Privacy & Retention Policy

Last updated: March 2, 2026

1. Overview

Guard-Clause (“we,” “us,” “our”) provides an AI-powered contract analysis service. This policy explains what data we collect, how we process it, and how long we retain it. We designed our system so that your original contract file and its extracted text are never stored permanently by default.

2. What We Collect

2.1 Account Information

If you create an account, we store your email address, a hashed password (managed by Supabase Auth), and your chosen plan. We use this to authenticate you, manage your subscription, and associate saved reports with your account.

2.2 Contract File (Ephemeral)

When you upload a contract (PDF, DOCX, or TXT), the file is read into server memory (RAM) for text extraction. The raw file buffer is discarded immediately after extraction — typically within seconds. Under normal operation, the original file is not written to disk, database, or object storage.

2.3 Extracted Text (Ephemeral Cache)

After extraction, the contract text is stored in a server-side ephemeral cache (Upstash Redis) with a 15-minute time-to-live (TTL). This cache entry is:

  • Keyed by a 256-bit cryptographic token (generated using Node.js crypto.randomBytes(32)) known only to your browser session.
  • Bound to a specific scan ID — the cache key cannot be reused for a different scan.
  • Automatically deleted after 15 minutes, or immediately after your analysis completes (for stored retention modes).
  • Not queryable — there is no way to list, search, or scan cache entries without the exact token.

If you choose the “Don’t store anything” retention mode, the cache TTL is refreshed after analysis to give you time to review and optionally purchase. After this window (or after 15 minutes), the text is gone permanently.
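
The cache properties listed in this section can be sketched as follows. This is an added illustration, not Guard-Clause's own code. It assumes an in-memory Map in place of Upstash Redis, and the key layout, the hashing of the token, and all function names are hypothetical.

```javascript
// Added example: in-memory stand-in for a TTL cache (no network, no Redis client).
const { randomBytes, createHash } = require('node:crypto');

const TTL_MS = 15 * 60 * 1000;   // 15-minute TTL, as stated in the policy
const store = new Map();         // cacheKey -> { text, expiresAt }

// 256-bit token from crypto.randomBytes(32); handed to the browser session only.
function issueToken() {
  return randomBytes(32).toString('hex');
}

// Assumed key layout: the scan ID is part of the key, and the token is hashed
// so the stored key never contains the raw token.
function cacheKey(scanId, token) {
  const digest = createHash('sha256').update(token, 'utf8').digest('hex');
  return `scan:${scanId}:${digest}`;
}

function putText(scanId, text, now = Date.now()) {
  const token = issueToken();
  store.set(cacheKey(scanId, token), { text, expiresAt: now + TTL_MS });
  return token;
}

// Exact-key lookup only: no listing or searching. Expired entries are removed.
function getText(scanId, token, now = Date.now()) {
  const key = cacheKey(scanId, token);
  const entry = store.get(key);
  if (!entry) return null;
  if (now >= entry.expiresAt) { store.delete(key); return null; }
  return entry.text;
}

// "Don't store anything" mode: restart the window after analysis completes.
function refreshTtl(scanId, token, now = Date.now()) {
  const entry = store.get(cacheKey(scanId, token));
  if (!entry || now >= entry.expiresAt) return false;
  entry.expiresAt = now + TTL_MS;
  return true;
}

// Stored retention modes: delete as soon as analysis completes.
function purge(scanId, token) {
  return store.delete(cacheKey(scanId, token));
}
```

Because the scan ID is part of the key, presenting a valid token with a different scan ID resolves to a key that does not exist.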

2.4 AI-Generated Analysis (Derived Data)

The AI-generated report includes: contract title, risk score, summary, findings with citations, negotiation pack (email draft, call script, prioritized asks), and addendum pack (replacement clauses, addendum note). This is derived data — it is produced by AI and does not contain the full original contract text, though it does include short excerpts cited in findings.

2.5 Payment Information

Payments are processed by Stripe. We never see or store your full credit card number. We store the Stripe session ID, payment intent ID, amount, and refund eligibility date.

2.6 Analytics

We use PostHog for product analytics. Events include: upload started, analysis completed, PDF exported, and checkout events. Analytics events are configured to exclude contract text, tokens, and clause excerpts. They contain only scan IDs, persona selections, risk scores, and finding counts.

3. Retention Modes

When you upload a contract, you choose one of the following retention modes. This choice is stored on the scan record and enforced structurally (via database constraints, not just policy).

3.1 “Don’t Store Anything” (retention_mode: none)

  • Your analysis is returned directly to your browser and displayed.
  • No report row is created in the database. A database CHECK constraint (chk_reports_no_none) structurally prevents this.
  • The extracted text exists only in the ephemeral cache (15 min TTL) and is deleted after expiry.
  • If you later purchase a Single Scan, the text is re-analyzed from the cache (if still within the TTL window), and a report is created under the “Save my report” mode.
  • After the cache expires, the text is gone permanently. There is no recovery.

3.2 “Save My Report” (retention_mode: derived_only)

  • The AI-generated analysis (risk score, findings, negotiation pack, addendum pack) is stored in our database.
  • The original contract text is not stored. Only derived data (including short cited excerpts within findings) is retained.
  • You can delete your report at any time via the dashboard or the API (DELETE /api/report/[id]).
  • Deletion is permanent and cascading — all associated data is removed.

3.3 “Store File” (retention_mode: store_file)

This mode is defined in our schema but is currently disabled behind a feature flag. When enabled, it would allow storage of the extracted contract text alongside the report. This mode is blocked at the API validation layer — requests using this mode will be rejected.

4. Third-Party Processors

4.1 Anthropic (AI Analysis)

Contract text is sent to Anthropic’s Claude API for analysis. Anthropic processes the text to generate our findings and does not retain input data for model training on our commercial API tier. See Anthropic’s privacy policy for details.

4.2 Supabase (Database & Auth)

Account information and reports (when retained) are stored in Supabase-managed PostgreSQL. Supabase provides encryption at rest and in transit.

4.3 Upstash (Ephemeral Cache)

Extracted contract text is cached in Upstash Redis with a 15-minute TTL. Upstash provides encryption at rest and in transit. Cache entries are automatically purged after expiry and cannot be recovered.

4.4 Stripe (Payments)

Payment processing is handled by Stripe. We do not store card details.

4.5 PostHog (Analytics)

Product analytics are collected via PostHog. No contract text or personally identifiable information (beyond anonymous user IDs) is included in analytics events.

5. Your Rights

  • Delete your report: Any saved report can be deleted at any time, permanently.
  • Delete your account: Contact support@guard-clause.com to request full account deletion. We will remove your profile, all reports, scan records, and purchase history.
  • Data export: You can export any saved report as a PDF at any time.
  • Opt out of analytics: Contact us to opt out of PostHog tracking.

6. Logging Hygiene

Our server logs are sanitized to exclude sensitive content. Specifically, our logging is configured to not include:

  • Contract text or excerpts
  • Scan tokens or cache keys
  • Clause citations or finding details
  • Stripe response bodies

Logs contain only: scan IDs (UUIDs), HTTP status codes, error codes (not messages), rate limit events, and analytics event names.
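
One way to enforce a "logs contain only" rule is an allow-list applied before anything reaches the logger. The sketch below is an added illustration, not Guard-Clause's own code; the field names, the value patterns, and the sample event are assumptions constructed for the example.

```javascript
// Added example: allow-list log sanitizer. Field names are hypothetical.
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Each permitted field has a shape check, so a token or excerpt cannot be
// smuggled through a field that happens to have an allowed name.
const ALLOWED = {
  scanId: (v) => typeof v === 'string' && UUID.test(v),
  status: (v) => Number.isInteger(v) && v >= 100 && v <= 599,
  errorCode: (v) => typeof v === 'string' && /^[A-Z][A-Z0-9_]{0,39}$/.test(v),
  rateLimited: (v) => typeof v === 'boolean',
  eventName: (v) => typeof v === 'string' && /^[a-z][a-z0-9_]{0,39}$/.test(v),
};

// Returns the safe record plus the names (never the values) of dropped fields.
function sanitizeLogEvent(event) {
  const out = {};
  const dropped = [];
  for (const [field, value] of Object.entries(event)) {
    // Object.hasOwn avoids matching inherited names such as "constructor".
    if (Object.hasOwn(ALLOWED, field) && ALLOWED[field](value)) {
      out[field] = value;
    } else {
      dropped.push(field);
    }
  }
  return { out, dropped };
}

// Constructed sample event mixing permitted and sensitive fields.
const sampleEvent = {
  scanId: '3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b',
  status: 502,
  errorCode: 'UPSTREAM_TIMEOUT',
  errorMessage: 'constructed message quoting clause 4.2',
  token: 'constructed-token-value',
  stripeResponse: { id: 'constructed' },
};
```

A deny-list would need to anticipate every sensitive field; the allow-list drops anything it does not recognize, including fields added later.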

7. Security Contacts

If you discover a security vulnerability, please report it to security@guard-clause.com. We take all reports seriously and will respond within 48 hours.

8. Changes to This Policy

We may update this policy as our product evolves. Material changes will be communicated via email to registered users and posted on this page with an updated date.

9. Contact

Questions about this policy? Email us at support@guard-clause.com.