Privacy Policy
Last updated: 10 December 2025
Effective date: 10 December 2025
POPIA Compliant: This Privacy Policy is drafted in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa. ContractGuard (Pty) Ltd is committed to ensuring that your personal information is processed lawfully, fairly, and transparently.
1. Introduction and Responsible Party
This Privacy Policy explains how ContractGuard (Pty) Ltd ("ContractGuard," "we," "our," or "us") collects, uses, discloses, and protects your personal information when you access or use our AI-powered contract analysis platform at www.contractguard.co.za (the "Service").
Responsible Party (as defined under POPIA):
Company Name: ContractGuard (Pty) Ltd
Location: Gauteng, South Africa
Email: privacy@contractguard.co.za
By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use our Service.
2. Definitions
For the purposes of this Privacy Policy:
- "Personal Information" means information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, as defined in POPIA.
- "Processing" means any operation or activity concerning personal information, including collection, receipt, recording, organisation, storage, updating, retrieval, consultation, use, or dissemination.
- "Data Subject" means the person to whom personal information relates (i.e., you, the user).
- "Document Data" means the contracts, agreements, and legal documents you upload to our Service for analysis.
- "Third-Party Processor" means any external service provider who processes personal information on our behalf.
3. Information We Collect
We collect and process the following categories of personal information:
3.1 Information You Provide Directly
- Account Information: Full name, email address, phone number (optional), company name (optional), and password (encrypted).
- Billing Information: Payment card details (processed securely by our payment provider, PayFast), billing address, and transaction history.
- Document Data: The contracts and legal documents you upload for analysis. This may contain personal information of third parties (e.g., names of contracting parties, addresses, ID numbers).
- Communications: Any correspondence you send to us, including support requests and feedback.
3.2 Information Collected Automatically
- Device Information: IP address, browser type and version, operating system, device type, and unique device identifiers.
- Usage Data: Pages visited, features used, time spent on the Service, analysis history, click patterns, and referring URLs.
- Cookies and Similar Technologies: We use essential cookies for authentication and session management. See Section 10 for our Cookie Policy.
3.3 Information from Third Parties
- Payment Processors: Transaction confirmations and payment status from PayFast.
- Authentication Providers: If you sign in using Google or other OAuth providers, we receive your basic profile information (name, email) as authorized by you.
4. Legal Basis and Purpose of Processing
Under POPIA, we process your personal information based on the following lawful grounds:
| Purpose | Legal Basis (POPIA) |
|---|---|
| Providing contract analysis services | Performance of a contract (Section 11(1)(b)) |
| Processing payments | Performance of a contract (Section 11(1)(b)) |
| Account creation and management | Performance of a contract (Section 11(1)(b)) |
| Sending service-related communications | Legitimate interest (Section 11(1)(f)) |
| Improving our Service and user experience | Legitimate interest (Section 11(1)(f)) |
| Marketing communications (with consent) | Consent (Section 11(1)(a)) |
| Compliance with legal obligations | Legal obligation (Section 11(1)(c)) |
| Fraud prevention and security | Legitimate interest (Section 11(1)(f)) |
5. Document Data — Special Handling
We understand that the contracts you upload may contain highly sensitive and confidential information. We apply the following special protections to Document Data:
Our Commitments:
- No AI Training: Your uploaded documents are NEVER used to train, fine-tune, or improve our AI models or any third-party AI models.
- Session Isolation: Document analysis is performed in isolated sessions. Your document content is not accessible to other users.
- Limited Retention: Uploaded documents are automatically deleted from our active systems within 30 days of analysis, unless you choose to save them to your account.
- No Human Review: Documents are processed automatically by AI. No ContractGuard employee reads your documents unless you explicitly request support and grant permission.
- Encrypted Storage: All documents are encrypted using AES-256 encryption at rest and TLS 1.3 in transit.
5.1 Third-Party Personal Information in Documents
Your uploaded documents may contain personal information of third parties (e.g., other contracting parties, witnesses, landlords, employers). By uploading such documents, you represent and warrant that:
- You have the legal right to share such documents for the purpose of analysis;
- You are not breaching any confidentiality obligations by uploading the document; and
- You accept responsibility for ensuring compliance with applicable data protection laws regarding third-party information.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:
6.1 Service Providers (Operators under POPIA)
We engage trusted third-party service providers who process data on our behalf:
- Cloud Infrastructure Providers: For secure hosting and data storage
- Payment Processing: PayFast (Pty) Ltd — for secure payment processing
- AI Processing Providers: For contract analysis (documents processed under strict data processing agreements with no training on your data)
- Email Service Providers: For transactional and service-related emails
- Analytics Providers: For anonymized usage analytics to improve our Service
All service providers are bound by written data processing agreements requiring them to protect your information and use it only for specified purposes.
6.2 Legal Requirements
We may disclose your information if required to do so by law, or:
- In response to valid legal process (e.g., court order, subpoena);
- In response to requests from law enforcement or government authorities;
- To protect our legal rights, privacy, safety, or property;
- To investigate potential violations of our Terms of Service.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our Service of any change in ownership.
7. Cross-Border Data Transfers
Some of our service providers may be located outside of South Africa. In accordance with Section 72 of POPIA, we ensure that any cross-border transfer of personal information is subject to:
- The recipient country having adequate data protection laws; or
- Binding agreements ensuring the recipient provides adequate protection; or
- Your explicit consent to the transfer.
Where we transfer data to service providers in the United States, European Union, or other jurisdictions, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or equivalent data processing agreements.
8. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy:
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of account + 2 years after deletion request |
| Uploaded Documents (not saved) | 30 days after analysis |
| Uploaded Documents (saved to account) | Until user deletes or account closure |
| Analysis Reports | Duration of account + 1 year |
| Payment Records | 7 years (legal requirement) |
| Usage Logs | 12 months |
| Support Communications | 3 years |
After the retention period expires, personal information is securely deleted or anonymized.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, destruction, or alteration:
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- Access Controls: Strict role-based access controls limit who can access personal information.
- Authentication: Secure password hashing (bcrypt) and optional two-factor authentication.
- Infrastructure Security: Our infrastructure is hosted on enterprise-grade platforms with SOC 2 compliance.
- Regular Audits: We conduct periodic security assessments and vulnerability testing.
- Incident Response: We maintain an incident response plan to address potential data breaches promptly.
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
10. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience:
Essential Cookies (Required)
These cookies are necessary for the Service to function and cannot be disabled:
- Session authentication cookies
- Security cookies (CSRF protection)
- Load balancing cookies
Analytics Cookies (Optional)
With your consent, we may use analytics cookies to understand how users interact with our Service:
- Page views and navigation patterns
- Feature usage statistics
- Performance monitoring
You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect Service functionality.
11. Your Rights Under POPIA
As a data subject under the Protection of Personal Information Act, you have the following rights:
Right to Access (Section 23)
You may request confirmation of whether we hold personal information about you and request a copy of that information.
Right to Correction (Section 24)
You may request that we correct or update inaccurate, incomplete, or misleading personal information.
Right to Deletion (Section 24)
You may request deletion of your personal information where it is no longer necessary for the purpose for which it was collected.
Right to Object (Section 11(3))
You may object to the processing of your personal information on reasonable grounds relating to your particular situation.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Regulator if you believe your rights have been violated.
How to Exercise Your Rights
To exercise any of these rights, please contact our Information Officer at privacy@contractguard.co.za. We will respond to your request within 30 days. We may request verification of your identity before processing your request.
12. Children's Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly.
If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@contractguard.co.za.
13. Direct Marketing
In accordance with Section 69 of POPIA, we will only send you direct marketing communications if:
- You have given us your explicit consent (opt-in); or
- You are an existing customer and the marketing relates to similar products or services.
Every marketing email includes an unsubscribe link. You can also opt out by emailing privacy@contractguard.co.za or updating your preferences in your account settings.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the "Last Updated" date at the top of this page;
- We will notify you by email (for registered users) at least 14 days before the changes take effect;
- We may display a prominent notice on our Service.
Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes.
15. Complaints
If you are dissatisfied with how we have handled your personal information or believe we have violated your privacy rights, you may:
- Contact us first: Email our Information Officer at privacy@contractguard.co.za. We will investigate and respond within 30 days.
- Lodge a complaint with the Information Regulator: If you are not satisfied with our response, you may lodge a complaint with:
The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email: complaints.IR@justice.gov.za
Website: www.justice.gov.za/inforeg/
16. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your personal information, please contact us:
Email: privacy@contractguard.co.za
General Enquiries: support@contractguard.co.za
Location: Gauteng, South Africa
We aim to respond to all enquiries within 7 business days.
By using ContractGuard, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.