Privacy Policy
Last updated: April 20, 2026
This policy explains how ContractHQ (operated by SweetWater Holding UG (haftungsbeschränkt)) (“ContractHQ”) collects, stores, and uses your data in relation to ContractHQ products, services, events, websites, and applications (“Services”). We are based in Hamburg, Germany, and process data in accordance with the EU General Data Protection Regulation (“GDPR”), the German Federal Data Protection Act (“BDSG”), the UK General Data Protection Regulation (“UK GDPR”), the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Australian Privacy Act 1988 (Cth), the New Zealand Privacy Act 2020, and applicable US state privacy laws including, but not limited to, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and any other privacy and data protection laws that apply to the processing of data by ContractHQ when providing the Services.
1. Data controller
SweetWater Holding UG (haftungsbeschränkt)
Bunsenstraße 1, 22765 Hamburg, Germany
Email: jane@contracthq.app
See our Imprint for full company details.
2. What data we collect
We collect the following data:
- Account data: we collect data about you when you create an account with us, such as name, email, authentication credentials (hashed passwords or federated identity tokens), organization name, and role.
- Waitlist data: we collect data when you join our waitlist, such as email, optional name, optional company, and any optional message you send us.
- Contract data: we collect the contract files you upload (PDF / DOCX) or the webpage content at URLs you provide, filename, size, and the metadata our AI extracts (counterparty, dates, notice period, renewal terms, commercial terms, and other structured fields that you provide).
- Billing data: when you subscribe to a paid plan, payment processing is handled entirely by our merchant of record. We receive subscription status, plan type, and billing email via webhook - but we never process or store your payment card number, CVV, or bank details.
- Usage logs: we collect data submitted to us through the use of the Services, including server-side logs of API requests (IP address, user-agent, timestamp, route) retained for up to 30 days for security and debugging.
- Sales and marketing data: we collect data you provide for promotional communications, such as names, email address, phone number, or address.
- Support data: we collect data you provide to us when you open a support request or otherwise communicate with us, such as name, email, your role, organization name, and any other data you provide in your request.
- Device data: we collect data about your computer or device when you access the Services, such as browser type, IP address, or device location.
- Cookies and similar technologies: we use cookies and similar technologies (like web beacons and pixels) to collect data about your interaction with our website and the Services, including identifiers, usage data, session information, links clicked, pages visited, and other data related to your interaction with our website.
- Data we collect from third parties: we may receive information about you from third parties that provide business information to us or from public sources like LinkedIn. This data includes name, email, phone number, organization name, role, and social media profile. We may combine this data with data we collect through other sources.
3. How we use your data
We use your data for the following purposes:
- To provide the Services. We use your data to provide, maintain, and improve the Services, including improving our AI extraction accuracy and prompts, sending transactional emails (reminders, invitations, verifications), and managing your account and support requests.
- For security. We use your data to maintain and increase security, for fraud prevention, and for debugging.
- To improve and create new Services. We use data to improve the Services, including to monitor and analyze trends, usage, and other activities in connection with the Services, so that we can continually improve them or create new ones. We generate aggregated, de-identified analytics to improve the Services. Aggregated data cannot be used to identify you or your organization.
- To market and promote the Services. We use your data to send you promotional messages and to show you advertisements. This may also include using your data for personalized advertising.
- To measure ad performance and attribute conversions effectively. We use data, in hashed form, to measure the effectiveness of our advertising campaigns and to improve campaign performance and attribution accuracy.
- To comply with legal obligations. We may use data to comply with our legal requirements such as tax and accounting purposes.
- With your consent. Finally, we use your data for any other purposes that you have consented to. For example, if you agree to be named as a featured customer, we might post data about you on one of our public websites.
We will not process your data for purposes materially different from the above without providing you with the opportunity to opt out.
4. How we share data
We will not share your data with third parties except as follows.
- Service providers. We use third-party service providers who work on our behalf, including to provide hosting services, authentication services, cybersecurity, anti-fraud services, and advertising, which may require us to share your data.
- Payment services. We use Lemon Squeezy, LLC to receive and process payments in relation to the use of our Services. Lemon Squeezy, LLC acts as an independent controller of the personal information received when it provides these services. More information about how Lemon Squeezy processes personal information is available in Lemon Squeezy's Privacy Policy.
- For legal reasons. In rare cases, we may share your data in response to a request for information if we believe disclosure is permitted or required by an applicable law, regulation, or legal process, including to comply with a subpoena or applicable court order. Further, we may share your data with any person to whom disclosure is necessary to enable us to enforce our rights under this privacy policy or under any agreement we enter with you or to protect the rights, property, or safety of ContractHQ or third parties.
- Business transfers. We may share your information in connection with, or during negotiations of, any merger, sale of ContractHQ assets, financing, or acquisition of all or a portion of our business by another company.
- Affiliates. We may share your data with our affiliate companies who may act for us for any of the purposes set out in this privacy policy, including our current and future parents, affiliates, subsidiaries, and other companies under common control and ownership.
- Marketing and analytics. We may share your data with analytics, advertising, and search-engine providers that assist us in measuring, improving, and optimizing our marketing campaigns and websites.
- Social media. Some of our websites may contain social-sharing widgets or features that let you share data you find on our websites on third-party sites, including, for example, Twitter, Facebook, TikTok, LinkedIn, and YouTube. By doing so, you authorize us to facilitate this sharing of data, and you understand that the use of shared data will be governed by the social media provider's privacy notice.
- Consent. We may share your data with your consent or at your direction.
5. How long we keep your data
We only keep your data for as long as necessary to fulfill the purposes we collected it for, after which it will be deleted or archived unless we are required to keep it to comply with our legal obligations or for another legitimate and lawful purpose. In some cases, we may anonymize your data so that you are no longer identifiable, in which case we may use the resulting data without further notice to you.
We have established the following retention periods:
- Active accounts: as long as your account is open.
- Closed accounts: deleted within 30 days, except where statutory retention obligations apply (e.g. § 257 HGB / § 147 AO for billing documents - up to 10 years).
- Waitlist entries: kept until you ask us to delete them.
- Server logs: 30 days.
6. Your choices
You have choices about how we collect and use your data.
- Account data. You may access, update, or change your account data by logging into your account or by emailing us at jane@contracthq.app. Subject to the terms of your agreements with us, you may deactivate or delete your account by emailing us at jane@contracthq.app, but we may retain certain data as necessary to comply with our legal obligations or for legitimate business purposes, such as to resolve disputes or enforce our agreements.
- Advertising. You may opt out of receiving promotional emails from us by following the instructions in those emails or by emailing us at jane@contracthq.app or by completing our Data Subject Rights intake form. If you opt out of receiving promotional communications, we may still send you non-promotional emails, such as those about your account or our ongoing business relationship.
7. Where your data lives (sub-processors)
To operate the Services we rely on a small number of third-party processors, each bound by a Data Processing Agreement if required under data protection laws. We use Standard Contractual Clauses to transfer any data outside the European Economic Area. We use the following categories of providers:
- Authentication provider (EU/US): stores authentication credentials. Data may be processed in the EU and the United States. Transfer mechanism: Standard Contractual Clauses.
- File storage provider (EU): stores your uploaded contract files in European data centers.
- Database and infrastructure provider (Germany): stores account, waitlist, and contract metadata in German data centers.
- AI / LLM API provider (US): processes contract content to extract structured metadata. Content is transmitted for the duration of the extraction request only and is not used to train models. Transfer mechanism: Standard Contractual Clauses.
- Transactional email provider (US): delivers invitations, reminders, and billing notifications. Transfer mechanism: Standard Contractual Clauses.
- Application hosting provider (US/EU): hosts the web application and serverless functions. Transfer mechanism: Standard Contractual Clauses.
- Web analytics (Germany): privacy-focused, cookie-free analytics. We run our own instance; no data is sent to a third-party analytics company.
- Merchant of record for payments (US): processes card payments, invoices, sales tax, and VAT on our behalf. We do not collect or store your payment card details.
The named list of current sub-processors, including the specific legal entities and data-transfer mechanisms, is available to customers inside the app once you sign up. Non-customers can request a copy by emailing jane@contracthq.app.
8. Supplemental notice for the EEA, UK, and Switzerland
This section provides additional details about the personal data we process subject to the General Data Protection Regulation (GDPR) and the UK GDPR.
Controller of your information
SweetWater Holding UG (haftungsbeschränkt) is the data controller of your personal information.
Legal basis for processing personal data (Art. 6 GDPR)
We process your personal information on one of the following legal bases:
- Account, waitlist, and contract data: Art. 6(1)(b) - performance of a contract (providing the service you signed up for).
- Service improvement and AI prompt optimization: Art. 6(1)(f) - legitimate interest in improving the accuracy and quality of the Service.
- Server logs and security telemetry: Art. 6(1)(f) - legitimate interest in operating a secure service.
- Marketing emails (if you opted in): Art. 6(1)(a) - your consent, which you can revoke at any time.
International data transfers
Some sub-processors above are based outside the EU/EEA. Where applicable we rely on the European Commission's Standard Contractual Clauses and additional safeguards for data transfers to third countries.
Your rights under the GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15 GDPR)
- Correct inaccurate data (Art. 16 GDPR)
- Erase your data (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing based on legitimate interest (Art. 21 GDPR)
- Withdraw consent at any time (Art. 7(3) GDPR)
- Lodge a complaint with a supervisory authority (Art. 77 GDPR) - for German residents, this is your state Datenschutzbehörde. You may lodge a complaint with a data protection authority for your country or region where you have your habitual residence, where you work, or where an alleged infringement of applicable data protection law occurs. A list of EEA data protection authorities is available here, and the contact details for the UK Information Commissioner's Office are available here.
To exercise any of these rights, email jane@contracthq.app or complete our Data Subject Rights intake form.
9. Supplemental notice for the United States
If you are a California resident, or a resident of another US state with applicable privacy legislation, you may have the following rights:
- Right to know: you can request the categories and specific pieces of personal information we have collected about you.
- Right to delete: you can request deletion of your personal information, subject to certain exceptions.
- Right to correct: you have the right to correct errors in your personal information.
- Right to update: you have the right to request that inaccurate personal information we hold about you be corrected.
- Right to opt-out of sale or sharing: you have the right to opt out of behavioral or targeted advertising, automated profiling, and sales of your personal information.
- Right to non-retaliation: we will not retaliate against you for exercising your privacy rights.
- Right to restrict the use and disclosure of your sensitive information: you have the right to request that we limit our use and disclosure of your sensitive personal information.
If you or your authorized agent wishes to exercise any of these rights, please complete our Data Subject Rights intake form or email us at jane@contracthq.app. Please note that we may ask you or your agent to provide us with additional information to confirm your identity. If you submit a request to exercise one of the above rights and you disagree with our decision regarding your request, you may have the right to appeal our decision under applicable law. To do so, please reply to our response.
Categories of personal information collected
The personal information that we've collected in the past 12 months falls into the following categories specifically established under the California Consumer Privacy Act, as amended (the CCPA):
- Identifiers such as a real name, postal address, organization name, role, unique personal identifier, online identifier, internet protocol address, and email address.
- Information under Cal. Civ. Code §1798.80(e), such as your name, address, telephone number, or any financial information.
- Commercial information, such as information related to products or services you've purchased.
- Internet or other electronic network activity information, such as information regarding your interaction with the Services.
- Geolocation data.
- Inferences drawn on the information above, such as aggregated metrics.
- Account log-in in combination with your credentials allowing access to your account.
For more information about the categories of personal information we collect, please see the “What data we collect” section above.
Categories of personal information disclosed for a business purpose
The personal information that we've disclosed for a business purpose (including to our service providers) in the past 12 months falls into the following categories specifically established under the CCPA:
- Identifiers such as a real name, postal address, organization name, role, unique personal identifier, online identifier, internet protocol address, and email address.
- Information under Cal. Civ. Code §1798.80(e), such as your name, address, telephone number, or any financial information.
- Commercial information, such as information related to services you've purchased.
- Internet or other electronic network activity information, such as information regarding your interaction with the Services.
- Geolocation data.
- Inferences drawn on the information above, such as aggregated metrics.
- Account log-in in combination with your credentials allowing access to your account.
For more information about the categories of personal information we disclose to other parties, including to our service providers, please see the “How we share data” section above.
Categories of personal information shared for cross-context behavioral advertising
The personal information that we've shared with our advertising partners for cross-context behavioral advertising in the past 12 months falls into the following categories specifically established under the CCPA:
- Identifiers such as a real name, unique personal identifier, organization name, role, online identifier, internet protocol address, and email address.
- Internet or other electronic network activity information, such as information regarding your interaction with the Services.
- Geolocation data.
- Inferences drawn on the information above, such as aggregated metrics.
To exercise these rights, email jane@contracthq.app or complete our Data Subject Rights intake form. We will verify your identity before processing your request and respond within 45 days as required by law.
10. Your rights under Canadian, Australian, and New Zealand privacy law
If you are located in Canada, Australia, or New Zealand, the following applies in addition to the rights above:
- Canada (PIPEDA): you have the right to access, correct, and challenge our handling of your personal information. You may file a complaint with the Office of the Privacy Commissioner of Canada.
- Australia (Privacy Act 1988): you have the right to access and correct your personal information under the Australian Privacy Principles (APPs). You may file a complaint with the Office of the Australian Information Commissioner (OAIC).
- New Zealand (Privacy Act 2020): you have the right to access, correct, and request deletion of your personal information under the Information Privacy Principles (IPPs). You may file a complaint with the Office of the Privacy Commissioner.
To exercise any of these rights, email jane@contracthq.app.
11. Cookies
We set a single strictly-necessary cookie called __session to keep you signed in. This cookie is exempt from consent requirements under § 25 (2) Nr. 2 TTDSG / GDPR Recital 30 because it is essential to provide the service you requested.
12. Analytics
We run our own instance of Plausible Analytics on infrastructure located in Germany. Plausible is privacy-focused and does not use cookies, does not collect personal data, and does not track users across sites. It records aggregated page views, referral sources, and country (derived from IP, which is discarded immediately and never stored). No data is sent to Plausible's company - the instance is entirely under our control. Legal basis: Art. 6(1)(f) - legitimate interest in understanding how the product is used.
13. Security
We have implemented and we continually maintain a variety of technical and organizational security measures to protect your data from unauthorized access and against unlawful processing, accidental loss, destruction, and damage. Uploaded files are encrypted at rest. Data in transit is protected by TLS. Authentication uses industry-standard credential storage with support for password-based and federated sign-in. Access to production systems is granted on a least-privilege basis and protected by multi-factor authentication.
14. Children
Our Services are not directed to individuals under the age of 16, and we do not knowingly collect or sell the personal information of children under 16.
15. Changes
We may update this privacy policy from time to time. Material changes will be communicated by email to active users. The most current version is available at this URL. The date at the top of this Privacy Policy indicates when it was last revised. Any changes will become effective when we post the revised Privacy Policy on this page.
16. Contact us
If you have questions or concerns about this Privacy Policy, please contact us at:
SweetWater Holding UG (haftungsbeschränkt)
Bunsenstraße 1, 22765 Hamburg, Germany
Email: jane@contracthq.app
You may contact our EU representative at:
SweetWater Holding UG (haftungsbeschränkt)
Bunsenstraße 1, 22765 Hamburg, Germany
Email: jane@contracthq.app