Privacy Policy
Last updated: April 1, 2026
1. Introduction
ContractScan Inc. ("ContractScan," "we," "us," or "our") operates the contractscan.com website and the ContractScan AI contract review platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Service.
We are committed to protecting your privacy and handling your data with transparency. By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please do not access or use the Service.
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide when you:
- Create an account: Name, email address, and password (or OAuth provider credentials when you sign in with Google or GitHub).
- Subscribe to a paid plan: Payment information (processed and stored securely by Stripe; we do not store your full credit card number).
- Upload contracts: The documents you upload for AI analysis. These may contain personal data, business terms, and other sensitive information.
- Contact us: Any information you include in support requests, feedback, or correspondence.
- Use team features: Team member names and email addresses when you invite colleagues.
2.2 Information Collected Automatically
When you access the Service, we automatically collect:
- Device and browser information: Browser type, operating system, device type, screen resolution, and language preferences.
- Usage data: Pages visited, features used, time spent on pages, click patterns, and navigation paths.
- Log data: IP address, access timestamps, referring URLs, and error logs.
- Cookies and similar technologies: Session identifiers, authentication tokens, and preference data. See Section 7 for our Cookie Policy.
3. How We Use Your Information
We use collected information for the following purposes:
- Provide the Service: Process your uploaded contracts through our AI analysis engine and generate risk assessments, health scores, and reports.
- Manage your account: Authenticate your identity, manage subscriptions, process payments, and maintain your contract library.
- Improve the Service: Analyze usage patterns to improve features, fix bugs, and enhance the user experience. We use aggregated, anonymized data for this purpose.
- Communicate with you: Send transactional emails (account verification, password resets, analysis completion notifications), respond to support inquiries, and provide service-related announcements.
- Marketing: With your consent, send newsletters and product updates. You can unsubscribe at any time.
- Security and compliance: Detect fraud, enforce our Terms of Service, and comply with legal obligations.
4. How We Handle Uploaded Contracts
Your contracts contain sensitive business information. We treat uploaded documents with the highest level of care:
- Processing only: Uploaded contracts are processed solely to provide you with the AI analysis you requested. We do not read, review, or access your contracts for any other purpose.
- No training on your data: We do not use your uploaded contracts to train, fine-tune, or improve our AI models. Your documents are never used as training data.
- Encryption: Contracts are encrypted in transit (TLS 1.3) and at rest (AES-256). Access is restricted to automated processing systems.
- Retention: Uploaded contracts and analysis results are retained in your account until you delete them or close your account. Upon account closure, all associated data is permanently deleted within 30 days.
- No sharing: We never share, sell, or provide access to your uploaded contracts to any third party, except as required by law with proper legal process.
5. Data Sharing and Disclosure
We do not sell your personal information. We share information only in these limited circumstances:
- Service providers: We use trusted third-party services to operate our platform, including Stripe (payment processing), Supabase (database and authentication), Vercel (hosting), and AI model providers (contract analysis). These providers are contractually bound to protect your data and use it only as instructed.
- Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
- Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction. We will notify you of any such change.
- With your consent: We may share information with third parties when you explicitly authorize us to do so.
6. Data Security
We implement industry-standard security measures to protect your data:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Regular security assessments and penetration testing
- Role-based access controls following the principle of least privilege
- Multi-factor authentication for internal systems
- Automated monitoring for unauthorized access attempts
- Regular backups with encrypted storage
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
7. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential cookies: Required for authentication, session management, and core functionality. These cannot be disabled.
- Analytics cookies: Help us understand how visitors interact with the Service. We use privacy-respecting analytics that do not track users across websites.
- Preference cookies: Remember your settings such as dark mode preference and language.
We do not use third-party advertising cookies or cross-site tracking technologies.
8. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your personal data and uploaded contracts.
- Portability: Request your data in a portable, machine-readable format.
- Objection: Object to processing of your data for certain purposes.
- Withdraw consent: Where processing is based on consent, withdraw your consent at any time.
To exercise any of these rights, contact us at privacy@contractscan.com. We will respond within 30 days.
9. GDPR Compliance (EEA Users)
If you are in the European Economic Area, we process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide the Service you requested.
- Legitimate interest: Processing necessary for our legitimate business interests (service improvement, security) where those interests are not overridden by your rights.
- Consent: Processing based on your explicit consent (marketing emails).
- Legal obligation: Processing required to comply with applicable laws.
You may lodge a complaint with your local data protection authority if you believe your rights have been violated.
10. CCPA Compliance (California Users)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected, used, and shared.
- Right to delete personal information held by us.
- Right to opt out of the sale of personal information. Note: we do not sell personal information.
- Right to non-discrimination for exercising your privacy rights.
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete that information promptly.
12. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, for international data transfers.
13. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion, we permanently delete your data within 30 days, except where retention is required by law (e.g., financial records for tax purposes).
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and, for significant changes, by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
ContractScan Inc.
Email: privacy@contractscan.com
Website: contractscan.com