Privacy Policy

We collect information in the following categories:

• Account data. When you sign up via Google OAuth, we receive your name, email address, and profile picture from Google. We store your email and display name to identify your account.
• Contract content. The descriptions, party names, clauses, and other text you provide when generating contracts. This content is submitted to our AI provider to generate your contract.
• Usage data. Log data including your IP address, browser type, pages visited, features used, and timestamps. We use this to improve the service and monitor for abuse.
• Billing data. Subscription and payment information is handled by Polar. We do not store your payment card details directly.

• Service delivery. To authenticate you, generate contracts, store your history, and process your subscription.
• AI processing. Your contract inputs are sent to OpenAI's API to generate contract text. See the AI Processing Disclosure section below.
• Service improvement. Aggregated, anonymised usage patterns help us improve features. We do not sell your data.
• Communications. We may send transactional emails (receipts, account security) and, if you opt in, product updates.

Your data is stored on servers located within the European Union. We use industry-standard encryption in transit (TLS 1.2+) and at rest. Access to production data is restricted to authorised personnel only.

Retention. We retain your account and contract data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where we are required to retain it by law.

We work with the following third parties who may process your data:

• Polar — subscription billing and payment processing. Polar's privacy policy applies to billing data.
• Google — authentication via Google OAuth. Google's privacy policy applies when you sign in.
• OpenAI — AI contract generation. Your contract inputs are processed per OpenAI's API terms.
• PostHog — product analytics and usage insights. PostHog tracks page views, feature interactions, and user flows in a pseudonymised manner. Data is stored on EU servers (eu.i.posthog.com). PostHog analytics are only loaded after you have given your consent via the cookie banner. See PostHog's privacy policy for full details.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

If you are in the EU or EEA, you have rights under the General Data Protection Regulation (GDPR):

• Access. Request a copy of your personal data.
• Correction. Ask us to correct inaccurate data.
• Deletion. Request deletion of your account and associated data.
• Export. Download your contracts at any time from your dashboard in PDF or DOCX format.
• Objection. Object to processing based on legitimate interests.
• Complaint. Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe we have violated your rights.

To exercise these rights, email privacy@contract.diy.

We process your personal data only where we have a valid legal basis under the General Data Protection Regulation (GDPR):

• Contract performance (Article 6(1)(b)). Account data, contract content, and billing information are processed to deliver the service you have subscribed to.
• Legitimate interests (Article 6(1)(f)). We process usage logs to improve our product and to detect and prevent abuse or fraud, where our interests are not overridden by your rights.
• Consent (Article 6(1)(a)). Analytics cookies (PostHog) and any marketing communications are only processed after you have given your explicit consent via the cookie banner or opt-in mechanism. You may withdraw consent at any time.
• Legal obligation (Article 6(1)(c)). Where required by applicable law, we may retain certain data to comply with legal or regulatory obligations.

We use essential cookies to keep you signed in and maintain your session. We do not use third-party advertising cookies. The cookies we set include:

• Session cookie — identifies your authenticated session. Expires when you sign out.
• Preference cookie — stores UI preferences (e.g. theme). Persists for 1 year.
• Analytics cookies (PostHog) — when you consent via the cookie banner, PostHog sets cookies to track page views, feature usage, and user flows in a pseudonymised manner. These cookies may persist for up to 1 year. They are non-essential and require your explicit consent before being set. You can withdraw consent at any time by clicking “Cookie Settings” in the footer.
• Consent cookie — stores your cookie consent preferences. Persists for 1 year.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top and, where appropriate, notify you by email. Your continued use of the service after changes take effect constitutes your acceptance of the updated policy.

We have not appointed a formal Data Protection Officer as we do not engage in large-scale systematic processing. You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Questions about this Privacy Policy or your data rights? Reach us at privacy@contract.diy or our contact page.