Privacy Policy
Last updated: 17 June 2026
Who we are
Explain My Contract is operated as a UK-based service. We are the data controller for the personal data described in this policy. Explain My Contract is operated by [Operator legal name — TO COMPLETE BEFORE PUBLISH].
Contact: support@explainmycontract.co.uk. Postal address: [Contact postal address — TO COMPLETE BEFORE PUBLISH].
Summary
We respect your privacy. We do not build profiles on you, sell your data, or use your information for marketing or advertising. Here's the key points:
- Uploaded files are sent securely to our server for text extraction
- You can review, redact, and anonymise before prepared text is sent to our AI provider
- Names and identifiers can be replaced with tokens before AI processing
- Checkout may create a short-lived recovery draft for paid sessions
- Browser session data can be cleared anytime
- Session auto-clears after inactivity or when you close your browser
How your data is processed
Here's the step-by-step flow of how your contract is handled:
- 1
Upload or paste
You upload a file or paste contract text. If you upload a file, it is sent securely to our server so text can be extracted.
- 2
Review & redact
You can review the pasted or extracted text and manually redact any sections you don't want sent for AI processing.
- 3
Anonymise (optional)
You can replace names, companies, and other identifiers with anonymous tokens (e.g., ⟦PERSON_1⟧).
- 4
Send to AI provider
Your prepared text (with any redactions and tokens applied) is sent securely over HTTPS to our AI provider.
- 5
Explanation generated
Our AI provider processes the text and returns a plain-English explanation.
- 6
Results displayed
The explanation is shown in your browser and can be cached in browser session storage. Tokenised names remain anonymised in the output.
Third-party processors
We use the following third-party services to provide this product:
OpenAI
AI text processing
Your prepared contract text (after any redaction/tokenisation you apply) is sent to generate the explanation.
We aim to send only the text needed to provide the service. We encourage you to redact or tokenise sensitive information before processing.
Stripe
Payment processing
Payment details are handled directly by Stripe. We do not receive or store your card information.
See Stripe's privacy policy for details on their data handling.
Vercel (hosting + Vercel Web Analytics)
Hosting, infrastructure, and cookieless usage analytics
Basic technical data (IP address, browser type) may be logged for operational and security purposes. Vercel Web Analytics collects aggregate, cookieless usage statistics.
Contract content is not logged or stored on our hosting infrastructure. Analytics does not use cookies and does not identify you personally.
Upstash (Redis)
Short-lived checkout drafts, payment records, and abuse controls
A short-lived checkout draft (the prepared contract text, kept up to 24 hours), payment-session metadata (e.g. Stripe session ID, amount, tier), and rate-limit/usage counters keyed by session or IP address.
Used only to recover paid sessions, prevent abuse, and enforce per-purchase usage limits. Checkout drafts expire automatically.
Our lawful bases for processing
Under UK GDPR we must have a lawful basis for processing your personal data. Ours are:
Providing the explanation you paid for — Contract (Article 6(1)(b))
We process your contract text and payment to deliver the explanation you request and purchase.
Security, abuse prevention, and reliability — Legitimate interests (Article 6(1)(f))
We use IP-based rate limiting, per-purchase usage records, and operational logging to keep the service secure, prevent abuse, and recover paid sessions. We balance this against your rights and do not use it to build profiles.
Meeting legal and financial obligations — Legal obligation (Article 6(1)(c))
Our payment processor retains transaction records as required by tax and financial-compliance law.
Cookieless usage analytics — Legitimate interests (Article 6(1)(f))
We use aggregate, cookieless analytics to understand how the service is used and fix problems. This does not store information on your device or identify you, so no consent banner is required.
International data transfers
Some of our processors are located outside the UK (for example in the United States). Where personal data is transferred outside the UK, we rely on appropriate safeguards as required by UK data protection law — such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, as offered by each provider in their data processing terms.
- OpenAI — AI processing (United States)
- Stripe — payment processing (United States / global)
- Vercel — hosting and analytics (United States)
- Upstash — Redis storage (region depends on configured database location)
Data retention
Explain My Contract servers
Uploaded files are processed to extract text, and we may keep a short-lived checkout draft for up to 24 hours for paid-session recovery. Generated explanations are not stored on our servers.
Your browser session
Contract text, selected options, payment session details, and results are stored temporarily in your browser session while you use the service. This data is cleared when you close your browser, manually clear your session, or after 15 minutes of inactivity.
AI provider
Our AI provider processes your text according to their API data handling terms. We do not control their retention policies. Refer to their documentation for specifics.
Usage and abuse-control records
To enforce per-purchase limits (one explanation plus one regeneration) and prevent reuse of a paid session, we keep small usage records keyed to your payment session, and short-lived rate-limit counters keyed to IP address. Usage records are retained for as long as needed to enforce these limits; they contain no contract content.
Payment records
Stripe retains payment records as required for financial and legal compliance. We keep minimal payment-session metadata (such as the Stripe session ID, amount, and the tier purchased) to verify access. These records do not include your contract content.
Your choices
You have control over your data at every step:
Clear your session
Use the clear button in the navigation to delete all contract data from your browser at any time.
Redact before processing
Manually select and redact any text you don't want sent to the AI provider. Redacted content is never transmitted.
Anonymise identifiers
Replace names, companies, emails, and other identifiers with anonymous tokens before processing.
Output stays anonymised
If you tokenised names before processing, your explanation will use those same tokens—keeping identities protected.
Export or discard
Save your explanation as a PDF, or simply close your browser to discard everything.
Security
Encryption in transit
All data transmitted between your browser and our servers, and to third-party providers, is encrypted using HTTPS/TLS.
No content logging
We do not log your contract content or explanations on our servers. Only basic operational data (like error rates) is logged.
Minimal data transmission
We transmit only the text needed to generate your explanation. You control what is sent through redaction and tokenisation.
Session isolation
Your session data is isolated in your browser and is not accessible to other users or sessions.
Cookies & analytics
- We do not use cookies. We set no advertising, tracking, or third-party cookies.
- We store your theme preference (light/dark) in your browser's local storage. This is functional only and is not used to track you.
- We use Vercel Web Analytics for aggregate usage statistics. It is cookieless, does not store information on your device, and does not identify you personally — so no cookie banner is required.
Your rights
Under UK data protection law you have the following rights over your personal data:
- Access. Ask for a copy of the personal data we hold about you.
- Rectification. Ask us to correct inaccurate or incomplete personal data.
- Erasure. Ask us to delete personal data. Note most contract data is only held transiently (in your browser session, or a checkout draft for up to 24 hours); within that window you can ask us to delete a recovery draft.
- Restriction and objection. Ask us to restrict processing, or object to processing based on our legitimate interests.
- Portability. Where applicable, ask to receive personal data you provided in a portable format.
To exercise any of these, contact us at support@explainmycontract.co.uk.
Complaints
You have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO), if you are unhappy with how we handle your personal data. We would appreciate the chance to address your concerns first.
Information Commissioner's Office (ICO) — https://ico.org.uk (helpline 0303 123 1113).
Contact us
If you have privacy concerns or questions, please contact: