Data Protection

GDPR compliance

Your privacy and data protection rights matter to us. ContractMate is designed around GDPR principles such as data minimization, purpose limitation, and user control.

Data Protection by Design

Privacy built into every feature from the ground up

We implement technical and organizational measures to ensure data protection principles are embedded in all processing activities.

AES-256 Document Encryption

Your documents are encrypted at rest and in transit

All uploaded documents are encrypted with your chosen password using AES-256. Data in transit is protected via SSL/TLS. Text is extracted server-side to enable AI chat.

EU Data Residency

Your data stays within the EU

All application data is processed and hosted within the European Union.

AI Transparency

Your data is never used for AI training

AI chat uses an AI provider. Your documents and conversations are processed solely to generate responses and are never used to train AI models.

Data Processing Records

Transparent data handling

We document our data processing activities internally and review vendors and data flows as the product evolves.

Consent Management

You're always in control

We obtain explicit consent before enabling optional analytics. We do not use session replay in the product. You can review and modify your cookie preferences at any time via the "Cookie Settings" link in the footer.

Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Access

You have the right to request copies of your personal data.

Right to Rectification

You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.

Right to Erasure

You have the right to request that we erase your personal data. Deleting your account permanently removes all associated data.

Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data, under certain conditions.

Right to Data Portability

You have the right to request that we transfer the data we have collected to another organization, or directly to you, in a structured format.

How We Process Your Data

We process personal data lawfully, fairly, and transparently. Our legal bases for processing include:

  • Consent: Optional product analytics is only activated after you give explicit consent via our cookie banner. We do not use session replay or broad autocapture in the product.
  • Contract: Processing your documents, subscriptions, and account data is necessary to deliver the service you signed up for.
  • Legal obligation: We retain certain records (e.g., payment invoices) as required by law.
  • Legitimate interests: Security monitoring and fraud prevention to protect your account.

AI Data Processing

Our AI Assistant uses an AI provider to generate responses. Here is how your data is handled:

  • When you use AI chat, the extracted text of your selected document and your question are sent to our AI provider to generate a response.
  • Our AI provider processes this data solely to generate your response; the data is not retained or used for model training.
  • Chat conversations are not stored on our servers and exist only in your browser session until you close the page.
  • Your data is never shared for advertising, analytics, or any purpose other than generating chat responses.
  • The AI Assistant clearly identifies itself as an AI system, in compliance with the EU AI Act (Article 50).

Data Hosting & Sub-processors

All ContractMate data is hosted within the European Union. Our sub-processors are:

  • Server hosting: Documents, account data, and metadata are hosted within the EU.
  • AI provider: Processes document text on demand to generate chat responses; the text is not used for model training.
  • Payment processing: Handles subscriptions and payments securely. We store only payment reference IDs, not payment card details.
  • Analytics provider: Processes pseudonymous usage analytics in the EU. Not used for advertising. We do not send document contents, AI chats, support messages, or health/emergency data to analytics.

All sub-processors are bound by data processing agreements that ensure GDPR-compliant handling of your data.

Data Breach Procedures

In the event of a data breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay if there is a high risk to their rights and freedoms.

Exercise Your Rights

To exercise any of your GDPR rights, please contact us at info@contractmate.de and we will respond to your request within one month. If you're not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.