Privacy Policy
Last updated: April 1, 2025
1. Introduction
ClauseMesh Inc. ("ClauseMesh," "we," "our," or "us") is committed to protecting the privacy of individuals who interact with our website, platform, and services. This Privacy Policy describes the types of personal data we collect, how we use and share that data, how long we retain it, and the rights you have regarding your personal data.
This Policy applies to:
- Visitors to the ClauseMesh website at clausemesh.com (the "Site")
- Registered users and administrators of the ClauseMesh platform (the "Platform")
- Individuals whose information is included in contracts and documents processed through the Platform on behalf of our customers
- Contacts at prospective customer organizations
If you are a customer of ClauseMesh accessing the Platform under a subscription agreement, the processing of contract documents you upload is governed by our Data Processing Addendum (DPA), which forms part of your subscription agreement. This Privacy Policy covers ClauseMesh's own data practices regarding your account and contact information.
ClauseMesh Inc. is incorporated under the laws of Delaware and headquartered at 1 World Trade Center, New York, NY 10007. For purposes of the EU General Data Protection Regulation (GDPR), ClauseMesh is the data controller for personal data collected through the Site and for account-related data collected through the Platform. For contract documents processed on behalf of customers, ClauseMesh acts as a data processor and our customer is the data controller.
2. Personal Data We Collect
We collect personal data in several ways depending on how you interact with ClauseMesh.
2.1 Information You Provide Directly
Account registration: When you register for a ClauseMesh account, we collect your first and last name, work email address, company name, job title, and a password. If your organization uses single sign-on (SSO), your identity information is provided by your identity provider rather than collected directly by ClauseMesh.
Demo and contact requests: When you complete a demo request or contact form, or request a proof-of-concept evaluation, we collect your name, work email address, company name, job title, phone number (optional), and the content of your message or request.
Subscription and billing: When you subscribe to a paid plan, we collect billing contact information, company address, and payment method details. Payment card data is processed directly by our payment processor (Stripe) and is not stored by ClauseMesh in unencrypted form.
Customer support: When you contact our support team, we collect the information you provide in your support request, including any attachments you choose to include.
Survey and feedback responses: If you participate in surveys, NPS polls, or provide feedback through in-product mechanisms, we collect the content of your responses along with your account identifier.
2.2 Information Collected Automatically
Usage data: When you use the Platform, we collect data about your interactions, including pages visited, features used, search queries within the Platform, documents processed, and session timestamps. This data is used for product improvement, security monitoring, and billing purposes where usage is metered.
Log data: Our servers automatically record log data including your IP address, browser type and version, operating system, referring URL, and the date and time of each request. Log data is retained for 90 days for security and debugging purposes.
Device information: We collect information about the device you use to access the Platform, including device type, screen resolution, and browser language settings.
Cookies and tracking technologies: We use cookies and similar tracking technologies as described in our Cookie Policy. These collect data about your browsing behavior on the Site and your authenticated sessions in the Platform.
2.3 Information from Third Parties
Identity providers: If your organization configures SAML-based SSO with ClauseMesh, we receive identity information from your identity provider (such as Okta, Azure Active Directory, or Google Workspace) as part of the authentication process.
CRM and marketing data: We may receive contact information from business data providers, conference attendee lists, and partner referrals to identify prospective customers. We process this data under the legitimate interests legal basis for B2B marketing.
Payment processors: Our payment processor provides us with tokenized payment method information and transaction status updates.
3. How We Use Personal Data
We use personal data for the following purposes:
3.1 Providing and Operating the Service
We use account and usage data to authenticate your identity, provide access to Platform features you are entitled to under your subscription, process documents you submit, generate extraction and risk scoring outputs, maintain your user preferences, and provide customer support. The legal basis for this processing is performance of a contract (your subscription agreement or terms of service) and legitimate interests in operating our business.
3.2 Billing and Account Management
We use billing contact and payment information to invoice you for services, process payments, send receipts and renewal notices, and manage subscription upgrades, downgrades, and cancellations. The legal basis is performance of a contract and compliance with legal obligations (tax and financial record-keeping requirements).
3.3 Communication
We use your email address and contact information to send transactional communications (account confirmation, password resets, security notifications, invoice receipts), respond to support requests and demo inquiries, send product updates and release notes to existing customers, and communicate about our services to prospective customers who have expressed interest. The legal basis for transactional communications is contract performance; for marketing communications to existing customers, legitimate interests; for prospective customer outreach, legitimate interests with an opt-out mechanism available.
3.4 Product Improvement and Analytics
We use usage data and aggregated behavioral data to understand how the Platform is used, identify areas for improvement, diagnose technical problems, and develop new features. We do not use the content of contract documents you process through the Platform to train our extraction or risk scoring models without your explicit consent. Aggregated, de-identified usage statistics may be used for product development without restriction.
3.5 Security and Fraud Prevention
We process log data, IP addresses, and usage patterns to detect unauthorized access, abuse of the Platform, fraudulent transactions, and other security threats. The legal basis is legitimate interests in maintaining the security of our systems and protecting our customers.
3.6 Legal Compliance
We retain and process data as required by applicable law, including tax, financial reporting, and data retention obligations. We may process personal data to respond to lawful requests from law enforcement or regulatory authorities, subject to applicable legal requirements and our commitment to notify customers where permitted.
4. Data Sharing and Disclosure
We do not sell personal data to third parties. We share personal data only in the following circumstances:
4.1 Service Providers
We share personal data with third-party service providers who process data on our behalf under contractual data processing agreements. These include: cloud infrastructure providers (AWS), payment processors (Stripe), email delivery services (for transactional and marketing emails), customer relationship management software, customer support platforms, and product analytics services. Each service provider is restricted to processing data only as necessary to provide their service to us and is prohibited from using it for their own purposes.
4.2 Business Transfers
If ClauseMesh is involved in a merger, acquisition, financing, or sale of business assets, personal data may be transferred as part of that transaction. We will provide notice before personal data is transferred and becomes subject to a different privacy policy.
4.3 Legal Requirements
We may disclose personal data when required to do so by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a legal obligation. We will challenge requests that we believe are unlawfully broad or that seek data beyond what the legal requirement specifies.
4.4 With Your Consent
We may share personal data with third parties for purposes not described in this Policy when we have obtained your explicit consent to do so.
5. Data Retention
We retain personal data for as long as necessary to fulfill the purposes described in this Policy, subject to the following retention guidelines:
- Account data: Retained for the duration of your subscription and for 3 years after account closure, to support post-termination inquiries, legal claims, and regulatory compliance.
- Contract documents and extraction outputs: Retained for the duration of your subscription. Upon account closure, contract documents and extraction outputs are deleted within 30 days, with backups purged within 90 days. Extended retention is available as a paid add-on for customers who require longer-term archival.
- Billing records: Retained for 7 years from the date of the transaction to comply with tax and financial record-keeping requirements.
- Log data: Retained for 90 days.
- Support tickets: Retained for 2 years after closure.
- Marketing contact data: Retained until you opt out of marketing communications, after which we retain a suppression record (email address and opt-out date) for 3 years to prevent re-contact.
6. International Data Transfers
ClauseMesh is headquartered in the United States. Personal data collected from individuals in the European Economic Area, United Kingdom, and Switzerland may be transferred to and processed in the United States and other countries that may not provide the same level of data protection as your home country.
For transfers of personal data from the EEA to the United States, we rely on Standard Contractual Clauses (2021 European Commission format) incorporated into our Data Processing Addendum and our agreements with sub-processors. We maintain a Transfer Impact Assessment documenting the legal safeguards applicable to US-hosted processing. Copies of applicable SCCs are available upon request by emailing team@clausemesh.com.
7. Your Privacy Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data:
7.1 Rights Under GDPR (EEA and UK Residents)
- Right of access: You may request a copy of the personal data we hold about you, including information about how it is processed.
- Right to rectification: You may request correction of inaccurate personal data.
- Right to erasure: You may request deletion of your personal data in certain circumstances — for example, when the data is no longer necessary for the purpose for which it was collected, or when you withdraw consent where consent was the legal basis.
- Right to restriction of processing: You may request that we restrict processing of your personal data in certain circumstances, such as when accuracy is contested or when processing is unlawful but you prefer restriction to deletion.
- Right to data portability: You may request your personal data in a structured, commonly used, machine-readable format for transfer to another controller where processing is based on consent or contract performance.
- Right to object: You may object to processing based on our legitimate interests, including for direct marketing purposes. When you object to direct marketing, we will cease processing for that purpose immediately.
- Right not to be subject to automated decisions: ClauseMesh does not make legally significant automated decisions about individuals. Risk scoring is applied to contract clauses, not to individuals.
To exercise these rights, email team@clausemesh.com with your request. We will respond within 30 days and may request verification of your identity before processing the request. If you are dissatisfied with our response, you have the right to lodge a complaint with your applicable supervisory authority.
7.2 Rights Under CCPA (California Residents)
California residents have the right to know what personal information is collected about them and how it is used and shared, to delete personal information, to opt out of the sale of personal information (ClauseMesh does not sell personal information), and to non-discrimination for exercising these rights. To exercise your California privacy rights, contact us at team@clausemesh.com.
8. Cookies
We use cookies and similar tracking technologies on the Site and Platform. For detailed information about the types of cookies we use, their purposes, and how to manage your cookie preferences, please see our Cookie Policy.
9. Security
We maintain a comprehensive information security program designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. Our security controls include: TLS 1.2+ encryption for all data in transit; AES-256 encryption for data at rest; role-based access controls that follow the principle of least privilege; multi-factor authentication requirements for ClauseMesh employees with access to production systems; annual penetration testing by a qualified third-party security firm; an annual SOC 2 Type II audit; and a formal incident response plan with designated response roles and customer notification procedures.
No information security program can guarantee complete protection against all threats. If you become aware of a security issue related to your ClauseMesh account, please contact us immediately at team@clausemesh.com.
10. Children's Privacy
ClauseMesh is a business-to-business service intended for use by professionals at corporate organizations. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that we have collected personal data from a minor, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (for existing customers) and by posting a prominent notice on the Site at least 14 days before the changes take effect. The "last updated" date at the top of this Policy reflects when the most recent changes were made. Continued use of the Site or Platform after a policy update constitutes acceptance of the revised terms.
12. Contact Information
For privacy-related inquiries, data subject rights requests, or questions about this Policy, please contact:
ClauseMesh Inc.
Attn: Privacy Team
1 World Trade Center
New York, NY 10007
Email: team@clausemesh.com
Phone: +1 (212) 539-7841
For EEA and UK residents, if you believe we have not addressed your privacy concern adequately, you have the right to contact your local data protection supervisory authority. In the EU, supervisory authority contact information is available at edpb.europa.eu.