Effective Date: March 24, 2026
1. Introduction
KontractAI ("we," "our," or "us") operates the KontractAI contract lifecycle management application (the "Application") accessible at app.kontractai.com, and the KontractAI Word Add-in (the "Add-in") available for Microsoft Word Desktop and Web. This Privacy Policy describes how we collect, use, and protect your personal information when you use the Application and the Add-in.
2. Information We Collect
Account Information
- Name, email address, role, and department provided during account creation
- Authentication credentials (passwords are hashed using bcrypt; we never store plaintext passwords)
- Two-factor authentication secrets (stored encrypted and used solely to verify TOTP codes)
Contract Documents
- Documents uploaded to the Application or via the Add-in, including .docx, .doc, and .pdf files
- Document metadata including filenames, file sizes, version numbers, and upload timestamps
- Custom XML properties embedded in documents that associate the document with a contract request (see Section 5)
Usage Data
- Activity logs including login events, document uploads, status changes, and administrative actions
- IP addresses associated with login and API requests
- Browser and device information transmitted via standard HTTP headers
3. How We Use Your Information
We use the information we collect to:
- Provide and operate the KontractAI Application and Add-in
- Authenticate users and enforce access controls
- Process and store contract documents with version tracking
- Synchronize documents to your organization's SharePoint Online environment
- Send email notifications for contract status changes and assignments
- Generate audit logs for compliance and security purposes
- Improve the reliability and performance of our services
4. AI Data Processing
The Application uses Anthropic's Claude API to extract contract metadata and provide AI-powered document analysis. When you use AI features:
- Contract documents are transmitted to Anthropic's API as base64-encoded data over TLS-encrypted connections. Base64 is a transport encoding, not encryption; confidentiality of the data in transit is provided by TLS.
- Anthropic does not train its models on API data. All API requests are subject to Anthropic's commercial API terms, which prohibit training on customer data.
- Anthropic may retain API inputs and outputs for up to 30 days for trust and safety purposes, after which they are deleted; AI-processed data is not stored by Anthropic beyond that period
- You can review Anthropic's privacy practices at anthropic.com/privacy
5. Microsoft Word Add-in
The KontractAI Word Add-in accesses the following data from your Word environment:
- The content of the currently open document (to upload as a contract version)
- The document filename and file size
- Custom XML properties embedded in the document (to identify the associated contract request)
The Add-in communicates exclusively with KontractAI servers at app.kontractai.com over HTTPS. The Add-in does not:
- Access documents other than the one currently open
- Store data locally beyond your authentication token
- Transmit data to any third party other than your organization's KontractAI instance
- Access your Microsoft account credentials (authentication is handled by KontractAI's own login system or your organization's SSO provider)
6. Data Storage and Security
- All data is stored on dedicated infrastructure (not shared hosting)
- Data in transit is encrypted using TLS 1.2/1.3
- Data at rest is stored on LUKS2-encrypted volumes using AES-256
- Database access is restricted to the internal container network; the database is not reachable from the public internet
- Access is controlled by role-based permissions with five role tiers
- Two-factor authentication is available for all accounts
- Single Sign-On via Microsoft Entra ID is supported for organizations that require it
7. SharePoint Integration
When your organization has SharePoint integration enabled:
- Contract documents are synced to your organization's SharePoint Online site
- Documents are stored in structured folder hierarchies within your organization's SharePoint tenant
- KontractAI accesses SharePoint using OAuth 2.0 credentials configured by your organization's administrator
- We do not access SharePoint data beyond the designated KontractAI document libraries
8. Data Sharing
We do not sell, rent, or share your personal information with third parties for their marketing purposes. We share data only:
- With Anthropic's Claude API for AI document processing (as described in Section 4)
- With your organization's SharePoint Online tenant (as described in Section 7)
- As required by law, regulation, or legal process
- To protect the rights, property, or safety of KontractAI, our users, or the public
9. Data Retention
- Active account data is retained for the duration of your organization's subscription
- Contract documents and version history are retained until deleted by an authorized user
- Activity and audit logs are retained for compliance purposes
- Upon account termination, we will delete or anonymize your data within 90 days, unless retention is required by law
10. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information
- Export your data in a machine-readable format
- Object to certain processing of your information
To exercise these rights, contact us at privacy@kontractai.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Your continued use of the Application or Add-in after changes are posted constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
KontractAI
Erlichman Law, PLLC
Email: privacy@kontractai.com
Website: kontractai.com