Privacy Policy

Last updated: 14 May 2026

This page explains what personal data Caselist collects when you use the service, why we collect it, and what rights you have. We comply with UK GDPR and the Data Protection Act 2018.

Who's in charge of your data

Caselist is operated as a sole trader business based in the United Kingdom. The operator of Caselist is the data controller for personal data we collect from you directly. If you're a workspace member rather than the workspace owner, the workspace owner may also be a controller for the data they ask you to record, such as case photos and venue check-ins. You can reach us at hello@caselist.app.

What we collect

We try to collect the minimum we need to run the service. Here's the full list:

From you, directly

  • Account info. Your email address. We don't store a password. You sign in with a one-time code we email you.
  • Workspace info. The names, case lists, items, tours, shows, photos, and notes you create.
  • Check data. When a case was checked, by whom, with what status (present, damaged, missing), and any damage photos or notes you upload. We also record GPS coordinates if you grant your browser's location permission. This is to help locate the venue on reports, never to track individuals.
  • Reports you send. Recipient email addresses and the report content.
  • Support correspondence. If you email us, we keep that thread.

From your browser, automatically

  • Auth cookies. Essential cookies set by Supabase so you stay signed in. We don't use marketing or analytics cookies.
  • Logs. Basic request logs (URL, IP address, user agent, response code) kept for up to 30 days for debugging and security.
  • Error and performance data. If something goes wrong, our error-monitoring tool records technical details about the failure: what broke, the page you were on, and your browser type. It also samples a small share of requests to measure performance. We have configured it not to record your screen and not to capture the contents of your case lists.

From third parties

  • Stripe. If you buy a paid plan, Stripe handles payment and sends us your customer ID and subscription status. We never see your card details.

What we don't collect

  • We don't run advertising or marketing trackers.
  • We don't record or replay your browsing sessions.
  • We don't sell or rent personal data.
  • We don't use your content to train AI models.

Why we collect it

Lawful basis under UK GDPR:

  • Contract (Article 6(1)(b)). Most processing happens because you've signed up to use Caselist and we need to deliver it.
  • Legitimate interests (Article 6(1)(f)). Log retention and rate limiting for security, error and performance monitoring to fix bugs, and sending you transactional emails about your account.
  • Legal obligation (Article 6(1)(c)). Keeping financial records for tax and accounting purposes.
  • Consent (Article 6(1)(a)). Granting location access in your browser. You can revoke this any time in your browser settings.

Who we share data with

We use a small number of trusted suppliers ("processors") to run the service:

  • Supabase (database, auth, storage). EU region.
  • Vercel (hosting). Global edge network with European points of presence.
  • Resend (transactional email). Sends sign-in codes, invites, and reports.
  • Stripe (payments). Only relevant if you're on a paid plan.
  • Sentry (error and performance monitoring). Receives technical error data so we can fix faults. EU region.
  • Upstash (rate limiting). Stores short-lived counters keyed on IP address to prevent abuse and sign-in spam.

We don't share personal data with anyone else unless you ask us to, we're required to by law, or it's necessary to defend or enforce our legal rights.

International transfers

Most processing happens in the UK and EU. Some of our suppliers, notably Vercel, Stripe, and Upstash, may transfer data to the United States under standard contractual clauses or equivalent safeguards. Where personal data leaves the UK or EU, we rely on those safeguards to keep your rights intact.

How long we keep things

  • Workspace data. Kept while the workspace exists. When a workspace is deleted, the underlying data is removed within 30 days, allowing for backup retention windows.
  • Account email. Kept while you have an active account. Signing out alone doesn't delete the account.
  • Financial records. Kept for 7 years after the end of the relationship, as required by UK tax law.
  • Logs and error reports. Up to 30 days.
  • Support emails. Up to 24 months after the conversation closes.

Cookies

Caselist only uses cookies that are essential to make the service work, primarily the Supabase auth cookie that keeps you signed in. We don't set any analytics or marketing cookies. Because we only use strictly necessary cookies, we don't show a cookie banner. We still want to tell you they exist.

You can clear cookies in your browser settings at any time. Clearing the auth cookie will sign you out.

Your rights under UK GDPR

You have the right to:

  • Access. Ask for a copy of the personal data we hold about you.
  • Rectification. Ask us to fix anything that's wrong.
  • Erasure. Ask us to delete your data ("right to be forgotten"), subject to the retention rules above.
  • Restrict processing. Tell us to stop using your data while we work something out.
  • Object. Object to processing based on legitimate interests.
  • Portability. Receive your data in a structured, machine-readable format.
  • Withdraw consent. Where we rely on consent, you can withdraw it any time.
  • Complain. To the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these, email hello@caselist.app. We'll respond within 30 days.

Children

Caselist isn't designed for children. You must be at least 16 to create an account. If you believe a child has signed up, email us and we'll close the account.

Security

We protect your data with industry-standard measures: HTTPS in transit, encryption at rest where supported by our hosting providers, role-based access controls, and least-privilege rules on database queries. No system is bulletproof. If you find a security issue, please email hello@caselist.app.

Changes to this policy

We may update this policy as the service evolves. If we make a material change, we'll email account holders and update the "Last updated" date at the top.

Contact

Questions about your data or this policy? Email hello@caselist.app.