Privacy Policy
Last updated: 10 December 2025
Effective date: 10 December 2025
POPIA Compliant: This Privacy Policy is drafted in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa. ContractGuard (Pty) Ltd is committed to ensuring that your personal information is processed lawfully, fairly, and transparently.
1. Introduction and Responsible Party
This Privacy Policy explains how ContractGuard (Pty) Ltd ("ContractGuard," "we," "our," or "us") collects, uses, discloses, and protects your personal information when you access or use our AI-powered contract analysis platform at www.contractguard.co.za (the "Service").
Responsible Party (as defined under POPIA):
Company Name: ContractGuard (Pty) Ltd
Location: Gauteng, South Africa
Email: privacy@contractguard.co.za
By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use our Service.
2. Definitions
For the purposes of this Privacy Policy:
- "Personal Information" means information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, as defined in POPIA.
- "Processing" means any operation or activity concerning personal information, including collection, receipt, recording, organisation, storage, updating, retrieval, consultation, use, or dissemination.
- "Data Subject" means the person to whom personal information relates (i.e., you, the user).
- "Document Data" means the contracts, agreements, and legal documents you upload to our Service for analysis.
- "Third-Party Processor" means any external service provider who processes personal information on our behalf.
3. Information We Collect
We collect and process the following categories of personal information:
3.1 Information You Provide Directly
- Account Information: Full name, email address, phone number (optional), company name (optional), and password (encrypted).
- Billing Information: Payment card details (processed securely by our payment provider, PayFast), billing address, and transaction history.
- Document Data: The contracts and legal documents you upload for analysis. This may contain personal information of third parties (e.g., names of contracting parties, addresses, ID numbers).
- Communications: Any correspondence you send to us, including support requests and feedback.
3.2 Information Collected Automatically
- Device Information: IP address, browser type and version, operating system, device type, and unique device identifiers.
- Usage Data: Pages visited, features used, time spent on the Service, analysis history, click patterns, and referring URLs.
- Cookies and Similar Technologies: We use essential cookies for authentication and session management. See Section 10 for our Cookie Policy.
3.3 Information from Third Parties
- Payment Processors: Transaction confirmations and payment status from PayFast.
- Authentication Providers: If you sign in using Google or other OAuth providers, we receive your basic profile information (name, email) as authorized by you.
4. Legal Basis and Purpose of Processing
Under POPIA, we process your personal information based on the following legal grounds:
Contract Performance (Section 11(1)(b))
Processing necessary to provide you with our contract analysis services.
Consent (Section 11(1)(a))
Where you have given explicit consent, such as for marketing communications.
Legitimate Interest (Section 11(1)(f))
For improving our services, preventing fraud, and ensuring security.
Legal Obligation (Section 11(1)(c))
To comply with applicable laws and regulations.
5. How We Use Your Information
We use your personal information for the following purposes:
- Service Delivery: To analyze your contracts and provide risk assessments.
- Account Management: To create and manage your user account.
- Payment Processing: To process your payments and manage subscriptions.
- Communication: To send you service-related notifications and respond to inquiries.
- Improvement: To analyze usage patterns and improve our Service.
- Security: To detect and prevent fraud, abuse, and security incidents.
- Legal Compliance: To comply with legal obligations and enforce our terms.
6. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy:
- Account Data: Retained while your account is active and for 2 years after closure.
- Document Data: Automatically deleted 30 days after analysis unless you request earlier deletion.
- Transaction Records: Retained for 5 years as required by tax and accounting regulations.
- Usage Analytics: Retained in anonymized form indefinitely for service improvement.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Access Controls: Strict role-based access controls and authentication requirements.
- Infrastructure: Hosted on secure, SOC 2 compliant cloud infrastructure.
- Monitoring: Continuous security monitoring and regular vulnerability assessments.
- Incident Response: Documented procedures for handling security incidents.
8. Third-Party Sharing
We may share your personal information with the following categories of third parties:
- AI Service Providers: To process contract analysis (data is not retained by these providers).
- Payment Processors: PayFast for payment processing.
- Cloud Infrastructure: For hosting and data storage.
- Legal Authorities: When required by law or legal process.
We do not sell your personal information to third parties. All third-party processors are contractually bound to protect your data in accordance with POPIA.
9. International Data Transfers
Some of our service providers may process your data outside of South Africa. In such cases, we ensure that:
- The recipient country has adequate data protection laws; or
- Appropriate safeguards are in place (such as standard contractual clauses); and
- The transfer is necessary for the performance of our contract with you.
10. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential Cookies: Required for authentication and basic functionality.
- Analytics Cookies: To understand how users interact with our Service (can be disabled).
You can control cookie preferences through your browser settings. Note that disabling essential cookies may affect Service functionality.
11. Your Rights Under POPIA
As a data subject, you have the following rights:
Right to Access (Section 23)
You may request confirmation of whether we hold your personal information and request a copy of it.
Right to Correction (Section 24)
You may request that we correct or update inaccurate, incomplete, or misleading personal information.
Right to Deletion (Section 24)
You may request deletion of your personal information where it is no longer necessary for the purpose for which it was collected.
Right to Object (Section 11(3))
You may object to the processing of your personal information on reasonable grounds relating to your particular situation.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Regulator if you believe your rights have been violated.
How to Exercise Your Rights
To exercise any of these rights, please contact our Information Officer at privacy@contractguard.co.za. We will respond to your request within 30 days. We may request verification of your identity before processing your request.
12. Children's Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly.
If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@contractguard.co.za.
13. Direct Marketing
In accordance with Section 69 of POPIA, we will only send you direct marketing communications if:
- You have given us your explicit consent (opt-in); or
- You are an existing customer and the marketing relates to similar products or services.
Every marketing email includes an unsubscribe link. You can also opt out by emailing privacy@contractguard.co.za or updating your preferences in your account settings.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the "Last updated" date at the top of this page;
- We will notify you by email (for registered users) at least 14 days before the changes take effect;
- We may display a prominent notice on our Service.
Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes.
15. Complaints
If you are dissatisfied with how we have handled your personal information or believe we have violated your privacy rights, you may:
- Contact us first: Email our Information Officer at privacy@contractguard.co.za. We will investigate and respond within 30 days.
- Lodge a complaint with the Information Regulator: If you are not satisfied with our response, you may lodge a complaint with:
The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email: complaints.IR@justice.gov.za
Website: www.justice.gov.za/inforeg/
16. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your personal information, please contact us:
Email: privacy@contractguard.co.za
General Enquiries: support@contractguard.co.za
Location: Gauteng, South Africa
We aim to respond to all enquiries within 7 business days.
By using ContractGuard, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.