Data we collect (and don't)
For each report, Writrun stores: the judgment PDF you upload, the parsed judgment metadata (case number, court, debtor name and address as recorded by the court, judgment amount, date), the public-records findings we retrieve, the generated report, and the audit trail of which scrapers ran when.
We do not collect, request, or store: debtor Social Security numbers, dates of birth (beyond what appears in a public court record), driver's license numbers, financial-account numbers, or any consumer-report data subject to the FCRA.
Storage & encryption
Application data is hosted on Vercel and Neon, both US-based. Database storage is encrypted at rest with AES-256. All traffic — browser-to-app, app-to-database, app-to-subprocessor — uses TLS 1.3. Object storage for archived raw HTML and generated PDFs uses server-side encryption with rotated keys.
Access controls
Authentication uses Auth.js with passwordless magic links; there are no shared passwords. Roles are scoped per workspace (Owner, Attorney, Paralegal, Read-only) with row-level isolation between firms. Every report view, download, and export writes an entry to an immutable audit log. Engineering access to production data is logged, time-limited, and requires break-glass approval.
Retention
Reports and judgment PDFs are retained for seven years from generation to support the standard discovery and audit window in creditor's-rights matters. The raw scrape cache — archived HTML and JSON responses underlying each fact in a report — is retained for ninety days, after which only the hash is kept for citation integrity.
You can request deletion of a workspace at any time. Deletion is propagated to subprocessors within thirty days; legal-hold exceptions are documented in writing.
Subprocessors
The following vendors process Writrun data. We notify customers of additions or changes at least thirty days in advance.
| Vendor | Use | Region |
|---|---|---|
| Vercel | Hosting, edge, CI/CD | US |
| Neon | Postgres database (reports, accounts, audit log) | US-East |
| Anthropic | LLM synthesis of public-records findings | US |
| Stripe | Payment processing | US |
| Resend | Transactional email (report delivery, magic links) | US / EU |
| Browserbase | Headless browser execution for public-records scraping | US |
Incident response
Confirmed security incidents are disclosed to affected customers within twenty-four hours of confirmation, including a description of the affected data, a timeline, and the immediate remediation. A written post-incident report follows within ten business days.
Report security issues to security@writrun.ai. Responsible disclosure is acknowledged within one business day.