Privacy Policy

2. Data We Collect

Personal Identification Data: When you create an account, we collect your full name, email address, telephone number (optional), company or organization name (optional), professional title (optional), and billing address. This information is necessary for account creation, service delivery, and communication purposes.

Document Data: When you upload contracts and legal documents for analysis, we process the content of these documents. This may include personal data of third parties referenced within the documents, such as names, addresses, contractual terms, financial information, and other details contained in the uploaded materials. You are responsible for ensuring you have the legal authority to share such documents with our service.

Usage and Technical Data: We automatically collect certain technical information when you interact with our platform, including your IP address, browser type and version, operating system, device identifiers, pages visited, features used, timestamps of interactions, analysis requests, and general usage patterns. This data helps us maintain, improve, and secure our service.

Payment Data: When you purchase credits or pay for our services, payment processing is handled by Stripe Payments Europe Limited ("Stripe"). We do not store complete credit card numbers, bank account details, or other sensitive payment information on our servers. Stripe collects and processes payment card data directly under PCI DSS compliance. We receive a Stripe Customer ID, the last four digits of the card, the card brand, and transaction metadata (amount, date, status) for accounting and customer support purposes.

Business Contact Data (Outreach Recipients): For our B2B cold outreach program, we collect publicly available business contact information (company name, business email address, contact role, public website) of organizations that may benefit from our service. This data is sourced from public registers, company websites, and industry directories. We do not collect personal email addresses (e.g. gmail.com, gmx.de) for outreach.

Communication Data: When you contact our support team, submit feedback, or reply to our outreach emails, we collect the content of your messages, your contact details, and any attachments you provide.

3. How We Use Your Data

Service Provision and Contract Analysis: Your data is used to provide our core service — AI-powered contract analysis. When you upload a document, our system processes the content to identify key clauses, potential risks, obligations, deadlines, and other relevant contractual elements. The analysis results are generated through artificial intelligence models and are presented to you through our platform interface.

Account Management and Communication: We use your personal identification data to create and manage your account, process your payments, send you important service notifications (such as analysis completion alerts, payment receipts, or security alerts), and respond to your support inquiries. We may also send optional product updates and feature announcements, which you can opt out of at any time.

Service Improvement and Analytics: We use aggregated and anonymized usage data to understand how our platform is used, identify areas for improvement, and develop new features. Document content is not used to train AI models. This processing is based on our legitimate interest in providing a high-quality service.

Legal Compliance and Security: We process personal data as necessary to comply with applicable legal obligations, respond to lawful requests from public authorities, enforce our Terms of Service, and protect the rights, property, and safety of ContractsGuard, our users, and the public. This includes fraud prevention, security monitoring, and audit purposes.

Business Outreach (B2B Cold Email): For business contacts at organizations that may benefit from our service, we send introductory cold emails on the basis of legitimate interest (Article 6(1)(f) GDPR). Every outreach email identifies our company, contains a working unsubscribe link, links to this Privacy Policy and our legal notice (Impressum), and respects opt-out requests immediately. We track only delivery, opens (via a 1x1 tracking pixel) and link clicks to measure engagement and adjust our sending frequency. Replies to outreach emails are processed by an AI classifier (Anthropic Claude Haiku) to route them to the appropriate person; the classifier output is not used to train AI models. Recipients may opt out at any time by clicking the unsubscribe link, replying STOP or "Abmelden", or contacting us at [email protected] — opt-outs are honored within 24 hours and the email address is added to a permanent suppression list.

4. Legal Basis for Processing

Contract Performance (Article 6(1)(b) GDPR): The processing of your personal data is necessary for the performance of the contract between you and ContractsGuard. This includes account creation, service delivery, contract analysis, payment processing, and customer support. Without this processing, we would be unable to provide our services to you.

Consent (Article 6(1)(a) GDPR): For certain processing activities, we rely on your explicit consent. This includes the processing of documents you voluntarily upload for analysis, the sending of optional marketing communications, the loading of opt-in web analytics, and the use of non-essential cookies. You have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Legitimate Interest (Article 6(1)(f) GDPR): We rely on our legitimate interests for service improvement through anonymized analytics, security monitoring and fraud prevention, the administration and management of our business operations, and our B2B cold outreach program targeting business contacts at organizations that may benefit from our service. We have conducted legitimate interest assessments for each of these activities and have determined that our interests do not override the fundamental rights and freedoms of data subjects.

Legal Obligation (Article 6(1)(c) GDPR): We process certain personal data as necessary to comply with legal obligations to which we are subject, including tax and accounting requirements, regulatory obligations, and responses to lawful requests from competent authorities.

5. Data Storage and Security

Our primary infrastructure is hosted by Hetzner Online GmbH in Falkenstein and Nuremberg, Germany. All personal data, uploaded documents, and analysis results are stored within the European Union. We do not transfer your personal data outside the European Economic Area (EEA) unless adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission. Uploaded documents are stored in our self-hosted MinIO object storage with AES-256-GCM encryption at rest; the encryption keys are held by our application and are not accessible to the storage layer or the hosting provider.

Data transmitted between your device and our servers is encrypted using TLS 1.3. Our infrastructure is monitored 24/7 for security threats. We conduct regular penetration testing and security audits and maintain a comprehensive security incident response plan.

Access to personal data within our organization is strictly limited to authorized personnel who require access for the performance of their duties. All employees and contractors are subject to confidentiality agreements and receive regular data protection training. We maintain comprehensive access logs and implement multi-factor authentication for all administrative access.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by Article 33 GDPR and will inform affected individuals without undue delay in accordance with Article 34 GDPR.

6. Third-Party Service Providers and Sub-Processors

We work with a small number of carefully selected service providers. Where they process personal data on our behalf, we have entered into a Data Processing Agreement (DPA) compliant with Article 28 GDPR. The current sub-processors are:

Anthropic, PBC (United States) — AI Model Provider: We use Anthropic Claude models for contract analysis (Claude Sonnet 4), document OCR / image text extraction (Claude Haiku Vision), outreach personalization, and reply classification (Claude Haiku). Document content and outreach inputs are processed via the Anthropic API and are not used to train Anthropic's models per their Commercial Terms. Anthropic acts as a data processor under a DPA; transfers to the US are covered by the EU–US Data Privacy Framework and Standard Contractual Clauses. Privacy policy: anthropic.com/legal/privacy.

Stripe Payments Europe Limited (Ireland) — Payment Processing: All paid transactions are processed by Stripe. Stripe collects and processes payment card data, billing addresses, and tax identifiers directly. ContractsGuard receives only a Stripe Customer ID, last-four digits of the card, card brand, and transaction metadata. Stripe acts as an independent controller for fraud prevention, regulatory compliance (KYC/AML), and tax reporting, and as a processor for payment execution on our behalf. Privacy policy: stripe.com/privacy.

Zoho Corporation B.V. (European Union) — Email Services: We use Zoho Mail (smtppro.zoho.eu, SMTP and IMAP, EU data center) for transactional email (account verification, password reset, payment receipts, analysis completion notifications), B2B outreach delivery, and outreach reply monitoring. Zoho processes email addresses, subjects, message bodies, and attachments as a data processor on our behalf under a DPA. EU data residency. Privacy policy: zoho.com/privacy.html.

Hetzner Online GmbH (Germany) — Hosting Infrastructure: Application servers, PostgreSQL database, MinIO object storage, Redis cache, and supporting infrastructure are hosted in Hetzner data centers in Falkenstein and Nuremberg, Germany. Hetzner does not have logical access to application data. DPA in place. Privacy policy: hetzner.com/legal/privacy-policy.

Cloudflare, Inc. (United States) — DNS, CDN, and Edge Security: Cloudflare routes and caches public website traffic, provides DNS resolution, TLS termination, and DDoS protection. Personal data processed: IP addresses, request metadata, browser headers. EU edge nodes are prioritized for European visitors. Transfers to the US are covered by Standard Contractual Clauses. Privacy policy: cloudflare.com/privacypolicy.

Functional Software, Inc. dba Sentry (United States) — Error Tracking: Sentry captures application stack traces and runtime exceptions to help us diagnose and fix bugs. Captured data may include IP addresses, partial request paths, user-agent strings, and limited user identifiers. Retention: 30 days. Transfers to the US are covered by Standard Contractual Clauses. Privacy policy: sentry.io/privacy.

Umami Analytics (self-hosted) — Web Analytics: We use Umami, a privacy-friendly, open-source analytics tool, self-hosted on our Hetzner infrastructure in Germany. Umami records anonymized page views, referrers, and screen sizes. It does not set tracking cookies, does not fingerprint visitors, and anonymizes IP addresses before storage. Analytics are loaded only after you grant consent through our cookie banner.

A current list of sub-processors is maintained in this section and updated whenever changes occur. We give reasonable advance notice of any new sub-processor and the opportunity to object on legitimate grounds.

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data. You may exercise these rights at any time by contacting us at [email protected] or through the settings in your account dashboard.

Right of Access (Article 15 GDPR): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access the personal data and receive a copy of it along with information about the processing. We will respond to access requests within 30 days.

Right to Rectification (Article 16 GDPR): You have the right to have inaccurate personal data corrected and incomplete personal data completed. You can update most of your personal information directly through your account settings.

Right to Erasure (Article 17 GDPR): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw your consent, or where the processing is unlawful. Please note that we may be required to retain certain data to comply with legal obligations or to establish, exercise, or defend legal claims.

Right to Data Portability (Article 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV) and to transmit it to another controller. This includes your account data, analysis history, and uploaded documents.

Right to Object (Article 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interests, including our B2B outreach program, or for direct marketing purposes. Where you object to processing for direct marketing or outreach, we will cease such processing immediately and add your email address to our permanent suppression list.

Right to Restriction of Processing (Article 18 GDPR): You have the right to request the restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when you have objected to processing pending verification of legitimate grounds.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

8. Data Retention

Account Data: We retain your account information (name, email, preferences) for as long as your account is active and for a period of 30 days after account deletion to allow for account recovery. After this period, your account data is permanently deleted from our active systems.

Uploaded Documents and Analysis Results: Documents you upload and the resulting analysis reports are retained for as long as your account is active. You may delete individual documents and their associated analyses at any time through your account dashboard. Upon account deletion, all documents and analysis results are permanently deleted within 30 days.

Payment and Billing Records: For tax and accounting compliance, we retain invoices, payment records, and related billing information for the period required by applicable law (typically 6–10 years from the end of the relevant fiscal year). This data is retained in a restricted archive with limited access.

Outreach Records: For B2B outreach recipients, we retain contact data, send/open/click metadata, and reply content for as long as we have a legitimate business interest — typically up to 24 months — or until you opt out, whichever comes first. After opt-out, we retain only the unsubscribe record (your email address on a permanent suppression list) indefinitely, to ensure we do not contact you again.

Server Logs and Security Data: Technical server logs, including IP addresses and access records, are retained for a maximum of 90 days for security and troubleshooting purposes. Security incident logs may be retained for up to 3 years to support investigation and legal proceedings.

Anonymized and Aggregated Data: Data that has been fully anonymized and cannot be attributed to any individual may be retained indefinitely for statistical analysis and service improvement purposes. This data does not constitute personal data under the GDPR.

9. Cookies and Tracking

ContractsGuard uses a minimal set of cookies. We do not use advertising cookies, social media tracking pixels, cross-site tracking, or behavioral profiling. We do not use Google Analytics, Facebook Pixel, or any third-party advertising tracker.

Strictly Necessary Cookies: We use session cookies to maintain your login state (JWT and refresh tokens) and to protect against cross-site request forgery (CSRF). These cookies are strictly necessary for the provision of our service and do not require your consent under Article 5(3) of the ePrivacy Directive.

Preference Cookies: We use a small number of functional cookies to remember your language preference, theme settings, and other user interface preferences. These cookies enhance your experience but are not strictly necessary. You can manage these cookies through your browser settings or account preferences.

Analytics (Umami — Opt-in): If you consent through our cookie banner, we load Umami, a self-hosted, privacy-friendly web analytics tool. Umami does not use tracking cookies, does not fingerprint visitors, and anonymizes IP addresses before storage. You can withdraw consent at any time through the cookie banner or your browser settings.

Outreach Email Tracking: If you receive a B2B outreach email from us, the message contains a 1x1 tracking pixel that logs delivery and open events, and outbound links are rewritten to log click events. This is disclosed in the email footer. You can disable image loading in most email clients and you can unsubscribe at any time via the link in every outreach email.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or sub-processor relationships. When we make material changes to this Privacy Policy, we will notify you by posting a prominent notice on our platform, sending you an email notification, or by other appropriate means at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about our data protection practices. The "Last Updated" date at the top of this policy indicates when it was most recently revised. Your continued use of our services after any changes to this Privacy Policy constitutes your acknowledgment of the changes.

11. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us using the following details:

Domaniai LLC Data Protection Officer Email: [email protected] General Support: [email protected] Website: www.contractsguard.app

EU Representative (Article 27 GDPR): Domaniai LLC is in the process of designating an EU representative. Until the appointment is published here, EU and EEA data subjects may exercise all rights described above by contacting our Data Protection Officer at the address above. We will update this section as soon as the EU representative is appointed.

You also have the right to contact the competent data protection supervisory authority. Depending on your location, you may contact the supervisory authority in your country or region.