Privacy Policy

Effective Date: March 10, 2026 · Version 1.0 · CCPA · BIPA · ECPA Compliant

Summary: EB-CASE is a platform for immigration law practices. We handle sensitive immigration data, biometric information, and attorney-client privileged communications. We take privacy extremely seriously and comply with all applicable US federal and state privacy laws.

1. Who We Are

EB-CASE ("we," "our," or "us") operates an AI-powered immigration case management platform ("Platform") for US immigration law offices ("Law Offices") and their clients ("End Users"). We are a data processor acting on behalf of Law Offices, which are the data controllers for their client data.

For questions about this Policy, contact us at: privacy@eb-case.com

2. Data We Collect

2.1 Account & Identity Data

Full name, email address, phone number (E.164 format), country of origin, password (hashed — never stored in plain text), and device information (for new device detection).

2.2 Immigration & Case Data

Visa application details, immigration status, personal narrative statements, case history, and all communications between clients and attorneys. This data is protected under attorney-client privilege and is only accessible to the designated attorney and their authorized team.

2.3 Documents

Uploaded identity documents (passports, diplomas, employment letters, etc.). Documents are encrypted with SSE-KMS (per-tenant keys) at rest and TLS 1.3 in transit. OCR text is extracted and indexed for AI analysis.

2.4 Biometric Data (Facial Recognition)

HIGH SENSITIVITY — BIPA/CCPA/CPRA Protected

If you consent, we collect a facial scan for identity verification. We store ONLY a mathematical hash of the facial template — the original image is NEVER stored. Biometric data is destroyed automatically 30 days after verification or upon account closure, whichever comes first. We never sell, trade, or profit from biometric data. Collection requires explicit written consent before use.

2.5 Payment Data

Payments are processed by Stripe (PCI-DSS Level 1 certified). We do not store raw card numbers. We retain tokenized payment references as required for legal and audit purposes.

2.6 Usage Data

IP address, browser/device type, session duration, feature interactions, and error logs — used for security, performance, and product improvement. Retained for 2 years, then automatically anonymized.

3. How We Use Your Data

  • Provide, maintain, and improve the Platform
  • Authenticate your identity and detect unauthorized access
  • Process immigration case documents and generate AI pre-screening analysis
  • Facilitate scheduling and payments between clients and attorneys
  • Send transactional notifications (appointment reminders, document status, payment confirmations)
  • Maintain immutable audit trails as required by law (7-year retention)
  • Comply with applicable legal obligations (subpoenas, court orders — reviewed by legal counsel)

We do not use your data for advertising, sell it to third parties, or use it to train general-purpose AI models.

4. AI Processing & Data

Our AI features (pre-screening, deep analysis, chat engine) process your data using the Claude API (Anthropic) and OpenAI APIs. Data sent to these services is governed by our data processing agreements with each provider. AI analysis results are stored per-case and accessible only to the assigned attorney team.

The AI assistant does not provide legal advice. It provides informational pre-screening only. All outputs include appropriate disclaimers.

Conversation history with the AI assistant is retained for the duration of the case plus 3 years, then anonymized.

5. Attorney-Client Privilege

All communications between clients and attorneys on this platform are protected by attorney-client privilege. Key protections:

  • Chat messages are encrypted end-to-end (AES-256 Signal Protocol). The server never holds decryption keys.
  • Platform employees have no access to privileged communication content.
  • Data is processed in volatile memory only — no persistent raw data beyond what the client explicitly submits.
  • All access to client data by the attorney team is logged in an immutable audit trail.
  • Government requests for privileged data are directed to legal counsel before any disclosure.

6. Data Sharing

We share data only with:

  • Your Law Office: Your assigned attorney and their authorized team members
  • Service Providers: AWS (hosting/storage), Stripe (payments), Anthropic/OpenAI (AI processing), Onfido/AWS Rekognition (identity verification) — all under strict data processing agreements
  • Legal Authorities: Only when required by valid legal process, after review by our legal counsel

We never sell personal data. We never share immigration data with non-authorized third parties.

7. Data Retention

Data Type | Retention | Legal Basis
Account data | Account duration + 3 years | FTC / CCPA
Immigration documents | Case duration + 7 years | INA / USCIS guidelines
Attorney-client communications | Case duration + 7 years | Attorney-Client Privilege
Biometric data (facial hash) | Verification + 30 days max | BIPA / CCPA
Payment records | Per PCI-DSS (tokenized) | PCI-DSS
Audit logs | 7 years (immutable) | SOC 2 / compliance
Usage/analytics data | 2 years then anonymized | CCPA / CPRA

8. Your Rights (CCPA / CPRA / VCDPA)

Depending on your state of residence, you may have the following rights:

  • Right to Know: What personal data we collect, use, and share
  • Right to Delete: Request deletion of your personal data (subject to legal holds)
  • Right to Correct: Request correction of inaccurate data
  • Right to Opt-Out: We do not sell data, so this does not apply
  • Right to Non-Discrimination: Exercising rights will not affect your service
  • Right to Portability: Receive a copy of your data in a portable format

To exercise your rights, email privacy@eb-case.com or use the Settings → Privacy section of the app. We respond within 45 days.

9. Security

We implement enterprise-grade security measures including:

  • TLS 1.3 for all data in transit + certificate pinning on mobile
  • AES-256 encryption at rest (SSE-KMS with per-tenant key rotation every 30 days)
  • End-to-end encryption for attorney-client communications (Signal Protocol)
  • Immutable audit logs (append-only, cryptographically signed, 7-year retention)
  • Multi-factor authentication mandatory for all attorney accounts
  • Penetration testing conducted semi-annually
  • AWS infrastructure in us-east-1 (primary) with failover to us-west-2

In the event of a data breach affecting your data, we will notify you within the timeframes required by applicable law (30 days for NY SHIELD Act, promptly for CCPA).

10. Cookies & Tracking

We use only essential cookies for session management and authentication. We do not use third-party advertising cookies. You may disable non-essential cookies through your browser settings without affecting core functionality.

11. Children's Privacy

The Platform is not directed to individuals under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact privacy@eb-case.com immediately.

12. Changes to This Policy

We will notify you of material changes via email and in-app notification at least 30 days before they take effect. Continued use after the effective date constitutes acceptance. You may review version history at any time.

13. Contact Us

For privacy questions, data requests, or concerns:

Email: privacy@eb-case.com

Data Protection Officer: dpo@eb-case.com

Response time: Within 45 calendar days