Ember Trail LLC ("Company," "we," "us," or "our") operates ContractDecoder (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Our Privacy Commitment
ContractDecoder is built on a zero-knowledge architecture for your contract content. This means:
- We do NOT store your contracts - Documents are processed in memory and immediately discarded
- We do NOT read your contracts - Analysis is performed by AI, not humans
- We do NOT sell your data - We will never sell your personal information or contract content to third parties
- We do NOT train AI on your contracts - Your documents are not used to train any AI models
2. Information We Collect
2.1 Information You Provide
Account Information:
- Email address (required for account creation)
- Name (if provided)
Payment Information:
- Payment transactions are processed by Stripe
- We do NOT store credit card numbers, CVVs, or full card details
- We receive and store only: last 4 digits of card, card brand, expiration date, and billing postal code
Communications:
- If you contact our support, we may retain your correspondence
2.2 Information Collected Automatically
Usage Data:
- Number of contracts analyzed (count only, not content)
- Number of chat messages sent (count only, not content)
- Feature usage patterns
- Session timestamps
Technical Data:
- IP address
- Browser type and version
- Device type
- Operating system
- Referring URLs
Cookies and Similar Technologies:
- Session cookies (required for authentication)
- We do NOT use advertising or tracking cookies
- See Section 7 for more details
2.3 Information We Do NOT Collect or Store
- Contract file contents
- Extracted text from your documents
- AI analysis results
- Chat conversation content
- Any information from within your contracts (names, terms, amounts, etc.)
3. How We Process Your Contracts
3.1 Zero-Knowledge Processing
When you upload a contract, the following process occurs:
- 1. UPLOAD
Your file is transmitted via encrypted connection (TLS 1.3) - 2. TEXT EXTRACTION
Text is extracted from PDF/Word in server memory
File is immediately discarded - 3. AI ANALYSIS
Extracted text is sent to AI provider API
Text is NOT logged or stored on our servers - 4. RESULTS DELIVERED
AI response is sent directly to your browser - 5. PROCESSING COMPLETE
All contract text is cleared from server memory
Nothing is written to any database
3.2 What This Means
- Your contract exists on our servers only during active processing (typically 15-60 seconds)
- We cannot retrieve your contract after processing completes
- We cannot show you previously analyzed contracts (we don't have them)
- If you want to keep your analysis, you must save it yourself
3.3 Chat Follow-Up Questions
When you ask follow-up questions about your contract:
- Your browser sends the contract text back to our server (it was never stored)
- We process the question and immediately discard all content
- Chat history is stored only in your browser session
- When you close the tab, chat history is gone
4. How We Use Your Information
4.1 We Use Account Information To:
- Create and manage your account
- Process your subscription payments
- Send transactional emails (login links, receipts)
- Respond to your support requests
- Notify you of important service changes
4.2 We Use Usage Data To:
- Monitor and improve Service performance
- Identify and fix technical issues
- Understand how users interact with our features
- Generate aggregate, anonymized statistics
4.3 We Do NOT Use Your Information To:
- Train AI models
- Build profiles for advertising
- Sell to third parties
- Contact you with marketing (unless you opt in)
5. Third-Party Services
5.1 AI Processing (OpenRouter / Anthropic)
We use third-party AI models to analyze contracts:
- Provider: OpenRouter (routing to Anthropic Claude models)
- Data Sent: Your contract text (for analysis only)
- Data Retention by Provider: Per Anthropic's API terms, data is not used for model training and is retained only for abuse monitoring for a limited period
- Our Control: We cannot control third-party data practices and rely on their stated policies
Anthropic's Commitment: Anthropic states that API data is not used to train models. See Anthropic's Privacy Policy for details.
5.2 Payment Processing (Stripe)
- Purpose: Process subscription payments
- Data Shared: Email, payment method details
- Their Policy: Stripe Privacy Policy
5.3 Email Service
- Purpose: Send transactional emails (login links, receipts)
- Data Shared: Email address
5.4 Hosting (Amazon Web Services)
- Purpose: Host application infrastructure
- Data Processed: All data flows through AWS servers
- Location: United States
- Their Policy: AWS Privacy Policy
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Contract content | NOT RETAINED (processed in memory only) |
| AI analysis results | NOT RETAINED |
| Chat messages | NOT RETAINED |
| Account information | Until account deletion + 30 days |
| Payment records | 7 years (legal/tax requirements) |
| Usage statistics | 2 years (aggregated) |
| Server logs | 30 days |
7. Cookies and Tracking
7.1 Cookies We Use
| Cookie | Purpose | Duration |
|---|---|---|
| session | Authentication | 30 days |
7.2 Cookies We Do NOT Use
- Advertising cookies
- Third-party tracking cookies
- Social media cookies
- Cross-site tracking
7.3 Your Choices
Our Service requires the session cookie to function. If you disable cookies entirely, you will not be able to log in.
8. Data Security
8.1 Security Measures
We implement appropriate technical and organizational measures including:
- Encryption in Transit: TLS 1.3 for all connections
- Encryption at Rest: Database encryption for stored data
- Access Controls: Limited employee access to systems
- Infrastructure Security: AWS security best practices
- No Contract Storage: The best protection is not storing sensitive data at all
8.2 Security Limitations
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
8.3 Breach Notification
In the event of a data breach affecting your personal information, we will notify you via email within 72 hours of becoming aware of the breach, as required by applicable law.
9. Your Rights and Choices
9.1 Access and Portability
You may request a copy of the personal information we hold about you. Since we don't store contract content, this will be limited to account and usage data.
9.2 Correction
You may update your account information at any time through the Service.
9.3 Deletion
You may request deletion of your account and associated personal data. Upon request, we will:
- Delete your account information
- Delete your usage statistics
- Retain only what is legally required (payment records for tax purposes)
To request deletion, contact us at [email protected].
9.4 Data Export
You may request an export of your personal data in a machine-readable format.
9.5 Opt-Out
- Marketing Emails: We don't send marketing emails unless you opt in. You can opt out anytime.
- Transactional Emails: Required for service operation (login links, receipts). You cannot opt out while maintaining an account.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
10.1 Right to Know
You may request information about:
- Categories of personal information collected
- Sources of personal information
- Purpose for collecting personal information
- Third parties with whom we share personal information
10.2 Right to Delete
You may request deletion of your personal information, subject to certain exceptions.
10.3 Right to Non-Discrimination
We will not discriminate against you for exercising your privacy rights.
10.4 No Sale of Personal Information
We do not sell personal information. We have not sold personal information in the preceding 12 months.
10.5 Contact for California Requests
To exercise your California privacy rights, contact us at [email protected].
11. International Users
11.1 Data Location
Our Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.
11.2 GDPR (European Users)
If you are in the European Economic Area, you have rights under the General Data Protection Regulation including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
Our legal basis for processing:
- Contract Performance: Processing your contracts (while you use the Service)
- Legitimate Interests: Improving our Service, preventing fraud
- Consent: Marketing communications (if you opt in)
To exercise GDPR rights, contact us at [email protected].
12. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn we have collected such information, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Sending you an email (for material changes)
Your continued use of the Service after changes constitutes acceptance of the revised policy.
14. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
ContractDecoder
Email: [email protected]
For privacy-specific inquiries: [email protected]
15. Summary
- What we collect: Email, payment info, usage counts
- What we DON'T collect: Your contracts, analysis results, chat content
- Who we share with: AI provider (for processing only), payment processor, email service
- Your control: Access, correct, delete, export your data anytime
Our commitment: Your contracts are yours. We process them, we don't keep them.
For our complete legal documentation, also see: Terms of Service