← Back to Sued

Sued (suedalerts.com) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and otherwise handle your information when you use our service.

1. Information We Collect

We collect information in several ways:

1.1 Account Information

1.2 Watchlist Data

1.3 Alert and Filing Data

1.4 Payment Data

1.5 Technical and Usage Data

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery — to provide, maintain, and improve the Sued platform
• Account management — to authenticate you, manage your account, and process changes to your preferences
• Alert delivery — to monitor court filings, match them against your watchlist, and send you timely notifications via email, SMS, or Slack
• Billing and payments — to process subscriptions, send invoices, and manage your subscription tier
• Customer support — to respond to your inquiries and resolve issues
• Legal compliance — to comply with applicable laws and regulations
• Security — to detect, prevent, and address fraud and security threats
• Service improvement — to analyze usage patterns and enhance our features and performance

3. Information Sharing and Third Parties

We share your information with trusted third-party service providers who help us operate the Sued platform. Here's exactly what data each partner receives:

3.1 Stripe (Payment Processing)

Data shared: Email address, subscription information, payment method information

Stripe processes all credit card transactions and maintains PCI-DSS Level 1 compliance. We never see your actual credit card numbers. Stripe's Privacy Policy

3.2 Anthropic (AI Summaries)

Data shared: Public court filing text (case captions, Nature-of-Suit codes, cause-of-action descriptions, docket entries, and — for Protect Plus and Intelligence tier users — the text of complaints and docket sheets fetched from PACER).

What is NOT shared: No personal user data (your name, email, phone number, subscription status, payment information, watchlist, or any other account information) is sent to Anthropic.

We use Anthropic's API (the Claude family of models) to generate plain-English summaries and full case briefings of court filings. Anthropic's handling of data submitted via their API is governed by their Privacy Policy and their commercial terms; per those terms, Anthropic does not use commercial API inputs or outputs to train their models by default. The AI provider we use may change over time without prior notice, and this Privacy Policy will be updated when that happens.

3.3 PACER (Federal Courts)

Data shared: Our API credentials (not your personal data)

We query PACER on your behalf to retrieve federal court documents. PACER sees our authentication credentials, not your user information. PACER is operated by the U.S. Courts.

3.4 CourtListener (Free Law Project)

Data shared: API queries for court data enrichment

We use CourtListener's free, public API to enhance our court data. No personal information about you is shared with CourtListener.

3.5 AWS (Cloud Hosting)

Data shared: All application data and user information

Services used: ECS Fargate (application hosting), EFS (file storage), SES (email delivery), CloudWatch (logging)

Location: All data is stored in the us-east-1 (N. Virginia) AWS region. AWS is compliant with major security and privacy standards. AWS Privacy Policy

3.6 Twilio (SMS Alerts)

Data shared: The mobile phone number you provide and the content of each SMS alert message (which contains public court-filing information — case caption, court, docket number, and a short summary).

If you opt into SMS alerts, your phone number is transmitted to Twilio for message delivery. Twilio is our SMS delivery provider; they process the phone number and message solely for the purpose of delivering SMS to your carrier and are contractually prohibited from using it for independent purposes. Sued does not share or sell mobile opt-in data or phone numbers with any third party for marketing. You can opt out of SMS at any time through your notification preferences or by replying STOP to any alert message. Twilio's Privacy Policy.

Note: SMS availability is subject to carrier verification and approval. During pending verification windows, SMS delivery may be temporarily unavailable even if you have opted in.

3.7 Vercel (Frontend Hosting)

Data shared: Static assets and frontend code

Vercel hosts the Sued web application. No user data is stored on Vercel's servers. Vercel's Privacy Policy

3.8 Google Analytics (Product Analytics)

Data shared: Anonymized page-view and event data (which pages you visit, which features you use, approximate location at country/city level, device type, browser, and a randomly-assigned visitor identifier).

What is NOT shared: Your name, email, phone number, watchlist contents, alert content, or any personally-identifying account data.

We use Google Analytics 4 (GA4, Measurement ID G-WNEDFDG7FQ) on production pages only to understand how the Sued product is used and improve the experience. GA4 sets first-party cookies (e.g. _ga) in your browser. Browser-level tracker blockers (uBlock Origin, Brave Shields, etc.) reliably opt you out. Local development sessions never send to GA4. Google's Privacy Policy

3.9 Google Public DNS (Email Domain Validation)

Data shared: The domain portion of an email address you type during signup (e.g. example.com, not the full address) for an MX-record lookup over DNS-over-HTTPS.

When you enter an email during signup, we make a DNS-over-HTTPS request to dns.google/resolve to verify the domain has working mail servers. This catches typos and parked/squatted domains before you reach Stripe Checkout. Only the domain (not your full email or any account data) is sent. The check is debounced and runs once per typed email. Google Public DNS Privacy

3.10 ipapi.co (Login-Alert Geolocation)

Data shared: The IP address of the device that just signed in to your account.

When you successfully log in, we email you a security-alert notification with a coarse location ("Boston, Massachusetts, United States") so you can spot unauthorized sign-ins at a glance. To translate the IP into a city/region/country, we make a single HTTPS request to ipapi.co per login. No account information (your email, name, watchlist, etc.) is sent — only the IP of the signing-in device. ipapi.co's free tier does not require an account or API key. ipapi.co Privacy

3.11 X (Auto-Post Draft Queue — operator-only)

Data shared: No user data, no watchlist data, no notification data is ever sent to X.

Sued operates a small public X account (@suedalerts) that posts neutrally-phrased summaries of newly-filed federal court cases, drawn exclusively from the public administrative filings feed. Customer watchlist matches are never the source of these posts — there is no path by which subscribing to Sued exposes who you are watching. The posting pipeline includes a human-review queue and AI-drafted text uses neutral "alleges that" phrasing per legal-defamation guardrails.

3.12 Law Enforcement & Legal Requirements

We may disclose your personal information if required to do so by law, regulation, legal process, or governmental request, including but not limited to: subpoenas, court orders, search warrants, national security letters, or requests from law enforcement agencies. We may also disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to an emergency.

3.13 Business Transfers

If Sued is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your information.

3.14 Aggregated & De-identified Data

We may create aggregated, anonymized, or de-identified data from your information and usage of the service. This data cannot reasonably be used to identify you. We may use, share, and commercialize such aggregated data for any purpose, including product improvement, analytics, industry research, and business purposes, without restriction or obligation to you.

3.15 No Sale of Personal Data

We do not sell, rent, trade, or otherwise disclose your identifiable personal information to third parties for marketing or advertising purposes. We do not engage in advertising or ad-tracking. The only parties who receive your identifiable information are the service providers listed above, and only the data necessary for them to provide their services, along with disclosures required by law as described above.

4. Data Storage and Security

We take security seriously. Here's how we protect your information:

4.1 Password Security

• All passwords are hashed using bcrypt, a one-way cryptographic function
• Passwords are never stored in plaintext
• Even our administrators cannot recover or see your password

4.2 Authentication

• We use JSON Web Tokens (JWT) for user authentication, signed with a secret key held only on our servers.
• Tokens carry a token-version claim that allows server-side revocation — on password reset, logout, or a suspected security event, we can invalidate all existing tokens without requiring users to change passwords.
• Session tokens are stored in your browser's localStorage (not cookies), meaning they are not automatically sent to other sites.
• Email verification is required to log in. Accounts with unverified email addresses cannot access the platform.

4.3 Transport Security

• HTTPS everywhere — all communication between your browser and our servers is encrypted using TLS.
• HSTS (HTTP Strict Transport Security) — our servers instruct browsers to refuse insecure HTTP connections.

4.4 Server Security

• Security headers — we set a strict Content-Security-Policy (CSP), X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and a Permissions-Policy that locks down camera, microphone, geolocation, and payment APIs (except those explicitly required by Stripe Checkout) on all responses.
• Rate limiting — we throttle login, signup, password-reset, and search endpoints to limit brute-force and abuse attempts.
• Account lockout — 5 failed login attempts within a 10-minute window automatically locks the account for 15 minutes. The lockout fires a notification email so you know if someone is trying to access your account, with a password-reset link as an immediate escape valve.
• Application-level audit log — security-relevant events (logins, login failures, account lockouts, password resets) are recorded in a structured audit trail with IP, user-agent, and timestamp. The log is retained per the schedule in Section 5.
• Admin endpoints are gated by a separate admin API key and are not accessible to regular user accounts.
• Prompt-injection defenses — our AI summarization pipeline separates system instructions from untrusted court text using structured delimiters.
• Input validation — court identifiers and file paths are validated against a known-good allow-list before being used in requests to third-party systems. Email addresses are validated for format, MX records, and against a blocklist of disposable / throwaway email providers.
• Dependency scanning — every code change runs through automated CVE scans (pip-audit for Python, npm audit for JavaScript) and merges are blocked on high-severity findings.
• AWS infrastructure — hosted in AWS us-east-1 with encryption at rest (EFS volumes, RDS, S3) and encryption in transit (TLS 1.2+ on all endpoints). Daily backups of the application database are taken via AWS Backup with 30-day retention.

No system is perfectly secure. Despite these measures, no method of electronic transmission or storage is guaranteed to be 100% secure. We cannot and do not warrant the absolute security of your information and encourage you to use a strong, unique password for your Sued account.

5. Data Retention

We retain your information only as long as necessary:

• Account data — active subscription. Retained while your account is active.
• Account data — after cancellation (90-day grace). When you cancel, your account enters a 90-day grace period during which you can resubscribe and restore everything. On day 90, the account is soft-deleted: we mark it inactive, invalidate all session tokens, and stop sending alerts. Soft-deleted accounts can no longer be re-activated by you directly — contact support@suedalerts.com if you change your mind during this window.
• Account data — after soft-delete. Soft-deleted account data is retained for an additional 30 days, then permanently purged from our active database. Backups taken before the purge date may persist for up to 30 additional days under our backup-retention policy (below) before being overwritten.
• Alert and filing history — retained for the duration of your subscription. Unsaved alerts auto-expire after 14 days; saved alerts are retained until you unsave them or delete your account.
• Server logs — retained for 30 days in AWS CloudWatch, then automatically deleted.
• Audit log — security event records (logins, lockouts, password resets) are retained for up to 12 months for incident-investigation purposes, then automatically deleted.
• Database backups — we take daily snapshots of the application database via AWS Backup with 30-day retention. Backups are encrypted at rest and stored in the same AWS region as the primary database.
• Watchlist data — you can delete watchlist items at any time via the dashboard, and they are removed from our active systems immediately. Backup copies follow the 30-day retention above.
• Legal holds — notwithstanding the above, we may retain any information for longer periods as required by applicable law, regulation, legal process, or to resolve disputes and enforce our agreements.

6. Your Rights and Choices

You have the following rights regarding your personal information:

6.1 Right to Access

You can access all of your personal information at any time by logging into your Sued account dashboard.

6.2 Right to Correction

You can correct or update your account information (company name, email, phone number, notification preferences) directly in your account settings.

6.3 Right to Deletion

You can delete your account and all associated data at any time through the dashboard or by contacting support@suedalerts.com. Your data will be permanently deleted within 30 days.

6.4 Right to Export

You can export your watchlist and alert history at any time using the export feature in your dashboard or via our API.

6.5 Right to Opt-Out of Communications

You can modify your notification preferences at any time to disable email, SMS, Slack, or push notifications. You can also unsubscribe from marketing emails by clicking the unsubscribe link in any email we send.

6.6 Right to Know (CCPA)

If you are a California resident, you have the right to know what personal information we have collected about you. Contact us at support@suedalerts.com with the subject line "CCPA - Right to Know" to request this information.

6.7 Right to Delete (CCPA)

If you are a California resident, you have the right to request that we delete your personal information. Contact us at support@suedalerts.com with the subject line "CCPA - Right to Delete".

6.8 Right to Opt-Out of Sale (CCPA)

If you are a California resident, you have the right to opt-out of the "sale" of your personal information. We do not sell personal information, so this right is fully honored by default.

7. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights:

• Right to Know: You can request what personal information Sued has collected about you
• Right to Delete: You can request deletion of your personal information (with limited exceptions for legal compliance)
• Right to Opt-Out of Sale: You can opt-out of the "sale" of your personal information. Sued does not sell personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, please contact us at support@suedalerts.com with your request.

We will verify your identity before processing your request and respond within 45 days. If we cannot verify your identity, we will not process your request.

8. Children's Privacy

Sued is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have inadvertently collected personal information from a child under 18, we will promptly delete such information.

If you believe we have collected information from a child under 18, please contact us immediately at support@suedalerts.com.

9. International Data Transfers

Sued is based in the United States, and your personal information is processed and stored primarily in the United States, specifically in AWS us-east-1 (N. Virginia).

If you are located outside the United States, please understand that your personal information will be transferred to, stored in, and processed in the United States. By using Sued, you consent to this transfer and processing of your information in the United States.

The United States may not provide the same level of data protection as your home country. However, we implement industry-standard security measures to protect your data regardless of location.

10. Browser Storage (localStorage)

Sued uses your browser's localStorage to store two pieces of information locally on your device:

• sued_token — Your JWT authentication token, used to keep you logged in
• sued_admin_key — Your admin API key (if generated), for API access

Important notes:

• These items are stored only on your device in your browser's localStorage
• They are not cookies and are not transmitted to other websites
• They are only sent to our servers when you make a request to Sued
• You can clear localStorage at any time through your browser settings, which will log you out
• We do not use cookies for tracking, advertising, or analytics

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notice of changes: We will notify you of any material changes to this Privacy Policy by sending you an email at the email address associated with your account at least 30 days before the changes take effect.

Your continued use of Sued after such notification constitutes your acceptance of the updated Privacy Policy. We recommend reviewing this policy periodically to stay informed about how we protect your information.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

---

Sued is committed to your privacy. Thank you for trusting us with your court filing monitoring.