Privacy Policy

Effective Date: April 3, 2026

Version: 2026.04.03

1. Introduction

Pactwise LLC. ("Company," "we," "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our contract and vendor management platform ("the Service").

This policy applies to all users of Pactwise services including the web application, APIs, and any related services. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

We collect the following categories of information:

Account Information: Name, email address, company name, role, department, and authentication credentials when you register for an account.

Customer Data: Contracts, vendor information, financial data, compliance records, and other business documents you upload or create within the Service.

Usage Data: Log data, device information, browser type, IP address, pages visited, features used, interaction data, and approximate geolocation collected automatically when you use the Service.

Payment Information: Billing details processed through our payment provider, Stripe. We never store full credit card numbers on our servers.

Communication Data: Support tickets, feedback, and correspondence you send to us.

Device Information: Device identifiers, operating system, browser version, screen resolution, and language preferences.

3. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain the Service
  • Process transactions and manage your subscription
  • Provide AI-powered contract analysis and insights
  • Send transactional notifications (contract expirations, approval requests, alerts)
  • Provide customer support and respond to inquiries
  • Improve and develop new features for the Service
  • Detect, prevent, and address security issues
  • Enforce our Terms of Service and Acceptable Use Policy
  • Comply with legal obligations and respond to lawful requests
  • Communicate product updates, changes, and service announcements

4. AI Processing and Cross-Enterprise Learning

Our AI system ("Donna AI") processes Customer Data to provide contract analysis, risk scoring, recommendations, and other intelligent features within the Service.

Cross-Enterprise Learning Methodology:

Donna AI derives anonymized, aggregated patterns across enterprises to improve the quality of its analysis for all customers. This process uses a multi-layer anonymization approach:

  • PII Regex Scrubbing: Personally identifiable information is removed before any cross-enterprise processing. Email addresses, phone numbers, and Social Security numbers are replaced with tokens (e.g., [EMAIL], [PHONE], [SSN]).
  • Numeric Bucketing: Monetary amounts and other numeric values are generalized into ranges (e.g., small, medium, large, very large, enterprise) rather than stored as exact figures.
  • Categorical Generalization: Specific company names and other identifying categorical data are generalized to industry types or broad categories.
  • K-Anonymity: Patterns are shared across enterprises only after they have been observed by at least 5 distinct enterprises (k=5 threshold), preventing identification of any single tenant's data.
  • Differential Privacy: Laplace noise (epsilon=1.0) is applied to all aggregate statistics, providing mathematically provable privacy guarantees.
  • Enterprise Identifier Hashing: In market price intelligence data, enterprise identifiers are SHA-256 hashed and cannot be reversed.
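
The sketch below is an added example, not Pactwise's code: it chains three of the layers listed above (token scrubbing, the k=5 distinct-enterprise threshold, and Laplace noise at epsilon=1.0) over constructed observations. The regexes, function names, sample data and the sensitivity-1 assumption are illustrative and do not come from the policy.

```python
import random
import re
from collections import defaultdict

K_THRESHOLD = 5  # policy: pattern must be seen by at least 5 distinct enterprises
EPSILON = 1.0    # policy: Laplace noise, epsilon=1.0

# Assumed regexes: the policy names the tokens, not the patterns behind them.
PII_PATTERNS = [
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]

def scrub(text):
    """Replace email, SSN and phone matches with the policy's tokens."""
    for token, pattern in PII_PATTERNS:
        text = pattern.sub(token, text)
    return text

def laplace(scale, rng):
    """Laplace(0, scale) sample: the difference of two Exp(1/scale) draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def release_counts(observations, rng):
    """observations: (enterprise_id, pattern_text) pairs.
    Returns {scrubbed pattern: noisy distinct-enterprise count}."""
    seen = defaultdict(set)
    for enterprise_id, pattern in observations:
        seen[scrub(pattern)].add(enterprise_id)  # a set: repeats by one tenant count once
    released = {}
    for pattern, enterprises in seen.items():
        if len(enterprises) < K_THRESHOLD:
            continue  # below k: the pattern is suppressed, not shared
        # Assumption: one enterprise changes a count by at most 1 (sensitivity 1).
        released[pattern] = len(enterprises) + laplace(1.0 / EPSILON, rng)
    return released

def demo():
    # Constructed sample: six tenants share one clause, one tenant repeats another.
    obs = [(f"tenant-{i}", f"renewal notice sent to ops{i}@example.com") for i in range(6)]
    obs += [("tenant-0", "custom indemnity cap")] * 10
    return release_counts(obs, random.Random(0))  # seeded for a repeatable demo

if __name__ == "__main__":
    print(demo())
```

The threshold here is applied to the exact count before noise is added, so the suppress-or-release decision is not itself covered by the noise. The seeded generator is for repeatability only; a real release would draw noise from a cryptographically secure source.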

ML Model Training:

  • ML models are trained exclusively on publicly available data sources: SEC EDGAR, USASpending.gov, CourtListener, and academic datasets (CUAD, LEDGAR).
  • Individual customer contracts are never used to train ML models.
  • Individual customer data is never shared with or visible to other tenants.

Opt-Out: You may opt out of cross-enterprise pattern learning at any time by contacting privacy@pactwise.ai. Opting out will not affect the core functionality of the Service.

5. Third-Party Service Providers (Subprocessors)

We share information with the following service providers to operate the Service. Each subprocessor processes data only as necessary to provide their respective services and is bound by a data processing agreement.

| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, Authentication | All service data | US |
| Stripe | Payment processing | Billing information | US |
| OpenAI | AI/NLP processing | Contract text (anonymized) | US |
| Sentry | Error monitoring | Error logs, stack traces | US |
| Resend | Transactional email | Email addresses, names | US |

We maintain data processing agreements with each subprocessor and will notify you of material changes to our subprocessor list. The current subprocessor list is available at /legal/dpa.

6. Data Security

We implement industry-standard security measures including:

  • Encryption at rest and in transit (TLS 1.2+)
  • Row-level security (RLS) ensuring strict data isolation between tenants
  • Role-based access controls with 5-level permission hierarchy
  • Comprehensive audit logging of all data access
  • Rate limiting and CORS protection
  • Regular security assessments and monitoring
  • Automated security scanning in our CI pipeline (static analysis, container, and secret scanning)
  • Dependency vulnerability scanning and automated patching
  • Encrypted backups

7. Data Retention

We retain your data for the following periods:

  • Account Data: Duration of your subscription plus 30 days post-termination to allow for data export.
  • Customer Data: Duration of your subscription plus 30 days post-termination. After this period, data is permanently deleted.
  • Usage/Access Logs: 90 days from the date of collection.
  • Anonymized/Aggregated Data: Retained indefinitely. This data cannot be traced back to any individual or enterprise.
  • Payment Records: 7 years, as required by IRS regulations and applicable tax law.
  • Security Logs: 1 year from the date of collection.
  • Data Rights Request Records: 3 years, as required for regulatory compliance.

8. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information ("PI"):

  • Right to Know/Access: Request what personal information we collect, use, and disclose about you.
  • Right to Delete: Request deletion of your personal information, subject to legal exceptions (e.g., compliance obligations, fraud prevention).
  • Right to Correct: Request correction of inaccurate personal information we hold about you.
  • Right to Data Portability: Export your data in a machine-readable format (JSON, CSV).
  • Right to Opt-Out of Cross-Enterprise Learning: Opt out of having your anonymized data included in cross-enterprise pattern analysis by contacting privacy@pactwise.ai.
  • Right to Non-Discrimination: Exercising any of these rights will not affect the quality, level, or pricing of the Service you receive.

How to exercise your rights: Email privacy@pactwise.ai with your request. We will respond within 30 business days. Identity verification may be required before processing your request.

9. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and its amendments. This section supplements the information provided in Section 8.

Categories of personal information collected in the last 12 months:

| Category | Examples | Business Purpose |
|---|---|---|
| Identifiers | Name, email, IP address | Account creation, authentication |
| Commercial Information | Contracts, vendor data, subscription records | Providing the Service |
| Internet/Electronic Activity | Log data, pages visited, feature usage | Service improvement, security |
| Geolocation Data | Approximate location (IP-based) | Security, compliance |
| Professional/Employment | Company name, role, department | Account management, access control |
| Financial Information | Billing details (via Stripe) | Payment processing |

  • We do not sell personal information as defined under the CCPA.
  • We do not share personal information for cross-context behavioral advertising.
  • "Do Not Sell or Share My Personal Information": Although we do not sell or share PI, you may submit a request via privacy@pactwise.ai at any time. See Section 10 for additional details.
  • Authorized Agents: You may designate an authorized agent to submit requests on your behalf with written authorization. We may require verification of both the agent's identity and your written authorization.
  • Financial Incentives: We do not offer financial incentives for the collection, sale, retention, or deletion of personal information.
  • Shine the Light: California residents may request information about disclosures of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

10. Do Not Sell or Share

Pactwise does not sell personal information. We do not share personal information for cross-context behavioral advertising.

The anonymized, aggregated data used in cross-enterprise learning (described in Section 4) cannot be traced back to individuals or individual enterprises and does not constitute a "sale" or "sharing" of personal information under the CCPA or any applicable privacy law.

If you wish to exercise your right to opt out of any future sale or sharing, should our practices change, contact privacy@pactwise.ai.

11. Automated Decision-Making

Donna AI provides recommendations, analysis, risk scores, and other insights to assist your decision-making. However, Donna AI does not make fully automated decisions that produce legal or similarly significant effects on individuals.

All AI outputs are advisory in nature. Human review and approval are required for all consequential actions within the Service. You may request human review of any AI-generated analysis by contacting hello@pactwise.ai.

12. International Data Transfers

Your data is stored and processed primarily in the United States. If you are located outside the United States, your information will be transferred to and processed in the US.

We ensure appropriate safeguards are in place for international transfers in compliance with applicable data protection laws, including Standard Contractual Clauses where required.

13. Cookies and Tracking

We use the following categories of cookies and similar technologies:

  • Essential Cookies: Authentication session tokens, CSRF protection, and user preference cookies. These are strictly necessary for the Service to function and cannot be disabled.
  • Analytics: Anonymized usage patterns collected to improve the Service. We do not use third-party analytics services.

We do not use advertising cookies or tracking pixels. We do not participate in ad networks.

For full details and management options, see our Cookie Policy.

14. Data Breach Procedures

In the event of a data breach affecting your personal data, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by applicable law. Notifications will include the nature of the breach, data affected, remediation steps taken, and recommended actions for users.

15. Children's Privacy

The Service is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

16. Third-Party Links

The Service may contain links to third-party websites, services, or resources that are not operated by Pactwise. We are not responsible for the privacy practices or content of these third-party sites.

We encourage you to review the privacy policies of any third-party websites you visit through links on the Service.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. Continued use of the Service after such notice constitutes acceptance of the updated policy. We may require explicit re-acceptance for significant changes.

18. Contact Information

For privacy-related inquiries, contact our Data Protection Officer at privacy@pactwise.ai.

Pactwise LLC.

For CCPA-specific requests, email privacy@pactwise.ai with the subject line "CCPA Request." We will respond within 30 business days. If additional time is needed, we will notify you of the extension (up to 45 additional days) and the reason for the delay.

19. Supplemental Notices

For enterprise customers with a Data Processing Agreement ("DPA"), the DPA terms supplement this Privacy Policy. In the event of a conflict between this Policy and the DPA, the DPA governs with respect to Customer Data processing.

The current DPA template is available at /legal/dpa.

This Privacy Policy is provided for informational purposes and should be reviewed by qualified legal counsel before relying on it. It does not constitute legal advice.