Legal

Privacy Policy

Last updated: 23 April 2026  ·  Effective: 23 April 2026  ·  Version 1.2

Plain English summary

1. Who We Are — Data Controller

CaseworkAI is a free document generation tool for frontline social workers and NGO case managers, operated as a community project.

Data Controller: Tom R. (operating as CaseworkAI)

Website: https://caseworkai.org

Contact: hello@caseworkai.org

ICO Registration (UK): CaseworkAI is registered with the UK Information Commissioner’s Office (ICO) under the Data Protection Act 2018. Registration number: ZC132263. This registration confirms CaseworkAI’s compliance obligations as a data controller under UK GDPR.

2. What Data We Process and Why

2a. Document generation — your case notes

Lawful basis: Legitimate interests (Art. 6(1)(f) UK GDPR) / Performance of service

When you submit the form you provide your name, job title, organisation, email address, a date, a client reference and your rough notes. This is used solely to generate your draft document and is permanently deleted immediately after delivery. No copy is retained by CaseworkAI.

We strongly advise using client initials or reference codes only — never full client names. The system is designed to work without identifying information.

2b. Special category data

Art. 9 UK GDPR — equivalent provisions apply in all target jurisdictions

Case notes may contain special category personal data including health information, details of criminal proceedings, mental health, domestic circumstances and information about children. We process this data only to generate your document. It is not stored, reviewed by humans or used for any other purpose. It is deleted immediately after delivery. We do not use case note content to train AI models.

2c. Children’s data

CaseworkAI does not store any data relating to children. All submitted content is permanently deleted after document generation. Workers must never include a child’s full name in submissions.

2d. Your email address

Used only to deliver your document. Not added to any mailing list, not shared with third parties, not retained after delivery.

2e. Analytics cookies

Lawful basis: Consent (Art. 6(1)(a) UK GDPR)

If you accept our cookie banner, Google Analytics (GA4) collects anonymised data about how visitors use the site — pages visited, time on site, approximate region. No personally identifiable information is collected. You can decline at any time.

3. Retention Periods

4. Third-Party Processors

We do not sell or share your data for commercial purposes. CaseworkAI runs on a self-hosted serverless function — there is no form provider, no workflow automation platform, no third-party email platform holding your notes. The minimal set of processors involved:

5. International Data Transfers

Submissions are processed via systems that may involve transfer to the United States (Anthropic, Resend, Netlify). These transfers are governed by Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) where applicable. The zero-retention design means your data is processed transiently and deleted — it is not stored in any jurisdiction.

6. Jurisdiction-Specific Compliance

CaseworkAI is used by workers in multiple countries. The following national data protection laws are relevant to our users and are acknowledged in this policy:

| Country | Applicable Law | Key Provisions Addressed |
| --- | --- | --- |
| United Kingdom | UK GDPR & Data Protection Act 2018 | ICO registered (Reg. ZC132263), lawful basis, special category data, subject rights, SCCs for US transfers |
| Kenya | Data Protection Act No. 24 of 2019 (ODPC) | Lawful basis for processing, data minimisation, cross-border transfer safeguards, sensitive personal data protections, zero-retention design |
| Uganda | Data Protection and Privacy Act 2019 | Lawful basis, data subject rights, processing limitations, security obligations |
| Nigeria | Nigeria Data Protection Regulation 2019 (NDPR) & Nigeria Data Protection Act 2023 | Lawful basis, data minimisation, cross-border transfers, sensitive data obligations |
| Romania | EU GDPR (as EU member state) & national implementation | Full EU GDPR compliance applies — same framework as UK GDPR with SCCs for US processors |
| Colombia | Law 1581 of 2012 (Habeas Data) & Decree 1377 of 2013 | Authorisation for data processing, data subject rights, cross-border transfer requirements, sensitive data protections |
| Ghana | Data Protection Act 2012 (Act 843) — Data Protection Commission | Lawful basis, data subject rights, sensitive personal data protections, cross-border transfer obligations |
| South Africa | Protection of Personal Information Act 2013 (POPIA) — Information Regulator | Lawful processing, special personal information (incl. health/children) protections, data subject rights, cross-border transfer rules |
| Rwanda | Law N° 058/2021 on the protection of personal data and privacy | Lawful basis, data subject rights, sensitive personal data protections, cross-border transfer authorisation requirements |
| Philippines | Data Privacy Act 2012 (RA 10173) — National Privacy Commission (NPC) | Lawful processing, sensitive personal information protections, data subject rights, cross-border transfer obligations |

Users in all jurisdictions benefit from the same zero-retention design — your notes are processed and immediately deleted regardless of where you are located. Where national law requires specific registration or local safeguards beyond what is described here, we encourage organisations to contact us at hello@caseworkai.org to discuss their requirements.

7. Your Rights

Under UK GDPR and equivalent national legislation you have the right to access your data, to erasure, to rectification, to restrict processing, to data portability, to object to processing, and to withdraw consent. To exercise any right, contact hello@caseworkai.org. We respond within 30 days. You may also complain to the UK ICO at ico.org.uk or to your national supervisory authority.

8. Data Processing Agreements for Organisations

Art. 28 UK GDPR — equivalent provisions in all target jurisdictions

For NGOs and organisations deploying CaseworkAI for their teams

If your organisation directs staff to use CaseworkAI you may require a written Data Processing Agreement (DPA) under Art. 28 UK GDPR or equivalent national law. A standard one-page DPA is available covering: subject matter of processing, data types, retention, security measures, sub-processors, audit rights and deletion obligations.

To request a DPA email hello@caseworkai.org with the subject “DPA Request — [Organisation Name]”. We respond within five working days.

9. Security

All data is transmitted via HTTPS. No case note content is stored persistently. API credentials are secured and not exposed client-side. Access to processing systems is restricted to the operator. If you become aware of a security concern contact hello@caseworkai.org immediately.

10. Children

CaseworkAI is a professional tool for qualified social workers and case managers aged 18 or over. It is not directed at children. Due to zero-retention design, any data inadvertently submitted by or about a child is immediately deleted. Contact hello@caseworkai.org if you have concerns.

11. Changes to This Policy

Material changes will be noted at the top of this page with a new effective date. Continued use after changes are posted constitutes acceptance.

12. Governing Law

This policy is governed by the laws of England and Wales. We acknowledge and respect applicable national data protection legislation in all jurisdictions where CaseworkAI is used, including those listed in Section 6.

Data protection queries

Rights requests, DPA requests or any data question:

hello@caseworkai.org

Rights requests: 30 days. All other queries: 5 working days.