Privacy Policy

Our core principle: CourtFlow AI is a product of CourtFlow AI, Corp., a Florida corporation. Your documents stay in YOUR Google Drive or OneDrive. We never store, copy, or retain your court filings, case files, or client documents on our servers. CourtFlow AI processes your data in transit and stores only metadata (case names, deadlines, analysis summaries) in our encrypted database.

1. Information We Collect

Account Information

When you sign up, we collect your name, email address, and profile picture through Google OAuth or Microsoft Azure AD authentication. We also collect your firm name, bar number, phone number, and practice areas during onboarding.

Email Metadata

When you connect your Gmail or Outlook account, CourtFlow reads emails from your configured court e-service sender address (e.g., eservice@myflcourtaccess.com). We process the email subject, sender, date, and body to identify court filings. Email content is processed in transit and not permanently stored — only our AI-generated analysis summary is retained.

Document Analysis Data

Court documents (PDFs, DOCX, XLSX, EML, images, and other supported formats) are sent to Google Gemini for AI analysis. The analysis results — including summaries, extracted deadlines, case classifications, and case law citations with confidence levels — are stored in our database. AI-generated case law citations are verified against CourtListener, a third-party legal database operated by the nonprofit Free Law Project, to reduce the risk of inaccurate citations. The documents themselves are filed directly to your Google Drive or OneDrive and are never stored on CourtFlow servers.

Usage Data

We collect standard usage information including pages visited, features used, browser type, IP address, geographic location (country/region derived from IP), device type, and referral source to improve our service and diagnose issues. We use Google Analytics to collect and analyze this data in aggregate. Google Analytics may set cookies on your browser; see Google's privacy policy for details on how Google processes this data.

AI-Generated Content

Beyond document analysis, CourtFlow AI generates additional content at your direction, including trial preparation materials (witness outlines, jury instructions, motions in limine, voir dire questions, cross-examination and direct examination outlines, proof checklists, and order of proof), AI-powered case briefs, discovery analysis, and draft legal responses. Case details and party information from your dashboard are sent to Google Gemini to generate this content. The AI-generated outputs are stored in our database. No client documents are sent for these features — only the structured case metadata already in your account.

Federal Court Email Processing

For firms that enable federal court processing, CourtFlow receives Notice of Electronic Filing (NEF) emails from the federal CM/ECF system via an inbound email address hosted by Resend (e.g., yourfirm@ecf.courtflow.ai). These emails are parsed to extract case numbers, docket entries, and free-look PDF download links. PDFs are downloaded directly from PACER via the one-time free-look URL contained in the NEF email, processed in memory, and filed to your cloud storage. CourtFlow does not maintain a PACER account on your behalf and does not access PACER beyond the free-look link provided in each NEF email.

2. How We Use Your Information

• To provide the CourtFlow AI service — processing court emails (state and federal), analyzing documents, tracking deadlines, generating case law citations, verifying citations against legal databases, generating briefings, producing trial preparation materials, generating draft legal responses, and providing AI-powered case analysis
• To authenticate you and manage your account and team
• To send you service-related communications (daily briefings, deadline alerts, system notifications)
• To improve our AI analysis accuracy and service reliability
• To enforce our terms of service and protect against misuse

3. Google API Data — Scope-by-Scope Disclosure

CourtFlow AI uses the following Google OAuth scopes. This section describes exactly what data each scope accesses, how it is used, and what is never accessed or stored.

gmail.modify — Gmail Read & Label

CourtFlow AI reads emails from your Gmail inbox to identify incoming court e-service emails, based on sender domain and subject line patterns. It reads the email subject, sender, date, and body solely to identify court filings and extract PDF attachments for processing. After processing, CourtFlow AI applies a "CourtFlow Processed" label to the email to prevent double-processing. This label application is the only modification made to your Gmail. CourtFlow AI does not read, modify, delete, archive, or access personal emails, drafts, sent mail, spam, or any emails not identified as court e-service. Email content is processed in transit and not permanently stored — only AI-generated metadata (document type, case number, parties, deadline) is retained.

gmail.send — Processing Notifications & Daily Briefing

CourtFlow AI uses gmail.send to send two types of emails to your firm team: (1) Per-document processing notifications — sent immediately each time a court e-service email is processed, summarizing the document type, case name, party information, and any extracted deadline. This gives the firm real-time confirmation that a document has been received and filed. (2) Daily briefing emails — sent once per morning, listing all court deadlines and filings due in the next 7 days organized by case. Both email types are sent only to configured recipients within your firm. CourtFlow AI never sends emails to external third parties, never forwards emails from your inbox, and sends no emails other than these two notification types.

drive.file — Court Document Filing & Folder Organization

CourtFlow AI uses the drive.file scope (https://www.googleapis.com/auth/drive.file) to create a folder structure in your Google Drive and upload court documents into it. This scope limits CourtFlow AI to accessing only files and folders that it has created — it cannot see, read, modify, or delete any of your pre-existing files, personal documents, or other directories. CourtFlow creates a main "CourtFlow" folder, organizes case-specific subfolders within it, and uploads processed court PDFs and AI-generated draft responses as Word documents. All folder reorganization (e.g., moving case folders during case merges) operates exclusively within this app-created hierarchy.

calendar — Deadline Events

CourtFlow AI uses the calendar scope to create deadline events in a dedicated "CourtFlow AI" calendar within your Google Calendar. Deadline events include the case name, deadline type, and due date extracted from processed court documents. CourtFlow AI does not read, modify, or delete any events in your primary calendar or any other existing calendars. Only the dedicated CourtFlow AI calendar is written to.

tasks — Deadline Tasks

CourtFlow AI uses the tasks scope to create deadline tasks in a dedicated "CourtFlow AI" task list in Google Tasks, providing a second tracking mechanism for court deadlines alongside calendar events. CourtFlow AI does not access, read, modify, or delete any tasks in your existing task lists or your default My Tasks list. Only the CourtFlow AI task list is written to.

4. Microsoft Graph API Data — Scope-by-Scope Disclosure

CourtFlow AI uses the following Microsoft Graph API permissions when users connect via Microsoft 365 / Azure AD. This section describes exactly what data each permission accesses, how it is used, and what is never accessed or stored.

Mail.ReadWrite — Outlook Read & Label

CourtFlow AI reads emails from your Outlook inbox to identify incoming court e-service emails, based on sender domain and subject line patterns. It reads the email subject, sender, date, and body solely to identify court filings and locate the court portal download link contained in the email. After processing, CourtFlow AI applies a "CourtFlow Processed" category to the email to prevent double-processing. This category application is the only modification made to your Outlook mailbox. CourtFlow AI does not read, modify, delete, archive, or access personal emails, drafts, sent mail, or any emails not identified as court e-service. Email content is processed in transit and not permanently stored — only AI-generated metadata (document type, case number, parties, deadline) is retained.

Mail.Send — Processing Notifications & Daily Briefing

CourtFlow AI uses Mail.Send to send two types of emails to your firm team: (1) Per-document processing notifications — sent immediately each time a court e-service email is processed, summarizing the document type, case name, party information, and any extracted deadline. This gives the firm real-time confirmation that a document has been received and filed. (2) Daily briefing emails — sent once per morning, listing all court deadlines and filings due in the next 7 days organized by case. Both email types are sent only to configured recipients within your firm. CourtFlow AI never sends emails to external third parties, never forwards emails from your inbox, and sends no emails other than these two notification types.

Files.ReadWrite.All — Court Document Filing

CourtFlow AI uses Files.ReadWrite.All to save PDF documents downloaded from court portal links to your OneDrive, organized into case-specific folders. CourtFlow AI writes only to the dedicated CourtFlow AI folder it creates within your OneDrive. It does not access, read, modify, or delete files outside of this folder. We acknowledge that Files.ReadWrite.All grants broader technical access than strictly required; we use it because the more limited Files.ReadWrite scope does not support the folder creation and organization required for reliable case filing. CourtFlow AI limits its actual usage to the CourtFlow AI folder only.

Calendars.ReadWrite — Deadline Events

CourtFlow AI uses Calendars.ReadWrite to create deadline events in a dedicated "CourtFlow AI" calendar within your Microsoft Calendar. Deadline events include the case name, deadline type, and due date extracted from processed court documents. CourtFlow AI does not read, modify, or delete any events in your primary calendar or any other existing calendars. Only the dedicated CourtFlow AI calendar is written to.

Tasks.ReadWrite — Deadline Tasks

CourtFlow AI uses Tasks.ReadWrite to create deadline tasks in a dedicated "CourtFlow AI" task list in Microsoft To Do, providing a second tracking mechanism for court deadlines alongside calendar events. CourtFlow AI does not access, read, modify, or delete any tasks in your existing task lists or your default Tasks list. Only the CourtFlow AI task list is written to.

User.Read — Account Identity

CourtFlow AI uses User.Read to read your Microsoft account name and email address for authentication and account identification purposes only. This data is used to create and manage your CourtFlow AI account. No other profile data is accessed.

5. Third-Party Services

CourtFlow AI integrates with the following third-party services:

• Google Workspace APIs — Gmail (court email detection, label application, daily briefing delivery), Google Drive (court document filing), Google Calendar (deadline events), Google Tasks (deadline tasks). Governed by Google's API Services User Data Policy. See Section 3 for scope-by-scope detail.
• Microsoft Graph API — Outlook (court email detection, category labeling, daily briefing delivery), OneDrive (court document filing), Microsoft Calendar (deadline events), Microsoft To Do (deadline tasks). Governed by Microsoft's API Terms of Use. See Section 4 for scope-by-scope detail.
• Google Gemini AI — Document analysis, natural language processing, case law citation generation, draft response generation, trial preparation content generation, case brief generation, and AI chat. Document content and case metadata are sent to Gemini for processing and are subject to Google’s AI data usage policies. Google does not use API data to train Gemini models.
• CourtListener (Free Law Project) — Case law citation verification. AI-generated case law citations are checked against CourtListener's legal database to verify accuracy. Only the citation text is sent to CourtListener; no client data, case details, or document content is shared.
• Supabase — Database hosting (PostgreSQL). All data encrypted at rest.
• Vercel — Application hosting and serverless function execution.
• Stripe — Payment processing and subscription management. We do not store credit card numbers. All payment data is handled by Stripe (PCI DSS Level 1 certified).
• Sentry — Error monitoring and performance tracking. May collect anonymized technical data (browser type, error stack traces) but never personal or legal content.
• Resend — Transactional email delivery (welcome emails, daily briefings, deadline alerts) and inbound email receiving for federal court NEF notifications. Your email address is shared with Resend for delivery purposes. For federal court processing, Resend receives NEF emails on a dedicated courtflow.ai subdomain and forwards them to our processing pipeline via webhook.
• Google Analytics — Website traffic analysis. Collects anonymized usage data including pages visited, session duration, geographic region, device type, and referral source. No personal, legal, or case-related data is shared with Google Analytics.
• PACER (Public Access to Court Electronic Records) — Federal court document retrieval. CourtFlow downloads court filing PDFs via one-time free-look URLs contained in NEF emails. No login credentials are used and no PACER account is maintained on your behalf.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

6. Data Storage & Security

Our database is hosted on Supabase with encryption at rest and in transit (TLS 1.3). Authentication tokens are encrypted using industry-standard JWT with rotating secrets. API routes are protected by rate limiting and role-based access controls.

Your court documents and case files are stored exclusively in your own Google Drive or OneDrive account. CourtFlow does not maintain copies of these files. If you disconnect CourtFlow, your files remain in your Drive exactly as they are.

7. Data Retention

• Account data: Retained while your account is active. Deleted within 90 days of account closure.
• Email analysis summaries: Retained while your account is active.
• Deleted items: Soft-deleted items are permanently removed after 30 days.
• Activity logs: Retained for 12 months for audit and troubleshooting purposes.

8. Your Rights

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Revoke OAuth access at any time from your Google or Microsoft account settings
• Export your data in a machine-readable format
• Opt out of non-essential communications

To exercise any of these rights, contact us at privacy@courtflow.ai.

9. Attorney-Client Privilege

CourtFlow AI is a tool for managing court documents and does not create an attorney-client relationship. We take the confidentiality of legal communications seriously. Our systems are designed to minimize data exposure — documents are processed in transit and stored only in your own cloud storage. However, you are responsible for ensuring your use of CourtFlow complies with your jurisdiction's rules of professional conduct regarding client data and cloud storage.

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes via email or through the application. Continued use of CourtFlow after changes constitutes acceptance of the updated policy.

Questions?

If you have questions about this privacy policy or how we handle your data, contact CourtFlow AI, Corp. at privacy@courtflow.ai.