CONTRACTZEN PRIVACY POLICY
Last updated on 14 June, 2026
1 INTRODUCTION
ContractZen Oy (“ContractZen”, “we”, “us”, “our”) is committed to protecting your privacy and to complying with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. Throughout this Privacy Policy the term “personal data” means information relating to an identified or identifiable individual (i.e. a natural person).
This Privacy Policy applies to personal data collected in connection with the ContractZen cloud service, however accessed and/or used, whether via personal computers, mobile devices such as mobile device applications or otherwise (the “Service”). It is provided to you for transparency under Articles 13 and 14 of the GDPR; it is referenced from, but does not itself form a binding part of, the ContractZen General Terms and Conditions. As a data subject, you may be a person using the Service under a valid subscription or a person involved in ordering the Service from us.
With the Service you can manage contracts and corporate documentation of a company. This Privacy Policy is an informational notice and not the legal basis for our processing: using the Service is not treated as your consent to processing. The legal bases on which we process your personal data are set out in Section 3, and nothing in this Privacy Policy requires you to waive any statutory rights you have under the GDPR or other applicable law.
Please note that this Privacy Policy applies to personal data that is processed by ContractZen as a data controller (for example your account, billing and usage data). It does not apply to the documents and personal data you submit, store or process in the Service to manage your own contracts and records. With respect to such content, you (or your organisation) act as the data controller and ContractZen acts as your data processor for the purposes of providing the Service; that processing is governed by a separate Data Processing Appendix. You remain responsible for ensuring you have a legal basis for the content you upload. This Privacy Policy does not apply to third parties’ websites and/or services which you may encounter when you use the Service; the collection, use and disclosure of personal data by any third parties will be subject to such third parties’ applicable privacy policies, and we are not responsible for their privacy practices.
2 THE DATA WE COLLECT
2.1 Data You Provide
When you use the Service, we primarily collect data that you provide to us directly. For example, when you use or register for the Service, we may ask you to provide us with registration information, such as your name, email address, as well as user names, passwords and other such credentials that are used to authenticate users and to validate their actions or that may be needed to provide you access to the Service.
Moreover, we may collect or ask for information relating to your purchase and/or use of the Service and other interactions with us. Such information may include, for example, details of the queries or requests you have made, billing and invoicing details (such as your name, company, billing or business address, business ID / VAT number, email address, subscription and transaction details, invoice records and payment status), details of agreements between you (or the organisation you represent) and ContractZen, records of contacts and communications, information relating to the content you have provided us with and other such transactional information. Payment card transactions are processed directly by third-party payment service providers; ContractZen does not collect or store your full payment card number or security code, although we may receive limited confirmation data such as the payment status, a transaction reference, and the card type and last four digits.
We may collect and update personal data from publicly available sources, or from registers of authorities and companies providing services related to personal data.
2.2 Data Collected Automatically
Certain information may be collected automatically as a standard part of your use of the Service. Such information includes, for example, your IP address, access times, the website you linked from, pages you visit, the links you use, content you viewed, information about your devices such as (but without limitation) device type and model, unique ID and operating system version of the device, and other such technical information your browser provides us with or as may be otherwise collected in connection with the Service. When you use the Service or otherwise interact with us over telecommunications networks, certain additional information, such as your mobile subscription number, may be transmitted to us by the telecommunications operator as a standard part of that communication.
We use cookies and similar technologies on the device that you use to access the Service. Strictly necessary cookies, which are required to run the Service and keep it secure, are always active. Analytics and other non-essential cookies are used only with your consent, which you can give or withdraw at any time through our cookie banner or settings; managing cookies through your browser alone is not a substitute for this consent. If you disable strictly necessary cookies, some features of the Service may not work. If you use the Service on a mobile device, we also store data in your device’s local storage for caching purposes.
We use third-party analytics providers, such as Google Analytics and Microsoft Azure Application Insights, to help us understand usage patterns of the Service, where you have consented to analytics cookies. Where these tools involve transfers of personal data outside the EEA, we apply the safeguards described in Section 4. A current list of the analytics providers and other subprocessors we use is available on request.
3 PURPOSES AND LAWFUL BASES FOR PROCESSING YOUR PERSONAL DATA
The categories of personal data mentioned above may be processed for the following purposes and to the extent necessary for that purpose:
- to set up and maintain your registration with the Service and to fulfil your requests;
  - Legal basis: Legitimate interest in providing our services to our customers and engaging in general business activities (Article 6(1)(f) GDPR). If you are our direct customer and have a contract with us regarding the provision of the Service, the legal basis is the performance of that contract (Article 6(1)(b) GDPR).
- to provide features available in the Service;
  - Legal basis: Legitimate interest in providing our services to our customers and engaging in general business activities (Article 6(1)(f) GDPR). If you are our direct customer and have a contract with us regarding the provision of the Service, the legal basis is the performance of that contract (Article 6(1)(b) GDPR).
- to ensure the security and technical functionality of the Service;
  - Legal basis: Legitimate interest in ensuring the security and reliability of our products and services and in protecting our and our customers’ data (Article 6(1)(f) GDPR).
- to operate, manage, develop and improve the Service;
  - Legal basis: Legitimate interest in improving our current services and developing new services based on feedback and data acquired in the course of providing services to our customers (Article 6(1)(f) GDPR).
- to communicate with you regarding the provision of the Service;
  - Legal basis: Legitimate interest in providing our services to our customers and engaging in general business activities (Article 6(1)(f) GDPR). If you are our direct customer and have a contract with us regarding the provision of the Service, the legal basis is the performance of that contract (Article 6(1)(b) GDPR).
- to audit and analyse the Service, including analysing trends related to the use of the Service;
  - Legal basis: Legitimate interest in complying with internal and external audits, providing our services to our customers and engaging in general business activities (Article 6(1)(f) GDPR).
- to process any transactions you may enter into in the Service;
  - Legal basis: Legitimate interest in providing our services to our customers and engaging in general business activities, including processing payments made for the use of our services (Article 6(1)(f) GDPR). If you are our direct customer and have a contract with us regarding the provision of the Service, the legal basis is the performance of that contract (Article 6(1)(b) GDPR).
- to conduct market research;
  - Legal basis: Legitimate interest in conducting customary market research for the purpose of understanding the market in which we provide our services (Article 6(1)(f) GDPR).
- to carry out direct electronic marketing in accordance with applicable law;
  - Legal basis: Legitimate interest in providing information about our services to existing and potential business partners and in maintaining business relationships (Article 6(1)(f) GDPR). Where required by applicable law, we will send you direct marketing only on the basis of your consent (Article 6(1)(a) GDPR).
- to protect our and/or our customers’ rights and property and to prevent and investigate fraud and other misuse; and
  - Legal basis: Legitimate interest in protecting our and our customers’ rights, ensuring data security, protecting our and our customers’ assets, and preventing and investigating fraud and other misuse (Article 6(1)(f) GDPR).
- to comply with any mandatory legal requirements and/or in connection with law enforcement or other civil or criminal legal proceedings.
  - Legal basis: Legal obligation (Article 6(1)(c) GDPR).
The processing of personal data collected through non-essential cookies for each of the above-mentioned purposes is based on your consent (Article 6(1)(a) GDPR).
Where processing relies on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. Where processing relies on our legitimate interests, you may object to it as described in Section 6.
The provision of certain personal data is necessary to enter into and perform our contract with you or the organization you represent. For example, when you or the organization you represent subscribes to the Service, you are required to provide us with certain personal data for the purposes specified in this Privacy Policy. Failure to provide that data may prevent us from performing our contractual obligations, which may lead to you or the organization you represent being unable to use the Service.
Your personal data is not processed to make automated decisions that produce legal or similarly significant effects concerning you within the meaning of Article 22 of the GDPR.
4 SHARING YOUR PERSONAL DATA AND INTERNATIONAL TRANSFERS
We do not sell, lease or rent personal data about you. We disclose personal data only as described below.
We may provide personal data about you to service providers (subprocessors) who work on our behalf for the purposes above, including cloud hosting, AI features, analytics, payment processing, electronic-signature and customer-support providers. Such parties are bound by contract to protect your personal data, to use it only to provide their services to us, and to apply appropriate security measures. Our current subprocessor list will be available on request. Payment processing and invoicing/accounting are handled by third-party service providers; full payment card details are entered into and processed directly by the payment service provider and are not received or stored by ContractZen.
The Service is hosted in Microsoft Azure data centres located within the European Union, and our AI features run on Azure AI Foundry model deployments located within the European Union. The personal data we process as controller is therefore primarily stored and processed within the EEA. In limited situations, for example in connection with support functions and some optional third-party features you choose to enable, such as payment processing or electronic-signature services, we or our subprocessors may transfer personal data outside the EEA. Where that happens, we ensure an appropriate safeguard is in place, such as a European Commission adequacy decision, the EU Standard Contractual Clauses together with any necessary supplementary measures, or the provider’s certification under the EU-US Data Privacy Framework. You can request details of these safeguards by contacting us at info@contractzen.com.
We may be obliged by mandatory legislation to disclose personal data about you to certain authorities, such as law enforcement agencies. We may also process personal data about you where needed to establish, exercise or defend legal claims, or to prevent and investigate fraud and other misuse.
We may transfer, assign and disclose personal data about you to our subsidiaries and affiliates or a subsequent owner, co-owner or operator of the Service and their advisors in connection with a corporate merger, consolidation, restructuring, or the sale of substantially all of our stock and/or assets or in connection with bankruptcy proceedings or other corporate reorganization, or in connection with a due diligence process preceding such merger, consolidation, restructuring, or sale, in accordance with this Privacy Policy.
We may also disclose information to third parties in an aggregated and/or anonymised format that does not constitute personal data and does not allow the identification of individual users.
5 SECURITY OF YOUR INFORMATION
We take the security of your personal data seriously and implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR. These include encryption of data in transit and at rest, access controls on a least-privilege basis, network protection, logging and monitoring, regular backups, and confidentiality obligations on our staff. In the event of a personal data breach affecting you, we will act in accordance with our legal obligations, including notifying the competent supervisory authority and affected individuals where required. No method of transmission or storage is completely secure, so while we cannot guarantee absolute security, we are committed to protecting your data and to continuously improving our safeguards.
5A DATA RETENTION
We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, after which we delete or anonymise it. In general: account and profile data are kept for the life of your subscription and for 12 months afterwards; billing and financial records are kept for the period required by applicable accounting law (in Finland, generally up to about six years); usage logs and analytics data are kept for 12 months; marketing data are kept until you opt out or after 12 months of inactivity; and support communications are kept for 12 months. Where a precise period cannot be given in advance, we determine it using the same criteria: the purpose of the processing and any statutory retention period that applies.
6 YOUR RIGHTS
Subject to the GDPR, you have the right to access the personal data we hold about you. You can exercise this and the other rights below by contacting us through the contact points referred to in Section 8.
You have the right to rectify any incomplete, incorrect or outdated personal data we hold about you.
You have the right to request erasure of personal data concerning you (the right to be forgotten), and we will erase the data where there is no longer a lawful ground for processing it.
You have the right to request that we restrict the processing of your personal data in the circumstances set out in the GDPR.
You have the right to data portability, namely to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and, where technically feasible, to have it transmitted to another controller.
Where our processing is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
In some cases you have the right to object to processing based on our legitimate interests, and we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. You may object to direct marketing at any time, and every electronic marketing message we send gives you an option to opt out of future communications. We respond to rights requests free of charge and normally within one month, as required by the GDPR.
You also have the right to lodge a complaint with the competent supervisory authority regarding our processing of your personal data. Our lead supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) in Finland.
7 CHILDREN’S PRIVACY
The Service is intended for business and professional use and is not directed to children. We do not knowingly collect personal data from children below the applicable digital-consent age. If you believe a child has provided us with personal data, please contact us and we will delete it.
8 THE CONTROLLER OF YOUR PERSONAL DATA AND CONTACT DETAILS
Your personal data is controlled by ContractZen Oy, Eteläesplanadi 2, 00130 Helsinki, Finland. For privacy enquiries or to exercise your rights, please contact us at info@contractzen.com. Our lead supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) in Finland.
9 CHANGES TO THIS PRIVACY POLICY
ContractZen may update this Privacy Policy from time to time. If we make a material change, we will notify you of the change, and update the “last updated” date above, before the change takes effect. We recommend that you revisit this Privacy Policy from time to time, and previous versions are available on request.