Data Policy

Last updated: May 2026

What we store

  • Onboarding answers (company size, industry, vendor types, risk preferences) — stored in our database to personalize your audits.
  • Audit results (the 8-check findings, severity ratings, and suggested redlines) — stored so you can return to your audit report.
  • Anonymous session ID — a random identifier stored in a cookie to link your onboarding answers to your audits. No login required.

What we do NOT store

  • Your uploaded PDF — by default, your contract file is processed ephemerally. We extract the text in memory, run the audit, and discard the file immediately. We do not save the PDF to any storage or database.
  • Full contract text — the raw extracted text is not persisted after the audit completes. Only the structured audit results (findings, evidence snippets, redlines) are saved.

AI processing

Your contract text is sent to Anthropic's Claude API for analysis. Anthropic does not use API inputs to train their models. The text is processed and discarded by Anthropic after the response is generated.

We do not train on your data. Your contracts, onboarding answers, and audit results are never used to train any AI model.

Retention

  • Onboarding profiles and audit results are retained indefinitely for your convenience, unless you request deletion.
  • Usage telemetry (token counts, cost estimates) is retained for billing and monitoring purposes.
  • Uploaded PDFs are processed in memory and are never written to persistent storage. Typical processing time is under 60 seconds.

Deletion requests

To request deletion of your onboarding profile and audit results, please contact us at rob.neville22@gmail.com. Include your session ID (available in your browser cookies under "rg_session_id") so we can locate your records. We will process deletion requests within 30 days.

Security

All data is stored in Supabase (PostgreSQL) with Row Level Security enabled. All communication uses HTTPS/TLS. Access to the database is restricted to server-side operations via a service role key — no direct client access is permitted.

← Back to home