Privacy Policy
Last updated: June 2026 · Available in English, Română and Русский.
This Privacy Policy explains how ContractsMind (“we”, “us”) collects, uses, stores and protects your personal data when you use our AI contract analysis service. We are committed to complying with the EU General Data Protection Regulation (GDPR) and applicable local data-protection law.
1. Controller
ContractsMind is the data controller responsible for your personal data. For data-protection matters, contact our Data Protection Officer at [email protected].
2. Data we process
- Account data — name, email address, hashed password, language preference
- Uploaded documents — the contract files you submit for analysis (may contain personal data of third parties, e.g. parties to a contract)
- Analysis results — generated reports stored for your access
- Usage & transaction data — subscription, credits, document metadata, IP, audit events (no document content)
- Payment data — processed by Paddle / Victoriabank MD; we do not store full card numbers
3. Purposes & legal bases
- Providing the service (Art. 6(1)(b) contract) — analyzing your documents and delivering reports
- Billing & subscriptions (Art. 6(1)(b)/(c)) — processing payments and keeping records
- Security & fraud prevention (Art. 6(1)(f) legitimate interest) — malware scanning, audit logs, rate limiting
- Improvement & analytics (Art. 6(1)(f) legitimate interest, or consent for non-essential cookies) — only with anonymized/aggregated data
4. Encryption & storage
Files are encrypted with AES-256-GCM and stored in Cloudflare R2 (EU-oriented setup). Sensitive files use SSE-C with customer-provided keys. Files are accessible only to you via short-lived signed URLs (1-hour TTL). See our Security overview for technical detail.
5. Retention
- Uploaded documents: maximum 20 days, then permanent automatic deletion (or sooner if you delete them)
- Analysis reports: retained while your account is active; removed with account deletion
- Audit logs: metadata only (no document content), kept as long as necessary for security
- Billing records: retained as required by tax/accounting law
6. Your GDPR rights
- Access your data (Art. 15) and receive a copy (portability, Art. 20)
- Rectification of inaccurate data (Art. 16)
- Erasure / “right to be forgotten” (Art. 17) — one-click “Delete my documents” and “Delete my account & data”
- Restriction & objection to processing (Art. 18, 21)
- Withdraw consent at any time where processing is based on consent (Art. 7)
- Lodge a complaint with your supervisory authority (Art. 77)
To exercise any right, email [email protected]. We respond within one month (Art. 12).
7. Sub-processors & transfers
We use carefully selected sub-processors under Data Processing Agreements (DPAs), including Cloudflare (R2, EU-oriented), Paddle, Victoriabank MD, AI model providers and SendGrid. See the sub-processor list. Where data leaves the EEA, we rely on appropriate safeguards (e.g. Standard Contractual Clauses).
8. Children
ContractsMind is not intended for users under 16. We do not knowingly process their data.
9. Changes to this policy
We may update this policy. We will notify you of material changes in-app and/or by email. The “last updated” date above always reflects the current version.