on third-party providers in the following categories:

• Payment processing, for subscription billing and invoicing.

• Transactional and marketing email, for account emails, password resets, invoices and newsletters.

• Customer support and in-app messaging, for our support chat, help centre and product announcements.

• CRM and sales tools, for managing prospect and customer contact data.

• Meeting scheduling, for booking demos and sales calls.

• Website and product analytics, advertising measurement and tag management, to understand how visitors use our website and to measure marketing campaigns.

• Product analytics, heatmaps and session recordings on our marketing website.

• Web fonts loaded via our marketing site.

• Authentication and database infrastructure supporting parts of the Service.

• Internal knowledge base and documentation.

• Internal team communication.

Providers in these categories are located in Switzerland, the European Economic Area and the United States. Where providers are located outside Switzerland or the EEA, transfers are protected by the safeguards described in Section 9 (in particular EU Standard Contractual Clauses with the Swiss Addendum, and/or the applicable adequacy decisions).

10.3 Current list and Trust Center

The current, named list of all subprocessors — both product and operational — is publicly available in our Trust Center at https://trust.getcasus.com. We keep this list up to date whenever we add or replace a subprocessor, so you can always check who we work with at any given time.

We have entered into a written agreement with each subprocessor that imposes obligations equivalent to those set out in this Privacy Policy and our Terms of Service, including confidentiality, security and — where relevant — Standard Contractual Clauses for international transfers.

Changes to subprocessors. We may add or replace subprocessors as the Service evolves. We will notify Customers at least 30 days in advance of any new product subprocessor via the Trust Center and, where Customers have subscribed to updates, by email. Customers may object on reasonable data protection grounds.

11. Retention

We retain personal data only as long as necessary for the purposes set out in this policy or as required by law. The main retention periods are:

• Account and profile data — for the duration of your account plus up to 90 days after account deletion for backup purging.

• Customer documents and workspace content — for as long as the Customer subscription is active; after termination, deleted or returned in accordance with our Terms of Service.

• Billing and accounting data — 10 years after the end of the relevant business year (Art. 958f Swiss Code of Obligations).

• Contract data with Customers and suppliers — 10 years after the end of the contract.

• Server and access logs — typically up to 90 days, longer where required for security investigations.

• Support tickets and chat transcripts — up to 3 years after the last interaction.

• Newsletter subscriptions — until you unsubscribe, plus a suppression record to avoid re-contacting you.

• Marketing and analytics data — typically up to 26 months in aggregated form.

• Job applications — up to 12 months after the end of the application process, longer with your consent.

• Legal claims and disputes — until the claim is resolved and the relevant limitation period has expired.

Where data is no longer required, we delete or irreversibly anonymise it as part of our routine deletion processes.

12. Cookies, analytics and tracking

Our website uses cookies and similar technologies. We distinguish between:

• Strictly necessary cookies, which are required to operate the website and the Service (e.g. authentication, load balancing, CSRF protection). These cannot be switched off.

• Analytics cookies, set by Google Analytics 4, which help us understand how our website and Service are used in the aggregate.

• Marketing cookies, set by Google Ads via Google Tag Manager, which help us measure the reach and effectiveness of our campaigns.

Analytics and marketing cookies are only set with your consent, which we collect via the cookie banner on your first visit. You can withdraw your consent at any time via the cookie settings link in the footer of our website.

Google Analytics 4 uses pseudonymised identifiers; IP addresses are truncated before storage and are not merged with other Google data about you. Google Ads and Google Tag Manager allow us to manage tags and measure ad performance; Google may transfer data to the United States.

Our marketing website is built on Framer and uses Google Fonts embedded via Framer. When fonts are loaded from Google servers, your IP address may be transmitted to Google.

We do not use cookies or similar technologies to build behavioural profiles for advertising outside our own campaigns.

13. Newsletter, webinars and contact forms

Newsletter. If you subscribe to our newsletter we will send you product news, event invitations and related content. We use a double opt-in procedure and you can unsubscribe at any time using the link at the bottom of each newsletter or by writing to contact@getcasus.com. Our newsletter and transactional emails are sent via Brevo (Sendinblue SAS, France). Brevo processes your name, email address and interaction data (opens, clicks) on our behalf in the European Union.

Webinars and events. When you register for a webinar or event we process your name, email and the answers you give during registration to confirm your place, send reminders and, where applicable, follow up with related content. Live events are generally not recorded in a way that identifies participants; if you appear as a speaker or interview partner we will ask for your consent in advance.

Contact and demo forms. When you use our contact or demo forms we process the information you provide (typically first name, last name, email, phone, company and message) to respond to your request and, where relevant, to start a sales conversation.

14. Security

We implement technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These include:

• Encryption in transit using TLS for all connections to the Service and our website.

• Encryption at rest for Customer documents and workspace data.

• Strict access controls on a need-to-know basis, with individual user accounts, strong passwords and, where possible, multi-factor authentication.

• Network security including firewalls, intrusion detection and continuous monitoring.

• Secure software development practices, code review and dependency management.

• Regular backups with documented recovery procedures.

• Endpoint management for devices that access production systems.

• Staff training on data protection and security.

• Incident response processes, including the obligation to notify affected Customers as controllers without undue delay and, where we are processor, within 48 hours of becoming aware of a personal data breach.

A detailed description of our technical and organisational measures is available in our Trust Center and on request from contact@getcasus.com.

No method of transmission or storage is perfectly secure. We will not claim otherwise.

15. Your rights

Subject to the conditions and exceptions of applicable data protection law, you have the following rights regarding your personal data:

• Right of access — to obtain confirmation as to whether we process personal data about you and, if so, to receive a copy and related information.

• Right to rectification — to have inaccurate personal data corrected and incomplete data completed.

• Right to erasure — to have your personal data deleted where one of the grounds in Art. 17 GDPR / Art. 32 FADP applies.

• Right to restriction — to have processing restricted in certain situations.

• Right to object — to object at any time to processing based on legitimate interests or for direct marketing.

• Right to data portability — to receive the personal data you have provided to us in a structured, commonly used and machine-readable format.

• Right to withdraw consent — to withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.

• Right not to be subject to automated decisions with legal or similarly significant effects. We do not take such decisions on the basis of the personal data governed by this policy. AI-assisted analysis of your documents is always reviewed by you as the human decision maker.

To exercise these rights, please write to contact@getcasus.com. We may need to verify your identity before acting on your request. We will normally respond within 30 days; this period may be extended by up to 60 days for complex requests, in which case we will inform you.

You also have the right to lodge a complaint with a supervisory authority:

• In Switzerland: the Federal Data Protection and Information Commissioner (FDPIC / EDÖB), Feldeggweg 1, 3003 Bern, https://www.edoeb.admin.ch.

• In the EU/EEA: the supervisory authority of the member state of your habitual residence, place of work or the place of the alleged infringement. A list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

16. Children

The Service is a B2B tool intended for legal professionals and other business users. It is not directed at children, and we do not knowingly collect personal data from individuals under the age of 16. If you believe a child has provided personal data to us, please contact contact@getcasus.com so that we can delete it.

17. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our Service, in the legal framework or in our practices. The current version is the one published at https://www.getcasus.com/privacy and is identified by the effective date at the top. For material changes we will notify you in advance through the Service, by email or by a notice on our website. If you continue to use the Service after the new version takes effect, the updated policy applies to you.

18. Contact

For any question, concern or request regarding this Privacy Policy or the processing of your personal data:

CASUS Technologies AG
Uraniastrasse 31
8001 Zurich
Switzerland
contact@getcasus.com

Our Data Protection Officer is Céleste Urech (celeste.urech@casus.ch).