Privacy Notice

Effective Date: 5 August 2025

Last Updated: 10 April 2026

This Privacy Notice, together with our Terms of Service, explains what data we collect, why we collect it, how we use and protect it, and your rights as a data subject, in compliance with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (“PDPO”).

1. Who This Notice Applies To

This Notice applies to all users of Casebyte, including barristers, solicitors, trainee solicitors, pupil barristers, and law students who access Casebyte in Hong Kong.

Minimum age: Casebyte is intended for users aged 18 and over. We do not knowingly collect personal data from persons under 18.

2. Data We Collect

2.1 Personal Data

We collect the following personal data (data from which your identity can be ascertained) when you register an account:

  • Email address (mandatory) — account creation, authentication via OAuth, and operational communications
  • Full name (optional) — personalisation of your account experience
  • Professional role: Barrister / Solicitor / Law Student (optional) — tailoring Casebyte to your professional context

2.2 Non-Personal Data

The following data does not identify you and is not personal data under the PDPO:

  • Query data: text of queries you submit and AI-generated responses returned to you
  • Workspace data: research you save, action or matter numbers, and other content you create in your Personal Workspace
  • Usage analytics: pages visited, features used, session duration, and interaction patterns
  • Technical data: browser type, device type, and session identifiers

Important: We strongly advise against including confidential client information, legally privileged materials, or personal data of third parties in your queries — see Section 9.

3. How We Use Your Data

3.1 Personal Data

We use your personal data only for:

  • account creation, authentication, and management;
  • providing access to Casebyte; and
  • complying with legal obligations.

3.2 Non-Personal Data

Non-personal data may be used for:

  • generating AI-assisted responses to your queries;
  • product analytics and service improvement; and
  • system monitoring and performance optimisation.

Non-personal data is not subject to the restrictions applicable to personal data under the PDPO.

4. Disclosure to Third Parties

We disclose data only to the following categories of recipients, strictly for the purposes described in this Notice.

4.1 AI Model Providers

Your query data (non-personal) is transmitted to the following AI model providers to generate responses. Each provider processes query data subject to its own privacy policy:

Your personal data (email, name, role) is not transmitted to AI model providers unless you specifically include it in the text of your query.

4.2 Authentication Provider

Your email address is shared with the OAuth provider solely for authentication.

4.3 Cloud Infrastructure Provider

Your personal data (email, name, role) is processed on Supabase and Google Cloud.

4.4 Analytics Provider

Your usage data is processed on PostHog for product analytics.

5. Cross-Border Data Transfer

In accordance with Section 33 of the PDPO, we inform you that your personal data will be transferred to jurisdictions outside Hong Kong for the following purposes:

  • Your email address is shared with the OAuth provider solely for account authentication and login services.
  • Your personal data (email, name, role) is stored on Supabase.

6. Data Retention

We retain data only as long as necessary, in compliance with DPP2.

  • Personal data (email, name, role): duration of active account
  • Conversations: stored indefinitely unless you delete them manually
  • Deleted conversations: permanently removed from our systems upon deletion
  • Usage and analytics data: 24 months from collection
  • Data access / correction records: 7 years from date of request

You may delete your queries and workspace data at any time from within Casebyte. To request account closure and deletion of your personal data, contact support@casebyte.ai.

7. Cookies

You may manage cookie preferences through your browser settings. Disabling certain cookies may affect Casebyte’s functionality. We do not use advertising cookies or share analytics data for third-party marketing purposes.

8. AI Transparency and Human Oversight

When you submit a query, it is transmitted to a third-party AI model provider (see Section 4.1), which generates a response returned to you via Casebyte.

Only the text of your query is transmitted to AI model providers. Your email address, name, and professional role are not included unless you specifically include them in your query.

AI-generated responses are probabilistic and may contain inaccuracies, outdated information, or confabulated citations. Outputs do not constitute legal advice and must be independently verified against primary sources before any professional reliance. See our Terms of Service for the full disclaimer.

9. Confidential and Privileged Information

You must not submit to Casebyte any of the following:

  • Confidential client communications or instructions
  • Legally privileged materials or correspondence
  • Personal data of clients, opposing parties, or third parties
  • Commercially sensitive or proprietary information of a third party

You are responsible for ensuring your use of Casebyte complies with your professional obligations.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised or accidental access, processing, erasure, loss, or use. We cannot guarantee absolute security and are not responsible for unauthorised access outside our reasonable control.

In the event of a data breach likely to result in significant harm to you, we will notify you and, where appropriate, the PCPD, as soon as reasonably practicable.

11. Direct Marketing

We may send you marketing communications about new features, Casebyte updates, or related services. You may withdraw consent at any time by clicking “Unsubscribe” in any marketing email or by contacting support@casebyte.ai. Withdrawal of marketing consent does not affect your account or access to Casebyte.

12. Your Rights as a Data Subject

Under DPP6 of the PDPO, you have the following rights:

  • Access: request confirmation of whether we hold your personal data and request a copy — submit a written Data Access Request to support@casebyte.ai
  • Correction: request correction of inaccurate personal data — submit a written Data Correction Request to support@casebyte.ai
  • Account deletion (contractual): request deletion of your account and associated data by contacting support@casebyte.ai. Note: this is a contractual right provided by Casebyte, not a statutory right under the PDPO

13. Complaints to the PCPD

If your complaint has not been satisfactorily resolved by us, you may contact:

Office of the Privacy Commissioner for Personal Data

Website: www.pcpd.org.hk | Email: enquiry@pcpd.org.hk

Telephone: (852) 2827 2827

Address: 12/F, 248 Queen's Road East, Wan Chai, Hong Kong

14. Changes to This Notice

We may update this Privacy Notice from time to time. Material changes will be notified to you by email or by prominent notice on Casebyte prior to taking effect. Where changes require your fresh consent under the PDPO, we will obtain that consent separately before changes take effect.

15. DPP Compliance Summary

  • DPP1 (Purpose and manner of collection): Sections 2, 3
  • DPP2 (Accuracy and retention): Section 6; Section 12
  • DPP3 (Use of data): Sections 3, 4
  • DPP4 (Security): Section 10
  • DPP5 (Information generally available): Section 1; Section 12; Section 13
  • DPP6 (Access and correction): Section 12

16. Contact Us

For privacy-related inquiries, data access requests, or to exercise your rights under the PDPO, contact us at: support@casebyte.ai