Privacy Policy

Last updated: 17 June 2026

Who we are

Explain My Contract is operated as a UK-based service. We are the data controller for the personal data described in this policy. Explain My Contract is operated by [Operator legal name — TO COMPLETE BEFORE PUBLISH].

Contact: support@explainmycontract.co.uk. Postal address: [Contact postal address — TO COMPLETE BEFORE PUBLISH].

Summary

We respect your privacy. We do not build profiles on you, sell your data, or use your information for marketing or advertising. Here's the key points:

  • Uploaded files are sent securely to our server for text extraction
  • You can review, redact, and anonymise before prepared text is sent to our AI provider
  • Names and identifiers can be replaced with tokens before AI processing
  • Checkout may create a short-lived recovery draft for paid sessions
  • Browser session data can be cleared anytime
  • Session auto-clears after inactivity or when you close your browser

How your data is processed

Here's the step-by-step flow of how your contract is handled:

  1. 1

    Upload or paste

    You upload a file or paste contract text. If you upload a file, it is sent securely to our server so text can be extracted.

  2. 2

    Review & redact

    You can review the pasted or extracted text and manually redact any sections you don't want sent for AI processing.

  3. 3

    Anonymise (optional)

    You can replace names, companies, and other identifiers with anonymous tokens (e.g., ⟦PERSON_1⟧).

  4. 4

    Send to AI provider

    Your prepared text (with any redactions and tokens applied) is sent securely over HTTPS to our AI provider.

  5. 5

    Explanation generated

    Our AI provider processes the text and returns a plain-English explanation.

  6. 6

    Results displayed

    The explanation is shown in your browser and can be cached in browser session storage. Tokenised names remain anonymised in the output.

Third-party processors

We use the following third-party services to provide this product:

OpenAI

AI text processing

Your prepared contract text (after any redaction/tokenisation you apply) is sent to generate the explanation.

We aim to send only the text needed to provide the service. We encourage you to redact or tokenise sensitive information before processing.

Stripe

Payment processing

Payment details are handled directly by Stripe. We do not receive or store your card information.

See Stripe's privacy policy for details on their data handling.

Vercel (hosting + Vercel Web Analytics)

Hosting, infrastructure, and cookieless usage analytics

Basic technical data (IP address, browser type) may be logged for operational and security purposes. Vercel Web Analytics collects aggregate, cookieless usage statistics.

Contract content is not logged or stored on our hosting infrastructure. Analytics does not use cookies and does not identify you personally.

Upstash (Redis)

Short-lived checkout drafts, payment records, and abuse controls

A short-lived checkout draft (the prepared contract text, kept up to 24 hours), payment-session metadata (e.g. Stripe session ID, amount, tier), and rate-limit/usage counters keyed by session or IP address.

Used only to recover paid sessions, prevent abuse, and enforce per-purchase usage limits. Checkout drafts expire automatically.

Our lawful bases for processing

Under UK GDPR we must have a lawful basis for processing your personal data. Ours are:

Providing the explanation you paid for Contract (Article 6(1)(b))

We process your contract text and payment to deliver the explanation you request and purchase.

Security, abuse prevention, and reliability Legitimate interests (Article 6(1)(f))

We use IP-based rate limiting, per-purchase usage records, and operational logging to keep the service secure, prevent abuse, and recover paid sessions. We balance this against your rights and do not use it to build profiles.

Meeting legal and financial obligations Legal obligation (Article 6(1)(c))

Our payment processor retains transaction records as required by tax and financial-compliance law.

Cookieless usage analytics Legitimate interests (Article 6(1)(f))

We use aggregate, cookieless analytics to understand how the service is used and fix problems. This does not store information on your device or identify you, so no consent banner is required.

International data transfers

Some of our processors are located outside the UK (for example in the United States). Where personal data is transferred outside the UK, we rely on appropriate safeguards as required by UK data protection law — such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, as offered by each provider in their data processing terms.

  • OpenAI — AI processing (United States)
  • Stripe — payment processing (United States / global)
  • Vercel — hosting and analytics (United States)
  • Upstash — Redis storage (region depends on configured database location)

Data retention

Explain My Contract servers

Uploaded files are processed to extract text, and we may keep a short-lived checkout draft for up to 24 hours for paid-session recovery. Generated explanations are not stored on our servers.

Your browser session

Contract text, selected options, payment session details, and results are stored temporarily in your browser session while you use the service. This data is cleared when you close your browser, manually clear your session, or after 15 minutes of inactivity.

AI provider

Our AI provider processes your text according to their API data handling terms. We do not control their retention policies. Refer to their documentation for specifics.

Usage and abuse-control records

To enforce per-purchase limits (one explanation plus one regeneration) and prevent reuse of a paid session, we keep small usage records keyed to your payment session, and short-lived rate-limit counters keyed to IP address. Usage records are retained for as long as needed to enforce these limits; they contain no contract content.

Payment records

Stripe retains payment records as required for financial and legal compliance. We keep minimal payment-session metadata (such as the Stripe session ID, amount, and the tier purchased) to verify access. These records do not include your contract content.

Your choices

You have control over your data at every step:

  • Clear your session

    Use the clear button in the navigation to delete all contract data from your browser at any time.

  • Redact before processing

    Manually select and redact any text you don't want sent to the AI provider. Redacted content is never transmitted.

  • Anonymise identifiers

    Replace names, companies, emails, and other identifiers with anonymous tokens before processing.

  • Output stays anonymised

    If you tokenised names before processing, your explanation will use those same tokens—keeping identities protected.

  • Export or discard

    Save your explanation as a PDF, or simply close your browser to discard everything.

Security

Encryption in transit

All data transmitted between your browser and our servers, and to third-party providers, is encrypted using HTTPS/TLS.

No content logging

We do not log your contract content or explanations on our servers. Only basic operational data (like error rates) is logged.

Minimal data transmission

We transmit only the text needed to generate your explanation. You control what is sent through redaction and tokenisation.

Session isolation

Your session data is isolated in your browser and is not accessible to other users or sessions.

Cookies & analytics

  • We do not use cookies. We set no advertising, tracking, or third-party cookies.
  • We store your theme preference (light/dark) in your browser's local storage. This is functional only and is not used to track you.
  • We use Vercel Web Analytics for aggregate usage statistics. It is cookieless, does not store information on your device, and does not identify you personally — so no cookie banner is required.

Your rights

Under UK data protection law you have the following rights over your personal data:

  • Access. Ask for a copy of the personal data we hold about you.
  • Rectification. Ask us to correct inaccurate or incomplete personal data.
  • Erasure. Ask us to delete personal data. Note most contract data is only held transiently (in your browser session, or a checkout draft for up to 24 hours); within that window you can ask us to delete a recovery draft.
  • Restriction and objection. Ask us to restrict processing, or object to processing based on our legitimate interests.
  • Portability. Where applicable, ask to receive personal data you provided in a portable format.

To exercise any of these, contact us at support@explainmycontract.co.uk.

Complaints

You have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO), if you are unhappy with how we handle your personal data. We would appreciate the chance to address your concerns first.

Information Commissioner's Office (ICO) https://ico.org.uk (helpline 0303 123 1113).

Contact us

If you have privacy concerns or questions, please contact:

support@explainmycontract.co.uk