Privacy Policy

1. Information We Collect

Account Information

When you create an account, we collect your full name, email address, and a hashed version of your password. We never store your password in plain text.

Uploaded Contracts

When you upload a contract for analysis, we store the document and its extracted text on our servers. This data is associated with your account and is not shared with third parties.

Usage Data

We collect basic usage information including the number of contracts analyzed per month, feature usage, and general interaction data to improve the Service.

Payment Information

Payment processing is handled by Stripe. We do not store your credit card number, CVV, or full card details on our servers. Stripe's privacy policy governs their handling of your payment data.

Categories of Personal Information Collected

• Identifiers: Name, email address, account ID
• Commercial information: Subscription plan, payment history (via Stripe)
• Internet activity: Pages visited, features used, interaction data
• Professional information: Uploaded contracts, company name, bio

2. Legal Basis for Processing (GDPR Article 6)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, and fulfill subscription obligations.
• Legitimate interests (Art. 6(1)(f)): Improving the Service, preventing fraud, ensuring security. We balance our interests against your rights and freedoms.
• Consent (Art. 6(1)(a)): Where required for non-essential cookies, marketing communications, and optional data processing. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): Where we are required by law to retain or disclose data (e.g., tax records, law enforcement requests).

3. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Service
• Process your contract analyses and generate risk reports
• Manage your account and subscription
• Send service-related communications (account verification, billing, security alerts)
• Respond to your support requests
• Detect and prevent fraud or abuse

4. What We Do NOT Do

• We do not sell your personal information or uploaded contracts to third parties
• We do not use your uploaded contracts to train our AI models without your explicit consent
• We do not share your contract content with other users
• We do not read your contracts manually (analysis is fully automated)
• We do not send marketing emails without your opt-in consent
• We do not share or sell personal information for cross-context behavioral advertising

5. Data Storage & Security

Your data is stored on secure servers hosted by Railway (backend) and Vercel (frontend). We use industry-standard security measures including:

• HTTPS encryption for all data in transit
• Bcrypt password hashing
• JWT-based authentication with short-lived tokens and httpOnly cookies
• PostgreSQL database with encrypted connections
• File isolation per user account
• Rate limiting to prevent abuse
• Security headers (X-Content-Type-Options, X-Frame-Options, CSP)

6. International Data Transfers

Our servers are located in the United States. If you are accessing the Service from the EEA, UK, or other regions with data transfer restrictions, please note that your data will be transferred to and processed in the United States.

We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for transfers of personal data from the EEA to the United States. By using the Service, you consent to this transfer.

7. Data Retention

Your uploaded contracts and analysis results are retained as long as your account is active. You may delete individual contracts at any time through the dashboard. Upon account deletion, all associated data (contracts, analyses, account information) will be permanently deleted within 30 days.

8. Third-Party Services

We use the following third-party services:

• Stripe — Payment processing (Stripe Privacy Policy)
• Railway — Backend hosting and database
• Vercel — Frontend hosting
• Google Analytics — Website analytics (Google Privacy Policy)

9. Cookies & Tracking

We use the following types of cookies:

• Essential cookies: Authentication tokens (httpOnly cookies and localStorage) required for the Service to function. These cannot be disabled.
• Analytics cookies: Google Analytics cookies to understand how visitors use our site. You can opt out via our cookie consent banner.

You can manage your cookie preferences through our cookie consent banner displayed when you first visit the site, or by adjusting your browser settings. Note that disabling essential cookies may prevent the Service from functioning properly.

10. Your Rights

Depending on your location, you have the right to:

• Access your personal data and uploaded contracts
• Delete your contracts and account at any time
• Export your analysis results in machine-readable format (available as DOCX, PDF, or TXT)
• Correct inaccurate account information
• Object to processing by contacting us
• Restrict processing of your personal data
• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent at any time where processing is based on consent

For EU/EEA Residents (GDPR)

You have additional rights under GDPR including the right to data portability, the right to restriction of processing, and the right to lodge a complaint with your local supervisory authority.

For California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of your personal information
• Opt out of the sale or sharing of personal information (we do not sell your data)
• Non-discrimination for exercising your privacy rights

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. To exercise any of your rights, contact us at privacy@clauseshield.app.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR requirements. Notification will include the nature of the breach, the data affected, and steps we are taking to address it.

12. Children's Privacy

ClauseShield is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top indicates the most recent revision.

14. Contact Us

For privacy-related questions, data access requests, or to exercise your rights, contact us at privacy@clauseshield.app.