Privacy Policy

Last updated: June 2026

1. Introduction

PactAlert is a product of RubiDev OÜ, a private limited company (osaühing) registered in Estonia (registry code: 16935750), with registered office at Vesivärava tn 50-201, Tallinn 10152, Estonia. When we say "we", "our", or "us" in this policy, we mean RubiDev OÜ.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have over it. It applies to visitors to our website and to customers using the PactAlert service.

For a technical description of how we protect your data, see our Security page.

2. Information We Collect

When you visit our website

  • IP address and basic device information (via server logs)
  • Pages you visit and actions you take. We measure this with cookieless analytics that sets no cookies and identifies visitors by a rotating daily server-side hash rather than a personal identifier. If you accept analytics cookies in our banner, Google Analytics collects this in more detail as well.

When you run a free preview (Quick Scan)

  • Your name and email address
  • The contract document you upload for the preview
  • The obligations, deadlines, and key dates we extract from it

When you sign up for PactAlert

  • Your name and email address
  • Your sign-in provider identifier (e.g., Google OAuth user ID)
  • Workspace name and your role within it

When you use the service

  • Contract documents you upload
  • Obligations, deadlines, and metadata extracted from those contracts
  • Tasks you create and sync to third-party tools
  • Usage data (feature interactions, session logs) for debugging and product improvement

When you subscribe to a paid plan

  • Billing information — processed by Stripe, our payment processor. We do not store full payment card data.
  • Subscription status and invoice history

When you contact us

  • The contents of your message and any information you choose to share

3. How We Use Your Information

  • Provide and operate the PactAlert service
  • Process your contracts and extract obligations
  • Deliver your free preview (Quick Scan) results by email and at your private result link
  • Send service-related emails (deadline alerts, account notifications)
  • If you ran a free preview, contact you about your preview and whether PactAlert is a fit for your needs — you can ask us to stop at any time, and every such email includes an opt-out
  • Communicate with you about your account, subscription, and support requests
  • Improve the product using aggregated, de-identified usage data
  • Enforce our Terms of Service and prevent abuse
  • Comply with legal, tax, and accounting obligations

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.

4. Legal Basis for Processing (EU/UK)

If you are in the EU, UK, or EEA, we process your personal data under one or more of the following GDPR legal bases:

  • Contract — to provide the service you signed up for
  • Legitimate interests — to secure our systems, improve the product, understand how our site is used through privacy-friendly cookieless analytics, prevent fraud or abuse, and follow up with people who have used our free preview about their interest in PactAlert (you may opt out or object at any time)
  • Consent — for optional analytics cookies (which load only if you accept them in our cookie banner) and for any communication where we ask for, and you give, your explicit consent
  • Legal obligation — to meet tax, accounting, and regulatory requirements

5. Sharing, Storage, and Retention

Subprocessors

We use a small set of trusted subprocessors to operate the service:

  • AWS S3 (US) — contract document storage
  • AWS SES (EU · Frankfurt) — transactional email delivery
  • OpenAI — extracts obligations from the contract text you upload
  • Stripe — payment processing and subscription billing
  • Google — sign-in, and optional Google Drive import if you connect it
  • PostHog (EU) — cookieless website and product analytics

The authoritative subprocessor list is maintained on our Security page. We will notify customers of material changes.

Data location

Contract documents are stored on AWS S3 in the United States. Transactional email is sent via AWS SES in Frankfurt (EU). See our Security page for the full per-subprocessor region breakdown.

International transfers

Some of our subprocessors (notably AWS S3, OpenAI, and Stripe) are located outside the EU. Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, together with additional technical and organizational safeguards.

Retention

  • Website server logs: up to 30 days
  • Account data: retained while your account is active; removed when you delete your workspace
  • Contract content and extracted obligations: retained in your workspace until you delete them; removed from our active systems when you delete your workspace, with any residual backup copies overwritten on our regular backup rotation
  • Quick Scan preview uploads and results: automatically deleted 30 days after the scan, or sooner if you delete the scan from its result page
  • Billing records: retained for 7 years as required by Estonian accounting law
  • Support communications: retained for up to 2 years after our last contact

6. GDPR Roles — Contract Data About Third Parties

When you use PactAlert to process contracts, those contracts may contain personal data about third parties (signatories, clients, counterparties). In that case:

  • You are the data controller for that personal data
  • PactAlert (RubiDev OÜ) is the data processor, acting on your documented instructions

We will sign a Data Processing Addendum (DPA) on request. Email support@pactalert.com.

Free preview (Quick Scan): the anonymous preview works differently. There is no workspace or DPA, so for a Quick Scan we act as the data controller for the limited purpose of generating and delivering your sample result. Your upload is governed by the authorization you give in Section 3 of our Terms of Service, and the document and its results are deleted within 30 days (or sooner if you delete the scan).

7. Cookies and Tracking

We use a small set of cookies and similar technologies:

  • Essential cookies — required for sign-in, session management, and basic site functionality. These cannot be disabled without breaking the service.
  • Functional cookies — remember your preferences (e.g., cookie consent choices)
  • Analytics cookies — help us understand how the site is used (Google Analytics). These load only if you accept them in our cookie banner; we do not load them before you choose. You can change your choice at any time via the "Cookie preferences" link in the footer.

Cookieless analytics. Separately from the cookies above, we use PostHog (hosted in the EU) for privacy-friendly analytics. It sets no cookies and stores nothing on your device — visitors are counted using a rotating daily server-side hash, not a personal identifier — so it runs for all visitors under our legitimate interest in understanding how the site is used, without requiring consent. You can object to this analytics at any time by emailing support@pactalert.com.

We do not use cookies for advertising, retargeting, or cross-site tracking.

8. Your Rights

If you are in the EU, UK, or EEA, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Portability — receive your data in a portable format
  • Restriction or objection — limit or object to certain processing
  • Withdraw consent — at any time, where we rely on consent
  • Complaint — lodge a complaint with your local data protection authority. In Estonia this is the Andmekaitse Inspektsioon.

To exercise any of these rights, email support@pactalert.com. You can also delete your workspace directly from your account settings at any time. We respond to verified requests within 30 days; for complex or numerous requests we may extend this by up to a further 60 days and will tell you if we need to.

9. Security

We take reasonable technical and organizational measures to protect your data, including encryption at rest and in transit, workspace isolation, and restricted internal access. For a full description of our security posture, subprocessors, and what we are still building, see our Security page.

If we discover a personal data breach affecting you, we will notify you in accordance with applicable law, including the GDPR 72-hour notification requirement where it applies.

10. Children's Privacy

PactAlert is a B2B service and is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to active customers or prominently on this page. The "Last updated" date at the top reflects the most recent version. Continued use of PactAlert after changes constitutes acceptance of the updated policy.

12. Contact

For privacy questions, data-subject requests, or to request our DPA, contact us at support@pactalert.com.

Data controller: RubiDev OÜ, Vesivärava tn 50-201, Tallinn 10152, Estonia (registry code 16935750).