Privacy Policy
Effective: February 12, 2026
Chaman Ventures, SAS with a share capital of €100
RCS Paris 989 498 902 — VAT FR92989498902
229 Rue Saint-Honoré, 75001 Paris, France
1. Controller
- Chaman Ventures, SAS with a share capital of €100, RCS Paris 989 498 902.
- VAT: FR92989498902.
- Registered address: 229 Rue Saint-Honoré, 75001 Paris, France.
- Contact: hello@contractspec.studio
- Security contact: security@contractspec.studio
2. Data we collect
- Account data: name, email address, profile image (via Google OAuth or email signup).
- Organization data: workspace name, team membership, role assignments.
- Evidence data: content you submit or sync (meeting transcripts, support tickets, analytics events, documents).
- Usage data: page views, feature usage events, and session metadata via PostHog (EU).
- Billing data: processed by Stripe. We do not store payment card numbers.
3. How we use your data
- To provide the Service: evidence ingestion, correlation, impact analysis, and artifact generation.
- To operate billing and subscriptions via Stripe.
- To send transactional emails (account verification, export notifications, stakeholder briefs).
- To improve the Service through anonymized, aggregated usage analytics.
- We do not sell your data. We do not use your data to train AI models.
4. PII redaction
- Emails and phone numbers are automatically redacted at the evidence ingestion stage.
- Name redaction is optional and configurable per workspace.
- Custom regex rules can be added for additional PII patterns.
- Raw PII is never stored after redaction.
5. Sub-processors
- Platform-level: Vercel (hosting), Supabase (database, EU), PostHog (analytics, EU), Stripe (billing), OpenAI, Anthropic, Mistral AI, Groq (LLM inference), Resend and Scaleway (email), Telnyx (SMS), fal.ai (image generation), Gradium (voice), DeepL (translation), Jina AI (web extraction), Linear (export).
- User-configurable: Slack, GitHub, Jira, Notion, Zendesk, LinkedIn, OneDrive, Google Drive, Granola, tl;dv, Fireflies.ai, Fathom, Twilio, Postmark, ElevenLabs, Qdrant, Powens, Google Calendar. These only process data when you explicitly connect them.
- Full sub-processor list with data categories is maintained in our DPA.
6. Data residency
- Primary database: EU (eu-west-1) via Supabase.
- Analytics: EU via PostHog.
- LLM inference may route through US providers (OpenAI, Anthropic, Groq). EU-only inference available via Mistral AI.
- Enterprise plans support single-tenant or on-premises deployment.
7. Retention
- Configurable per workspace: 30 days to 12 months.
- Data is hard-deleted on schedule. No recovery after the retention window.
- On-demand purge available at any time from workspace settings.
- Account deletion removes all associated data within the retention window.
8. Cookies and analytics
- We use PostHog (EU-hosted) for product analytics and feature flags.
- Session replay requires explicit user consent and is off by default.
- We do not use third-party advertising trackers.
- Essential cookies: authentication session tokens only.
9. Your rights (GDPR)
- Access: request a copy of your personal data.
- Rectification: correct inaccurate data via account settings or by contacting us.
- Erasure: delete your account and all associated data.
- Portability: export your data in JSON or CSV format.
- Objection: opt out of analytics tracking at any time.
- To exercise any right, email hello@contractspec.studio.
10. Security measures
- OAuth tokens encrypted at rest (AES-256).
- Role-based access control with organization-level permissions.
- Audit trail for every evidence ingestion, rule execution, and export.
- SOC 2 Type I in progress. Penetration test results available on request.
- See our Security page for the full breakdown.
11. Changes to this policy
- We will notify you of material changes via email or in-app notice.
- Continued use after notice constitutes acceptance.
- Previous versions are available on request.