Privacy Policy
This policy explains how ContractCheck (operated by SweetWater Holding UG (haftungsbeschränkt)) collects, stores, and uses your data. We are based in Hamburg, Germany, and process data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Data controller
SweetWater Holding UG (haftungsbeschränkt)
Bunsenstraße 1, 22765 Hamburg, Germany
Email: jane@licy.io
See our Imprint for full company details.
2. What we collect
We collect only the data necessary to provide ContractCheck:
- Account data: name, email, password hash (via Firebase Authentication), organisation name, role.
- Waitlist data: email, optional name, optional company, optional message you send us.
- Contract data: the contract files you upload (PDF / DOCX), filename, size, and the metadata our AI extracts (counterparty, start date, end date, notice period, auto-renewal flag).
- Billing data: when you subscribe to a paid plan, payment processing is handled entirely by our merchant of record, Lemon Squeezy. We receive subscription status, plan type, and billing email from Lemon Squeezy via webhook - but we never see or store your payment card number, CVV, or bank details.
- Usage logs: server-side logs of API requests (IP address, user-agent, timestamp, route) retained for up to 30 days for security and debugging.
3. Why we process it (legal basis under Art. 6 GDPR)
- Account, waitlist, and contract data: Art. 6(1)(b) - performance of a contract (providing the service you signed up for).
- Server logs and security telemetry: Art. 6(1)(f) - legitimate interest in operating a secure service.
- Marketing emails (if you opted in): Art. 6(1)(a) - your consent, which you can revoke at any time.
4. Where your data lives (sub-processors)
We use the following third-party processors. Each is bound by a Data Processing Agreement under Art. 28 GDPR:
- Firebase Authentication (Google Ireland Ltd.): stores email + password credentials. Data may be processed in the EU and the United States. Google offers Standard Contractual Clauses for international transfers.
- Cloudflare R2 (Cloudflare, Inc.): stores your uploaded contract files. We use the EU jurisdiction endpoint, so files are stored in Cloudflare's European data centres.
- PostgreSQL ([TODO: hosting provider, location]): stores account, waitlist, and contract metadata.
- OpenRouter (OpenRouter, Inc.): used to call third-party large language models (currently Anthropic Claude Sonnet 4.6) for contract metadata extraction. Your contract content is transmitted to OpenRouter and the model provider only for the duration of the request and is not used for model training under our provider agreements.
- DreamHost (New Dream Network, LLC): sends our transactional emails (waitlist confirmation, invitations, reminders).
- Vercel (Vercel Inc.): hosts the web application and serverless functions.
- Lemon Squeezy (Lemon Squeezy, LLC): our merchant of record for paid subscriptions. Lemon Squeezy processes payments, invoices, sales tax, and VAT on our behalf. We do not collect or store your payment card details - all payment data is handled exclusively by Lemon Squeezy under their Privacy Policy.
5. International transfers
Some sub-processors above are based outside the EU/EEA. Where applicable we rely on the European Commission's Standard Contractual Clauses and additional safeguards. You can request a copy of any specific agreement by emailing us.
6. How long we keep your data
- Active accounts: as long as your account is open.
- Closed accounts: deleted within 30 days, except where statutory retention obligations apply (e.g. § 257 HGB / § 147 AO for billing documents - up to 10 years).
- Waitlist entries: kept until you ask us to delete them.
- Server logs: 30 days.
7. Your rights under the GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Correct inaccurate data (Art. 16)
- Erase your data (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with a supervisory authority (Art. 77) - for German residents, this is your state Datenschutzbehörde
To exercise any of these rights, email jane@licy.io.
8. Cookies
We set a single strictly-necessary cookie called __session to keep you signed in. This cookie is exempt from consent requirements under § 25 (2) Nr. 2 TTDSG / GDPR Recital 30 because it is essential to provide the service you requested.
We do not use marketing, advertising, or analytics cookies. We do not embed third-party trackers.
9. Security
Files at rest in Cloudflare R2 are encrypted. Data in transit is protected by TLS. Authentication is handled by Firebase, which provides industry-standard credential storage. We follow the principle of least privilege when granting access to production systems.
10. Changes
We may update this policy. Material changes will be communicated by email to active users. The most current version is always available at this URL.