
GDPR Compliance Statement

CONTRACTS.AI, Inc. ("Contracts.ai", "we", "us", or "our") is committed to protecting the privacy and security of your personal information. This page describes how Contracts.ai supports compliance with the EU General Data Protection Regulation (GDPR). It is intended to provide transparency into our data protection practices for customers, prospects, and partners.
Last updated: January 29th, 2026

1. Overview

Contracts.ai is committed to protecting personal data and complying with the European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This statement summarizes the technical, organizational, and procedural measures implemented by Contracts.ai to support GDPR compliance.

2. Scope

This statement applies to all personal data processed by Contracts.ai in the course of providing its services, including customer data, end-user data, and personal data contained within documents processed by AI-enabled features.

3. Roles and Responsibilities

  • Data Controller: Customers of Contracts.ai, with respect to personal data they upload or submit
  • Data Processor: Contracts.ai, acting on documented customer instructions
  • Data Protection Oversight: CTO / Engineering Leadership

4. Lawful Basis for Processing

Contracts.ai processes personal data based on one or more of the following lawful bases, as applicable:

  • Performance of a contract (Article 6(1)(b))
  • Legitimate interests (Article 6(1)(f))
  • Compliance with legal obligations (Article 6(1)(c))

Customers determine the appropriate lawful basis for data they submit to the platform.

5. Data Minimization and Purpose Limitation

  • Personal data is processed solely for the purpose of delivering contracted services
  • Only data necessary to perform the requested functionality is processed
  • AI systems are configured to limit unnecessary data exposure

6. Data Security and Confidentiality

Contracts.ai implements appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Access controls based on least privilege
  • Secure authentication and authorization mechanisms
  • Regular security testing, including third-party penetration testing
  • Secure software development lifecycle (Secure SDLC) practices

7. Subprocessors and Third Parties

Contracts.ai may engage vetted subprocessors to support service delivery (e.g., hosting providers, AI service providers). All subprocessors are subject to contractual data protection obligations consistent with GDPR requirements.

A list of subprocessors can be provided upon request.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), Contracts.ai relies on appropriate safeguards, such as Standard Contractual Clauses (SCCs), to ensure adequate data protection.

9. Data Subject Rights

Contracts.ai supports customer obligations to respond to data subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Requests are handled in accordance with documented customer instructions and applicable law.

10. Data Retention and Deletion

  • Personal data is retained only for as long as necessary to provide the service or as required by law
  • Customers may request deletion of their data in accordance with contractual terms

11. Incident Response and Breach Notification

Contracts.ai maintains an incident response process to detect, respond to, and remediate security incidents.

In the event of a personal data breach, Contracts.ai will notify affected customers without undue delay and provide relevant information to support regulatory reporting obligations.

12. Governance and Review

This GDPR Compliance Statement is reviewed periodically and updated as necessary to reflect changes in regulatory requirements or internal practices.

Detailed data processing obligations are governed by the Contracts.ai Data Processing Addendum (DPA), which is incorporated into customer agreements or available upon request.

13. Contact and Data Protection Inquiries

Questions regarding this GDPR Compliance Statement or Contracts.ai data protection practices may be directed to:

Email: hello@contracts.ai

Data subject rights requests should be submitted through the relevant customer organization acting as the data controller.