Privacy Policy
This policy explains how ContractHQ (operated by SweetWater Holding UG (haftungsbeschränkt)) collects, stores, and uses your data. We are based in Hamburg, Germany and process data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the UK General Data Protection Regulation (UK GDPR), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Australian Privacy Act 1988 (Cth), the New Zealand Privacy Act 2020, and applicable US state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
1. Data controller
SweetWater Holding UG (haftungsbeschränkt)
Bunsenstraße 1, 22765 Hamburg, Germany
Email: jane@contracthq.app
See our Imprint for full company details.
2. What we collect
We collect only the data necessary to provide ContractHQ:
- Account data: name, email, authentication credentials (hashed passwords or federated identity tokens), organisation name, role.
- Waitlist data: email, optional name, optional company, optional message you send us.
- Contract data: the contract files you upload (PDF / DOCX) or the webpage content at URLs you provide, filename, size, and the metadata our AI extracts (counterparty, dates, notice period, renewal terms, commercial terms, and other structured fields).
- Billing data: when you subscribe to a paid plan, payment processing is handled entirely by our merchant of record. We receive subscription status, plan type, and billing email via webhook - but we never see or store your payment card number, CVV, or bank details.
- Usage logs: server-side logs of API requests (IP address, user-agent, timestamp, route) retained for up to 30 days for security and debugging.
3. How we use your data
We use your data for the following purposes:
- Providing, maintaining, and improving the Service, including improving our AI extraction accuracy and prompts.
- Sending transactional emails (reminders, invitations, verification).
- Security, fraud prevention, and debugging.
- Generating aggregated, de-identified analytics to improve the product. Aggregated data cannot be used to identify you or your organisation.
4. Legal basis (Art. 6 GDPR)
- Account, waitlist, and contract data: Art. 6(1)(b) - performance of a contract (providing the service you signed up for).
- Service improvement and AI prompt optimisation: Art. 6(1)(f) - legitimate interest in improving the accuracy and quality of the Service.
- Server logs and security telemetry: Art. 6(1)(f) - legitimate interest in operating a secure service.
- Marketing emails (if you opted in): Art. 6(1)(a) - your consent, which you can revoke at any time.
5. Where your data lives (sub-processors)
To operate the Service we rely on a small number of third-party processors, each bound by a Data Processing Agreement under Art. 28 GDPR. We use the following categories of providers:
- Authentication provider (EU/US): stores authentication credentials. Data may be processed in the EU and the United States. Transfer mechanism: Standard Contractual Clauses.
- File storage provider (EU): stores your uploaded contract files in European data centres.
- Database and infrastructure provider (Germany): stores account, waitlist, and contract metadata in German data centres.
- AI / LLM API provider (US): processes contract content to extract structured metadata. Content is transmitted for the duration of the extraction request only and is not used to train models. Transfer mechanism: Standard Contractual Clauses.
- Transactional email provider (US): delivers invitations, reminders, and billing notifications. Transfer mechanism: Standard Contractual Clauses.
- Application hosting provider (US/EU): hosts the web application and serverless functions. Transfer mechanism: Standard Contractual Clauses.
- Web analytics (Germany): privacy-focused, cookie-free analytics. We run our own instance; no data is sent to a third-party analytics company. See Section 12.
- Merchant of record for payments (US): processes card payments, invoices, sales tax, and VAT on our behalf. We do not collect or store your payment card details. Transfer mechanism: Standard Contractual Clauses.
The named list of current sub-processors, including the specific legal entities and data-transfer mechanisms, is included in our Data Processing Agreement, which is available to customers inside the app once you sign up. Non-customers can request a copy by emailing jane@contracthq.app.
6. International transfers
Some sub-processors above are based outside the EU/EEA. Where applicable we rely on the European Commission's Standard Contractual Clauses and additional safeguards. You can request a copy of any specific agreement by emailing us.
7. How long we keep your data
- Active accounts: as long as your account is open.
- Closed accounts: deleted within 30 days, except where statutory retention obligations apply (e.g. § 257 HGB / § 147 AO for billing documents - up to 10 years).
- Waitlist entries: kept until you ask us to delete them.
- Server logs: 30 days.
8. Your rights under the GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Correct inaccurate data (Art. 16)
- Erase your data (Art. 17)
- Restrict processing (Art. 18)
- Receive your data in a portable format (data portability, Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with a supervisory authority (Art. 77) - for German residents, this is your state Datenschutzbehörde
To exercise any of these rights, email jane@contracthq.app.
9. Your rights under US state privacy laws (CCPA/CPRA)
If you are a California resident, or a resident of another US state with applicable privacy legislation, you may have additional rights including:
- Right to know: you can request the categories and specific pieces of personal information we have collected about you.
- Right to delete: you can request deletion of your personal information, subject to certain exceptions.
- Right to opt out of sale or sharing: we do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.
- Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.
Categories of personal information collected (as defined by the CCPA): identifiers (name, email), commercial information (contract data, billing status), internet activity (server logs), and professional information (organisation name, role).
To exercise these rights, email jane@contracthq.app. We will verify your identity before processing your request and respond within 45 days as required by law.
10. Your rights under UK, Canadian, Australian, and New Zealand privacy law
If you are located in the United Kingdom, Canada, Australia, or New Zealand, the following applies in addition to the GDPR rights above:
- United Kingdom (UK GDPR / Data Protection Act 2018): you have the same rights as described in Section 8 above. The relevant supervisory authority is the Information Commissioner's Office (ICO).
- Canada (PIPEDA): you have the right to access, correct, and challenge our handling of your personal information. You may file a complaint with the Office of the Privacy Commissioner of Canada.
- Australia (Privacy Act 1988): you have the right to access and correct your personal information under the Australian Privacy Principles (APPs). You may file a complaint with the Office of the Australian Information Commissioner (OAIC).
- New Zealand (Privacy Act 2020): you have the right to access, correct, and request deletion of your personal information under the Information Privacy Principles (IPPs). You may file a complaint with the Office of the Privacy Commissioner.
To exercise any of these rights, email jane@contracthq.app.
11. Cookies
We set a single strictly-necessary cookie called __session to keep you signed in. This cookie is exempt from consent requirements under § 25 (2) Nr. 2 TTDSG / GDPR Recital 30 because it is essential to provide the service you requested.
We do not use marketing, advertising, or analytics cookies. We do not embed third-party trackers.
12. Analytics
We run our own instance of Plausible Analytics on infrastructure located in Germany. Plausible is privacy-focused and does not use cookies, does not collect personal data, and does not track users across sites. It records aggregate page views, referral sources, and country (derived from IP, which is discarded immediately and never stored). No data is sent to Plausible's company - the instance is entirely under our control. Legal basis: Art. 6(1)(f) - legitimate interest in understanding how the product is used.
13. Security
Uploaded files are encrypted at rest. Data in transit is protected by TLS. Authentication uses industry-standard credential storage with support for password-based and federated sign-in. Access to production systems is granted on a least-privilege basis and protected by multi-factor authentication.
14. Changes
We may update this policy. Material changes will be communicated by email to active users. The most current version is always available at this URL.