As a European company, we are committed to protecting your privacy and ensuring the security of your personal data.
Our privacy policy and data processing agreement (DPA) outline how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (GDPR).
If you have any questions about our privacy policy or data processing agreement, feel free to contact us.
Privacy Policy
Last updated: March 25, 2026
This privacy policy applies to the website (www.clauseguide.com) and the ClauseGuide application (the “Application”) developed by Cardonam SAS (ClauseGuide or “we”).
It aims to inform you about how we collect, use, and protect your personal data in accordance with the European Union General Data Protection Regulation (GDPR) and applicable French law.
1. Identity of the data controller
The data controller is Cardonam SAS, a simplified joint-stock company registered in the Paris (France) trade and companies register under number 988 970 836 R.C.S. Paris with its registered office located at 58, rue de Monceau CS 48756 – 75380 Paris Cedex 08 – France.
For any questions regarding the processing of personal data, you can send an email to support@clauseguide.com.
2. Personal data collected
The types of personal data collected include:
- Identification data, such as your first and last name
- Contact details (email address, phone number, postal address, etc.)
- Professional data (company name, etc.)
- Payment and billing data
- Technical data related to your browser or IP address when browsing the website and the Application
These data are necessary to achieve the purposes described below. Failure to provide personal data may hinder the achievement of these purposes. On the website, personal data whose communication is optional will be specifically identified.
Use of strictly necessary technologies (cookies and local storage). We use a strictly necessary session cookie to keep you authenticated when you log in to the Application and to protect the security and proper functioning of your session. The Application may also use your browser’s local storage (localStorage) to store strictly necessary information for the functioning of the user interface (for example, to keep certain preferences or application state on your device). We do not use advertising cookies or analytics cookies/pixels at this time.
Payment processing (Stripe). If you subscribe to a paid plan, we use Stripe as a payment service provider to process payments and manage subscriptions. Depending on the payment method, Stripe may process payment information such as card details and payment authentication data. We do not store your card details on our servers.
Specific note regarding data generated by your use of the Application (e.g., chat content with the AI and data contained within the documents (e.g., contracts, guidelines) that you import into the Application) (the “User Content Data”): User Content Data may contain personal data concerning third parties (e.g., clients, employees, business partners). In such cases, you, as the user, are the data controller for these third-party personal data, and we act as your data processor pursuant to the terms of our Data Processing Agreement.
3. Purposes and legal bases for processing
| Purpose | Legal basis |
|---|---|
| Provision of the Application | Contract |
| Administration of your account | Contract |
| Customer support | Contract |
| Non-commercial communication (registered users) (e.g., service updates) | Contract |
| Maintenance of the Application (e.g., technical monitoring, bug fixing, performance optimization) | Legitimate Interest |
| Application security, abuse and fraud prevention | Legitimate Interest |
| Management of the commercial relationship | Legitimate Interest |
| Management of billing and accounting | Legal Obligations |
| Promotion and commercial offers | Legitimate Interest (registered users) / Consent (non-registered users) |
Where the legal basis is our legitimate interest (Article 6(1)(f) GDPR), we rely in particular on the following legitimate interests:
- Ensuring the security, stability, and proper functioning of the website and the Application (including preventing fraud, abuse, and unauthorized access, and enabling technical monitoring, debugging, and performance optimization).
- Managing and improving our customer relationships and business operations (for example, responding to requests, administering business accounts, and maintaining appropriate records of our interactions).
We consider that these processing activities are necessary for the purposes described above and are proportionate. We implement safeguards to reduce the impact on individuals (such as access controls, data minimization, and retention limits).
4. Data retention period
We retain your data for the time necessary to achieve the purposes described above. Unless we are required to retain this data to comply with our legal obligations or as part of the prevention or management of a dispute, we apply the following data retention policy:
| Data | Retention period |
|---|---|
| Identification data, contact details, professional data | Registered users: 5 years from the deactivation of your account. Other: 3 years from the date of collection or from the date of the last contact, whichever is later. |
| Payment and billing data | 10 years from the deactivation of your account from the Application. |
| Technical data related to your browser or IP address when browsing the website and the Application | Maximum 1 year from the collection of the data. |
| Contractual documents | 5 years from the deactivation of your account. |
| User data (customer support) | 5 years from the deactivation of your account. |
| User Content Data (Application) | User Content Data (messages, contracts, guidelines, etc.) are retained until their deletion by you (via the Application or explicit request) or by us according to our data retention policy, and at the latest after the expiration of a maximum period of one year following the date of deactivation of your account. You have the ability to delete your User Content Data at any time from the Application. |
5. Categories of recipients
Your personal data will be used by authorized members of our team as part of the execution of the purposes described above.
They may also be transmitted to any third party strictly involved in the achievement of the relevant purpose, and in particular:
- To suppliers and service providers we use as part of the development and provision of the Application (for example, AI inference providers, payment service providers)
- To service providers (bank, accountant, billing and accounting management provider, IT services, etc.)
- To security and content delivery providers (e.g., anti-bot protection and CDNs)
- To courts, authorities, and competent jurisdictions
- To tax and public administrations
- In the context of “Workspaces”, your data may be accessed by other members invited to the same workspace
Content delivery networks (CDNs)
To ensure performance, reliability, and security of the Application, some static resources (such as JavaScript and CSS files) may be delivered through third-party content delivery networks. When your browser loads these resources, the CDN provider may receive technical data such as your IP address, user agent, and standard access logs (date/time, requested URL, referrer, and device/browser information), to deliver the requested content and protect against abuse.
Anti-bot protection (Cloudflare Turnstile)
We use Cloudflare Turnstile to protect authentication and forms against automated abuse (spam, brute force, fraudulent activity). According to Cloudflare’s Turnstile Privacy Addendum (June 18, 2025), Turnstile processes minimal client-side signals (“Signals”) such as client IP address, TLS fingerprint, User-Agent header, and the sitekey and associated origin, solely for bot detection and blocking. In this context, Cloudflare processes these Signals as a data processor on our behalf (we act as the data controller for this processing) and the legal basis is our legitimate interest in securing the Application and preventing fraud. Cloudflare may also process Signals as an independent data controller to improve Turnstile’s bot detection capabilities, as described in Cloudflare’s Turnstile Privacy Addendum and main Privacy Policy.
Payment processing (Stripe)
We use Stripe for payments, subscription management, and other business services. Stripe may collect personal data including via cookies and similar technologies. The personal data Stripe collects may include transactional data and identifying information about devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud prevention and detection, authentication, analytics related to the performance of its services, and to enhance and customize the user experience. You can learn more about Stripe and read its privacy policy at https://stripe.com/privacy.
Document OCR (Microsoft Azure Document Intelligence)
To provide certain features of the Application (such as document text extraction), we may use Microsoft Azure Document Intelligence as a service provider. This may involve processing documents and related data (which may contain personal data) to generate structured outputs used by the Application. We deploy this service in the EU Data Boundary (e.g., France Central or Sweden Central), so document processing and storage are performed within the EU Data Boundary by default. See Section 6 (“Data transfer”) for a short note on limited, safeguarded cross-border processing that may occur in exceptional operational cases.
AI inference
To provide certain AI features of the Application (inference), we may use services provided by Google (Vertex AI), Scaleway or other service providers (“AI Inference Providers”). We configure these services to use European servers only, so prompts and AI outputs are processed in the European Union by default (see Section 6 (“Data transfer”) for a short note on limited, safeguarded cross-border processing that may occur for certain service/operational purposes).
6. Data transfer
The processing of your data will primarily be carried out within the European Union by service providers subject to the General Data Protection Regulation (GDPR).
Any transfer outside the European Economic Area (EEA) will be framed by appropriate safeguards, notably through the use of standard contractual clauses approved by the European Commission or when the destination country is recognized as offering an adequate level of protection by the European Commission.
Please note that even when we configure vendors to process your content in EU/EEA regions by default, the standard service terms and DPAs of some providers (such as Microsoft and Google) may contractually allow limited processing, remote access, or transit outside the EU/EEA in exceptional operational circumstances (for example, security and abuse prevention, automated moderation, technical support and troubleshooting, service reliability monitoring, or network transit). Where applicable, these transfers are governed by appropriate safeguards (such as SCCs) under our vendors’ DPAs and our own DPA.
7. Your rights
In accordance with the GDPR, you have the following rights:
- Right of access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to object
- Right to data portability
You also have the right to define directives relating to the fate of your personal data after your death.
To exercise these rights and/or obtain more information about the processing of your personal data, you can contact us by email at the address indicated above.
We will respond to your request as soon as possible and in any event within one (1) month from receipt (this period may be extended by two months in complex cases, in accordance with the GDPR).
When the legal basis for the purpose is consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Where applicable, you can withdraw your consent using the unsubscribe link in our communications or by contacting us at the address indicated above.
You have the right to lodge a complaint with the CNIL if you believe that the processing of your personal data is not in compliance with the regulations.
We do not carry out solely automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
8. Security
We implement appropriate technical and organizational measures to ensure a level of security adapted to the risk, including measures to prevent unauthorized access, disclosure, alteration, or destruction of your personal data. These measures include, but are not limited to, encryption and access controls.
9. Modification
This privacy policy may be modified at any time. The current version is the one published on the website. We encourage you to consult it regularly.
Data Processing Agreement
Last updated: May 5, 2026
This data processing agreement (“DPA”) forms part of the terms and conditions, and/or any additional or supplemental agreement (together the “Main Agreement”) entered into between the user (the “Controller”) and Cardonam SAS, a simplified joint-stock company registered in the Paris (France) trade and companies register under number 988 970 836 R.C.S. Paris with its registered office located at 58, rue de Monceau CS48756 75380 Paris Cedex 08, France (the “Processor”). The Controller and Processor are hereinafter collectively referred to as the “Parties” and individually as a “Party”.
Preamble
(A) The Processor provides the Controller with access to the ClauseGuide application (the “Application”), pursuant to the terms and conditions of the Main Agreement.
(B) In the course of providing the Application, the Processor may process personal data on behalf of the Controller.
(C) The Parties acknowledge that the Controller is the “Controller” and the Processor is the “Processor” of such personal data, as defined in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable French national data protection laws (collectively, “Data Protection Laws”).
(D) This DPA sets out the obligations of the Parties regarding the processing of personal data and is intended to ensure compliance with Data Protection Laws.
1. Definitions
Capitalized terms not defined herein shall have the meaning set forth in the Main Agreement.
In this DPA, the following terms shall have the meanings set forth below:
“Personal Data” means any information relating to an identified or identifiable natural person, as defined in Data Protection Laws, that the Processor processes on behalf of the Controller under the Main Agreement.
“Processing”, “Data Subject”, “Supervisory Authority”, “Personal Data Breach”, “Technical and Organisational Measures” shall have the meanings given to them in the Data Protection Laws.
2. Details of the Processing
2.1 The Processor shall process Personal Data for the purposes of providing the Application and related services to the Controller as described in the Main Agreement and in this DPA.
The details of the processing are as follows:
Nature and purpose of Processing: The processing consists of providing the Controller with a SaaS application that enables users to import contracts and other documents for AI analysis, contract management, to chat with AI agents and collaborate within workspaces. In providing AI features, the Processor may use third-party AI model and inference providers (e.g., Microsoft Azure AI, Google Cloud Vertex AI) as Sub-processors to process prompts, documents, and generated outputs as necessary to provide the Application.
Duration of Processing: Processing will occur for the duration of the Main Agreement, unless otherwise specified herein or in the Main Agreement.
Type of Personal Data: Personal data contained within documents (e.g., contracts, guidelines) imported by the Controller’s users (e.g., clients, employees, partners, customers of the Controller), and individuals who are members of the Controller’s workspaces (e.g., employees of the Controller, external collaborators, guests, etc.).
Categories of Data Subjects: Individuals whose personal data are contained in the documents imported by the Controller’s users (e.g., clients, employees, partners, customers of the Controller), and individuals who are members of the Controller’s workspaces (e.g., employees of the Controller, external collaborators, guests, etc.).
3. Controller’s Obligations
3.1 The Controller shall be solely responsible for:
- Ensuring that the Personal Data has been collected and transferred to the Processor in accordance with Data Protection Laws. This includes, but is not limited to, having a valid legal basis for processing and sharing such Personal Data with the Processor.
- Complying with all notifications and obtaining all necessary consents from Data Subjects, as required by Data Protection Laws, prior to any processing by the Processor.
- Ensuring that its instructions to the Processor comply with Data Protection Laws.
- Informing the Processor promptly in writing if the Controller’s instructions change or if any Personal Data processed requires specific handling under Data Protection Laws.
- Implementing appropriate technical and organisational measures to ensure the security of the Personal Data under its control, including the security of access information to the Application.
4. Processor’s Obligations
4.1 The Processor shall:
- Process only on documented instructions: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or member state law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Main Agreement and this DPA constitute such documented instructions.
- Unlawful instructions: If the Processor considers that an instruction from the Controller infringes Data Protection Laws, the Processor shall promptly inform the Controller and is entitled to suspend the execution of the relevant instruction until the Controller has confirmed, amended or withdrawn it.
- Confidentiality: Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security of Processing: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Processor shall assist the Controller in ensuring compliance with the Controller’s obligations regarding security of processing pursuant to Data Protection Laws. A description of the Processor’s security measures is provided in Appendix 1.
- Sub-processing: The Processor shall not engage another processor (“Sub-processor”) without specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, at least equivalent data protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract or other legal act under Data Protection Laws, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Laws. The Processor shall remain fully liable to the Controller for the performance of that Sub-processor’s obligations. A list of current Sub-processors is provided in Appendix 2.
- Assistance to the Controller: Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate Technical and Organisational Measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights. The Processor shall also assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, namely regarding security of processing, notification of a Personal Data Breach to the Supervisory Authority, communication of a Personal Data Breach to the Data Subject, data protection impact assessment, and prior consultation.
- Personal Data Breach Notification: In the event of a Personal Data Breach concerning Personal Data processed under this DPA, the Processor shall notify the Controller without undue delay after becoming aware of it, providing all information required by Data Protection Laws to enable the Controller to meet its own obligations.
- Deletion of Personal Data: Delete all Personal Data after the end of the provision of services relating to processing, and delete existing copies unless European Union or member state law requires storage of the Personal Data.
- Information and Audit: Make available to the Controller reasonable information necessary to demonstrate compliance with the obligations laid down in this DPA and Data Protection Laws.
- Records of Processing Activities: Maintain a record of all categories of processing activities carried out on behalf of the Controller, containing all information required by Data Protection Laws.
4.2 Third-party AI providers (clarifications)
Where the Processor uses third-party AI providers as Sub-processors (such as Microsoft Azure AI and Google Vertex AI) to provide AI features:
(a) The Parties acknowledge that such providers may impose their own contractual terms and DPAs. The Processor will seek to ensure that the processing by such Sub-processors is subject to data protection obligations consistent with this DPA.
(b) Certain providers may perform limited processing as independent controllers for specific purposes described in their terms (for example, automated moderation, security and abuse monitoring, and handling of user-provided feedback). The Processor will not intentionally provide training feedback to such providers through the Application’s user interface where the Processor has chosen not to enable such feedback, and will configure opt-out settings for training where available for the Processor’s account/project.
(c) The Processor’s obligations to provide information and support for audits under this DPA will be satisfied, where applicable, by providing the Controller with available compliance documentation and reasonable information received from or made available by such Sub-processors (e.g., via trust center materials), subject to confidentiality and trade secrets.
5. International Data Transfers
5.1 Personal Data is primarily processed within the European Union / European Economic Area (“EEA”). In limited cases, Personal Data may be transferred to and processed in countries outside of the EEA by the Processor or its Sub-processors (e.g., for support, security, or other ancillary service operations). Such transfers shall only occur where necessary and in accordance with Chapter V of the GDPR (e.g., through Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms).
5.2 Where Standard Contractual Clauses (“SCCs”) are used, the Controller hereby grants the Processor a general authorization to enter into SCCs with Sub-processors, ensuring that such Sub-processors commit to providing data protection equivalent to that required by Data Protection Laws.
6. Liability
6.1 The liability of each Party under this DPA shall be subject to the limitations of liability set forth in the Main Agreement.
7. General Provisions
7.1 This DPA shall be governed by and construed in accordance with the governing law of the Main Agreement.
7.2 In the event of a conflict between the provisions of this DPA and the Main Agreement, the provisions of this DPA shall prevail with regard to data processing obligations.
Appendix 1 – Technical and organisational measures
The Processor implements technical and organisational measures to ensure a level of security appropriate to the risk. These measures may consist of:
- Physical security: Measures to prevent unauthorized physical access to systems processing Personal Data (e.g., secure data centers, access controls, surveillance).
- System access control: Measures to prevent unauthorized access to data processing systems (e.g., strong password policies, multi-factor authentication, access logging, role-based access control, separation of duties).
- Data access control: Measures to ensure that persons authorized to use a data processing system only have access to the Personal Data to which they have an access right (e.g., least privilege principle, regular access reviews, user unique IDs).
- Transmission control: Measures to ensure that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport (e.g., encryption of data in transit – HTTPS/TLS, secure file transfer protocols).
- Input control: Measures to ensure that it is possible to check and establish whether and by whom Personal Data have been entered, modified or removed from data processing systems (e.g., audit trails, logging of all relevant activities).
- Data availability control: Measures to ensure that Personal Data is protected against accidental destruction or loss and that it is available to the Controller (e.g., regular backup procedures, robust disaster recovery plan, redundancy of systems, uninterruptible power supplies).
- Separation control: Measures to ensure that data collected for different purposes can be processed separately (e.g., logical separation of customer data within the application, segregation of duties).
- Pseudonymisation and encryption: Application of pseudonymisation and encryption of Personal Data where appropriate and feasible (e.g., encryption of data at rest).
- Regular testing and evaluation: Regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (e.g., penetration testing, vulnerability scans, security audits).
- Personnel training and awareness: Regular training of personnel involved in the processing of Personal Data on data protection and security best practices.
Appendix 2 – List of sub-processors
The Controller hereby generally authorizes the engagement of the Sub-processors listed below. The Processor shall keep this list updated and provide the Controller with notice of any new Sub-processors or changes to existing Sub-processors, thereby giving the Controller the opportunity to object to such changes. The Processor shall maintain a public list of its current Sub-processors and/or notify the Controller of any changes by email.
Note: For each Sub-processor below, processing is intended to occur in the EU/EEA (e.g., EU regions / EU Data Boundary) where available for the relevant service configuration. Certain Sub-processors’ standard terms and DPAs may allow limited processing, remote access, or transit outside the EU/EEA in exceptional operational circumstances (e.g., support, security/abuse prevention, service reliability monitoring, or network transit), subject to appropriate safeguards (e.g., SCCs) where applicable.
| Sub-processor | Services provided |
|---|---|
| Scaleway | Cloud infrastructure, AI Inference services (open-source AI models) |
| OVH | Cloud infrastructure |
| Microsoft (Azure AI) | Cloud infrastructure, Document intelligence services, AI Inference services |
| Google (Vertex AI) | AI inference services |
| Tensorix Ltd | AI inference services (open-source AI models) |