Privacy & Data Policy

Last updated: April 2026 · Plain English, no legalese.

The short version

Your contract documents are processed entirely in memory and deleted immediately after analysis. We never store, log, or train on your document content. Ever.

What we collect

  • Email address — used for account login and billing receipts.
  • Billing information — handled entirely by Payfast. We never see or store your card details.
  • Scan metadata — filename, risk score, risk level, and timestamp. This powers your scan history dashboard.

What we never collect

  • Document content — the text of your contracts is never written to disk or stored in any database.
  • Raw clause text — the report you receive contains AI-generated analysis, not the original contract text.
  • Training data — your documents are never used to train AI models.

How processing works

When you upload a contract, here's exactly what happens:

  1. Your file is received by our server and loaded into memory — it is never written to disk.
  2. The text is extracted in memory and sent to the Anthropic Claude API for analysis.
  3. Claude returns a structured risk report. The raw contract text is discarded immediately.
  4. We store only the analysis result (risk score, identified issues, recommendations) linked to your account.
  5. The analysis result does not contain your raw contract text — only the AI-generated findings.

Third parties

Anthropic (Claude API)

Contract text is sent to Anthropic's Claude API for analysis. Anthropic operates a zero-data-retention policy for API usage — they do not store or train on API inputs. See Anthropic's Privacy Policy.

Payfast (Billing)

All payment processing is handled by Payfast. Your card details never touch our servers. We receive only a payment confirmation and subscription token.

Clerk (Authentication)

Account creation, login, and session management are handled by Clerk. We store only your Clerk user ID to link your account to your scan history.

Data residency

By default, your account data is stored in the US (Supabase US region). EU data residency is available on request — contact us and we'll migrate your account to our EU instance. This is particularly relevant for GDPR compliance.

Data Processing Agreements

If your organisation requires a Data Processing Agreement (DPA) — for example, for GDPR or POPIA compliance — contact us at privacy@clauseguard.co.za. We will provide a signed DPA within 5 business days.

Contact

Questions about this policy or your data? Email privacy@clauseguard.co.za.

ClauseGuard reports are for informational purposes only and do not constitute legal advice. Consult a qualified attorney before signing any contract.