CaseLens processes sensitive legal case files on behalf of Kenyan legal advocates. This notice explains what data we collect, how we use it, who we share it with, and your rights under the Kenya Data Protection Act 2019 and Article 31 of the Constitution of Kenya 2010.
Last updated: May 2026
CaseLens is operated by Kennedy Isiaho (Kenya). For privacy matters, contact us at kenisiaho@gmail.com or +254 712 869 569.
Your organisation (the law office, chamber, or public authority using CaseLens) is the Data Controller for the case files uploaded. CaseLens acts as a Data Processor - we process data on your instruction and do not use it for our own purposes.
Account data: your name, email address, organisation, county, and court station - provided at registration.
Case metadata: case titles, charge types, court, offence dates, and status - entered by you.
Extracted document text: when you upload a PDF, we extract its text server-side for AI analysis. The original binary file is immediately discarded - only the extracted text is stored, and it is encrypted at rest using AES-256-GCM.
AI analysis outputs: evidentiary gaps, readiness scores, witness records, and generated briefs produced from your documents.
Usage and audit logs: records of actions taken on the platform (who ran analysis, when) for accountability.
We do not collect: payment card details (handled by M-Pesa / IntaSend directly), biometric data, or any data beyond what you upload.
Contract (DPA 2019, Section 3(c)): processing your account data and case metadata is necessary to provide the service you have contracted for.
Statutory duty / legitimate interests (DPA 2019, Section 3(e) and 3(f)): case files often contain personal data of third parties - accused persons, victims, witnesses - who are not CaseLens users. We process this data to support the lawful administration of justice by licensed advocates and public authorities.
Legal obligation (DPA 2019, Section 3(c)): audit logs are kept to meet accountability requirements under Kenyan law.
Case document text is sent to AI providers for analysis. The provider used depends on your settings:
Infrastructure providers: Neon (database, hosted on AWS us-east-1), Vercel (hosting, CDN). Both process data as sub-processors under standard data processing terms.
Cross-border transfer notice: data processed by cloud AI providers and stored in our database is held on servers in the United States. The USA does not have a Kenya DPA adequacy finding. We rely on contractual safeguards (provider data processing terms) and the legitimate interests of administering justice. For fully local processing with no external transfer, use the Ollama option in Settings.
Encryption at rest: extracted text is encrypted in the database using AES-256-GCM with a 256-bit key held separately from database credentials.
Encryption in transit: all connections use TLS.
Access controls: each organisation's data is strictly isolated. Users can only access cases belonging to their organisation.
Original files: uploaded PDFs are parsed server-side and immediately discarded. Binary files are never written to disk or cloud storage.
Active cases:retained for the duration of the case and for a period following closure, consistent with Kenya's criminal case record-keeping requirements (up to 7 years post-conclusion).
Audit logs: retained for 7 years.
Account data: retained while your account is active. Deletion requests are processed within 30 days.
When you delete a case in CaseLens, all associated files, analysis results, gaps, witnesses, evidence records, and generated briefs are permanently deleted from our database.
Under the Kenya Data Protection Act 2019 (Sections 44-50) and Article 31 of the Constitution of Kenya 2010, you have the right to:
Third parties whose data appears in case files (accused persons, victims, witnesses) may also exercise these rights. We will respond to all requests within 30 days.
To exercise any right, report a concern, or request deletion of your data, contact us at kenisiaho@gmail.com.
You may also lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya: www.odpc.go.ke.
We will update this notice when our practices change. Material changes will be communicated to registered users by email. Continued use of CaseLens after notice of a change constitutes acceptance.