ProperResponse — Legal Case Management

Privacy Policy

Effective Date: May 6, 2026  |  Last Updated: May 6, 2026

Plain-English Summary: We collect what you give us to run your account and cases. We do not sell your data. We do not use your case content to train AI models. You can export or delete your data. Questions? privacy@properresponse.com.

Contents
  1. Who We Are
  2. Information We Collect
  3. How We Use Your Information
  4. Legal Basis for Processing (GDPR)
  5. Data Sharing and Subprocessors
  6. Cookies and Tracking
  7. AI Features and Your Data
  8. Data Retention and Deletion
  9. Security
  10. Your Rights
  11. California Residents (CCPA / CPRA)
  12. European and UK Residents (GDPR / UK GDPR)
  13. Data Transfers
  14. Children
  15. Changes to This Policy
  16. Contact and Data Requests

1. Who We Are

ProperResponse ("ProperResponse," "we," "us," or "our") operates the ProperResponse legal case management platform accessible at properresponse.com. We provide cloud-based software tools to help pro se litigants and legal professionals organize cases, track deadlines, manage documents, and generate AI-assisted legal research.

ProperResponse is the data controller for account and billing data and a data processor for the legal case content you upload or generate inside the platform. Your relationship with us is governed by our Terms of Service and this Privacy Policy.

Contact: privacy@properresponse.com

2. Information We Collect

2.1 Information You Provide Directly

  • Account registration: full name, email address, organization or firm name, and the password you choose (stored as a bcrypt hash — we never see the plain text).
  • Two-factor authentication: a time-based one-time password (TOTP) seed, stored encrypted. We never see your authenticator codes.
  • Case and contact data: parties, opposing counsel, judges, court information, deadlines, costs, notes, activities, and any other case details you enter.
  • Documents: files you upload, including PDFs, Word documents, images, and audio recordings.
  • Communications: messages you send to our support team.
  • Billing information: name and billing address for invoicing. Full card numbers are handled entirely by Stripe and never touch our servers.

2.2 Information Collected Automatically

  • Server logs: IP address, browser type and version, operating system, referring URL, page requested, HTTP status code, and timestamp for each request. Logs are used for security monitoring, fraud detection, and debugging. They are not used for behavioral advertising.
  • Audit logs: a record of every significant action taken within the application (login, case created, document uploaded, etc.) tied to the user and tenant ID. These logs support our security posture and may be required in a security incident investigation.
  • Session data: an encrypted session token stored in a secure, HttpOnly, SameSite=Strict cookie. Session data is held in our Redis cache and automatically expires after 30 minutes of inactivity.

2.3 Information We Do Not Collect

  • We do not collect your Social Security Number unless you choose to enter it as part of a case contact record, in which case it is encrypted at rest with AES-256 and never displayed in full after entry.
  • We do not use third-party advertising networks, analytics SDKs, pixel trackers, or behavioral fingerprinting scripts.
  • We do not read the content of uploaded documents except as required to perform virus scanning before storage.

3. How We Use Your Information

Purpose  |  Data Used  |  Why
Providing the service  |  All account and case data  |  Contract performance
Authentication & security  |  Email, password hash, TOTP seed, IP, session token, audit logs  |  Legitimate interest / contract
Billing and subscription management  |  Name, email, billing address, Stripe customer ID  |  Contract performance
Service notifications  |  Email address  |  Contract performance
Security incident response  |  Logs, audit trail, IP address  |  Legitimate interest / legal obligation
Product improvement (aggregated, anonymized)  |  Anonymized usage patterns — never case content  |  Legitimate interest
Legal compliance  |  What law requires  |  Legal obligation

What We Never Do: We do not sell, rent, lease, or trade your personal information or case content to any third party. We do not use your case content to train machine learning models or AI systems — our own or anyone else's — without your explicit, separately documented written consent.

4. Legal Basis for Processing (GDPR)

For users located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): processing necessary to deliver the service you signed up for, including account management and billing.
  • Legitimate interests (Art. 6(1)(f) GDPR): security monitoring, fraud prevention, service reliability improvements, and abuse prevention — where our interests do not override your fundamental rights.
  • Legal obligation (Art. 6(1)(c) GDPR): retaining records required by law, responding to lawful requests from authorities.
  • Consent (Art. 6(1)(a) GDPR): for any processing not covered above, we will ask for your explicit consent and you can withdraw it at any time.

5. Data Sharing and Subprocessors

We share data only as necessary to operate the platform. We contractually require all subprocessors to maintain confidentiality and process data only under our instruction.

Subprocessor  |  Purpose  |  Data Shared  |  Location
Amazon Web Services (AWS)  |  Cloud infrastructure: EC2 compute, Aurora MySQL (database), ElastiCache Redis (sessions/cache), S3 (document storage), Secrets Manager (credentials)  |  All application data at rest and in transit within AWS services  |  US East (N. Virginia)
Stripe, Inc.  |  Payment processing and subscription billing  |  Name, email, billing address, payment card data (Stripe handles card data directly; we receive only a token)  |  United States
Anthropic, PBC  |  AI-powered legal research and analysis features (Claude API)  |  Case context you explicitly submit to an AI analysis feature. Anthropic's API does not retain submitted data for model training by default.  |  United States
MXroute  |  Transactional email (account notifications, billing receipts)  |  Recipient email address and message content (service notifications only)  |  United States

5.1 Law Enforcement and Legal Process

We may disclose data when required by a valid court order, subpoena, legal process, or government request applicable to us. Where legally permitted, we will notify affected users before complying. We require law enforcement to follow appropriate legal process and will challenge requests we believe are overbroad or improper.

5.2 Business Transfers

If ProperResponse is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice within the application before your data becomes subject to a different privacy policy.

6. Cookies and Tracking

6.1 Essential Cookies Only

ProperResponse uses only essential (strictly necessary) cookies. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

Cookie  |  Purpose  |  Duration
PHPSESSID (or equivalent)  |  Session authentication — links your browser to your server-side session stored in Redis. Without this cookie the application cannot function.  |  Session (expires on browser close or 30 min inactivity)
CSRF token cookie  |  Cross-site request forgery protection. Validates that form submissions originate from within the application.  |  Session

All cookies are set with HttpOnly, Secure, and SameSite=Strict attributes. They are never readable by JavaScript and are never shared with third parties.

Because we use only essential cookies, we are not required to display a cookie consent banner. If we ever add non-essential cookies we will obtain your explicit consent first.

7. AI Features and Your Data

AI Data Handling — Important: When you use an AI-assisted feature (such as legal theory generation or case analysis), the case context you submit is sent to the Anthropic Claude API. Anthropic's enterprise API does not use submitted content for model training. We do not store your AI prompts or responses beyond what is necessary to display them to you in the session.

  • AI analysis results are stored as part of your case record so you can review them later.
  • We do not use AI outputs to infer sensitive attributes about you (health status, political beliefs, etc.).
  • AI-generated content is clearly marked and is not a substitute for professional legal advice. See our Terms of Service, Section 5, for the full AI disclaimer.
  • You may not submit confidential information belonging to third parties to our AI features without the legal right to do so.

8. Data Retention and Deletion

8.1 Active Accounts

We retain your data for as long as your account is active. Case content, documents, and contacts are retained at your direction and can be deleted by you at any time within the application.

8.2 After Account Termination

When your account is canceled or terminated:

  • 90-day retrieval window: your case data and uploaded documents remain accessible for 90 days after the effective termination date, so you can export your records. You may contact us at privacy@properresponse.com to request a data export during this window.
  • Deletion after 90 days: at the close of the 90-day window, we will delete or anonymize your case content, contact records, uploaded documents, and personal identifiers.
  • What we retain longer: billing records (as required by tax and financial regulations, typically 7 years), audit logs (for security compliance, up to 2 years in anonymized form), and any data we are legally compelled to retain.

8.3 Deletion Requests

To request deletion of your data before the 90-day window expires, email privacy@properresponse.com from your account email. We will confirm deletion within 30 days.

8.4 Document Storage

Uploaded documents are stored in Amazon S3 with server-side encryption (SSE-S3). Versioning is enabled, meaning deleted objects are retained as non-current versions for up to 90 days before permanent removal by our lifecycle policy.

9. Security

We implement security controls appropriate for legal case management software, including:

  • Transport encryption: TLS 1.2+ enforced on all connections with HSTS preload.
  • At-rest encryption: AES-256 for sensitive fields (e.g., Social Security Numbers); SSE-S3 for all documents.
  • Authentication: bcrypt/Argon2id password hashing; optional TOTP two-factor authentication; 5-attempt account lockout with 15-minute cooldown.
  • Access controls: role-based access (admin, firm admin, attorney, paralegal, viewer); tenant isolation enforced on every database query.
  • Input security: parameterized SQL queries (no string interpolation); output encoding against XSS; CSRF token validation on all state-changing requests.
  • Infrastructure: AWS security groups, fail2ban intrusion prevention (5 active jails), ModSecurity web application firewall, ClamAV virus scanning on uploads.
  • Audit trail: every significant action is logged with user, tenant, resource type, resource ID, and timestamp.

Security Incident Notification: In the event of a data breach that may affect your personal information, we will notify affected users as required by applicable law (including within 72 hours under GDPR where required). Notification will be sent to the email address on file and posted to our status page.

No security system is perfect. You are responsible for keeping your password and two-factor authentication device secure. We strongly recommend enabling 2FA on your account.

10. Your Rights

Regardless of your location, you have the following rights with respect to your personal data:

Right  |  What It Means  |  How to Exercise
Access  |  Obtain a copy of the personal data we hold about you.  |  Email privacy@properresponse.com
Correction  |  Correct inaccurate or incomplete data.  |  Update directly in the app, or email us
Deletion ("Right to be Forgotten")  |  Request deletion of your personal data, subject to retention obligations.  |  Email privacy@properresponse.com
Export / Portability  |  Receive your case data in a portable format.  |  Use in-app export, or email us
Restriction  |  Request that we restrict processing of your data in certain circumstances.  |  Email privacy@properresponse.com
Objection  |  Object to processing based on legitimate interests.  |  Email privacy@properresponse.com
Withdraw Consent  |  Withdraw any consent you have given, without affecting lawfulness of prior processing.  |  Email privacy@properresponse.com

We will respond to all data rights requests within 30 days. We will ask you to verify your identity before fulfilling any request to prevent unauthorized access to your data.

11. California Residents — CCPA / CPRA

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

11.1 Categories of Personal Information Collected

In the past 12 months we have collected:

  • Identifiers: name, email address, IP address, account ID.
  • Commercial information: subscription plan, billing history.
  • Internet or other electronic network activity: server logs, session data, audit logs.
  • Professional or employment-related information: firm name, role.
  • Inferences drawn from above: none beyond what is necessary to provide the service.

11.2 Your CCPA Rights

  • Right to Know: request disclosure of the categories and specific pieces of personal information we have collected, the purposes for collection, the categories of sources, and the categories of third parties with whom we share.
  • Right to Delete: request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required, but you can confirm this at any time.
  • Right to Limit Use of Sensitive Personal Information: We use sensitive personal information only to provide the requested service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.

To exercise your CCPA rights, email privacy@properresponse.com. We will respond within 45 days (extendable to 90 days with notice). We will verify your identity using your registered email address.

Authorized Agents: you may designate an authorized agent to submit requests on your behalf. We may require written permission from you and independent verification of your identity.

12. European and UK Residents — GDPR / UK GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, additional rights under the GDPR (or UK GDPR) apply to you, as described in Sections 4 and 10 above.

12.1 Data Controller

ProperResponse is the data controller for your account information. For case content, we act as a data processor on your behalf. If you are a legal professional using ProperResponse to process data about your clients, you are the controller for that client data and we are your processor.

12.2 Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority. We ask that you contact us first at privacy@properresponse.com so we can address your concern directly.

12.3 Data Processing Agreement (DPA)

If you require a Data Processing Agreement for GDPR compliance (e.g., you are a legal professional processing EU client data), email privacy@properresponse.com to request a DPA.

13. International Data Transfers

ProperResponse is operated from the United States. If you access the service from outside the United States, your information will be transferred to, stored, and processed in the United States. The United States may not provide the same level of data protection as your home country.

For transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our subprocessor agreements with AWS, Stripe, and Anthropic.
  • The UK International Data Transfer Agreement (IDTA) for UK-origin transfers where applicable.

14. Children

ProperResponse is not directed to children under the age of 18 and is not intended for use by minors. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact privacy@properresponse.com and we will delete the information promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or our service. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page;
  • Send an email notification to the account administrator email address on file;
  • Display a notice within the application at least 14 days before the change takes effect.

Your continued use of the service after the effective date constitutes acceptance of the revised policy. If you do not accept the changes, you must stop using the service and request deletion of your account.

16. Contact and Data Requests

For privacy questions, data requests, or to report a privacy concern:

Channel  |  Address / Detail  |  Response Time
Privacy email  |  privacy@properresponse.com  |  Within 5 business days for questions; 30 days for formal data requests
Support email  |  support@properresponse.com  |  Within 2 business days
Postal address  |  ProperResponse — Privacy, United States  |  Allow 10 business days

When submitting a data request, please include: your full name, the email address associated with your account, and a description of your request. We will verify your identity before processing any request.

© 2026 ProperResponse. This Privacy Policy is effective as of May 6, 2026. Questions? privacy@properresponse.com