1. Who we are
Kontraxa is a multi-tenant SaaS platform that audits invoices against contract terms for enterprises in contract-heavy industries. We act as a data processor for the contracts and invoices our customers upload — they remain the data controller for their own commercial documents and the personal data within them.
For privacy questions, contact: [email protected].
2. What we collect
2.1 Customer-uploaded content
- Contract PDFs and the text + structured clauses Claude extracts from them.
- Invoice PDFs and the analysis results (red flags, scores, dollar impact) the engine produces against them.
- Recovery records — what your team did about flagged issues and how much was recovered.
- Support tickets and any attachments (limited to PDFs and images of supporting evidence).
2.2 Account and identity data
- Email address and full name (provided by your Clerk authentication; never a password — Clerk holds those).
- Workspace name you choose at signup.
- Role on the workspace (owner, admin, reviewer, viewer).
2.3 Operational metadata
- Audit log of every state change in the application — uploads, analyses, flag decisions, recovery moves, settings changes, sign-ins. HMAC-chained to make tampering detectable.
- Usage events — counts of API calls + estimated Anthropic cost per analysis.
- Technical request logs — request id, route, status code, duration. Held by our infrastructure providers (Railway, Vercel) under their own retention policies (typically 7–30 days).
2.4 What we do NOT collect
- We do not run third-party trackers (Google Analytics, Hotjar, ad pixels) on the authenticated application.
- We do not collect device fingerprints beyond what Clerk uses for sign-in security.
- We do not sell or rent any data to anyone, ever.
3. Why we use it
The data above is used solely to deliver the Kontraxa service to the customer who uploaded it. Specifically:
- Contract + invoice content is sent to Claude for analysis (see §5).
- Analysis results are stored and shown back to your reviewers.
- Audit log is kept as compliance evidence and to allow chain-integrity verification.
- Email + name is used to attribute actions in the audit log and to send transactional emails (alert when a vendor email draft fails, deletion certificate, etc.).
- Operational metadata is used to debug incidents, enforce per-tenant guardrails, and bill usage where applicable.
We never use customer-uploaded content to improve our own product, train any model, or generate insights for other customers. The engine runs each analysis in isolation against the tenant's own contracts and invoices.
4. Who we share it with
We share customer data only with the sub-processors required to deliver the service. The complete list with regions, compliance, and DPAs lives at /sub-processors. As of this policy's date, that is:
| Vendor | What they get |
|---|---|
| Supabase | The Postgres database and the object storage that holds your PDFs. |
| Anthropic | Contract and invoice text during analysis (see §5). |
| Clerk | User identity (email, name). Never sees contract content. |
| Vercel | Frontend hosting. Sees TLS-terminated traffic only. |
| Railway | Backend hosting. Sees app logs (PII-redacted at the source). |
| Sentry (optional) | Error tracebacks (secret-pattern-redacted) when the operator has wired error monitoring. |
| Stripe (optional) | Billing tier and email when subscription billing is in use. |
We notify customers under contract 30 days before adding any new sub-processor that would handle their data.
We will only disclose customer data in response to a binding legal process where applicable law requires it. We will challenge overbroad requests, notify the affected customer where legally permitted, and document the disclosure in our access log.
5. What Claude (Anthropic) sees
Contract and invoice text is sent to Anthropic's Claude API so the analysis can run. You have two options for how this happens:
5.1 Platform key (default)
Analysis runs through Kontraxa's Anthropic account. We operate under Anthropic's Zero Data Retention agreement, which eliminates the default 30-day prompt retention that would otherwise apply.
5.2 Bring Your Own Key (BYOK)
Configure your existing Anthropic API key in Settings → BYOK. Analysis runs through your Anthropic account, governed by your Anthropic agreement (including any ZDR or regional terms you've negotiated). Your key is encrypted at rest in our database (pgcrypto symmetric encryption) and we display only the last four characters in the UI.
Anthropic does not train models on commercial API data under either option. See Anthropic's Trust Center for current details.
6. Retention
By default, customer-uploaded content (contracts, invoices, analyses, audit log) is retained for the lifetime of your workspace. You can:
- Set a per-data-type retention policy (Settings → Trust Center) so contracts/invoices/analyses older than N days are auto-purged.
- Delete individual records at any time through the application UI.
- Request workspace deletion — see §7.2.
When data is hard-deleted, it is removed from our application database and storage immediately. Database backups held by Supabase may retain a copy for up to 7 days under their backup retention policy; after that window passes, the data is unrecoverable from any source.
The audit log is intentionally append-only and survives even tenant deletion in cryptographic form (see /security), because its purpose is to prove what happened.
7. Your rights
7.1 Access & portability (GDPR Articles 15 + 20)
Settings → Trust Center → Download data export returns a single ZIP file with every contract PDF, every invoice PDF, every analysis result, every audit row, and every user profile we hold for your workspace. Available on demand, no email, no waiting period.
7.2 Erasure (GDPR Article 17)
Settings → Trust Center → Request deletion schedules a permanent erasure of every record tied to your workspace. There is a 30-day grace period during which you can cancel. After the grace period:
- Every contract, invoice, analysis, recovery, audit log entry, user account, and uploaded PDF is purged.
- A deletion certificate is written to a separate Kontraxa-internal log (with row counts and the final audit chain hash) and emailed to the workspace owner.
- The deletion is irreversible; once the grace period ends it cannot be undone.
7.3 Rectification (GDPR Article 16)
You can edit any contract metadata, invoice metadata, or analysis decision through the application UI. For data you cannot reach yourself, email [email protected].
7.4 Access log transparency
Settings → Trust Center → Admin access log shows every time a Kontraxa platform admin accessed your workspace's data, with the reason they gave. The same record we have, you have.
7.5 Right to object / lodge a complaint
EU/UK residents have the right to lodge a complaint with their local data protection authority. We'd appreciate the chance to address the concern first — email [email protected].
8. Security
Full technical detail at /security. Headlines:
- AES-256 encryption at rest for every customer record.
- TLS 1.3 encryption in transit on every wire.
- Three independent layers of tenant isolation (application, Postgres FORCE RLS, storage prefix).
- HMAC-chained audit log keyed with a per-tenant secret.
- BYOK Anthropic keys encrypted with pgcrypto.
- Hardened JWT verification (RS256 hardcoded, issuer pinned).
- Mandatory written reason for every Kontraxa-platform-admin access of tenant data, surfaced to the affected tenant.
9. International transfers
Kontraxa is hosted in AWS us-east-1 by default. Data moves to that region during normal operation. EU customers can opt for an EU-region Supabase project on Enterprise; data lives in the chosen region for the lifetime of the workspace.
Where transfers from the EU/UK are required, they are governed by the Standard Contractual Clauses (SCCs) included in our DPA template (available on request from [email protected]).
10. Children
Kontraxa is a B2B service for commercial contract auditing. It is not directed at children under 16, and we do not knowingly collect personal data from anyone under that age. If you believe a child has used the service, contact us and we will delete the relevant account.
11. Changes to this policy
We will post any material changes to this page with a new "Last updated" date and notify customers under contract by email at least 30 days before the change takes effect. Non-material changes (typo fixes, link updates) may be made without notice but will be reflected in the date.
12. Contact
Privacy and data-protection requests: [email protected].
Security disclosures (vulnerabilities, suspected incidents): [email protected]. PGP key available on request.