Plain-English summary
We collect the contracts you upload, your account email, and billing info. We use them to run the analysis and bill you. We don't sell your data, we don't use it to train AI models, and you can download or delete everything at any time from your account page.
1. Who we are
Vettingly ("we", "us") provides AI-assisted contract analysis through vettingly.app. For the personal data described here, we act as the data controller.
Privacy contact: privacy@vettingly.app.
2. What we collect
- Account data — name, email address, hashed password (or Google OAuth identifier).
- Contract content — files you upload, the text we extract from them, and the analysis we generate.
- Billing data — Stripe customer ID, subscription tier, plan history. We do not store card numbers; Stripe does.
- Usage data — credit transactions, timestamps of analyses, basic server logs (IP, user-agent) for security and debugging.
3. Why we process it (lawful basis)
- Contract (Art. 6(1)(b) GDPR) — running the analysis you asked for, storing your history, processing payments.
- Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, service improvement.
- Legal obligation (Art. 6(1)(c)) — keeping invoices and tax records.
- Consent (Art. 6(1)(a)) — only where explicitly requested (e.g. optional product emails).
4. Sub-processors
We share data with the following providers, each bound by a Data Processing Agreement:
- Supabase — database, authentication, file storage (US).
- Anthropic — runs the contract analysis on the text we send. Inputs and outputs are not used to train Anthropic's models.
- Stripe — payment processing (US/IE).
- Resend — transactional email delivery (US).
- Vercel — hosting and edge delivery (US/global).
For transfers outside the EEA we rely on Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
5. How long we keep it
- Contracts and analyses — until you delete them or close your account.
- Account data — until you delete your account.
- Invoices and payment records — up to 7 years where required by tax law, even after account deletion.
- Server logs — typically 30 days.
6. AI processing
Vettingly's reports are generated by a large language model. The output is a statistical interpretation of contract text and may be incomplete or wrong. Reports are not legal advice and Vettingly is not a law firm. You should not rely on a report as the sole basis for any contract decision.
7. Your rights under GDPR
If you live in the EU, EEA, or UK you have the right to:
- Access — download a copy of your data from your account page.
- Erasure — delete your account from your account page. This permanently removes your contracts, analyses, and profile.
- Rectification — correct your name or email by contacting us.
- Portability — the export above is provided in machine-readable JSON.
- Objection / restriction — email us and we will stop the relevant processing where lawful.
- Withdraw consent — for any processing based on consent, at any time.
- Lodge a complaint — with your local Data Protection Authority. A list is available at edpb.europa.eu.
8. Security
Data is encrypted in transit (HTTPS/TLS) and at rest (storage and database encryption provided by Supabase). Access to production systems is limited to authorized personnel.
9. Cookies
We use only strictly necessary cookies — for authentication (Supabase) and checkout (Stripe). We do not use advertising or cross-site tracking cookies. If that changes, we will update this policy and add a consent banner.
10. Children
Vettingly is not directed to anyone under 16. We do not knowingly process data from children. If you believe a child has registered, contact us and we will delete the account.
11. Changes to this policy
Material changes will be communicated by email and posted here at least 14 days before they take effect.
12. Contact
Privacy questions or requests: privacy@vettingly.app.
Last Updated: April 24, 2026