Privacy Policy
Effective date: March 1, 2026 · Last updated: March 1, 2026
1. Introduction
ClauseWarn ("we," "us," or "our") operates the ClauseWarn platform at clausewarn.com. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights under the Brazilian General Data Protection Law (LGPD), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
By using ClauseWarn, you agree to the practices described in this policy. If you do not agree, please do not use our service.
2. Data We Collect
2.1 Account Information
When you sign up, we collect:
- Email address
- Name (if provided via Google OAuth)
- Organization name
- Authentication credentials (managed by Supabase Auth)
2.2 Contract Data
When you upload a contract, we store:
- The original PDF file (in encrypted private storage)
- Extracted fields: vendor name, dates, financial terms, risk factors, and other metadata returned by our AI extraction pipeline
- File metadata: name, size, SHA-256 hash (for duplicate detection), page count
2.3 Usage Data
- Alert configuration and delivery logs
- Upload counts and billing status
- Timestamps of account activity
2.4 Payment Data
Payment information (credit card numbers, billing addresses) is collected and processed directly by Stripe. We store only a Stripe customer ID and subscription ID — never your card details.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR/LGPD) |
|---|---|
| Provide the ClauseWarn service (extraction, alerts, dashboard) | Performance of contract |
| Send alert emails before contract deadlines | Performance of contract |
| Process payments via Stripe | Performance of contract |
| Send transactional emails (account verification, password resets) | Performance of contract |
| Detect and prevent abuse (duplicate uploads, plan limits) | Legitimate interest |
| Improve the service (aggregate usage analytics) | Legitimate interest |
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except the sub-processors listed below.
4. Sub-Processors
We use the following third-party services to operate ClauseWarn. Each processes data only as necessary to provide their service.
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Anthropic (Claude API) | AI contract extraction | Contract text (sent per-extraction, not stored by Anthropic for training) | US |
| Supabase | Database, auth, file storage | All application data | US (us-east-1) |
| Stripe | Payment processing | Billing information, subscription status | US |
| SendGrid (Twilio) | Email delivery (alerts, transactional) | Email addresses, alert content | US |
| Vercel | Frontend hosting | HTTP requests, IP addresses | US |
| Railway | API hosting | HTTP requests, application logs | US |
5. AI Data Processing
When you upload a contract, the text content is sent to the Anthropic Claude API for extraction. Important details:
- Not used for training: Under Anthropic's API data policy (2025), API inputs and outputs are not used to train AI models. Data may be retained up to 30 days for trust and safety purposes only.
- Sent per-extraction: Contract text is sent only at the moment of extraction. It is not stored in Anthropic's systems beyond the retention period above.
- No persistent model memory: The AI does not remember your contracts between extractions. Each upload is processed independently.
6. Data Retention
- Active accounts: Your data is retained for as long as your account exists.
- Deleted accounts: When you delete your account via Settings or the API, all organization data (contracts, files, alert rules, alert logs, members) is permanently deleted. Stripe subscriptions are canceled.
- Backups: Supabase database backups may retain data for up to 7 days after deletion, after which it is permanently purged.
7. Your Rights
Under the LGPD (Brazil), GDPR (EU), and CCPA (California), you have the following rights:
- Access / Portability: Export all your data as JSON via the data export endpoint (
GET /my-data/export) or contact us. - Correction: Edit any contract field directly in the ClauseWarn dashboard.
- Deletion / Erasure: Delete your account and all associated data via the account deletion endpoint (
DELETE /my-data/delete-account) or contact us. - Objection: You can object to processing by contacting us. If we cannot address your objection, we will delete your account.
- Withdraw consent: You can withdraw consent at any time by deleting your account.
To exercise any of these rights, email privacy@clausewarn.com or use the self-service options in the app.
8. Security
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256 via Supabase)
- Row-level security (RLS) policies isolate each organization's data at the database level
- Contract files stored in a private Supabase Storage bucket with access control
- Authentication via Supabase Auth with secure session management
- API protected by JWT-based authentication on all endpoints
- Service key used only server-side; never exposed to the client
9. Cookies
ClauseWarn uses only essential cookies for authentication (Supabase session tokens) and user preferences (theme selection). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
10. International Transfers
Our infrastructure is hosted in the United States. If you access ClauseWarn from outside the US, your data will be transferred to and processed in the US. We rely on standard contractual clauses and equivalent safeguards where required by applicable law.
11. Children
ClauseWarn is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or a notice in the app. The "Last updated" date at the top indicates when this policy was last revised.
13. Contact
For questions about this Privacy Policy or to exercise your data rights:
- Email: privacy@clausewarn.com
- General support: support@clausewarn.com