Privacy Policy
Effective date: July 7, 2026
Last updated: July 7, 2026
Esqase, Inc. ("Esqase," "we," "us," or "our") operates a legal practice management platform. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you access or use our Service, including app.esqase.com and all associated sub-domains and applications.
By using the Service, you agree to the practices described in this Privacy Policy.
1. Scope
This Privacy Policy applies to:
- Firm Users — attorneys, staff members, and administrators who create accounts and use the Service to manage their legal practice.
- Clients and Contacts — individuals whose information is entered into the Service by a Firm (e.g., potential clients, existing clients, contacts).
- Visitors — individuals who visit our marketing website at esqase.com.
For Client Data processed by Esqase on behalf of a Firm, Esqase acts as a data processor and the Firm acts as the data controller. Our Data Processing Agreement governs that relationship.
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, password (hashed), firm name, job title, and profile details provided during registration.
- Subscription and billing: Payment method information processed by our payment provider (Stripe). We do not store full card numbers.
- User Content: All data, documents, notes, messages, and other content you upload or create in the Service, including client contact details, matter information, billing records, documents, and calendar events.
- Communications: Messages you send to our support team.
- Preferences: Settings, notification preferences, and customizations you configure.
2.2 Information We Collect Automatically
- Usage data: Pages visited, features used, actions taken, timestamps, and session duration.
- Device and technical data: IP address, browser type, operating system, device identifiers, and referring URLs.
- Log data: Server logs, error reports, and crash data.
- Cookies and similar technologies: See Section 7 (Cookies) below.
2.3 Information from Third Parties
- OAuth providers: If you connect Google (Gmail, Google Calendar, Google Meet), Microsoft (Outlook, Outlook Calendar, Microsoft Teams), or Zoom, we receive your basic account identity and the permissions you authorize. We access these accounts only to provide the features you enable (sending email, syncing calendars, and creating meeting links), and you can disconnect them at any time from your Integrations page.
- Payment processors: We receive transaction confirmations and payment status from Stripe.
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Operate, maintain, and improve the platform, including document management, matter tracking, billing, scheduling, and communication features.
- Process transactions: Manage your Subscription and payment.
- Authenticate users: Verify your identity using email/password, passwordless email links, or Google sign-in.
- Send notifications: Deliver in-app and push notifications about activity relevant to your account, as configured in your preferences.
- Support: Respond to questions, troubleshoot issues, and provide technical assistance.
- Security: Detect, investigate, and prevent fraudulent transactions, abuse, and security incidents.
- Product improvement: Analyze aggregated usage patterns to improve the Service. We do not sell or use your Client Data to train third-party AI models without your explicit consent.
- Legal compliance: Meet our obligations under applicable law.
- Communications: Send important account-related notices, product updates, and (with your consent) promotional content.
4. How We Share Your Information
We do not sell your personal information. We share information only as described below.
4.1 Service Providers (Subprocessors)
We work with trusted third-party providers who process information on our behalf to operate the Service. Our key subprocessors include:
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase | Infrastructure, database, file storage, authentication, serverless functions, and push notifications (Firebase Cloud Messaging) | US |
| Cloudflare | DNS, content delivery, and network security | US (global network) |
| Stripe | Payment processing and subscription billing | US |
| Resend | Transactional (system) email delivery | US |
| Google LLC (Gmail, Calendar, Meet APIs) | Email, calendar, and meeting integration (when enabled by a user) | US |
| Microsoft Corporation (Outlook, Teams APIs) | Email, calendar, and meeting integration (when enabled by a user) | US |
| Zoom Video Communications | Meeting link integration (when enabled by a user) | US |
A current list of subprocessors is available in our Data Processing Agreement.
4.2 Public-Facing Features
When you use Public-Facing Features (e.g., Client Portal, document sharing, booking, intake forms, payment pages), limited information may be visible to your clients or other recipients you designate. You control what is shared and with whom.
4.3 Legal Requirements
We may disclose information if required by law, court order, or regulatory authority, or where necessary to protect the rights, safety, or property of Esqase, our users, or others.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, information may be transferred to the successor entity, subject to equivalent privacy protections.
4.5 With Your Consent
We will share information with third parties when you have given us explicit consent to do so.
5. Data Retention
We retain your information for as long as your account is active and as necessary to provide the Service. Upon account termination:
- We retain your data for 30 days to allow recovery, after which it is deleted from our active systems.
- Backup copies may persist for up to 90 days before being purged.
- We retain records required for legal, tax, or audit purposes for the periods required by applicable law.
- Anonymized or aggregated data that cannot identify you may be retained indefinitely.
6. Security
We implement industry-standard technical and organizational measures to protect your information, including:
- Encryption in transit (TLS) and at rest (AES-256-GCM for sensitive fields).
- Role-based access controls enforced at the database layer.
- Strict tenant isolation to prevent cross-firm data access.
- Audit logging of all significant data access and modifications.
- Two-factor authentication (TOTP and email OTP) available for firm users.
- Security monitoring and incident response procedures.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at legal@esqase.com.
7. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the Service and improve your experience.
7.1 Types of Cookies We Use
| Type | Purpose |
|---|---|
| Strictly necessary | Session management, authentication, security (e.g., __Host-session cookie). Cannot be disabled. |
| Functional | Remembering preferences and settings. |
| Analytics | Understanding aggregate usage patterns to improve the Service. |
We do not use third-party advertising cookies or sell data to ad networks.
7.2 Managing Cookies
You can manage cookies through your browser settings. Disabling strictly necessary cookies may prevent the Service from functioning correctly.
8. Your Rights and Choices
Depending on where you are located, you may have the following rights regarding your personal information:
8.1 General Rights (All Users)
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal retention obligations.
- Portability: Request your data in a machine-readable format.
- Objection / Restriction: Object to or restrict certain processing.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
8.2 U.S. State Privacy Rights
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under CCPA.
Other U.S. states may grant similar rights. Contact us to exercise any applicable rights.
8.3 European Economic Area and United Kingdom (GDPR/UK GDPR)
If you are in the EEA or UK, you have additional rights including the right to lodge a complaint with your local supervisory authority. Our lawful bases for processing include: performance of a contract (providing the Service), compliance with legal obligations, our legitimate interests (security, fraud prevention, product improvement), and consent where applicable.
8.4 Philippines (Data Privacy Act of 2012)
If you are in the Philippines, you have rights under Republic Act No. 10173 (Data Privacy Act of 2012), including the rights to be informed, to access, to correction, to erasure or blocking, to damages, to file a complaint with the National Privacy Commission (NPC), and to data portability.
8.5 Exercising Your Rights
To exercise any of the above rights, contact us at legal@esqase.com. We will respond within the timeframe required by applicable law (generally 30 days). We may need to verify your identity before processing your request.
9. International Data Transfers
We are based in the United States and operate infrastructure primarily through Google Cloud in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the U.S. or other countries.
Where required by law, we rely on approved transfer mechanisms, such as Standard Contractual Clauses (for EEA/UK transfers), to ensure adequate protection.
10. Children's Privacy
The Service is not directed at children under 13 (or a higher age threshold where required by local law). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected such information, we will delete it promptly.
11. Links to Third-Party Services
The Service may contain links to or integrations with third-party websites and services (e.g., Google, Microsoft, Zoom, Stripe, PayPal). This Privacy Policy does not apply to those services. We encourage you to review their privacy policies before sharing information with them.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice in the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy, please contact:
Esqase, Inc.
Privacy Team
legal@esqase.com
For EU/UK matters, our Data Protection representative can be reached at the same address.