
Privacy Policy

Last updated: February 28, 2026

1. Introduction and Controller Information

Welcome to ContractsGuard. We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, and all applicable data protection legislation. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our AI-powered contract analysis platform.

The data controller responsible for the processing of your personal data is Domaniai LLC, registered in New Mexico, USA. For any questions or concerns regarding data protection, you may contact our Data Protection Officer at privacy@contractsguard.eu. We comply with applicable US and EU data protection laws and regulations.

This Privacy Policy applies to all users of our platform, including visitors to our website, registered users, subscribers, and any person whose personal data we process in connection with the provision of our services. By using our services, you acknowledge that you have read and understood this Privacy Policy.

2. Data We Collect

Personal Identification Data: When you create an account, we collect your full name, email address, telephone number (optional), company or organization name (optional), professional title (optional), and billing address. This information is necessary for account creation, service delivery, and communication purposes.

Document Data: When you upload contracts and legal documents for analysis, we process the content of these documents. This may include personal data of third parties referenced within the documents, such as names, addresses, contractual terms, financial information, and other details contained in the uploaded materials. You are responsible for ensuring you have the legal authority to share such documents with our service.

Usage and Technical Data: We automatically collect certain technical information when you interact with our platform, including your IP address, browser type and version, operating system, device identifiers, pages visited, features used, timestamps of interactions, analysis requests, and general usage patterns. This data helps us maintain, improve, and secure our service.

Payment Data: When you subscribe to a paid plan or make a single purchase, all payment processing is handled by our authorized reseller, Paddle.com Market Ltd ("Paddle"), who acts as the Merchant of Record. We do not collect, store, or have access to complete credit card numbers, bank account details, or other sensitive payment information. All payment data is processed directly by Paddle in accordance with PCI DSS compliance standards.

Communication Data: When you contact our support team, submit feedback, or engage with us through any communication channel, we collect the content of your messages, your contact details, and any attachments you provide.

3. How We Use Your Data

Service Provision and Contract Analysis: Your primary data is used to provide our core service: AI-powered contract analysis. When you upload a document, our system processes the content to identify key clauses, potential risks, obligations, deadlines, and other relevant contractual elements. The analysis results are generated through artificial intelligence models and are presented to you through our platform interface.

Account Management and Communication: We use your personal identification data to create and manage your account, process your subscription, send you important service notifications (such as analysis completion alerts, subscription renewals, or security alerts), and respond to your support inquiries. We may also send you optional product updates and feature announcements, which you can opt out of at any time.

Service Improvement and Analytics: We use aggregated and anonymized usage data to understand how our platform is used, identify areas for improvement, develop new features, and optimize the performance and accuracy of our AI analysis models. This processing is based on our legitimate interest in providing a high-quality service.

Legal Compliance and Security: We process personal data as necessary to comply with applicable legal obligations, respond to lawful requests from public authorities, enforce our Terms of Service, and protect the rights, property, and safety of ContractsGuard, our users, and the public. This includes fraud prevention, security monitoring, and audit purposes.

4. Legal Basis for Processing

Contract Performance (Article 6(1)(b) GDPR): The processing of your personal data is necessary for the performance of the contract between you and ContractsGuard. This includes account creation, service delivery, contract analysis, payment processing, and customer support. Without this processing, we would be unable to provide our services to you.

Consent (Article 6(1)(a) GDPR): For certain processing activities, we rely on your explicit consent. This includes the processing of documents you voluntarily upload for analysis, the sending of optional marketing communications, and the use of non-essential cookies. You have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Legitimate Interest (Article 6(1)(f) GDPR): We rely on our legitimate interests for certain processing activities, including service improvement through anonymized analytics, security monitoring and fraud prevention, and the administration and management of our business operations. We have conducted legitimate interest assessments for each of these activities and have determined that our interests do not override the fundamental rights and freedoms of our users.

Legal Obligation (Article 6(1)(c) GDPR): We process certain personal data as necessary to comply with legal obligations to which we are subject, including tax and accounting requirements, regulatory obligations, and responses to lawful requests from competent authorities.

5. Data Storage and Security

All personal data and uploaded documents are stored on secure servers located within the European Union, specifically in data centers operated within Germany and the Netherlands. We do not transfer your personal data outside the European Economic Area (EEA) unless adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or an adequacy decision.

We implement industry-leading security measures to protect your data. All documents and personal data are encrypted at rest using AES-256, which is the same standard used by financial institutions and government agencies. Data transmitted between your device and our servers is encrypted using TLS 1.3. Our infrastructure is monitored 24/7 for security threats, and we conduct regular penetration testing and security audits.

Access to personal data within our organization is strictly limited to authorized personnel who require access for the performance of their duties. All employees and contractors are subject to confidentiality agreements and receive regular data protection training. We maintain comprehensive access logs and implement multi-factor authentication for all administrative access.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by Article 33 GDPR and will inform affected individuals without undue delay in accordance with Article 34 GDPR.

6. Third-Party Services

AI Analysis Provider: We use advanced AI language models to perform intelligent contract analysis. When you submit a document for analysis, the content is processed by our AI provider's systems to generate the analysis results. Our AI provider acts as a data processor on our behalf and is contractually bound by a Data Processing Agreement (DPA) that ensures compliance with GDPR requirements. Your document content is not used to train AI models when accessed through the provider's API. Data may be processed on servers located in the United States under Standard Contractual Clauses.

Google Cloud Vision: For documents uploaded as images or scanned PDFs, we use Google Cloud Vision API to perform Optical Character Recognition (OCR) to extract text content. Google acts as a data processor under a DPA. Processing occurs within the EU region where available. The image data is processed in real-time and is not retained by Google after processing is complete.

Paddle: All payment processing is handled by Paddle.com Market Ltd ("Paddle"), who acts as the Merchant of Record for all paid transactions. As the Merchant of Record, Paddle is an independent data controller for payment processing, tax collection, invoicing, and billing purposes. Paddle collects and processes payment information, billing addresses, and tax identifiers directly. ContractsGuard does not have access to your full payment details. For more information, please refer to Paddle's Privacy Policy at paddle.com/legal/privacy and Paddle's Buyer Terms at paddle.com/legal/terms.

Mailgun: We use Mailgun for transactional email delivery (such as account verification, password resets, and analysis notifications). Mailgun processes email addresses and message content as a data processor on our behalf under a DPA. Mailgun's servers are located in the EU.

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data. You may exercise these rights at any time by contacting us at privacy@contractsguard.eu or through the settings in your account dashboard.

Right of Access (Article 15 GDPR): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access the personal data and receive a copy of it along with information about the processing. We will respond to access requests within 30 days.

Right to Rectification (Article 16 GDPR): You have the right to have inaccurate personal data corrected and incomplete personal data completed. You can update most of your personal information directly through your account settings.

Right to Erasure (Article 17 GDPR): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw your consent, or where the processing is unlawful. Please note that we may be required to retain certain data to comply with legal obligations or to establish, exercise, or defend legal claims.

Right to Data Portability (Article 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV) and to transmit it to another controller. This includes your account data, analysis history, and uploaded documents.

Right to Object (Article 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing immediately.

Right to Restriction of Processing (Article 18 GDPR): You have the right to request the restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when you have objected to processing pending verification of legitimate grounds.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

8. Data Retention

Account Data: We retain your account information (name, email, preferences) for as long as your account is active and for a period of 30 days after account deletion to allow for account recovery. After this period, your account data is permanently deleted from our active systems.

Uploaded Documents and Analysis Results: Documents you upload and the resulting analysis reports are retained for as long as your account is active. You may delete individual documents and their associated analyses at any time through your account dashboard. Upon account deletion, all documents and analysis results are permanently deleted within 30 days.

Payment and Billing Records: In accordance with German commercial and tax law (HGB and AO), we are required to retain invoices, payment records, and related billing information for a period of 10 years from the end of the relevant fiscal year. This data is retained in a restricted archive with limited access.

Server Logs and Security Data: Technical server logs, including IP addresses and access records, are retained for a maximum of 90 days for security and troubleshooting purposes. Security incident logs may be retained for up to 3 years to support investigation and legal proceedings.

Anonymized and Aggregated Data: Data that has been fully anonymized and cannot be attributed to any individual may be retained indefinitely for statistical analysis and service improvement purposes. This data does not constitute personal data under the GDPR.

9. Cookies and Tracking

ContractsGuard uses a minimal set of cookies that are strictly necessary for the functioning of our platform. We do not use third-party tracking cookies, advertising cookies, or social media tracking pixels. We do not engage in cross-site tracking or behavioral profiling.

Essential Cookies: We use session cookies to maintain your login state and ensure the security of your session. These cookies are strictly necessary for the provision of our service and do not require your consent under Article 5(3) of the ePrivacy Directive. These cookies expire when you close your browser or after a configurable inactivity period.

Preference Cookies: We use a small number of functional cookies to remember your language preference, theme settings, and other user interface preferences. These cookies enhance your experience but are not strictly necessary. You can manage these cookies through your browser settings or account preferences.

We do not use Google Analytics, Facebook Pixel, or any other third-party analytics or advertising services. Any analytics we perform are based on server-side, privacy-preserving methods using anonymized data that cannot be linked back to individual users.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this Privacy Policy, we will notify you by posting a prominent notice on our platform, sending you an email notification, or by other appropriate means at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about our data protection practices. The "Last Updated" date at the top of this policy indicates when it was most recently revised. Your continued use of our services after any changes to this Privacy Policy constitutes your acknowledgment of the changes.

11. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us using the following details:

Domaniai LLC
Data Protection Officer
Email: privacy@contractsguard.eu
Website: www.contractsguard.app

You also have the right to contact the competent data protection supervisory authority. Depending on your location, you may also contact the relevant data protection supervisory authority in your country or region.