Causa

Draft — pending legal review. This document is a working scaffold and has not yet been ratified by counsel. It is not the final, binding version. Sections marked [Counsel to draft] are placeholders.

Privacy Policy

Draft — not yet effective

This Privacy Policy explains how Causa handles personal and firm data. The technical data-flow described below reflects how the system actually operates. The legal terms governing that processing are being finalized with counsel.

Who we are

[Counsel to draft] Identify the Personal Information Controller (the law firm) and Personal Information Processor (Causa) and their relationship under the Data Privacy Act (RA 10173).

This website

When you submit the early-access or contact form on this site, we collect the name, email address, firm name, and message you provide, solely to respond to your request. These messages are delivered to us by email through Resend (an email-delivery provider operating in the United States). This marketing site does not use advertising or analytics trackers.

What the product collects

When your firm uses the Causa platform, we process the following categories of data so it can function:

  • Account and identity data (name, email, hashed password, firm membership, role).
  • Firm work product (cases, clients, tasks, calendar, notes, comments).
  • Documents you upload and text extracted from them.
  • Conversations with the AI assistant (Cleo).
  • Email you choose to sync from a connected Gmail account.
  • Audit logs (who did what, when, for which firm).

How your data is processed (and where)

Causa runs as a single-tenant deployment: each firm has its own server and database, and depending on the deployment that server may be hosted outside the Philippines. The third-party services listed below operate outside the Philippines, so data is processed abroad. We do not claim that your data stays within the Philippines.

| Service | What it receives | Location |
|---|---|---|
| AWS S3 | Uploaded document files (encrypted at rest) | Singapore |
| AWS Bedrock (Anthropic Claude) | Document text, chat messages and case context the AI reasons over | AWS infrastructure that may be outside the Philippines |
| AWS Bedrock (Cohere) | Retrieved passages, for search-result reranking | Tokyo, Japan |
| Google / Gmail API | Email content and access tokens, only if you connect Gmail | United States |
| AWS SES | Email address and message body for account emails | Singapore |
| OpenAI (if enabled) | Document text and search queries, for semantic search | United States |

We do not use advertising or analytics trackers. Optional error monitoring (Sentry, United States) may be enabled by the deployment operator; if so, error reports may incidentally contain personal data.

Why we are allowed to process it (lawful basis)

[Counsel to draft] State the lawful basis under RA 10173 for each processing purpose, including the basis for the cross-border transfers listed above (consent vs. contractual necessity), and the safeguards relied on.

How long we keep it

[Counsel to draft] Define retention periods per data category and deletion on account closure.

Your rights

[Counsel to draft] Set out the data-subject rights under RA 10173 (access, correction, erasure/blocking, objection, data portability, complaint to the NPC) and how to exercise them.

Security and breach notification

[Counsel to draft] Describe the security measures and the 72-hour breach-notification procedure to the NPC and affected data subjects.

Data Protection Officer & contact

[Counsel to draft] Name the Data Protection Officer and provide contact details and the NPC registration status, once assessed.

© 2026 Causa. All rights reserved.